Creating a Private Certificate Authority with NPS

Page 10 of 39

Installation & Configuration Overview

The following is an outline of the overall procedure and steps in this document.
Step-by-step instructions will follow this section.
1. Install Microsoft Windows Server 2008 R2 (if not already installed) [1]
2. Join server to the Windows domain
3. Install and configure Certification Authority (CA)
4. Confirm the installation
5. Issue a certificate and test
6. Troubleshooting

Domain Membership
A Certification Authority does not need to run on the domain controller, but it
should be on a server that is a member of the domain.

Enterprise vs. Stand-Alone CAs

Microsoft supports two different types of CAs: enterprise and stand-alone. Before
installation it is a good idea to decide which one to use. [2]
Enterprise CAs are integrated with Active Directory. They publish certificates
and Certificate Revocation Lists (CRLs) to Active Directory. Enterprise CAs use
information stored in Active Directory, including user accounts and security
groups, to approve or deny certificate requests. Enterprise CAs use certificate
templates. When a certificate is issued, the enterprise CA uses information in the
certificate template to generate a certificate with the appropriate attributes for
that certificate type.
If you want to enable automated certificate approval and automatic user
certificate enrollment, use enterprise CAs to issue certificates. These features are
only available when the CA infrastructure is integrated with Active Directory.
Additionally, only enterprise CAs can issue certificates that enable smart card
logon, because this process requires that smart card certificates be mapped
automatically to the user accounts in Active Directory.
Stand-alone CAs do not require Active Directory and do not use certificate
templates. If you use stand-alone CAs, all information about the requested
certificate type must be included in the certificate request. By default, all
certificate requests submitted to stand-alone CAs are held in a pending queue
until a CA administrator approves them. You can configure stand-alone CAs to
issue certificates automatically upon request, but this is less secure and is usually
not recommended, because the requests are not authenticated.
From a performance perspective, using stand-alone CAs with automatic issuance
enables you to issue certificates at a faster rate than you can by using enterprise
CAs. However, unless you are using auto issuance, using stand-alone CAs to
issue large volumes of certificates usually comes at a high administrative cost
because an administrator must manually review and then approve or deny each
certificate request. For this reason, stand-alone CAs are best used with public
key security applications on extranets and the Internet, when users do not have
Windows 2000 or Windows Server 2003 accounts, and when the volume of
certificates to be issued and managed is relatively low.
You must use stand-alone CAs to issue certificates when you are using a
third-party directory service or when Active Directory is not available.

[1] This document uses Microsoft Windows Server 2008 R2 Enterprise for the examples; however, most
Windows servers should also work, with some possible differences. Installing Microsoft Windows is outside
[2] Only Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. Other versions (except
Windows Server 2008 Web) support a more limited version called a Standalone CA. For more information,
please see the appropriate Microsoft documentation.
April-2012-1


Installing and Configuring the CA

Installing a root CA allows the organization to issue both client and user
certificates. Server certificates are typically issued to the RADIUS server, web
servers, etc. Certificates can also be issued to both users and machines. These
can be used as part of the EAP-TLS authentication process.
Installation steps:
1. Install Windows Server 2008 R2
2. Install and configure the Certification Authority
3. Confirm the CA installation
4. Issue a certificate and test

Install Windows Server 2008 R2

Installation of Windows Server is beyond the scope of this document. Please
refer to the documentation from Microsoft for details. Requirements for this
document are as follows:
- Windows Server 2008 R2 Enterprise [3]
- The server is a member of the domain. [4]

Install Root Certification Authority (CA)

The following are the steps to install and configure the Microsoft Certification
Authority:
1. Launch the Server Manager application and make sure you are on the main,
root-level screen
2. Under Role Summary, click Add Roles
3. Select Active Directory Certificate Services from the available roles

Footnote: Microsoft's CA may be run on any Windows 2008 or 2003 server, including domain controllers. There may
be some configuration differences.
4. Click Next
5. Click Next to begin the installation

6. The minimum role service required is the Certification Authority itself.
However, including Certification Authority Web Enrollment can be helpful
for initial interaction and testing of the CA.
7. Click Next
8. The next screen allows you to select which type of CA to setup. For this
example, select the Enterprise CA option
9. Click Next

10. The next option is the type of CA. Unless there are other CAs in your
organization, you should always choose Root CA

11. Click Next

12. Select the Create a new private key in the next screen. This is the default
unless you are re-installing the CA and want to keep any existing certificates
13. Click Next

14. The default cryptography is fine, click Next to accept and continue

15. The next screen gives you a chance to enter the name for the CA. This should
be the hostname of the system as a client might see it via DNS. It is the name
that will show up as the certificate issuer in any certificates it creates
16. Click Next

17. Unless you have different requirements, accept the default validity period of 5
years for the certificate the CA will issue to itself.
18. Click Next

19. Click Next to accept the default location for the certificate database
20. If there are any components that the CA requires that are not already
installed, you will be prompted to install them next. For example, web enrollment
requires IIS. You may accept the defaults for these components unless you
plan to use them for other applications
21. At the end, you will be presented with a summary screen listing the
installation and configuration options. Check this screen carefully before
clicking the Install button.

Confirm the CA Installation

At this point the Certification Authority should be ready for use. Before
deploying, it is useful to verify the CA issued a certificate to itself and is ready.
1. Launch the Server Manager application and make sure you are on the main,
root-level screen
2. In the left-hand navigation window, click Roles
3. Click Active Directory Certificate Services from the available roles
4. Click the plus sign (+) next to Enterprise PKI to expand it
5. Click on the CA instance's name
6. Examine the certificate information. All items should have a status of OK and
the common name should match what was configured
7. Click on Certificate Templates for this instance and verify the templates were
installed. At a minimum, you will need the Computer, User and Workstation
Authentication templates [5]
8. Next click on the plus sign next to the CA instance name to expand it
9. Click on Issued Certificates and verify at least one certificate has been issued
to the CA itself. There may be other certificates if the server has other roles
such as domain controller

[5] If you are not issuing certificates to machines, only the User template is required.
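As an added check that is not part of the original application note, the following PowerShell script, run in an elevated prompt on the CA server, automates steps 6, 7 and 9: it confirms the CA service answers, that a self-signed CA certificate with a private key exists and has not expired, and that the three templates named above are published. The template display names are those from the note; the output of certutil -CATemplates is assumed to be one "Name: Display Name -- access" line per template.

```powershell
# Added verification script (not from the Ruckus note). Run elevated on the CA server.
$RequiredTemplates = @('Computer', 'User', 'Workstation Authentication')  # display names from the note

# 1. Does the local CA service answer? certutil -ping contacts the CA's RPC/DCOM interface.
$pingOutput = certutil -ping 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "CA is not responding:`n$($pingOutput -join "`n")"
}
'CA service: responding'

# 2. The CA's own certificate is self-signed (Subject equals Issuer) and must carry a private key.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) {
    throw 'No self-signed CA certificate with a private key found in LocalMachine\My'
}
if ($caCert.NotAfter -lt (Get-Date)) {
    throw "CA certificate expired on $($caCert.NotAfter)"
}
"CA certificate: $($caCert.Subject)"
"  valid until : $($caCert.NotAfter)"
"  thumbprint  : $($caCert.Thumbprint)   (record this; clients can compare it when verifying the root)"

# 3. Templates the CA is configured to issue. Each prints as
#    "<template name>: <display name> -- <access result>" (format assumed; inspect manually if it differs).
$templateLines = certutil -CATemplates 2>&1 | ForEach-Object { "$_" }
$missing = @()
foreach ($t in $RequiredTemplates) {
    $hit = $templateLines | Where-Object { $_ -match "^\S+:\s+$([regex]::Escape($t))\s+--" }
    if ($hit) { "Template OK      : $t" } else { "Template MISSING : $t"; $missing += $t }
}
if ($missing) {
    Write-Warning ("Publish the missing template(s) via Certificate Templates -> New -> " +
                   "Certificate Template to Issue: " + ($missing -join ', '))
}
```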
Issue a Certificate and Test

Before a CA is put into production, a test certificate should be issued and tested.
There are several different types of certificates that might be used; most
commonly for users and machines. Although there are many different types of
certificates (email, web servers, etc.), this document only deals with the
certificates required for PEAP/EAP-TLS authentication over Wi-Fi.
Test steps:
1. Install and configure a RADIUS server, if not already installed [6]
2. Configure Wi-Fi network for PEAP/EAP-TLS
3. Install root CA certificate on a client
4. Issue a certificate to a user or client and install
5. Test the client and make sure it can authenticate and connect to the WLAN

Configure RADIUS
Before a WLAN can be configured to support 802.1X, a RADIUS server must be
configured. All Windows servers include an optional RADIUS server component.
For more information on how to install and configure this for Wi-Fi
authentication, please refer to the Ruckus application notes for NPS or IAS,
depending on your installation.

Configure Wi-Fi for PEAP/EAP-TLS


Once the back-end RADIUS system is ready, the Ruckus equipment should be
configured to broadcast the 802.1X-based SSID. Two common EAP types are
available, PEAP and EAP-TLS. For more information on the different EAP types,
please refer to the Ruckus 802.1X application notes or the references listed in the
appendix.

Install Root CA Certificate on the Client

A root certificate is the public version of the CA's own certificate. Devices use
it to verify that a certificate claiming to be signed by that CA is valid. All
operating systems come with the root certificates of well-known CAs such as
Verisign, GoDaddy, etc. They can be viewed in Internet Options (Windows) or the
Keychain (Mac OS). Since this is a private CA, the clients do not have its root
certificate. Therefore it must be installed on each client that will use PEAP or
EAP-TLS authentication. If it is not present, the client will be unable to verify
that a certificate is valid and will reject it.

[6] For more information on how to configure a RADIUS server on Microsoft Windows, Ruckus offers step-by-step
guides for NPS and IAS. Microsoft also has detailed documentation.

There are several different ways to install the root CA certificate on a client. The
easiest are:
- The user downloads and installs it individually
- Push the certificate to all computers via a Group Policy (Windows only)
- Auto-enrollment (Windows only)

Individual Installation of the Root CA Certificate


There are two ways a user can install a certificate: obtain the certificate via email,
etc. or download it from the CA via the web interface.
The first method is as easy as double-clicking the certificate file. It will install
automatically. This is true for most operating systems; however, it is a good idea
to double-check that the certificate was installed correctly. It should always be
installed into the Trusted Root Certification Authorities list.
Verify Root Certification Installation (Windows)
To verify the certificate installed correctly on a Windows system, use the
following steps:
1. Launch Internet Options from the Start Menu or the Control Panel
2. Click the Content tab
3. Click the Publishers button
4. Click the Trusted Root Certification Authorities tab
5. Scroll down the list and make sure your CA's certificate is in the list
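An added script-based check for the Windows client, not part of the original note: it looks the CA up in the Trusted Root store by the name chosen at install time and, optionally, compares the thumbprint against the one recorded on the CA server, so that a certificate that merely carries the same name is not mistaken for the real root. The CA name in the example call is a placeholder to replace with your own.

```powershell
# Added client-side check (not from the Ruckus note). Run in a PowerShell prompt on the client.
function Test-PrivateRootCa {
    param(
        [Parameter(Mandatory = $true)][string]$CaName,   # CA name entered in step 15 of the install
        [string]$ExpectedThumbprint                       # thumbprint read from the CA server (optional)
    )
    # Trusted Root Certification Authorities exists per machine and per user; check both.
    $roots = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Subject -match "(^|, ?)CN=$([regex]::Escape($CaName))(,|$)" }
    if (-not $roots) {
        Write-Warning "No certificate for '$CaName' in either Trusted Root store"
        return $false
    }
    $ok = $true
    foreach ($c in $roots) {
        $store      = $c.PSParentPath -replace '^.*Certificate::', ''
        $selfSigned = ($c.Subject -eq $c.Issuer)                      # a root must be self-signed
        $current    = ($c.NotBefore -lt (Get-Date)) -and ($c.NotAfter -gt (Get-Date))
        $pinned     = (-not $ExpectedThumbprint) -or ($c.Thumbprint -eq $ExpectedThumbprint.ToUpper())
        '{0,-20} {1}  self-signed={2} current={3} thumbprint-match={4}' -f `
            $store, $c.Thumbprint, $selfSigned, $current, $pinned
        if (-not ($selfSigned -and $current -and $pinned)) { $ok = $false }
    }
    # The same certificate in a Personal (My) store means it was imported into the wrong place.
    $rootPrints = $roots | ForEach-Object { $_.Thumbprint }
    $misplaced  = Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
        Where-Object { $rootPrints -contains $_.Thumbprint }
    if ($misplaced) {
        Write-Warning 'Root certificate also found in a Personal (My) store; it belongs only in Trusted Root'
    }
    return $ok
}

# Example call with a placeholder CA name; add -ExpectedThumbprint '<value from the CA server>' to pin it.
Test-PrivateRootCa -CaName 'EXAMPLE-CA01-CA'
```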
Verify Root Certification Installation (Mac OS)
To verify the certificate installed correctly on a Macintosh system, use the
following steps:
1. Click on Spotlight and enter Keychain Access to launch it (or launch it from the
Finder via Applications->Utilities->Keychain Access)
2. Click File->Import Item and select the certificate file
3. If prompted, mark the certificate as always trusted
4. Verify the certificate is installed

Distributing the Root CA Certificate via a Group Policy (Windows)


The root certificate can be distributed to multiple Windows machines in a
domain via a group policy object (GPO). The steps are:
1. Open the Group Policy Management Console
2. Open the forest entry and click the plus sign next to your domain to expand it
3. Navigate down to Group Policy Objects->Default Domain Policy
4. Right click on Default Domain Policy and select Edit
5. Navigate down to Computer Configuration->Policies->Windows Settings->Security Settings->Public Key Policies

6. Right click on Trusted Root Certification Authorities and select Import. This
will launch the Certificate Import Wizard
7. Click Next
8. When prompted, browse to the location of the root certificate file
9. Make sure the certificate will be imported into the Trusted Root Certification
Authorities store

10. Click Next
11. Click Finish to import the certificate
12. Verify the certificate appears inside the group object
13. You can make sure the group policy is updated immediately with the
gpupdate command. This is run from a command window with administrator
rights. The syntax is:
gpupdate /force

The group policy is now complete. Domain users should automatically download
the certificate the next time they login. You can test this by logging into a
domain machine. Open Internet Options and verify the certificate shows up in
the list of trusted root CAs.

Issue a Client Certificate


First determine which kind of certificates you wish to deploy. There are two
different kinds of client certificates that can be used: computer or user. A
computer certificate is issued to a specific machine and cannot be used by
another device. A user certificate is issued to a user account and can be used by
any device.
Issue User Certificates with Auto Enrollment (Windows)
1. Open the Certification Authority program on the CA system
2. Click the plus sign next to the name of the CA instance
3. Right click on Certificate Templates and choose Manage. This will open the
Certificate Templates Console
4. Right click the User template in the panel to the right and choose Duplicate
Template
5. In the next screen you are prompted to select the type of attributes
supported in the certificate: Windows Server 2003 or Windows Server 2008.
Choose whichever is most appropriate for your installation
6. Click Next
7. In the properties window, give the template a name. You may also adjust the
validity period and how re-enrollment is handled here

8. Click the Security tab
9. Select the Domain Users group

10. In the permissions section, select Enroll and Autoenroll
11. Click OK to save the template
12. Close the Certificate Templates Console and launch the Certification Authority
(certsrv) program again. This is the first one used, not the template editor
13. Click the plus sign next to your CA instance
14. Right click on Certificate Templates and select New->Certificate Template to
Issue

15. Click the name of your template and click the OK button
Next add this to a group policy object (GPO) on the AD server.
16. Open the Group Policy Management Console
17. Open the forest entry and click the plus sign next to your domain to expand it
18. Navigate down to Group Policy Objects->Default Domain Policy
19. Right click on Default Domain Policy and select Edit
20. Navigate down to User Configuration->Policies->Windows Settings->Security
Settings->Public Key Policies

21. Double-click the Certificate Services Client Auto-Enrollment object
22. In the properties window, select Enabled from the Configuration Model dropdown box
23. Check the box next to Update certificates that use certificate templates
24. You may also wish to set other options on the screen regarding how expired
certificates are handled
25. Click the OK button to save your changes
26. Use the gpupdate command to force an immediate update and deploy the
new GPO for all new client logins to the domain
Test the new GPO by logging into a domain client. Verify a user certificate is
created and installed on the machine. [7]

[7] At the time of this document, there is a known issue with user certificates not being issued if the user
account does not have an Email attribute in Active Directory. Adding an email address will fix this.

Issue Device Certificates with Auto Enrollment (Windows)
The process to generate client certificates is the same as user certificates with a
few minor changes.
1. Open the Certification Authority program on the CA system
2. Click the plus sign next to the name of the CA instance
3. Right click on Certificate Templates and choose Manage. This will open the
Certificate Templates Console
4. Right click the Workstation Authentication template in the panel to the right
and choose Duplicate Template
5. In the next screen you are prompted to select the type of attributes
supported in the certificate: Windows Server 2003 or Windows Server 2008.
Choose whichever is most appropriate for your installation
6. Click Next
7. In the properties window, give the template a name. You may also adjust the
validity period and how re-enrollment is handled here

8. Click the Security tab
9. Select the Domain Computers group

10. In the permissions section, select Enroll and Autoenroll
11. Click OK to save the template
12. Close the Certificate Templates Console and launch the Certification Authority
(certsrv) program again. This is the first one used, not the template editor
13. Click the plus sign next to your CA instance
14. Right click on Certificate Templates and select New->Certificate Template to
Issue

15. Click the name of your template and click the OK button
Next we need to add this to a group policy object (GPO) on the AD server.
16. Open the Group Policy Management Console
17. Open the forest entry and click the plus sign next to your domain to expand it
18. Navigate down to Group Policy Objects->Default Domain Policy
19. Right click on Default Domain Policy and select Edit
20. Navigate down to Computer Configuration->Policies->Windows Settings->Security Settings->Public Key Policies

21. Double-click the Certificate Services Client Auto-Enrollment object
22. In the properties window, select Enabled from the Configuration Model dropdown box
23. Check the box next to Update certificates that use certificate templates
24. You may also wish to set other options on the screen regarding how expired
certificates are handled
25. Click the OK button to save your changes
26. Use the gpupdate command to force an immediate update and deploy the
new GPO for all new client logins to the domain
Test the new GPO by logging into a domain client. Verify a machine certificate is
created and installed on the machine. [8]

[8] At the time of this document, there is a known issue with user certificates not being issued if the user
account does not have an Email attribute in Active Directory. Adding an email address will fix this.
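The following PowerShell, added here and not part of the original note, checks the result of both auto-enrollment procedures above (user certificates from the duplicated User template and machine certificates from the duplicated Workstation Authentication template) on a domain-joined Windows client. It finds certificates issued by the CA whose certificate template extension names the template and, because of the known Email-attribute issue, checks that the logged-on user has a mail attribute. The CA name and template names are placeholders; the extension OIDs are Microsoft's Certificate Template Information (1.3.6.1.4.1.311.21.7) and Certificate Template Name (1.3.6.1.4.1.311.20.2).

```powershell
# Added check (not from the Ruckus note). Run on a domain-joined client; elevate it so certutil -pulse
# triggers the machine auto-enrollment task as well as the user task.
$CaName          = 'EXAMPLE-CA01-CA'    # placeholder: CA name chosen during installation
$UserTemplate    = 'Wi-Fi User'         # placeholder: name given to the duplicated User template
$MachineTemplate = 'Wi-Fi Workstation'  # placeholder: name given to the duplicated Workstation Authentication template

function Get-AutoEnrolledCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$TemplateName,
        [Parameter(Mandatory = $true)][string]$CaName,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser'
    )
    # The template is recorded in one of two extensions: Certificate Template Information
    # (2003/2008-style templates) or the older Certificate Template Name.
    $templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
    Get-ChildItem "Cert:\$Scope\My" | Where-Object {
        $cert = $_
        ($cert.Issuer -match "(^|, ?)CN=$([regex]::Escape($CaName))(,|$)") -and
        ($cert.Extensions | Where-Object {
            ($templateOids -contains $_.Oid.Value) -and
            # Format() resolves the template OID to its display name via AD on a domain-joined machine.
            ($_.Format($false) -match [regex]::Escape($TemplateName))
        })
    }
}

# User certificates are not issued when the account has no Email attribute (known issue noted above).
function Test-UserHasMailAttribute {
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
    $result   = $searcher.FindOne()
    return [bool]($result -and $result.Properties['mail'].Count -gt 0)
}

gpupdate /force | Out-Null     # apply the GPO now rather than at the next logon
certutil -pulse | Out-Null     # trigger the auto-enrollment task immediately

if (-not (Test-UserHasMailAttribute)) {
    Write-Warning "$env:USERNAME has no Email attribute in AD; user auto-enrollment will fail until one is set"
}

foreach ($check in @(
        @{ Scope = 'CurrentUser';  Template = $UserTemplate    },
        @{ Scope = 'LocalMachine'; Template = $MachineTemplate })) {
    $certs = Get-AutoEnrolledCertificate -TemplateName $check.Template -CaName $CaName -Scope $check.Scope
    if ($certs) {
        foreach ($c in $certs) {
            '{0,-12} {1,-20} {2}  expires {3:d}  private key={4}' -f `
                $check.Scope, $check.Template, $c.Thumbprint, $c.NotAfter, $c.HasPrivateKey
        }
    } else {
        Write-Warning "No certificate from template '$($check.Template)' issued by $CaName in $($check.Scope)\My"
    }
}
```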

Manually Issue Certificates with Web Enrollment (All Operating Systems)


If the web enrollment option was included when the Certification Authority was
installed, users can go to a web URL and download the root CA certificate as well as
request a certificate.
All the user needs to do is point their browser to the URL:
http://<servername>/certsrv. They will be prompted to enter their domain
credentials and see the main request screen.

From here they can download the root CA certificate as well as request a new
personal certificate. To request a personal certificate:
1. Click the Request a certificate link

2. Select the certificate type (User Certificate for this example)
3. Click Submit to accept the default key strength on the next screen (it should
always be 2048)
4. Click the link on the next screen to download the certificate and install it

If automatic certificate approval is not enabled, an administrator will need to use
the Certification Authority console to approve the request. A user may come
back at any time to view the status of a request.
This procedure works for any operating system as long as the user is allowed to
authenticate to the web server.

Implementing 802.1X with Certificates

Once the Certificate Authority is installed, there are a few additional steps
required before 802.1X authentication may be used. These include:
1. Issue a certificate to your RADIUS server
2. Configure the RADIUS server for wireless 802.1X authentication
3. Configure the ZoneDirector for 802.1X
4. Configure wireless clients

RADIUS server installation and configuration (Microsoft and ZoneFlex) is covered
in separate application notes from Ruckus. Please refer to these for step-by-step
instructions.
For information on how to configure a client as an 802.1X supplicant, please refer
to the application note from Ruckus Wireless and the vendor's documentation.

Appendix A: Further Reading

Digital (X.509) Certificates and How They Work
Microsoft: Understanding Digital Certificates and Public Key Cryptography
http://technet.microsoft.com/en-us/library/bb123848(v=exchg.65).aspx

Installing Microsoft Certification Authority
Active Directory Certificate Services Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx
Deploy Certificates with Group Policy (Auto-enrollment)
http://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx

Request/Generate SSL Certificates
Obtain a Digital Certificate from an Online Certificate Authority (Windows)
http://www.petri.co.il/obtain_digital_certificate_from_online_ca.htm
How to Request a Certificate from a Microsoft CA (Mac OS)
http://support.apple.com/kb/HT4784
