Building SharePoint 2016 development environment – Part 5 – Creating Certificate Authority.


A few years ago I wrote the “Build your SharePoint 2013 development machine on Windows Server 2012” series. I mainly work in the cloud now, but as the blogs were so popular, I thought I would create a new series for the newer version of SharePoint.

You can access other parts of this post below.

Installing Certificate Authority

To allow our SharePoint sites to use SSL, their certificates need to come from a certificate authority that the machines in the domain trust. That is what we are going to create here.

  • On your domain controller, open up Server Manager
  • On the right, click Manage > Add Roles and Features
  • Click Next
  • On Select installation type ensure that Role-based or feature-based installation is selected. Click Next.
  • On Select destination server screen, keep the default choice of your domain controller, and click Next.
  • Select Active Directory Certificate Services and click Add Features when the dialog pops up. Click Next.
  • On Select features click Next.
  • On the Active Directory Certificate Services screen, it informs you that you cannot change the name or domain settings of this computer once the role is installed. Click Next.
  • On Select role services, select the following:
    • Certification Authority
    • Certificate Enrollment Policy Web Service
    • Certificate Enrollment Web Service

    Click Add Features when prompted.

  • On Web Server Role (IIS) click Next.
  • On the Select role services click Next.
  • Tick Restart the destination server automatically if required, and say Yes to the dialog prompt. Then click Install.
  • Once the installation completes, you need to configure the Certification Services: click the link Configure Active Directory Certificate Services on the destination server.
  • On the Credentials screen, ensure you are using a domain admin account. Click Next.
  • On Role Services tick Certification Authority, then click Next
  • On Setup Type, leave the default of Enterprise CA, click Next
  • Since this is the first CA in the domain, on CA Type leave the default of Root CA. Click Next
  • On Private Key leave it as Create a new private key and click Next
  • On Cryptography for CA select SHA256. Click Next
  • On CA Name, for a development environment, I recommend renaming it to something simple like MY-CA, or you can leave it as is (you will need to remember this much later). Click Next.
  • On Validity Period, you can change the number of years if you wish. I would imagine in 5 years SharePoint 2016 will be old hat, and we will be using SharePoint 2020. Click Next.
  • Accept the default locations of the CA Database. Click Next.
  • On the final screen, Confirmation, click Configure. You will be presented with a succeeded screen. Click Close. You will be prompted with a Do you want to configure additional role services? dialog. Click Yes.
  • After clicking Yes, you will be presented back with the Credentials screen. Click Next.
  • On the Role Services screen, now select both Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service. Click Next.
  • On the CA for CES screen, leave it as is and click Next. This allows your target CA to issue web certificates to SharePoint and other web servers.
  • For the Authentication Type for CES, keep the default of Windows integrated authentication and click Next.
  • On Service Account for CES switch the radio button to Use the built-in application pool identity. Click Next.
  • The Authentication Type for CEP leave as Windows integrated authentication. Click Next.
  • On the Server Certificate screen, select your existing self-signed certificate. Click Next.
  • On the last screen, click Configure.
  • Finally, you are presented with success messages. Click Close.

Your Certificate Authority is now complete and ready to issue certificates to your SharePoint farm. This will be configured later, once we have at least installed SharePoint.

Setting up a Global Policy for Certificate Enrollment.

Here we are going to create a domain-wide Group Policy that applies to all machines joined to the domain, so that auto-enrollment of certificates is allowed.

  1. Open up the Group Policy Management console by typing gpmc.msc in the Run dialog.
  2. Expand the Forest down to our domain.
  3. Right click the domain and select Create a GPO in this domain, and Link it here…
  4. In the New GPO dialog, give it the name of Cert Enrollment Policy, and click OK.
  5. In the left pane of Group Policy Management, expand your domain; at the top you should see Cert Enrollment Policy. Right-click it and select Edit.
  6. Navigate down to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and double-click Certificate Services Client – Auto-Enrollment.
  7. In the dialog, set the Configuration Model to Enabled. Click OK.
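The same build, both the AD CS role configuration above and the auto-enrollment GPO, done from PowerShell on the domain controller. This is an added example, not from the original post; it assumes the domain contoso.local, a domain controller named DC01, the CA name MY-CA from the post, and it creates a self-signed certificate for the enrollment web services instead of picking an existing one as the wizard does.

```powershell
# Added example (not from the original post). Assumptions: domain contoso.local,
# DC host DC01, CA name MY-CA. Run in an elevated session as a domain admin.

$CaName   = 'MY-CA'                          # the simple CA name the post recommends
$CaConfig = "DC01.contoso.local\$CaName"     # <host>\<CA name>, needed by the CES role
$DomainDN = 'DC=contoso,DC=local'            # distinguished name used for the GPO link
$GpoName  = 'Cert Enrollment Policy'

# 1. Roles: Certification Authority, Certificate Enrollment Web Service (CES) and
#    Certificate Enrollment Policy Web Service (CEP). IIS is pulled in as a dependency.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol `
    -IncludeManagementTools

# 2. Enterprise Root CA, new RSA key, SHA256 signing, 5-year validity (the default).
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force

# 3. CES and CEP with Windows integrated (Kerberos) authentication and the built-in
#    application pool identity. The wizard selects an existing self-signed certificate;
#    here one is created for the host name so the step is deterministic (assumption).
$sslCert = New-SelfSignedCertificate -DnsName 'DC01.contoso.local' `
    -CertStoreLocation Cert:\LocalMachine\My
Install-AdcsEnrollmentWebService -CAConfig $CaConfig -AuthenticationType Kerberos `
    -ApplicationPoolIdentity -SSLCertThumbprint $sslCert.Thumbprint -Force
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $sslCert.Thumbprint -Force

# 4. Domain-linked GPO that enables Certificate Services Client - Auto-Enrollment.
#    The setting is stored in the AEPolicy registry value; 1 is assumed to match the
#    UI's "Configuration Model: Enabled" with both renewal check boxes left clear.
New-GPO -Name $GpoName | New-GPLink -Target $DomainDN -LinkEnabled Yes | Out-Null
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName AEPolicy -Type DWord -Value 1 | Out-Null

# 5. Checks: the CA answers on its config string, and the GPO carries the setting.
certutil -ping -config $CaConfig
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ValueName AEPolicy
```

Domain-joined machines pick up the policy at their next Group Policy refresh; running gpupdate /force on a member server makes the change visible immediately.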

We have reached the end of this blog post. Again, it would be a good idea to shut the machine down and create a new checkpoint.