
Print content https://www.practice-labs.com/authenticated/vNext/vn-print-content.aspx

Identity with Windows Server 2016

Install and Configure Enterprise Root CA

Introduction
Exercise 1 - Install AD Certificate Services
Exercise 2 - Configure Certificate Revocation Lists (CRLs)
Exercise 3 - Backup and Restore of Active Directory Certificate Services
Summary

Introduction
The Install and Configure Enterprise Root CA module provides you with the
instruction and server hardware to develop your hands-on skills in the defined topics.
This module includes the following exercises:

Install AD Certificate Services
Configure Certificate Revocation Lists (CRLs)
Backup and Restore of Active Directory Certificate Services

Lab time: It will take approximately 1 hour to complete this lab.

Exam Objectives

The following exam objectives are covered in this lab:

Install AD Integrated Enterprise Certificate Authority (CA)
Install Enterprise Subordinate CA
Configure Certificate Revocation List (CRL) distribution points
Configure CA backup and recovery

Lab Diagram

1 of 86 24-01-2020, 15:11

During your session, you will have access to the following lab configuration.

Connecting to your Lab

In this module, you will be working on the following equipment to carry out the steps
defined in each exercise.

Important: When you start a module, PLABDC01 must be powered on first. When PLABDC01's activity indicator states "On," you can then power on the other devices in the sequence indicated below. This will ensure that certain Windows services like Active Directory Services are successfully started and will avoid errors in domain security policy. Please note that some network services require Active Directory in order to function.

PLABDC01 (Windows Server 2016 - Domain Controller)
PLABDM01 (Windows Server 2016 - Domain Server)
PLABSA01 (Windows Server 2016 - Domain Server)
PLABWIN10 (Windows 10 - Domain Workstation)


For further information and technical support, please see our Help and Support
page.

Copyright Notice
This document and its content is copyright of Practice-IT - © Practice-IT 2017. All rights reserved.
Any redistribution or reproduction of part or all of the contents in any form is prohibited other than
the following:
1. You may print or download to a local hard disk extracts for your personal and non-commercial use
only.
2. You may copy the content to individual third parties for their personal use, but only if you
acknowledge the website as the source of the material. You may not, except with our express written
permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any
other website or other form of electronic retrieval system.

Exercise 1 - Install AD Certificate Services


Public Key Infrastructure (PKI) is the set of policies, procedures and components that
control the creation, management, distribution and revocation of certificates (digital
IDs) in an organization. PKI underpins the secure transfer of electronic information,
such as e-commerce transactions and confidential e-mail, between an organization and
external parties.

Windows Server 2016 implements PKI using Active Directory (AD) Certificate Services.
When AD Certificate Services is deployed in a corporate network, it is considered an
internal resource, as most users who request certificates are members of the
organization. This type of resource is called an internal Certification Authority (CA).
Companies that transact business with the public, such as e-commerce or internet
banking, also require the services of a trusted external CA to establish trust with
their customers: the external CA vouches to the public that the organization is a
legitimate business, because the public already trusts that CA and not the company's
internal one.

In this exercise, you will add and then install a parent/root CA, which is the starting
point of a Windows PKI. The root CA generates a self-signed certificate. After that you
will add and install a subordinate CA, which forms a hierarchy and trust path with the
root CA: the root CA signs the subordinate CA's certificate, and the subordinate CA
then issues certificates that chain up to, and are trusted because of, the root CA.

To learn more about how to install and configure an Active Directory Enterprise
Certification Authority, please refer to your course material or use your preferred
search engine to research this topic in more detail.

Task 1 - Add AD Certificate Services

In this task, you will add the Windows feature called Active Directory Certificate
Services using Windows PowerShell.

Please note that you can use Server Manager to add the same feature, however in the
interest of making the lab steps manageable, you will be using Windows PowerShell.

Step 1
Ensure you have powered on the required devices indicated in the Introduction.

Connect to the PLABDC01.

In the Server Manager > Dashboard window, click on the Tools menu and select
Windows PowerShell.

Step 2
Please note that Windows PowerShell commands are not case-sensitive.

In the Windows PowerShell window, to add the Active Directory Certificate Services
and Certification Authority Web Enrollment features, type the following command:

Add-WindowsFeature -Name ADCS-Cert-Authority,ADCS-Web-Enrollment -IncludeManagementTools

Press Enter.

Figure 1.1 Screenshot of PLABDC01: A command is entered in Windows PowerShell to install Certificate Authority services.

Step 3
Please wait while installation of the selected Windows features is in progress. This will
take a few minutes.

Important: You may encounter a lag of about 2 minutes while the features are being
installed. Installation may seem to have frozen or stopped processing. Should this
happen, click inside the Windows PowerShell window and press Enter to refresh the
screen. If you are using the HTML5 client, a hovering clipboard may appear at the
right-hand corner of the screen when you press Enter. Close the Clipboard window.


Step 4
Windows PowerShell confirms the successful installation of the Active Directory
Certificate Services and Certification Authority Web Enrollment features.

Keep Windows PowerShell window open.

Figure 1.2 Screenshot of PLABDC01: Windows PowerShell window indicates a successful installation of features.

Task 2 - Install AD Certificate Enterprise CA and CA Web Enrollment Service

In the earlier task, you only added the AD Certificate Services and CA Web
Enrollment role services to the server. They still have to be installed and configured
with their respective settings (CA type, name, key and certificate parameters) before
the CA can issue certificates to a requesting user, computer or service.


To install and configure AD Certificate Services and CA Web Enrollment, perform the
following steps:

Step 1
On PLABDC01 server, the Windows PowerShell window is open.

To install AD Certification Authority as an Enterprise Root CA using default settings,
type the following command:

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA

Press Enter.

On the next prompt, to accept the default settings, type:

Press Enter.

Figure 1.3 Screenshot of PLABDC01: Windows PowerShell displays the installation of Certificate Authority.

Step 2
The installation of AD Certification Authority is successfully confirmed with an
ErrorId of “0.”

On the next prompt, to install AD Certification Authority Web Enrollment, type:

Install-AdcsWebEnrollment

Press Enter.

On the next prompt, to install AD Certification Authority Web Enrollment with default
settings, type:

Press Enter.

Figure 1.4 Screenshot of PLABDC01: Windows PowerShell displays a screen prompt for the installation of Certificate Authority.

Step 3
The installation of AD Certification Authority Web Enrollment is successfully
confirmed with ErrorId of “0.”

Minimize Windows PowerShell window.

Figure 1.5 Screenshot of PLABDC01: Windows PowerShell displays a successful installation of certificate authority web enrollment.

Step 4
To verify that AD CS is working, in the Server Manager > Dashboard window, go
to Tools > Certification Authority.

Figure 1.6 Screenshot of PLABDC01: Server Manager > Dashboard window is displayed.

Step 5
In the Certification Authority window, expand PRACTICELABS-PLABDC01-
CA node.

Notice that a number of folders related to certificate administration are displayed.

Minimize Certification Authority window.

Figure 1.7 Screenshot of PLABDC01: Windows PowerShell displays the successful installation of Certificate Authority.

Task 3 - Install Subordinate CA

A subordinate CA receives its authority to issue certificates through its relationship
with a root or parent CA. Many organizations deploy one or more subordinate CAs to
implement policy restrictions, such as having a dedicated CA server that issues
certificates to end users. Setting up at least one subordinate CA also protects the
root CA from unnecessary exposure: day-to-day issuance happens on the subordinate,
so the root CA's private key is used only to sign subordinate CA certificates and its
own CRL, and in production deployments the root is typically kept offline.

To install a subordinate CA, perform the following steps:

Step 1
Connect to PLABDM01.


Server Manager > Dashboard window is open.

Click Tools menu and select Windows PowerShell.

Step 2
To add the AD Certificate Services and Certification Authority Web Enrollment
features, type the following command:

Add-WindowsFeature -Name ADCS-Cert-Authority,ADCS-Web-Enrollment -IncludeManagementTools

Press Enter.

Figure 1.8 Screenshot of PLABDM01: A command is entered to install AD certificate services.

Step 3
Please wait while installation of the selected Windows features is in progress. This will
take a few minutes.

Important: You may encounter a lag of about 2 minutes while the features are being
installed. Installation may seem to have frozen or stopped processing. Should this
happen, click inside the Windows PowerShell window and press Enter to refresh the
screen.

Step 4
Windows PowerShell confirms the successful installation of the Active Directory
Certificate Services and Certification Authority Web Enrollment features.

Keep Windows PowerShell window open.

Figure 1.9 Screenshot of PLABDM01: Windows PowerShell indicates a successful installation of AD Certificate services.

Task 4 - Install AD Certificate Subordinate CA and CA Web Enrollment Service

In the earlier task, you only added the AD Certificate Services and CA Web
Enrollment role services using Windows PowerShell. They still have to be installed and
configured with their respective settings before the subordinate CA can issue
certificates to a requesting user, computer or service.

To install subordinate CA and CA Web Enrollment, perform the following steps:

Step 1
The root or parent CA in PLABDC01 must be reachable on the network to ensure a
successful deployment of a subordinate CA.


On PLABDM01, Windows PowerShell is open.

To install the subordinate CA of PRACTICELABS-PLABDC01-CA, type the following
command:

Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -ParentCA plabdc01.practicelabs.com\PRACTICELABS-PLABDC01-CA

Press Enter.

On the next prompt, to configure the subordinate CA with default system settings,
type:

Press Enter.

Figure 1.10 Screenshot of PLABDM01: Windows PowerShell displays a prompt to confirm the installation of AD Certificate services.

Step 2
Windows PowerShell confirms the successful installation of the subordinate CA, as it
displayed an ErrorId of “0.”

In the next prompt, to configure AD Certificate Web Enrollment type the following
command:

Install-AdcsWebEnrollment

Press Enter.


On the next prompt, type:

Press Enter.

Figure 1.11 Screenshot of PLABDM01: A command is entered to confirm the installation of AD Certificate services.

Step 3
As before, Windows PowerShell will display ErrorId “0” indicating a successful
installation.

Minimize Windows PowerShell window.

Figure 1.12 Screenshot of PLABDM01: Windows PowerShell indicates a successful installation of the AD Certificate services.

Step 4
To verify that subordinate CA is working, in Server Manager > Dashboard
window, click Tools menu and select Certification Authority.

Step 5
In the Certification Authority window, click then expand PRACTICELABS-
PLABDM01-CA node.

Then right-click PRACTICELABS-PLABDM01-CA and select Properties.

Figure 1.13 Screenshot of PLABDM01: Certification Authority window is displayed.

Step 6
In the PRACTICELABS-PLABDM01-CA Properties dialog box, from the
General tab, click View Certificate.

Figure 1.14 Screenshot of PLABDM01: The PRACTICELABS-PLABDM01-CA Properties dialog box is displayed.

Step 7
In the Certificate dialog box, click Certification Path folder tab.

Step 8
The Certification Path tab displays the relationship between PRACTICELABS-
PLABDC01-CA which is the Root or Parent CA with PRACTICELABS-
PLABDM01-CA which is the Subordinate CA.

Click OK to close Certificate dialog box.

Similarly, click OK to close PRACTICELABS-PLABDM01-CA dialog box.


Then minimize Certification Authority window.

Figure 1.15 Screenshot of PLABDM01: The Certificate dialog box is displayed.
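As an added example that is not part of the Practice Labs guide, the following PowerShell performs Tasks 1 to 4 non-interactively and with explicit CA parameters instead of the defaults, then verifies both CAs. The host names, CA names and the parent CA path are taken from the lab; the key length, hash algorithm, validity period and the output file name are this example's own assumptions. One caveat the lab does not state: it places the root CA on the domain controller for convenience, whereas in a production PKI the root CA is kept offline and separate from domain controllers, and only the subordinate CA issues end-entity certificates.

```powershell
# Added example (not the Practice Labs guide's own steps): build the two-tier
# lab PKI with explicit settings and verify it. Host and CA names are the lab's;
# key length, hash, validity and file names are this example's choices.

# ---------- Run on PLABDC01: Enterprise Root CA ----------
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Explicit parameters: 4096-bit RSA key in the software KSP, SHA-256 signatures,
# 10-year CA certificate. -Force suppresses the interactive Y/N confirmation
# the lab answers by hand.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'PRACTICELABS-PLABDC01-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

Install-AdcsWebEnrollment -Force

# Checks: the service is running, the CA answers RPC requests, and it reports
# itself as an Enterprise Root CA.
Get-Service CertSvc | Select-Object Status, Name
certutil -ping
certutil -cainfo type

# ---------- Run on PLABDM01: Enterprise Subordinate CA ----------
# The root CA must be reachable; the subordinate's certificate request is sent
# to it over RPC and, because the User/SubCA templates auto-issue to an
# enterprise admin, comes back signed immediately.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# No -ValidityPeriod here: a subordinate CA's certificate lifetime is decided by
# the parent CA, not by the requester.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName 'PRACTICELABS-PLABDM01-CA' `
    -ParentCA 'plabdc01.practicelabs.com\PRACTICELABS-PLABDC01-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -Force

Install-AdcsWebEnrollment -Force

# Checks: the subordinate CA certificate in the machine store must be issued by
# the root, and the chain must validate with the AIA/CDP URLs actually fetched
# (the same thing the Certification Path tab shows, but with revocation
# checking included).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=PRACTICELABS-PLABDM01-CA*' } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint

$subCaCert = Join-Path $env:TEMP 'PLABDM01-CA.cer'   # example file name
certutil -ca.cert $subCaCert
certutil -verify -urlfetch $subCaCert
```

If the last command reports that a CRL or AIA URL could not be retrieved, the subordinate CA is installed but clients will fail revocation checks against the root's CRL; fix the root's CDP/AIA locations before enrolling end users.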

Task 5 - Disable Server Auto Login

By default, when you connect to a device in Practice Labs you are automatically logged
in - usually as the administrator. For this task, you will need to disable this feature and
log in manually.

Step 1
On the Practice Labs web page, click the Access your settings tab.

Under the Device heading there is an option named Server auto login, click the
Disable button.

Please note that this Server auto login setting is saved in your profile and will apply
in EVERY lab session that you will perform with Practice Labs.

At a later time, you can set the Server auto login back to Enable if you want to log
in to your devices automatically in the succeeding exercises.

Task 6 - Request user certificate from subordinate CA

To request a certificate from a subordinate CA, perform the following steps:

Step 1
Connect to PLABWIN10.

If the PRACTICELABS\administrator account is signed in, right-click Start, point to
Shut down or sign out and select Sign out.

Step 2
Connect again to PLABWIN10.

In the sign-on screen, click Other user.

Step 3
Click in the Username text box, type:

matthew.bernstein

Click in the Password text box, type:

Passw0rd
Press Enter.

Figure 1.16 Screenshot of PLABWIN10: The Windows logon screen is displayed.

Step 4
Click Agree when presented with the BGInfo License Agreement message box.

If the Application Install - Security Warning message box appears, click the [x]
Close button.

Step 5
When signed on, right-click Start and from the shortcut menu, select Run.

Figure 1.17 Screenshot of PLABWIN10: The Start button shortcut menu is displayed.

Step 6
In the Run dialog box, type:

mmc

Press Enter.

Step 7
In the Console1 window, click File menu and select Add/Remove Snap-in.


Figure 1.18 Screenshot of PLABWIN10: The Console1 window is displayed.

Step 8
In the Add or Remove Snap-in dialog box, under the Available snap-ins box,
click Certificates and click Add.

Figure 1.19 Screenshot of PLABWIN10: The Add or Remove Snap-ins dialog box is displayed.

Step 9
In the Add or Remove Snap-ins dialog box, you have added the Certificates
-Current User snap-in.

Click OK.

Step 10
Because the Certificate Authority (CA) servers were installed only a short time ago,
PLABWIN10 has not yet picked up the information that AD CS publishes in Active
Directory (the enterprise root CA certificate and the enrollment services entries,
which domain members receive at Group Policy refresh), so the enrollment wizard
would not yet find the CAs.

Therefore, you need to restart PLABWIN10.


Before restarting, you need to save Console1.

In the Console1 window, click File menu and select Save.

Figure 1.20 Screenshot of PLABWIN10: The Console1 window is displayed.

Step 11
In the Save As dialog box, click Desktop.

Keep the File name as it is.

Click Save.


Figure 1.21 Screenshot of PLABWIN10: The Save As dialog box is displayed.

Step 12
Close Console1 window.

Right-click Start on the taskbar, point to Shut down or sign out and select Restart
or Update and restart - whichever command is available to restart this computer.

Figure 1.22 Screenshot of PLABWIN10: The Start button shortcut menu is displayed.

Step 13
Please wait for 5 minutes before reconnecting back to PLABWIN10. This will give the
said device sufficient time to install any pending updates and complete its restart.

Step 14
After 5 minutes, connect to PLABWIN10.

On the sign-on page, click Other user.

Step 15
In the Username text box, type:

matthew.bernstein

In the Password text box, type:

Passw0rd
Press Enter.

Step 15
When signed on, launch Console1 from the desktop.

Click Yes if the User Account Control message box appears.

Step 16
In the Console1 window, expand Certificates - Current User and click Personal.

Right-click Personal, point to All Tasks and select Request New Certificate.

Figure 1.23 Screenshot of PLABWIN10: The Start button shortcut menu is displayed.

Step 17
The Certificate Enrollment window opens.

In the Before you begin page, click Next.

Step 18
In the Select Certificate Enrollment Policy page, click Next.

Step 19
In the Request Certificates page, select User check box.


Then click down arrow beside the Details button to expand it.

Click Properties.

Figure 1.24 Screenshot of PLABWIN10: The Request Certificates page is displayed with the corresponding settings.

Step 20
In the Certificate Properties dialog box, click Certification Authority tab.

Step 21
Under the Certification Authority tab, notice the two CA servers that were installed
earlier.

Clear PRACTICELABS-PLABDC01-CA check box.

Clearing this check box means that only PRACTICELABS-PLABDM01-CA, the subordinate
CA, remains selected, so it is the CA that will issue the user certificate for Matthew
Bernstein.

Click OK.

Figure 1.25 Screenshot of PLABWIN10: The Certificate Properties dialog box is displayed.

Step 22
Back in the Request Certificates page, click Enroll.

Figure 1.26 Screenshot of PLABWIN10: The Request Certificates page is displayed.

Step 23
There will be a momentary pause while the enrollment for the user is being processed.

The Certificate Installation Results page then indicates STATUS: Succeeded.

Click Finish.

Figure 1.27 Screenshot of PLABWIN10: The Certificate Installation Results page is displayed.

Step 24
Back in Console1 window, under Certificates - Current User node > Personal,
click Certificates folder.

In the details pane at the right, notice the certificate issued to Matthew Bernstein by
PRACTICELABS-PLABDM01-CA which is the subordinate CA in the domain.

Minimize Console1 window.

Figure 1.28 Screenshot of PLABWIN10: The Console1 window is displayed with the new user certificate.

Keep all devices powered on in their current state and proceed to the next
exercise.

Exercise 2 - Configure Certificate Revocation Lists (CRLs)
All certificates issued by a certification authority are recorded in the Issued
Certificates folder of the Certification Authority (CA) console. A Certificate
Revocation List (CRL) is a signed list, published by the CA, of certificates that have
been revoked before their expiry date because of a security-related event identified
by the CA administrator, for example when the computer that holds the certificate is
stolen or a user loses a smart card. Relying parties download the CRL from the CRL
distribution points (CDPs) named in each certificate. On Windows these are normally
an HTTP location served by IIS, reachable by any computer with a web browser and a
network connection, and, for an enterprise CA, an LDAP location in Active Directory.

When an administrator revokes a user certificate, for whatever reason, the CA records
the revocation in its database and includes the certificate in the next CRL it
publishes, so that the certificate cannot be reused. The revocation only takes effect
for relying parties once they obtain that new CRL: until a client's cached CRL expires
or is refreshed, a revoked certificate is still accepted. In a large network this is why
the CRL publication interval and the reachability of the CRL distribution points
matter; a revoked certificate that the CDPs do not advertise can still be used to
access network resources.

In this exercise, you will configure certificate revocation lists in Certificate Services.

To learn more about setting up Certificate Revocation Lists among certificate authority
servers, please refer to your course material or use your preferred search engine to
research this topic in more detail.

Task 1 - Change CRL Properties

In this task, you will change the CRL properties to see how certification authorities
propagate information about revoked certificates in the organization.

To change the CRL properties, perform the following steps:

Step 1
Connect to PLABDC01.

Restore Certification Authority console which you minimized earlier.

Step 2
In the Certification Authority console, under PRACTICELABS-PLABDC01-CA
node, right-click Revoked Certificates and select Properties.

Figure 2.1 Screenshot of PLABDC01: The Certification Authority window is displayed.

Step 3
The Revoked Certificates Properties dialog box is open.

You will now change the CRL publication interval to lower values to see how CRLs
work between CA servers.

Under CRL Publishing Parameters tab, in the CRL publication interval box,
type:


Then change the units to Hours.

Verify that Publish Delta CRLs check box is selected.

In the Publication interval section, change the value to:

30

Change the units to Minutes.

Click Apply.

Then click the View CRLs folder tab.

Figure 2.2 Screenshot of PLABDC01: The Revoked Certificates Properties dialog box is displayed.


Step 4
In the View CRLs folder tab, notice the current date and time displayed as a result of
the change in the value introduced in the previous step.

Click OK.

Figure 2.3 Screenshot of PLABDC01: The Revoked Certificates Properties dialog box is displayed.

Step 5
Connect to PLABDM01.

Restore the Certification Authority console window if it is not yet open.

In the Certification Authority window, right-click the Revoked Certificates folder
and select Properties.

Figure 2.4 Screenshot of PLABDM01: The Certification Authority window is displayed.

Step 6
You will apply the same CRL settings as configured earlier in PLABDC01 CA server.

The Revoked Certificates Properties dialog box is open.

You will now change the CRL publication interval to lower values to see how CRLs
work between CA servers.

Under CRL Publishing Parameters tab, in the CRL publication interval box,
type:


Then change the units to Hours.

Verify that Publish Delta CRLs check box is selected.

In the Publication interval section, change the value to:

30

Change the units to Minutes.

Click Apply.

Click View CRLs folder tab.

Figure 2.5 Screenshot of PLABDM01: The Revoked Certificates Properties dialog box is displayed.

Step 7
In the View CRLs folder tab, the date and time settings are displayed as a result of the
change in CRLs.

Click OK.

Keep Certification Authority console window open.

Figure 2.6 Screenshot of PLABDM01: The Revoked Certificates Properties dialog box is displayed.

Task 2 - Revoke Issued Certificate

In this task, you will revoke the certificate issued to a user named Matthew Bernstein.

Step 1
On PLABDM01, the Certification Authority console window is open.

Expand PRACTICELABS-PLABDM01-CA node and click Issued Certificates.

In the details pane at the right, notice the user certificate that was issued earlier to
Matthew Bernstein.

Figure 2.7 Screenshot of PLABDM01: The Certification Authority dialog box is displayed.

Step 2
Right-click on the certificate issued to Matthew Bernstein, point to All Tasks and
select Revoke Certificate.

Figure 2.8 Screenshot of PLABDM01: The Certification Authority is displayed with a certificate to be revoked.

Step 3
In the Certificate Revocation dialog box, access the Reason code drop-down list
and select Certificate Hold and then click Yes to proceed.

A Certificate Hold reason is a temporary suspension; it is useful when, for example,
the user has gone on extended leave and will report back to the organization at a
later date.

Note: Certificate Hold is the only reason code that can later be undone by the
administrator (unrevoked). Any other reason code is permanent.

Figure 2.9 Screenshot of PLABDM01: The Certificate Revocation dialog box is displayed.

Step 4
On the Certification Authority console window, notice that the certificate issued to
Matthew Bernstein is not available anymore.

Click Revoked Certificates folder.

Matthew Bernstein’s certificate is now moved to Revoked Certificates folder.

A certificate that was revoked for reasons of “Certificate Hold” can be unrevoked.

Right-click the user certificate and point to All Tasks and select Unrevoke
Certificate.

Figure 2.10 Screenshot of PLABDM01: The Certification Authority is displayed and shows how to unrevoke a certificate.

Step 5
Notice that the certificate was removed from Revoked Certificates folder.

Click Issued Certificates folder.

Figure 2.11 Screenshot of PLABDM01: The Certification Authority console window is displayed.

Step 6
The Issued Certificates folder now contains Matthew Bernstein’s user certificate.

To revoke the certificate, right-click again on the certificate and point to All Tasks >
Revoke Certificate.

Figure 2.12 Screenshot of PLABDM01: The Certification Authority console window is displayed and a certificate is to be revoked.

Step 7
In the Certificate Revocation dialog box, access the Reason code drop-down list
and select Key Compromise.

Click Yes.

Figure 2.13 Screenshot of PLABDM01: The Certificate Revocation dialog box is displayed.

Step 8
As before, the issued certificate will be moved to Revoked Certificates folder.

Click Revoked Certificates folder.

Step 9
In the Revoked Certificates folder, right-click the certificate and point to All Tasks
and select Unrevoke Certificate.

Figure 2.14 Screenshot of PLABDM01: The Certification Authority is displayed and shows how to unrevoke a certificate.

Step 10
In the Microsoft Active Directory Certificate Services message box, the system
indicates that it was unable to unrevoke the certificate because of the reason code that
was selected earlier.

Click OK.

Keep Certification Authority console window open.

Figure 2.15 Screenshot of PLABDC01: The Microsoft Active Directory Certificate Services message box is displayed, indicating that a cancelled certificate could not be unrevoked.

Task 3 - Publish CRL

In this task, you will publish the revoked certificates to other CA servers. To publish
CRL to other CA servers, perform the following steps:

Step 1
On PLABDM01, the Certification Authority window is open.

Right-click on Revoked Certificates folder and point to All Tasks and select
Publish.

Figure 2.16 Screenshot of PLABDC01: The Certification Authority is displayed and shows how to publish Revoked Certificates.

Step 2
In the Publish CRL dialog box, verify that New CRL option button is selected.

This is the first time a CRL will be published. Therefore this option is the logical
choice.

Click OK.

Figure 2.17 Screenshot of PLABDC01: The Publish CRL dialog box is displayed.

Step 3
Right-click on Revoked Certificates folder and select Properties.

Figure 2.18 Screenshot of PLABDC01: The Certification Authority console window is displayed.

Step 4
The CRL Publishing Parameters tab displays the publication interval for New CRL
and Delta CRLs (recent updates of revoked certificates).

Click View CRLs tab.

Figure 2.19 Screenshot of PLABDC01: The Revoked Certificates Properties dialog box is displayed.

Step 5
The View CRLs tab displays publication status of CRLs.

Click View CRL.

Figure 2.20 Screenshot of PLABDC01: The Revoked Certificates Properties dialog box is displayed.

Step 6
The Certificate Revocation List dialog box displays information about the newly
created CRL.

Click OK.

Similarly, click OK on the Revoked Certificates Properties dialog box.

Keep the Certification Authority console window open.

Figure 2.21 Screenshot of PLABDC01: The Certificate Revocation List dialog box is displayed.
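The console steps in Task 2 (revoke, then attempt to unrevoke) and Task 3 (publish the CRL) can also be scripted. The following PowerShell script is an added example and is not part of the Practice Labs exercise: it revokes a certificate by serial number with a chosen reason code, publishes a new base CRL with certutil -CRL, confirms that the serial now appears in the published CRL file, and then shows why the reason code matters, since certutil refuses to unrevoke anything except a certificate placed on Certificate Hold. The serial number is a placeholder you supply (copy it from the Issued Certificates view), and the CRL path assumes the default CertEnroll publishing folder on the CA host.

```powershell
# Added example, not part of the Practice Labs exercise.
# Run from an elevated PowerShell prompt on the CA host (PLABDC01 in the lab).
# $SerialNumber is a placeholder; take it from the Issued Certificates view.

param(
    [Parameter(Mandatory)] [string] $SerialNumber,
    [ValidateSet('KeyCompromise', 'CertificateHold')] [string] $Reason = 'CertificateHold'
)

# Reason codes accepted by "certutil -revoke" (see: certutil -revoke -?).
# Only a certificate revoked with reason 6 (Certificate Hold) can be unrevoked
# later with -1; reason 1 (Key Compromise), used in Task 2 Step 7, is permanent.
$ReasonCode = @{ KeyCompromise = 1; CertificateHold = 6; Unrevoke = -1 }

function Invoke-CertUtil {
    # Runs certutil.exe and returns its exit code together with the captured text.
    param([string[]] $Arguments)
    $text = & certutil.exe @Arguments
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($text -join "`n") }
}

function Set-CaRevocation {
    # Revoke (reason 1 or 6) or unrevoke (-1) the certificate with this serial number.
    param([string] $Serial, [int] $Code)
    Invoke-CertUtil -Arguments @('-revoke', $Serial, $Code)
}

function Publish-CaCrl {
    # Same operation as Revoked Certificates > All Tasks > Publish > New CRL.
    Invoke-CertUtil -Arguments @('-CRL')
}

function Get-BaseCrlPath {
    # Default publish location of the CA's own CRL files; delta CRLs carry a '+' suffix.
    $dir = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
    Get-ChildItem -Path $dir -Filter '*.crl' |
        Where-Object { $_.Name -notlike '*+.crl' } |
        Select-Object -First 1 -ExpandProperty FullName
}

function Test-SerialInCrl {
    # Decodes the CRL with "certutil -dump" and looks for the serial among its entries.
    param([string] $Serial, [string] $CrlPath)
    $dump = (Invoke-CertUtil -Arguments @('-dump', $CrlPath)).Output
    $wanted = ($Serial -replace '\s', '').ToLowerInvariant()
    ($dump -replace '\s', '').ToLowerInvariant().Contains("serialnumber:$wanted")
}

# --- Worked run ---------------------------------------------------------------
$revoke = Set-CaRevocation -Serial $SerialNumber -Code $ReasonCode[$Reason]
if ($revoke.ExitCode -ne 0) { throw "Revocation failed:`n$($revoke.Output)" }
Write-Host "Revoked $SerialNumber with reason $Reason ($($ReasonCode[$Reason]))."

$publish = Publish-CaCrl
if ($publish.ExitCode -ne 0) { throw "CRL publish failed:`n$($publish.Output)" }

$crl = Get-BaseCrlPath
$listed = Test-SerialInCrl -Serial $SerialNumber -CrlPath $crl
Write-Host ("Serial listed in {0}: {1}" -f $crl, $listed)

# Attempt the unrevoke: it succeeds only when the certificate was placed on hold.
$undo = Set-CaRevocation -Serial $SerialNumber -Code $ReasonCode.Unrevoke
if ($undo.ExitCode -eq 0) {
    Write-Host 'Unrevoke succeeded (certificate was on Certificate Hold).'
} else {
    Write-Host "Unrevoke refused, as expected for $Reason (exit code $($undo.ExitCode))."
}
```

Running the script with -Reason KeyCompromise reproduces the message box seen in Task 2 Step 10 from the command line: the revocation is listed in the CRL and the unrevoke attempt is refused. Run it with the default Certificate Hold reason and the unrevoke succeeds, which is why Certificate Hold is the reason to choose when a certificate may need to be reinstated; a second certutil -CRL after the unrevoke publishes the updated list.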

Keep the devices you have powered on in their current state and proceed to the
next exercise.

Exercise 3 - Backup and Restore of Active Directory Certificate Services
If Certificate Services fails to start on the server, no certificate can be issued to a user
or computer and certificate revocation lists (CRLs) cannot be published among CA
servers in the network. It is essential that you become familiar with different ways to
back up and restore AD Certificate Services.

To learn more about backing up and restoring AD Certificate Services, please refer to
your course material or use your preferred search engine to research this topic in more
detail.

Task 1 - Manual Backup using AD Certificate snap-in

To do a manual backup of AD Certificate services, perform the following steps:

Step 1
Connect to PLABDC01.

Since Server auto login was disabled earlier, you may be asked to sign back in.

If asked for credentials, the username is PRACTICELABS\administrator.

The password is:

Passw0rd
Press Enter.

Step 2
When signed in, launch File Explorer from the taskbar.

Navigate to Local Disk C drive.

Create two folders called BackupCA1 and BackupCA2.

Figure 3.1 Screenshot of PLABDC01: File Explorer window is displayed with the newly created folders.

Step 3
Restore Server Manager from taskbar.

In the Server Manager > Dashboard window, click Tools menu and select
Certification Authority.

Step 4
Right-click on PRACTICELABS-PLABDC01-CA and choose All Tasks > Back up CA.

Figure 3.2 Screenshot of PLABDC01: The Certification Authority window is displayed and the Back up CA command is selected.

Step 5
In the Welcome to the Certification Authority Backup Wizard page, click
Next.

Step 6
In Items to Back Up page, check the following boxes:

Private key and CA certificate
Certificate database and certificate database log

Click Back up to this location text box and type:

c:\BackupCA1

Choose Next.

Figure 3.3 Screenshot of PLABDC01: The Certification Authority Backup Wizard - Items to Back Up page is displayed.

Step 7
To protect the keys from being restored by non-authorised users, a password must be
set.

In the Select a Password page, in the Password and Confirm password text
boxes, type:

Passw0rd

Click Next.

Figure 3.4 Screenshot of PLABDC01: The Select a Password page is displayed and the required password is entered.

Step 8
When Completing the Certification Authority Backup Wizard page appears,
click Finish to proceed with the backup.

Figure 3.5 Screenshot of PLABDC01: The Completing the Certification Authority Backup Wizard page is displayed with a summary of settings.

Step 9
The backup process message box will display momentarily and close itself when it is
successfully completed.

Step 10
When the backup is complete, launch File Explorer from the taskbar.

Navigate to Local Disk C drive then click the BackupCA1 folder.

Notice the DataBase folder and private key are saved in the folder.

Close File Explorer window.

Then minimize Certification Authority console window.

Figure 3.6 Screenshot of PLABDC01: File Explorer window is displayed showing the backed up certification authority components.

Step 11
If time permits, perform the same task of backing up the enterprise subordinate CA in
PLABDM01 server.

Please note that you first need to create a destination folder in PLABDM01 where the
backup files will be saved.

Connect to PLABDM01 server, then perform Step 3 to Step 9 to back up the
Certificate service.

Task 2 - Backing up using Certutil

Another method to back up the keys of a Certification Authority server is via the
command line, using the certutil.exe tool.

To use certutil command to back up Certification Authority, do the following steps:

Step 1
Connect to PLABDC01.

Right-click Start button and select Command Prompt (Admin) from the shortcut
menu.

Step 2
In the command prompt window, type the following command:

certutil -backup c:\BackupCA2

Press Enter.

In the Enter new password and Confirm new password prompts, type:

Passw0rd
Press Enter.

Figure 3.7 Screenshot of PLABDC01: The Command Prompt window is displayed, showing the certutil backup command with the password entered.

Step 3
The backup is successfully completed.

Keep the command prompt window open.

Figure 3.8 Screenshot of PLABDC01: File Explorer window is displayed showing the backed up certification authority components.

Step 4
After the keys and database have been backed up, you also need to export the
configuration of CA server.

In the next prompt, type the following command:

reg export "HKLM\System\CurrentControlSet\Services\CertSvc\Configuration" c:\BackupCA2\CAConfig.reg

Press Enter.

Figure 3.9 Screenshot of PLABDC01: Command prompt window shows the command to back up certificate configuration settings.

Step 5
The backup of the configuration is successfully completed.

Close the command prompt window.

Figure 3.10 Screenshot of PLABDC01: Command prompt window indicates a successful operation.

Step 6
Launch File Explorer from the taskbar.

Verify that the CAConfig registration file is saved in the target folder called
c:\BackupCA2.

Minimize File Explorer window.

Figure 3.11 Screenshot of PLABDC01: File Explorer window is displayed showing the backed up certification authority components.
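Task 1 (the Backup Wizard) and Task 2 (certutil plus reg export) produce the same set of files. The PowerShell script below is an added example, not part of the Practice Labs exercise: it scripts the certutil backup of the CA private key, CA certificate, database and log, exports the CertSvc registry configuration next to them, and then checks that every artefact the Restore Wizard expects is actually present. The backup path and password are parameters (the lab uses c:\BackupCA2 and Passw0rd); the icacls step that restricts the backup folder to Administrators and SYSTEM is an addition the lab does not show, included because the .p12 file in that folder contains the CA's private key.

```powershell
# Added example, not part of the Practice Labs exercise.
# Run from an elevated PowerShell prompt on the CA host (PLABDC01 in the lab).

param(
    [string] $BackupDir = 'C:\BackupCA2',
    [Parameter(Mandatory)] [securestring] $Password
)

$ErrorActionPreference = 'Stop'
$regKey = 'HKLM\System\CurrentControlSet\Services\CertSvc\Configuration'

function Backup-CaService {
    param([string] $Dir, [string] $PlainPassword)

    # Start from a clean folder so files from an earlier backup are not mixed in.
    if (Test-Path $Dir) { Remove-Item $Dir -Recurse -Force }
    New-Item -ItemType Directory -Path $Dir | Out-Null

    # Task 2 Step 2 equivalent: key, CA certificate, database and log;
    # -p supplies the password the interactive command prompts for.
    & certutil.exe -p $PlainPassword -backup $Dir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

    # Task 2 Step 4 equivalent: export the CA configuration (/y overwrites silently).
    & reg.exe export $regKey (Join-Path $Dir 'CAConfig.reg') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # Addition: the .p12 holds the CA private key, so replace inherited permissions
    # with an explicit grant to Administrators and SYSTEM only.
    & icacls.exe $Dir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Test-CaBackup {
    # Reports which of the expected artefacts exist: <CA name>.p12 in the root,
    # <CA name>.edb under DataBase, and the exported CAConfig.reg.
    param([string] $Dir)
    $keyFile  = Get-ChildItem -Path $Dir -Filter '*.p12' -ErrorAction SilentlyContinue
    $database = Get-ChildItem -Path (Join-Path $Dir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
    $config   = Test-Path (Join-Path $Dir 'CAConfig.reg')
    [pscustomobject]@{
        PrivateKeyAndCert = [bool] $keyFile
        Database          = [bool] $database
        RegistryConfig    = $config
        Complete          = ([bool] $keyFile) -and ([bool] $database) -and $config
    }
}

# certutil takes the password as plain text on its command line, so unwrap the
# SecureString only at the point of use.
$plain = [pscredential]::new('unused', $Password).GetNetworkCredential().Password

Backup-CaService -Dir $BackupDir -PlainPassword $plain
Test-CaBackup -Dir $BackupDir | Format-List
```

The Complete field of the final output is the check worth automating: a backup that is missing the registry export will restore the database and key on the same server, but it cannot rebuild the CA's configuration (CRL periods, publication URLs, templates) on a replacement server.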

Task 3 - Restore Certificate Services

To restore Certificate Services, perform the following steps:

Step 1
On PLABDC01, click Certificate Authority console from the taskbar to restore it.

Step 2
In the Certification Authority console window, right-click PRACTICELABS-
PLABDC01-CA, point to All Tasks and select Restore CA.

Figure 3.12 Screenshot of PLABDC01: The Certification Authority window shows how to restore a backup.

Step 3
In the Certification Authority Restore Wizard message box, click OK.

Figure 3.13 Screenshot of PLABDC01: The Certification Authority Restore Wizard message box is displayed.

Step 4
In the Welcome to the Certification Authority Wizard page, click Next.

Step 5
In the Items to Restore page, select Private key and CA certificate and
Certificate database and certificate database log check boxes.

In the Restore from this location text box, type:

C:\BackupCA1

Click Next.

Figure 3.14 Screenshot of PLABDC01: The Items to Restore page is displayed with the required settings selected.

Step 6
In the Provide Password page, in the Password text box, type:

Passw0rd
Click Next.

Figure 3.15 Screenshot of PLABDC01: The Provide Password page is displayed and a password is entered.

Step 7
In the Completing the Certification Authority Restore Wizard page, a
summary of settings is displayed.

Click Finish.

Figure 3.16 Screenshot of PLABDC01: The Completing the Certification Authority Restore Wizard page is displayed with a summary of settings.

Step 8
The restore progress will briefly display.

In the Certification Authority Restore Wizard message box, click Yes.

Figure 3.17 Screenshot of PLABDC01: The Completing the Certification Authority Restore Wizard message box is displayed.

Step 9
The Active Directory Certificate services will be successfully started.

Minimize Certification Authority console window.

Figure 3.18 Screenshot of PLABDC01: The Certification Authority window is displayed.

Task 4 - Restore CA using certutil

Certutil.exe is the alternative to using the Certification Authority console to restore the
CA service.

To restore the CA server using certutil, perform the following steps:

Step 1
On PLABDC01, right-click Start button and select Command Prompt (Admin)
from shortcut menu.

Step 2
To stop the Certification Authority service, type:

net stop certsvc

Press Enter.

Step 3
Please wait while the Active Directory Certificate Services is stopping.

After a few seconds the service will be stopped successfully.

Figure 3.19 Screenshot of PLABDC01: A command is entered to stop Certificate Services.

Step 4
On the next prompt, to use certutil.exe to restore the CA server, type the following
command:

cd\

Press Enter.

certutil -f -v -restore c:\BackupCA2

Press Enter.

When prompted for the PFX password, type:

Passw0rd
Press Enter.

Figure 3.20 Screenshot of PLABDC01: The command prompt window prompts for a password.

Step 5
You get a confirmation that the restoration of the Certificate Services was successfully
completed.

On the next prompt, type:

net start certsvc

Press Enter.

Figure 3.21 Screenshot of PLABDC01: The command prompt confirms the successful execution of a command.

Step 6
The Active Directory Certificate Services is successfully started.

Figure 3.22 Screenshot of PLABDC01: The command prompt confirms the successful execution of a command.
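The six steps of Task 4 form one procedure: stop the service, restore from the certutil backup, start the service. The PowerShell script below is an added example, not part of the Practice Labs exercise, that runs that procedure end to end and then verifies the result with certutil -ping rather than trusting the service state alone. The backup path and password are parameters (the lab uses c:\BackupCA2 and Passw0rd). The optional -ImportRegistryConfig switch re-imports the CAConfig.reg produced in Task 2; the lab never needs it because it restores onto the same server, and the assumption that the export lives beside the backup files is mine.

```powershell
# Added example, not part of the Practice Labs exercise.
# Run from an elevated PowerShell prompt on the CA host (PLABDC01 in the lab).

param(
    [string] $BackupDir = 'C:\BackupCA2',
    [Parameter(Mandatory)] [securestring] $Password,
    [switch] $ImportRegistryConfig
)

$ErrorActionPreference = 'Stop'

function Invoke-Native {
    # Runs a native command and throws on a non-zero exit code, returning its output.
    param([string] $Exe, [string[]] $Arguments)
    $text = & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed ($LASTEXITCODE):`n$($text -join "`n")"
    }
    $text
}

function Restore-CaService {
    param([string] $Dir, [string] $PlainPassword, [bool] $ImportConfig)

    if (-not (Get-ChildItem -Path $Dir -Filter '*.p12')) {
        throw "No CA key file (.p12) found in $Dir; nothing to restore."
    }

    # Task 4 Step 2: the certificate database is locked while certsvc runs.
    Stop-Service -Name certsvc
    (Get-Service -Name certsvc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    # Task 4 Step 4: -f overwrites the existing database, -v is verbose,
    # -p supplies the PFX password the interactive command prompts for.
    Invoke-Native -Exe 'certutil.exe' -Arguments @('-f', '-v', '-p', $PlainPassword, '-restore', $Dir) | Out-Null

    if ($ImportConfig) {
        # Counterpart of the "reg export" in Task 2 Step 4. Assumption: CAConfig.reg
        # sits beside the backup files. Only needed when rebuilding on a new server.
        Invoke-Native -Exe 'reg.exe' -Arguments @('import', (Join-Path $Dir 'CAConfig.reg')) | Out-Null
    }

    # Task 4 Step 5
    Start-Service -Name certsvc
    (Get-Service -Name certsvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

function Test-CaOnline {
    # "certutil -ping" talks to the CA's request interface, so success means the
    # restored CA is accepting requests, not merely that the process is running.
    try { Invoke-Native -Exe 'certutil.exe' -Arguments @('-ping') | Out-Null; $true }
    catch { $false }
}

# Unwrap the SecureString only at the point of use; certutil needs plain text.
$plain = [pscredential]::new('unused', $Password).GetNetworkCredential().Password

Restore-CaService -Dir $BackupDir -PlainPassword $plain -ImportConfig $ImportRegistryConfig.IsPresent
Write-Host ("CA online after restore: {0}" -f (Test-CaOnline))
```

Stopping the service before certutil -restore is not optional: with certsvc running the database files are held open and the restore fails, which is why Task 4 begins with net stop certsvc. Keep the backup password separate from the administrator credentials in real deployments; in the lab both are Passw0rd for convenience only.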

Task 5 - Enable Server Auto Login

By default, when you connect to a device in Practice Labs you are automatically logged
in - usually as the administrator. For this task, you will need to re-enable this feature
and so you will be logged in automatically in the next exercise.

Step 1
On the Practice Labs web page, click the Access your settings tab.

Under the Device heading there is an option named Server auto login, click the
Enable button.

Result - You have successfully completed the essential tasks for installing and configuring Enterprise Root CA.

Shutdown all virtual machines used in this lab by using the power functions
located in the Tools bar, before proceeding to the next module. Alternatively, you
can log out of the lab platform.

Summary
You have successfully completed the following exercises in this module:

Install AD Certificate Services
Configure Certificate Revocation Lists (CRLs)
Backup and Restore of Active Directory Certificate Services
