Active Directory Certificate Services

  • Published 11 Apr 2021
  • Installing and using Active Directory Certificate Services to create trusted Certificates in an AD Domain.

COMMENTS • 88

  • @bernicastaneda8965 · 14 days ago

    Excellent content, very well explained. Greetings from Guate!

  • @ball_soup · 1 year ago +1

    Thanks for this. Previous IT guy installed ADCS on a DC that was due for a replacement, and I ended up completely breaking the DC while removing the AD roles. I’ve been trying to figure out how to do this for a few days now and you’ve really helped out.

  • @a-hit8454 · 7 months ago +1

    Finally !!! Someone doing it right ! In every single video I've seen so far CA was being installed on the DC 😵😵

    • @ProfessorAndrew · 7 months ago

      Thank you. In a practice environment you sometimes have to work with extremely limited resources. Luckily I had multiple servers in this case.

  • @ovais83 · 2 years ago +3

    Awesome content, very clear and precise. You indeed explained it like a professor but nailed it like a rockstar! :)

  • @thecalopor · 3 years ago +2

    I am very grateful sir, you just saved my job. God, or whoever you believe in, bless you !

  • @fredrikstustad5185 · 1 year ago

    Thanks, that explained my problem getting my certificate to work (install the domain before the certificate). Now it works.

  • @DigsWigs2022 · 2 years ago

    I can't believe this is free. Thank you.

  • @ShivamSharma-vv9lw · 1 year ago +1

    Amazing video you have created, a very detailed and simple explanation. Thank you, sir.

  • @sglant · 2 years ago +1

    Thank you so much. I was over-thinking my setup. I was using the wrong choice in the CSR request. Duh for me. Thanks for clarifying!!!!!!

  • @boucharayoussef5943 · 3 years ago +1

    Hey Professor, keep up the good work!

  • @raj3098 · 2 months ago

    Really nicely explained.

  • @intense0excellent · 8 months ago

    Great video!!

  • @tingtingren2267 · 2 years ago +1

    Thanks, it is a very clear explanation.

  • @ryanhindley6274 · 2 years ago +4

    Very helpful! A bit ironic that you are showing how to do Windows infrastructure from a Mac! LOL

    • @ProfessorAndrew · 1 year ago +2

      I have a much longer history with Windows than with Macs.

  • @afshinorujzade2895 · 1 month ago

    Well explained

  • @abinashkumarsinha8958 · 1 year ago

    It's a nice and wonderful explanation of how certificates work.

  • @phityaredchaowarit2031 · 1 year ago

    Thank you for this video.

  • @fabiantoro7146 · 4 months ago

    This is exactly how a live demonstration in a classroom should look. I watched your video a couple of years ago and it helped me for academic purposes. Now that I have to actually work with certificates I have a better picture. Thank you so much, you excel at explaining concepts. Just a couple of questions, if you have the time to reply: what happens if, after installing the certificates signed by the internal CA, I decide to use a different web browser such as Firefox or Chrome? Do I have to manually install the certificate on the workstation even if I have 100 computers?

  • @TheRushabhy2k · 3 months ago

    Hi Andrew Sir,
    I hope you're doing well. I wanted to check if the video mentioned above can guide me in installing it on my existing infrastructure. My main server isn't responding well, so I plan to set up another primary server and transfer the FSMO role to the secondary one. After that, I'm looking to install the AD DC certificate. Could you confirm if this is the right approach?

  • @davidtuti1 · 5 months ago

    Thanks for your tutorial. How could I get a .p12 from the .p7b certificates I downloaded?

  • @NevaranUniverse · 8 months ago

    All of the web services, or stuff like IPMI, need a private key alongside the certificate. How do you get that one? I could not find any information about it.

  • @sa77if · 2 years ago

    Thanks for the tutorial, Professor!
    Is this the same setting for authenticating the Outlook app using CBA? Are there more videos on this subject?

    • @ProfessorAndrew · 1 year ago +1

      Sorry for the late reply. That's not something I've done so I can't offer any guidance.

  • @jrmcnair1 · 8 months ago

    Thanks very much for the clear and informative video! I wanted to add that after setting all this up, the certificate I issued in my home lab for my Nginx Linux reverse proxy was failing until I added subjectAltName to the certificate request. Hopefully, this can save someone experiencing the same issue from the hours of aggravation I had!
    I did have a follow-up question. I added the CA roles to a headless VM (Windows Server 2019 Standard) and I don't get the Certificate Authority tooling as a result. I tried adding the feature to my Hyper-V host server, but it throws an error on start, and it isn't an option for the CA server. Is there a way to get the tooling working?
    Thanks again!

    • @danratsnapnames · 6 months ago

      Yes, it also depends on how headless you are. If you included PowerShell and other management tools, then it's likely just Windows Server Manager that needs to be added. Otherwise you'll have to add the dependency roles for Server Manager.

  • @user-ug8cl9pr2c · 1 year ago

    Hey Professor, thank you for your truly enlightening videos!
    As a recent graduate, I'm currently assisting an enterprise client on a private isolated network. They have Windows Server 2019 and Windows 10 workstations, and they're eager to enhance their network security and encrypt the traffic. I've configured Active Directory, user accounts, and security policies, but I'm unsure about encrypting the traffic between clients and the server. Can AD CS help in my case, and what are your recommendations? Thank you in advance for your valuable advice!

    • @ProfessorAndrew · 9 months ago +1

      Sorry for the late response. Yes AD CS can assist in this but it’s probably beyond the scope of what can be done through comments in UA-cam. Hopefully you were able to do more research and testing to find your answers.

    • @danratsnapnames · 6 months ago

      Yeah, the answer is NO. Encrypting client data purely depends on the application and protocol you're attempting to encrypt. Some require a cert, some don't. Some can use a self-signed one, some can't. It's a pretty big world when it comes to encrypted vs. non-encrypted. Some non-encrypted communications are encrypted, but just on the data layer and not the protocol layer. WinRM is a perfect example of this: it uses TLS to encrypt the data being sent over a non-encrypted HTTP protocol.

  • @tedmolavi8764 · 1 year ago

    Thanks for your informative video. Question: Are there any security concerns about installing ADCS on a DC? The DC doesn't give you any warnings when you try to do so. I have read different views on this online. Please advise. Thanks

    • @ProfessorAndrew · 1 year ago

      I would absolutely avoid putting ADCS on a DC for a number of reasons. I definitely prefer to keep services on separate servers, especially since virtualization makes it cheaper and easier to manage. In the AWS environment we use for our classes we have a limited number of servers and frequently install multiple services on the same server.

    • @danratsnapnames · 6 months ago

      Yes, don't do it. DCs are busy enough, don't give them more work. A DC should just be doing DC, nothing else. The last thing you ever want is to have a bad DC that you're trying to demote with a ton of other stuff on it, like a root CA. That would be a nightmare.

  • @bandarbandar6102 · 2 years ago

    It is a very clear explanation. Thank you, sir.
    Do we need to add the CentOS server to the DC as a member?

    • @firaschahine8484 · 2 years ago

      You can request a digital certificate for non-Windows servers using either the manual or Web-enrolment.

    • @bandarbandar6102 · 2 years ago

      @@firaschahine8484 I tried to create a certificate from IIS, but Chrome didn't accept it even though Internet Explorer accepted it. I tried on a Linux Ubuntu server with OpenSSL but it doesn't work!!

    • @ProfessorAndrew · 2 years ago

      Sorry about the delayed response. The server (running IIS or Linux) doesn't need to be a member, it just needs to get the certificate from a server that the web client trusts. In a Domain environment, the Windows computer and therefore IE will trust the Cert Server. Chrome doesn't use the Windows Trusted Certificate Server list, so the AD CS server would need to be manually added.

  • @klassebip2934 · 1 year ago

    I followed your part, but each time, for example when we try in the IE browser to go to the link that is running on XAMPP, it still says not secure. And then when viewing the certificate it is the localhost one and not the certificate. How do I change this??
    I have several virtual machines:
    dc01 (AD DS)
    dc02 (CA etc.)
    file01 (file server)
    srv-app (XAMPP running the web application)
    When we go through our network to the web application, the link is not secured.
    I have tried to import it as well via MMC on srv-app from file01; since it is a shared folder it sees the certnew ....

    • @ProfessorAndrew · 1 year ago

      Sorry for the delayed response. I'm guessing that your xampp configuration is pointing to your self-signed certificate instead of the new one you created.

  • @danratsnapnames · 6 months ago

    I know you're a professor and all, but did you choose AD integrated because you're relying on Windows integrated auth? Because you really didn't use any of the other features of AD integration, such as "Request Domain Cert" which, I may add, will handle RENEWALS for you automatically, as opposed to your manual request, which will require you to manually renew. Or am I really off base here?

    • @ProfessorAndrew · 5 months ago

      The purpose of the video is to show some basics so students can see it in use. AD integrated puts the CA in the Microsoft Browser’s trusted roots so you can see it work. Going into other features is further than we go in this class. It’s a walk before you run situation.

  • @kamarchand · 2 years ago

    Have you covered the case with Chrome and Firefox?

    • @ProfessorAndrew · 2 years ago

      They use their own certificate stores. You could individually add the CA or use a policy to configure it for all users but that's beyond the scope of what I cover in this lab.

  • @rudyfranz2717 · 1 year ago

    Good video. Next time enlarge windows for better visualization.

    • @ProfessorAndrew · 1 year ago

      Thanks for the feedback. I try to balance what I'm showing based on what type of screen the viewer will see the video on. I'll keep this in mind going forward.

  • @effoya · 2 years ago

    Our domain computers keep installing an internet certificate when they are connected outside the LAN. When they return to the LAN, the internet certificate blocks them from accessing the LAN unless you delete it. How best can I handle this?

    • @ProfessorAndrew · 2 years ago

      Sorry for the delayed response. That seems like too specific an issue to troubleshoot here.

  • @d4rky83 · 2 years ago

    Thanks a lot for that nice demonstration and explanation. :-)
    You mentioned that Firefox and Chrome use their own certificate stores. But what about Edge?
    My expectation would be that Edge clients in the same domain would also trust the domain generated certificate automatically since it is also a MS product and IE is basically dead especially since Win 11.
    Can you confirm that?

    • @ProfessorAndrew · 2 years ago

      Sorry, I don't have a system to confirm that and I try to avoid Edge as much as possible. I assume that Edge would use the Windows Certificate Store. If I have things set up at some point I'll try to verify.

    • @phungn02 · 1 year ago +1

      @@ProfessorAndrew Why would Chrome and Edge not work with the generated certificate, but only IE? What do we need to do to get Chrome and Edge to work?

    • @VargaBacsi · 1 year ago

      @@phungn02 Yes, I would like to know this as well. I started a new job about a month ago and they have it working (and I am new to AD CS). Maybe @ProfessorAndrew can answer. I will try and figure it out and report back.

    • @jayrsp1221 · 10 months ago

      @@phungn02 I'd like to ask if you have any updates on the issue with Chrome and Edge?

    • @jayrsp1221 · 10 months ago

      I think I have found a workaround for Chrome and Firefox to trust the certificate. The default certificate created in AD CS doesn't have a SAN, which is needed for validation by the browsers. You just need to manually create a certificate request through MMC (Certificates) and add an attribute for DNS, and that should work for Chrome, Edge and Firefox.
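      The SAN requirement raised here and in @jrmcnair1's comment above can also be met from the command line instead of the MMC wizard. The following is an added example, not code from the video or from either commenter: it builds a certreq INF whose [Extensions] section carries the Subject Alternative Name (OID 2.5.29.17) with DNS entries, submits the request to an AD CS enterprise CA, installs the result, and then checks that the SAN actually made it into the issued certificate. The hostnames, the CA config string and the template name are assumptions chosen for illustration.

```powershell
# Added example (not from the video or the comment thread).
# Requests a web server certificate that carries a SAN from an AD CS enterprise CA.
# All names below are assumptions for illustration; replace them with your own.
$Hostname  = 'web01.corp.example'                  # assumed server FQDN
$ShortName = 'web01'                               # assumed short name clients may also type
$CaConfig  = 'ca01.corp.example\Corp-Issuing-CA'   # assumed "<CA host>\<CA common name>"
$Template  = 'WebServer'                           # built-in AD CS Web Server template

# certreq INF. The [Extensions] block adds OID 2.5.29.17 (Subject Alternative Name).
# Modern browsers match the requested hostname against SAN DNS entries only; a
# certificate with a matching CN but no SAN is still reported as not secure.
$Inf = @"
[NewRequest]
Subject = "CN=$Hostname"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
_continue_ = "dns=$ShortName&"

[RequestAttributes]
CertificateTemplate = $Template
"@

$Inf | Set-Content -Path .\request.inf -Encoding ASCII

# 1. Generate the key pair and the CSR. Run elevated so the private key is created
#    in the machine store (MachineKeySet = TRUE) rather than the user's profile.
certreq -new .\request.inf .\request.req

# 2. Submit the CSR to the enterprise CA and retrieve the issued certificate.
certreq -submit -config $CaConfig .\request.req .\issued.cer

# 3. Install the issued certificate, binding it to the private key from step 1.
certreq -accept .\issued.cer

# 4. Verify the SAN is present before binding the certificate in IIS/Apache.
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (Resolve-Path .\issued.cer).Path
$San  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $San) { throw 'Issued certificate has no Subject Alternative Name extension' }
$San.Format($true)   # lists the DNS names a browser will match against
```

      The request succeeds only if the account running certreq has Enroll permission on the template and the template allows the subject to be supplied in the request (the default Web Server template does). If the CA returns a pending status instead of a certificate, the template requires CA manager approval and the request must be issued in the Certification Authority console before step 3.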

  • @n2201 · 6 months ago

    Sir, please use a lower resolution on your computer. I am trying to watch this video on my small-screen laptop and can't see your screen well.

    • @ProfessorAndrew · 5 months ago

      I have to balance a useful resolution with being able to show my students what they need to see. That said, I will keep this in mind for future videos.

  • @b5nj1m9n · 1 year ago

    Hey, very nice video, but I am stuck on something and I can't seem to find a solution. I am running my AD and CS services on the same server (just for testing, since my hardware resources are limited) and after following your steps I can successfully visit the site via HTTPS ON THE SERVER itself, but as soon as I try this on a computer that is joined to the domain, I get an error that the site is unsecure. I tried importing the ca.cert again into the trusted root CAs on the Windows machine, but despite that it still gives me the same error. Could you, or someone else, help me figure this out? I don't know what to do anymore. I'm pretty new to the certificate stuff as well.

    • @ProfessorAndrew · 9 months ago +1

      Sorry for the late response. On the client computer only Edge (or Internet Explorer) will use the system trusted Certs. If you are using another browser you will need to add the trusted root in that store.

  • @OLIMJON0051 · 2 years ago

    Can you teach a web server access algorithm via PKI or fingerprint?

    • @ProfessorAndrew · 1 year ago

      It's not something in my plans right now but I'll keep it in mind.

  • @OLIMJON0051 · 2 years ago

    Hi Professor

  • @SnakePlissken1 · 1 year ago

    Question: it appears the MS Certificate Service only works for clients on the domain. If I use it for the outside public internet I get a cert error?
    Does this mean we have to pay for certs?

    • @ProfessorAndrew · 1 year ago

      That is correct. The purpose of a Certificate is to prove the system you are connecting to is who they claim to be. That means the issuer of the Certificate needs to be trusted. For public systems you would need to purchase a cert from an authority that is publicly trusted.

    • @SnakePlissken1 · 1 year ago

      @@ProfessorAndrew That's one use of a CERT, the other is to provide HTTPS. So unless you are doing e-commerce, a trusted cert is really pointless. If you want to just encrypt traffic then it's needed. Most users are clueless as to how it works. To my knowledge it's not possible to write your own cert to decrypt or spy.

    • @ProfessorAndrew · 1 year ago

      @@SnakePlissken1 Public Key Certificates (X.509) include verified identity using a digital signature. The only way the identity can be trusted is if the issuer (or issuer of the issuer, or root CA, etc.) is trusted by the system viewing the certificate. Web browsers are configured to provide significant warnings (errors) when an untrusted certificate is encountered. Within a domain you can control the clients so you can configure them to trust your certificate. On a system that is not under your control you need to use a certificate that will be trusted by that system in order to avoid the errors.

    • @SnakePlissken1 · 1 year ago

      @@ProfessorAndrew As I said before, a cert does 2 things. The most important is that it allows encryption over 443. Second, it may or may not tell someone it's a valid company for e-commerce, which is debatable since anyone can pay for a stupid key. Those of us who only need to use encryption over 443 really could care less if the key comes from Joe Blow. In the USA we use Dun & Bradstreet!!! Popping up a stupid box telling users the key doesn't match is stupid. Your data is still encrypted!!!

    • @ProfessorAndrew · 1 year ago

      @@SnakePlissken1 Without being able to confirm who you're talking to, what is the point of encryption? You can be talking to Eve who is claiming to be Bob or you could be talking to Bob with Eve acting as a man in the middle. In both cases your data is encrypted but can be decrypted by Eve (the attacker). This is why Public Key certificates require trusted identity.
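      The exchange above comes down to two checks a TLS client performs before it shows a page without warnings: the certificate must chain to a root the client trusts, and the name the user typed must appear in the certificate's SAN. The function below is an added example, not code from the video or from anyone in the thread; it runs both checks against an exported server certificate using the .NET X509Chain class, the same machinery the Windows certificate store exposes to applications. A certificate presented by "Eve" with the right hostname but an untrusted issuer fails the first check; a genuine certificate reached under a hostname it was not issued for fails the second. File path and hostname in the usage line are assumptions.

```powershell
# Added example (not from the video or the comment thread).
# Evaluates an exported server certificate the way a TLS client would:
#   1. does it chain to a root trusted by THIS machine's certificate store?
#   2. does the requested hostname appear among the SAN DNS names?
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertPath,   # .cer exported from the server (DER or Base64)
        [Parameter(Mandatory)] [string] $Hostname    # the name the user types into the browser
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

    # Check 1: build the chain against the local trusted root store, checking revocation online.
    # On a domain-joined client the AD CS root arrives via Group Policy; on an unmanaged or
    # public machine it is absent, so Build() returns $false with UntrustedRoot in ChainStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Check 2: hostname match. Browsers consult SAN DNS entries only, not the Subject CN.
    # Format($false) yields e.g. "DNS Name=web01.corp.example, DNS Name=web01" on English
    # Windows; the label text is locale-dependent, which is an assumption of this parser.
    $dnsNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $dnsNames = @($sanExt.Format($false) -split ',\s*' |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    $nameOk = $dnsNames -contains $Hostname

    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        ChainTrusted     = $trusted
        ChainStatus      = if ($status) { $status } else { 'NoError' }
        SanDnsNames      = $dnsNames
        HostnameMatches  = $nameOk
        WouldBrowserWarn = -not ($trusted -and $nameOk)
    }
}

# Usage (assumed path and hostname): export the site's certificate from the browser or
# with certutil, then evaluate it from the client machine whose trust you are debugging.
Test-ServerCertificate -CertPath 'C:\temp\web01.cer' -Hostname 'web01.corp.example'
```

      Running this from the client that shows the warning, rather than from the server, matters: ChainTrusted reflects the store of the machine it runs on, which is exactly where a missing root or a browser that keeps its own store shows up as a difference between "works on the server" and "not secure on the workstation".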

  • @shajiljohn · 1 year ago

    Hey Professor, do you offer your tech expertise as a freelancer?

    • @ProfessorAndrew · 1 year ago

      I'm always willing to listen but my day job keeps me pretty busy.

    • @shajiljohn · 1 year ago

      @@ProfessorAndrew I am setting up an ADFS server and am stuck with an issue. Let me know if you can help with this.

    • @phungn02 · 1 year ago

      @@shajiljohn Do you still need help?

  • @naeemmun2781 · 2 years ago

    How do I import 3rd party certificates?

    • @ProfessorAndrew · 2 years ago +1

      From a public certificate vendor? You would need to create a CSR, submit it to the vendor, and then use the resulting certificate on your own server.

  • @OLIMJON0051 · 2 years ago

    please