Ads Top

Part 1 - Deploying Enterprise PKI on Windows Server 2012 R2 with the 2 tier hierarchy - Offline Root CA and Online Subordinate CA - Step by Step - Part 1

To cover all the scenario for ADCS, i separated the article into two parts as the following:
  1. Installing - Configuring ROOT CA as Offline - Part 1
  2. Installing - Configuring Subordinate CA as Online Issuing CA - Part 2
As mentioned in Microsoft Certification Authority Guidance, the best practices for implementing a good PKI hierarchy design should contains an Offline Root CA and two or more-tier of online enterprise subordinate CA.

For my needs I will install my own CA, so I can use it to issue any number of certificates to support for the following Servers and Services with free charge.

  • VPN
  • RD Gateway
  • Lync 2013 Internal Access
  • Lync 2013 External Access
  • Web Server
  • Web Services
  • SharePoint https access
  • Office WebApp
  • DirectAccess

This CA removes the cost required to buy a dozen of certificates to support those services

Before I start let's know what is Certification Authority (CA) and what is the CA main purposes?

Certificate Authority (CA) is well-designed and highly trusted service in an enterprise that is trusted to sign digital certificates. CA verifies identity and legitimacy of company or individual that requested a certificate and if the verification is successful, CA issues signed certificate.
The main purposes of the CA are
  • Issue certificates
  • Revoke certificates
  • Publish AIA and CRL information
By doing this, the CA ensures that users, services, and computers are issued certificates that can be validated.
Before start let`s discuss this diagram :)
Enterprise PKI Design
Being diligent, I sketch out what we are about to do first.
My Servers Information

Server Name
Windows Server 2012 R2
Standalone Offline Root CA
Windows Server 2012 R2
Enterprise Subordinate CA
Domain Joined
Windows Server 2012 R2
Domain Controller


  • DC01 - an active directory domain controller called which connected to several machines and will be the central point for distributing the certificates over domain joined machine
  • ROOTCA - Standalone offline Root CA which will generate the private key and trust the Issuing CA to generate a certificate after that it will be kept offline for the next 5 years to renew the trust with IssuingCA1001. A Root CA is special in that it`s certificate is self-issued. This mean that the certificate's issuer name and subject field contain the same distinguished name
  • IssuingCA1001 - is an Enterprise Subordinate CA which will issue and revoke the certificates as needed.

Enterprise PKI Deployment
For this scenario I will implement a 2 tier PKI hierarchy which contains offline standard Root CA server and online enterprise subordinate CA.

Prepare your servers with latest update and enforce your organization policy, let`s go...


  • on the ROOTCA server, click Add roles and features… Next - Next  - Next - select Active Directory Certificate Services 

  • Next
  • Next

Make sure Certification Authority is selected

  • Install

  • You can configure the AD CS form here or from the server manager

  • ROOTCA should not be a domain joined, Local Administrator required

As mentioned above "A Root CA is special in that it`s certificate is self-issued. This mean that the certificate's issuer name and subject field contain the same distinguished name"

Choose 5 years, so after trusting the sub CA, it will be kept offline for the next 5 years

  • Run this command to map the Namespace of Active Directory to an Offline CA’s Registry Configuration
certutil -setreg ca\DSConfigDN "CN=Configuration,DC=corp,DC=msallal,DC=local"
certutil -setreg ca\DSDomainDN “DC=corp,DC=msallal,DC=local”

Configure the CRL and AIA for Root CA

The default CRL and AIA location need to be changed to a place where all the locations need to be accessible by the sub CA server, in my case is IssuingCA1001 server
Remove all of the CRL distribution point locations, except the local CRL distribution point

Add a new CRL Distribution Point (CDP) to the new CA server:

tick the following options, and click Apply:
  • Include in the CDP extensions of issued certificates

The reason why we only have two location for the offline Root CA is because since this server is not domain joint and the best practice for location settings is always using HTTP


the same way for AIA, Remove all of the AIA locations, except the local AIA distribution point
Add a new AIA to the new CA server:

Click Apply (Restart AD CS service) then OK

Change the CRL publish interval
the CRL publish interval is very important, once the CRL is expired, you will need to bring up the offline root CA server and republish the CRL to sub-CA server again.
The default interval is one week, we don`t need to bring the offline server back online every single week.

just change the interval to 5 years and this will leave the root CA server offline for 5 years, the same as private key validity
You can always bring the server online anytime and manually re-publish the CRL if we need to revoke the sub CA certificate.

Click OK

Publish the CRL

!!! Very Important Step
For the time being there is no IssuingCA1001 Server yet, so create folder on RootCA c: drive called ROOTCA and store the certs file certsrv\CertEnroll. we will back to this files later

Subordinate CA

Now we should prepare the Issuing CA as a Subordinate CA and make the ROOT CA trust the issuing CA as a part of hierarchy, check part 2  Configuring Online Subordinate CA

Powered by Blogger.