Deploying Enterprise PKI on Windows Server 2012 R2 with the 2 Tier Hierarchy - Offline Root CA and Online Subordinate CA - Step by Step - Part 2

Today I'm glad to continue our journey with the Enterprise Subordinate CA deployment, "Installing and Configuring the Subordinate CA as an Online Issuing CA", as announced in DEPLOYING ENTERPRISE PKI ON WINDOWS SERVER 2012 R2 WITH THE 2 TIER HIERARCHY - OFFLINE ROOT CA AND ONLINE SUBORDINATE CA - STEP BY STEP - PART 1.
Let me start by explaining a little bit about the Enterprise CA.
For my needs I will install my own CA, so I can use it to issue any number of certificates, free of charge, to support the following servers and services:

  • VPN
  • RD Gateway
  • Lync 2013 Internal Access
  • Lync 2013 External Access
  • Web Server
  • Web Services
  • SharePoint https access
  • Office WebApp
  • DirectAccess

This CA removes the cost of buying a dozen certificates to support those services.

Before I start, let's look at what a Certification Authority (CA) is and what its main purposes are.

A Certificate Authority (CA) is a well-designed and highly trusted service in an enterprise that is trusted to sign digital certificates. The CA verifies the identity and legitimacy of the company or individual that requested a certificate and, if the verification succeeds, issues a signed certificate.
The main purposes of the CA are:
  • Issue certificates
  • Revoke certificates
  • Publish AIA and CRL information
By doing this, the CA ensures that users, services, and computers are issued certificates that can be validated.
Before we start, let's discuss this diagram :)
Enterprise PKI Design
Being diligent, I sketched out what we are about to do first.
My Servers Information

Server Name   | OS                     | Role                       | Workgroup/Domain
------------- | ---------------------- | -------------------------- | ----------------
RootCA        | Windows Server 2012 R2 | Standalone Offline Root CA | Workgroup
IssuingCA1001 | Windows Server 2012 R2 | Enterprise Subordinate CA  | Domain Joined
DC01          | Windows Server 2012 R2 | Domain Controller          |

  • DC01 - an Active Directory domain controller for the domain msallal.com, which is connected to several machines and will be the central point for distributing certificates to domain-joined machines.
  • ROOTCA - a standalone offline Root CA which will generate its private key and sign the Issuing CA's certificate; after that it will be kept offline for the next 5 years, until the trust with IssuingCA1001 has to be renewed. A Root CA is special in that its certificate is self-issued. This means that the certificate's issuer name and subject field contain the same distinguished name.
  • IssuingCA1001 - an Enterprise Subordinate CA which will issue and revoke certificates as needed.
Phase 1: Enterprise PKI Deployment - Subordinate CA
For this scenario I will complete the implementation of the 2 tier PKI hierarchy, which contains an offline standalone Root CA server and an online enterprise subordinate CA.

Prepare your servers with the latest updates, enforce your organization's policy, and make sure to join IssuingCA1001 to the domain. Let's go...

Installation
  • On the IssuingCA1001 server, click Add roles and features… Next - Next - Next - select Active Directory Certificate Services

  • Next
  • Make sure Certification Authority and Certification Authority Web Enrollment are selected
  • Install

Configuration

You can start configuring AD CS from here or from the Server Manager notification.

  • IssuingCA1001 must be domain joined; a user with Domain Admin privileges is required
  • Next

  • Choose Enterprise CA
  • Next
  • Choose Subordinate CA
  • Next
  • Create a new private key
  • Next


  • Save the certificate request file. It will be submitted to the Root CA so that the Root CA can sign the subordinate's certificate; we will use it in phase 2
  • Next
  • Configure
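The Installation and Configuration steps above can also be done without the wizard. The following is an added example, not code from the original post: it installs the same two roles and configures IssuingCA1001 as an Enterprise Subordinate CA with a new private key, which (because the parent CA is offline) produces the .req file instead of a certificate. The CA common name, key parameters and the C:\CAConfig path are assumptions; run it in an elevated PowerShell on IssuingCA1001 as a Domain Admin.

```powershell
# Added example (not from the original post). Assumed values: CA common name,
# key length/hash, and the C:\CAConfig folder.

# 1. Install the roles the wizard selects: Certification Authority and
#    Certification Authority Web Enrollment.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure an Enterprise Subordinate CA with a new private key.
#    No online parent CA is reachable, so the cmdlet writes a request file
#    instead of installing a certificate; that .req goes to ROOTCA in phase 2.
$requestFile = 'C:\CAConfig\IssuingCA1001.req'   # assumed path
New-Item -ItemType Directory -Path (Split-Path $requestFile) -Force | Out-Null

Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName 'IssuingCA1001' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile $requestFile `
    -Force

# 3. Configure the Web Enrollment role installed in step 1.
Install-AdcsWebEnrollment -Force

# 4. Confirm the request file exists; it is the only artefact carried to ROOTCA.
if (Test-Path $requestFile) {
    Write-Host "Request written to $requestFile - copy it to ROOTCA for phase 2."
} else {
    throw "Request file was not created; check the Install-AdcsCertificationAuthority output."
}
```

Until the signed certificate comes back from the Root CA, the CertSvc service on IssuingCA1001 will not start; that is expected and is exactly the state the wizard leaves you in after Configure.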


Phase 2: Trust Subordinate CA by Root CA

To make the subordinate server responsible for issuing certificates for your organization, you must establish trust between the Root CA and the Subordinate CA. This is done by submitting the request file created during the subordinate configuration above to the Root CA, and bringing the resulting certificate back to the subordinate.

Go to the offline ROOTCA server - open Certification Authority - All Tasks - Submit new request


Choose the .req file created while configuring the subordinate CA in phase 1 - Open



The request has now been submitted, but it is in the pending state; we must issue the certificate.

All Tasks - Issue

Now it is in the Issued Certificates list.


Double-click the certificate; it should look like this


Go to the Certification Path tab to view the certificate hierarchy. It should show two levels: the Root CA at the top and the Sub CA (Issuing CA) under it.


Now we need to export the issued certificate so it can be taken back to the subordinate server - choose Copy to File



Choose .P7B and tick "Include all certificates in the certification path if possible"



Save the file, copy it to the IssuingCA1001 server (the subordinate server), and move on



On the IssuingCA1001 server open Certification Authority - All Tasks - Install CA Certificate, and choose the exported certificate that came from the Root CA
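The same submit, issue, export and install steps from the command line, as an added example that is not part of the original post. The first half runs on ROOTCA, the second on IssuingCA1001; the Root CA's "Server\CAName" config string, the drive letters used to carry files between the two machines, and the C:\CAConfig folder are placeholders and assumptions.

```powershell
# Added example (not from the original post).
# ---------- On ROOTCA (offline, workgroup) ----------
$rootConfig = 'RootCA\<RootCA common name>'   # placeholder: "Server\CAName" of the Root CA
$req        = 'D:\IssuingCA1001.req'          # assumed: the .req carried over on removable media

# Submit the request (equivalent of "All Tasks - Submit new request").
# A standalone CA holds it as pending; capture the RequestId from the output.
$submitOutput = certreq -submit -config $rootConfig $req 2>&1 | Out-String
if ($submitOutput -notmatch 'RequestId:\s*(\d+)') { throw "Submit failed:`n$submitOutput" }
$requestId = [int]$Matches[1]

# Issue the pending request (equivalent of "All Tasks - Issue").
certutil -config $rootConfig -resubmit $requestId

# Retrieve the issued certificate (.cer) and the PKCS#7 chain file (.p7b), which is
# what "Copy to File" with "Include all certificates in the certification path" produces.
certreq -retrieve -config $rootConfig $requestId 'D:\IssuingCA1001.cer' 'D:\IssuingCA1001.p7b'

# Sanity check before carrying the files back: the chain must contain two certificates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import('D:\IssuingCA1001.p7b')
if ($chain.Count -ne 2) { throw "Expected Root + Sub CA in the chain, found $($chain.Count)" }

# ---------- On IssuingCA1001 (domain joined) ----------
$p7b = 'C:\CAConfig\IssuingCA1001.p7b'        # assumed: the .p7b copied from ROOTCA

# Install the CA certificate (equivalent of "All Tasks - Install CA Certificate")
# and start the service, which was unable to start while the CA had no certificate.
certutil -installCert $p7b
Start-Service certsvc
Get-Service certsvc | Select-Object Name, Status   # expect Running
```

If `Start-Service certsvc` fails, the usual cause is the one the post describes next: the AIA and CRL locations in the chain are not reachable from IssuingCA1001.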



The certificate service is now in the running state. You should see the small green icon on the sub-CA certification authority now.


If not, go back and check the CRL and AIA settings. All of the locations defined in the CRL and AIA extensions must be accessible from the IssuingCA1001 server, which means you need a copy of the Root CA's CRL files in C:\Windows\System32\CertSrv\CertEnroll and on the IIS site as well.





Checking the CRL and AIA status
  • Run pkiview.msc
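pkiview.msc gives the same answer interactively; the following added example (not from the original post) performs the CRL and AIA check from PowerShell on IssuingCA1001, which is handy when you want to re-run it after copying the Root CA files into place. The path of the issued sub-CA certificate is an assumption; the CertEnroll folder is the one named in the post.

```powershell
# Added example (not from the original post). Run on IssuingCA1001.
$subCert    = 'C:\CAConfig\IssuingCA1001.cer'              # assumed copy of the issued sub-CA certificate
$certEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'     # folder named in the post

# 1. Let certutil download every AIA/CDP URL embedded in the chain and validate it.
#    Only the verdict lines are shown; anything other than "Verified" needs attention.
$verify = certutil -verify -urlfetch $subCert 2>&1 | Out-String
$verify -split "`r?`n" | Where-Object { $_ -match 'Verified|Failed|Error|Expired|Revoked' }

# 2. The Root CA's .crt and .crl must exist locally; if this prints nothing for the
#    Root CA, copy them from ROOTCA's own CertEnroll folder and re-run step 1.
Get-ChildItem $certEnroll -Include *.crt, *.crl -Recurse | Select-Object Name, LastWriteTime

# 3. The same files must be served by IIS at the http URLs in the certificate.
#    Pull the URL= lines from certutil's dump and request each one.
$dump = certutil -dump $subCert | Out-String
$urls = [regex]::Matches($dump, 'URL=(http://\S+)') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        "{0} -> HTTP {1}" -f $u, $r.StatusCode
    } catch {
        "{0} -> FAILED: {1}" -f $u, $_.Exception.Message
    }
}
```

Step 1 is the decisive one: a CA whose chain cannot be validated from its own host will refuse to start, and the same URLs are what every domain-joined client will fetch when it checks a certificate issued by IssuingCA1001.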




Finally, we are done for now. At this moment, we have deployed and configured an enterprise subordinate CA…



About Mohamad A Sallal

A Highly Experienced and Accomplished Senior SharePoint Specialist, Architect, Designer and Developer, with Significant Experience Providing Full Life-Cycle Solutions and Project Management. Web Application Professional Experienced with Diverse Web Technologies. Knowledge of Current Microsoft Technologies, Leveraging the .NET Platform. Broad knowledge Technical Combined with Project Leadership Ability and Creative Problem Solving Skills in both Strategic and Tactical Areas. Specialties: Developing on the Microsoft .NET platform

3 comments:

  1. Very good idea you've shared here, from here I can be a very valuable new experience. all things that are here will I make the source of reference, servicenow training in hyderabad
  2. Useful and all started so well, shame you couldn't finish what you started, no part 3?

  3. where is part 3 I need part 3... lol.

    this is great and well written article. please upload part 3.
