
Part 2 - Deploying Enterprise PKI on Windows Server 2012 R2 with the 2 tier hierarchy - Offline Root CA and Online Subordinate CA - Step by Step

Today I'm glad to continue our journey on the Enterprise Subordinate CA deployment, "Installing and Configuring the Subordinate CA as an Online Issuing CA", as announced in DEPLOYING ENTERPRISE PKI ON WINDOWS SERVER 2012 R2 WITH THE 2 TIER HIERARCHY - OFFLINE ROOT CA AND ONLINE SUBORDINATE CA - STEP BY STEP - PART 1.
Let me start by explaining a little bit about the Enterprise CA.
For my needs I will install my own CA, so I can use it to issue any number of certificates, at no charge, for the following servers and services:

  • VPN
  • RD Gateway
  • Lync 2013 Internal Access
  • Lync 2013 External Access
  • Web Server
  • Web Services
  • SharePoint https access
  • Office WebApp
  • DirectAccess

This CA removes the cost of buying a dozen certificates to support those services. The trade-off is that its certificates are trusted only by machines that trust our root; Group Policy takes care of that for domain-joined computers, but for services that external, non-domain clients connect to (the Lync 2013 external edge or a public-facing web server, for example) the root certificate must be distributed to those clients as well, or a certificate from a public CA used instead.

Before I start, let's look at what a Certification Authority (CA) is and what its main purposes are.

A Certification Authority (CA) is a carefully designed and highly trusted service in an enterprise whose job is to sign digital certificates. The CA verifies the identity and legitimacy of the company, individual, or computer that requested a certificate and, if the verification succeeds, issues a signed certificate.
The main purposes of the CA are to
  • Issue certificates
  • Revoke certificates
  • Publish AIA (its own certificate) and CRL information, so that relying parties can build the chain and check revocation
By doing this, the CA ensures that users, services, and computers are issued certificates that can be validated.
Before we start, let's discuss this diagram :)
[Diagram: Enterprise PKI Design]
Being diligent, I sketched out what we are about to do first.
My Servers Information

  Server Name      Operating System          Role
  ROOTCA           Windows Server 2012 R2    Standalone Offline Root CA
  IssuingCA1001    Windows Server 2012 R2    Enterprise Subordinate CA (Domain Joined)
  DC01             Windows Server 2012 R2    Domain Controller

  • DC01 - the Active Directory domain controller to which the other machines are joined. Active Directory is the central point for publishing the CA certificates and CRLs and for distributing trust in our root to domain-joined machines through Group Policy.
  • ROOTCA - a standalone, offline Root CA. It generates its own private key, issues the certificate that makes IssuingCA1001 a trusted issuing CA, and is then kept offline; it only comes back online to renew the IssuingCA1001 certificate (in 5 years) and, well before each expiry, to publish a fresh root CRL, because an expired root CRL stops the whole chain from validating. A Root CA is special in that its certificate is self-issued: the certificate's issuer name and subject field contain the same distinguished name.
  • IssuingCA1001 - an Enterprise Subordinate CA that issues and revokes the certificates as needed.
Phase 1: Enterprise PKI Deployment - Subordinate CA
For this scenario I will complete the implementation of the 2-tier PKI hierarchy, which contains an offline standalone Root CA server and an online enterprise subordinate CA.

Prepare your servers with the latest updates, apply your organization's baseline policy, and make sure IssuingCA1001 is joined to the domain served by DC01. Let's go...

  • On the IssuingCA1001 server, open Server Manager, click Add roles and features..., click Next through the wizard pages, and select Active Directory Certificate Services

  • Next
  • Make sure Certification Authority and Certification Authority Web Enrollment are selected (Web Enrollment pulls in IIS, which will also serve the HTTP CDP and AIA locations)
  • Install


You can start configuring AD CS from here or from the Server Manager notification flag.

  • IssuingCA1001 must be domain joined, and the account running the configuration must be a member of Enterprise Admins (or Domain Admins in the forest root domain), because an Enterprise CA writes its configuration into Active Directory
  • Next

  • Choose Enterprise CA
  • Next
  • Choose Subordinate CA
  • Next
  • Create a new private key (for a CA that will live for years, choose a 2048-bit or longer RSA key and SHA256 as the hash algorithm; do not pick SHA1)
  • Next

  • Save the certificate request file (.req). It will be submitted to the Root CA, which signs it and thereby makes the subordinate a trusted issuing CA; we will use it in Phase 2
  • Next
  • Configure
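The same Phase 1 steps, driven from PowerShell instead of the wizard. This is an added example, not code from the original post: it runs elevated on IssuingCA1001 as a member of Enterprise Admins, and the CA common name, the request directory and the file name are assumptions you should align with your own design from Part 1.

```powershell
# Added example: Phase 1 (role install + Enterprise Subordinate CA configuration) as PowerShell.
# Run elevated on IssuingCA1001 as an Enterprise Admin. $caName and $reqDir are assumed values.
$ErrorActionPreference = 'Stop'

$caName  = 'IssuingCA1001'          # CA common name (assumption; match your design)
$reqDir  = 'C:\CertReq'             # where the .req for the offline root is written (assumed path)
$reqFile = Join-Path $reqDir "$caName.req"

# An Enterprise CA can only be configured on a domain-joined server, so check that first.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'IssuingCA1001 must be joined to the domain before configuring an Enterprise CA.'
}

# "Add roles and features" -> Active Directory Certificate Services with both role services
# (Web Enrollment also brings in the IIS site that will serve the HTTP CDP/AIA locations).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

New-Item -ItemType Directory -Path $reqDir -Force | Out-Null

# "Enterprise CA" + "Subordinate CA" + "create a new private key".
# There is no online parent CA, so -OutputCertRequestFile writes a .req to carry to ROOTCA
# instead of asking a parent for the certificate. SHA256 and a 2048-bit RSA key, never SHA1.
Install-AdcsCertificationAuthority `
    -CAType                EnterpriseSubordinateCA `
    -CACommonName          $caName `
    -CryptoProviderName    'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength             2048 `
    -HashAlgorithmName     SHA256 `
    -OutputCertRequestFile $reqFile `
    -Force

# The service is installed but cannot start until the root-signed certificate is installed (Phase 2).
Get-Service certsvc | Select-Object Name, Status
Write-Host "Request file to carry to ROOTCA on removable media: $reqFile"
```

The Web Enrollment role service is installed here but configured later, once the CA is running with its certificate; the wizard in the post does both in one pass, but on the command line it is simpler to keep them apart.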

Phase 2: Trust Subordinate CA by Root CA

To make the subordinate server responsible for issuing certificates for your organization you must establish trust between the Root CA and the Subordinate CA: submit the request file created in the subordinate configuration above to the Root CA, then bring the resulting certificate back to the subordinate. Because ROOTCA is offline, both files travel on removable media.

Go to the offline ROOTCA server, open the Certification Authority console, right-click the CA name - All Tasks - Submit new request...

Choose the .req file created while configuring the subordinate CA in Phase 1 - Open

The request has now been accepted by the root, but it sits in Pending Requests: a standalone CA does not issue automatically, so we must issue that certificate ourselves

In Pending Requests, right-click the request - All Tasks - Issue

Now it is in the Issued Certificates list

Double-click the certificate; it should look like this

Go to the Certification Path tab to view the CA hierarchy. It should show two levels: the Root CA at the top and the Sub CA (IssuingCA1001) under it

Now we need to export the issued certificate back to the subordinate server: on the Details tab, choose Copy to File...

Choose Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) and tick Include all certificates in the certification path if possible, so the root certificate travels in the same file as the subordinate's

Save the file, copy it to the IssuingCA1001 server (the subordinate server), and move on

On the IssuingCA1001 server open the Certification Authority console, right-click the CA name - All Tasks - Install CA Certificate..., and choose the exported .p7b that came from the Root CA

Certificate Services is now in the running state; you should see the small green icon on the sub-CA node in the Certification Authority console.

If not, go back and check the CDP (CRL) and AIA settings. Every location defined in the root's CDP and AIA extensions must be reachable from IssuingCA1001, because the subordinate CA validates its own certificate chain, including revocation, before it will start. That means the root's certificate and its current CRL must be copied from ROOTCA's C:\Windows\System32\CertSrv\CertEnroll to the same folder on IssuingCA1001 (where the IIS site serves them) and, for LDAP locations, published to Active Directory.

Checking the CRL and AIA status:
  • Run pkiview.msc (Enterprise PKI); every CDP and AIA location for both CAs should show a status of OK, not Expired or Unable To Download
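Phase 2 end to end on the command line, covering the submit/issue/export steps on the root and the publish/install/verify steps on the subordinate above. This is an added example and not code from the original post. Part A runs elevated on the offline ROOTCA, Part B runs elevated on IssuingCA1001 as an Enterprise Admin, and the files move between them on removable media. The CA config string "ROOTCA\ROOTCA" (machine name\CA common name), the C:\CertReq paths and the file names are assumptions; adjust them to what Part 1 produced.

```powershell
# Added example: Phase 2 as PowerShell. Part A on ROOTCA (offline, standalone root),
# Part B on IssuingCA1001 (domain joined). Config strings and paths are assumptions.
$ErrorActionPreference = 'Stop'

# ---------- Part A: on ROOTCA ----------
$rootConfig = 'ROOTCA\ROOTCA'                     # "<machine>\<CA common name>" (assumed)
$reqFile    = 'C:\CertReq\IssuingCA1001.req'      # the .req produced in Phase 1 (assumed path)
$subCer     = 'C:\CertReq\IssuingCA1001.cer'

# "Submit new request": on a standalone root the request lands in Pending Requests,
# and certreq prints the RequestId we need for the next two steps.
$out = certreq -submit -config $rootConfig $reqFile | Out-String
if ($out -notmatch 'RequestId:\s*(\d+)') { throw "Submit failed:`n$out" }
$requestId = [int]$Matches[1]

# "All Tasks - Issue", then pull the issued certificate out of the CA database ("Copy to File").
certutil -config $rootConfig -resubmit $requestId | Out-Null
certreq -retrieve -config $rootConfig $requestId $subCer | Out-Null

# The root's own certificate and current CRL must travel too: the subordinate will not start
# until every AIA/CDP location of the root is reachable from IssuingCA1001.
$enroll = 'C:\Windows\System32\CertSrv\CertEnroll'
Copy-Item "$enroll\*.crt", "$enroll\*.crl" -Destination 'C:\CertReq\'
# Now copy C:\CertReq\ to removable media and walk it to IssuingCA1001.

# ---------- Part B: on IssuingCA1001 ----------
$subCer  = 'C:\CertReq\IssuingCA1001.cer'
$rootCer = (Get-ChildItem 'C:\CertReq\*.crt' | Select-Object -First 1).FullName
$rootCrl = (Get-ChildItem 'C:\CertReq\*.crl' | Select-Object -First 1).FullName

# A root CA certificate is self-issued: issuer and subject carry the same DN. Check before trusting it.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCer
if ($root.Subject -ne $root.Issuer) { throw "$rootCer is not a self-signed root certificate" }

# Publish the root certificate and CRL to Active Directory (serves the LDAP AIA/CDP locations and
# pushes the root into domain members' Trusted Root store via Group Policy) and to the local
# CertEnroll folder that the IIS site serves for the HTTP locations.
certutil -dspublish -f $rootCer RootCA
certutil -dspublish -f $rootCrl      # add "DSCDPContainer DSCDPCN" args if certutil cannot derive them
Copy-Item $rootCer, $rootCrl -Destination 'C:\Windows\System32\CertSrv\CertEnroll\'
certutil -addstore -f Root $rootCer  # trust the root locally now rather than waiting for a GP refresh

# "Install CA Certificate", then start the service; it stays stopped if chain/revocation checks fail.
certutil -installCert $subCer
Start-Service certsvc

# The Web Enrollment role service from Phase 1 can be configured now that the CA is running.
Install-AdcsWebEnrollment -Force

# What pkiview.msc shows, on the command line: every AIA and CDP URL of the chain must be fetched
# successfully; any "Unable to download" or expired CRL here is why the green icon is missing.
certutil -verify -urlfetch $subCer
```

If certutil -verify reports a failed URL, fix that CDP/AIA location first and only then restart certsvc; the GUI steps in the post succeed or fail for exactly the same reason.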

Finally, we are done for now: at this point we have deployed and configured an enterprise subordinate CA...
