To cover all the scenarios for AD CS, I have split the article into two parts:
- Installing – Configuring ROOT CA as Offline – Part 1
- Installing – Configuring Subordinate CA as Online Issuing CA – Part 2
As mentioned in Microsoft's Certification Authority guidance, the best practice for a good PKI hierarchy design is an offline Root CA with two or more tiers of online enterprise subordinate CAs.
For my needs I will install my own CA, so I can issue any number of certificates, free of charge, for the following servers and services:
- VPN
- RD Gateway
- Lync 2013 Internal Access
- Lync 2013 External Access
- Web Server
- Web Services
- SharePoint https access
- Office WebApp
- DirectAccess
This CA removes the cost of buying a dozen certificates to support those services.
Before I start, what is a Certification Authority (CA) and what are its main purposes?
A Certification Authority (CA) is a well-designed and highly trusted service in an enterprise that is trusted to sign digital certificates. The CA verifies the identity and legitimacy of the company or individual that requested a certificate, and if the verification succeeds, the CA issues a signed certificate.
The main purposes of a CA are:
- Issue certificates
- Revoke certificates
- Publish AIA and CRL information
By doing this, the CA ensures that users, services, and computers are issued certificates that can be validated.
Before we start, let's discuss this diagram 🙂
Enterprise PKI Design
Being diligent, I sketched out what we are about to do first.
My Servers Information
| Server Name | OS | Role | Workgroup/Domain |
|---|---|---|---|
| RootCA | Windows Server 2012 R2 | Standalone Offline Root CA | Workgroup |
| IssuingCA1001 | Windows Server 2012 R2 | Enterprise Subordinate CA | Domain Joined |
| DC01 | Windows Server 2012 R2 | Domain Controller | |
- DC01 – an Active Directory domain controller for the msallal.com domain, connected to several machines; it will be the central point for distributing certificates to domain-joined machines.
- ROOTCA – a standalone offline Root CA which will generate its private key and sign the Issuing CA's certificate; after that it will be kept offline for the next 5 years, until the trust with IssuingCA1001 has to be renewed. A Root CA is special in that its certificate is self-issued: the certificate's issuer name and subject field contain the same distinguished name.
- IssuingCA1001 – an Enterprise Subordinate CA which will issue and revoke certificates as needed.
Enterprise PKI Deployment
For this scenario I will implement a 2-tier PKI hierarchy consisting of an offline standalone Root CA server and an online enterprise subordinate CA.
Prepare your servers with the latest updates and enforce your organization's policy, then let's go…
Installation
- On the ROOTCA server, open Server Manager and click Add roles and features…, then Next – Next – Next and select Active Directory Certificate Services
- Next
- Next, making sure Certification Authority is selected under the role services
- Install
- You can configure AD CS from here (the post-installation link) or later from Server Manager
- ROOTCA must not be domain-joined; a local Administrator account is required
As mentioned above, "A Root CA is special in that its certificate is self-issued. This means that the certificate's issuer name and subject field contain the same distinguished name."
- Run these commands to map the Active Directory namespace into the offline CA's registry configuration (the Root CA is not domain-joined, so it cannot discover this itself):
certutil -setreg ca\DSConfigDN "CN=Configuration,DC=corp,DC=msallal,DC=local"
certutil -setreg ca\DSDomainDN "DC=corp,DC=msallal,DC=local"
Configure the CRL and AIA for Root CA
The default CRL and AIA locations need to be changed to locations that are accessible from the subordinate CA server, in my case IssuingCA1001.
Remove all of the CRL distribution point locations except the local one.
Add a new CRL Distribution Point (CDP) pointing to the new CA server, tick the following option, and click Apply:
- Include in the CDP extension of issued certificates
The reason we only have two locations for the offline Root CA is that this server is not domain-joined (so the LDAP locations do not apply), and the best practice for location settings is to always use HTTP.
AIA
Do the same for AIA: remove all of the AIA locations except the local one.
Add a new AIA location pointing to the new CA server:
Click Apply (this restarts the AD CS service), then OK.
Change the CRL publish interval
The CRL publish interval is very important: once the CRL expires, you will need to bring up the offline Root CA server and republish the CRL to the sub-CA server again.
The default interval is one week, and we don't want to bring the offline server back online every single week.
Change the interval to 5 years; this leaves the Root CA server offline for 5 years, the same as the private key validity.
You can always bring the server online at any time and manually re-publish the CRL if you need to revoke the sub-CA certificate.
Click OK
Publish the CRL
!!! Very Important Step
Since there is no IssuingCA1001 server yet, create a folder called ROOTCA on the RootCA C: drive and store the certificate and CRL files from certsrv\CertEnroll there. We will come back to these files later.
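The installation, CDP/AIA, CRL-interval and CRL-publishing steps above can be done from an elevated PowerShell prompt on the ROOTCA server instead of the GUI. The script below is an added example, not part of the original post: it uses the AD CS cmdlets and certutil that ship with Windows Server 2012 R2, and it assumes a CA common name of RootCA, a 4096-bit RSA key with SHA256, and an HTTP publishing host http://pki.msallal.com/CertEnroll (none of these are stated in the post; the HTTP host is a placeholder the sub CA would serve later). The DSConfigDN/DSDomainDN values are the ones from the post.

```powershell
# Added example (not from the original post): offline Root CA setup as one script.
# Assumed values: CA name "RootCA", RSA 4096/SHA256, and the HTTP CDP/AIA host below.
$HttpBase = "http://pki.msallal.com/CertEnroll"   # assumption; replace with your real HTTP host

# 1. Install the AD CS role and configure this workgroup server as a standalone Root CA
#    (the same thing the "Add roles and features" and AD CS configuration wizards do).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName "RootCA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 5 -Force

# 2. Map the AD namespace into the offline CA's registry (the post's two certutil commands).
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=corp,DC=msallal,DC=local"
certutil -setreg CA\DSDomainDN "DC=corp,DC=msallal,DC=local"

# 3. CDP: keep only the local location (flag 1 = publish the CRL to this path) plus one HTTP
#    location (flag 2 = include in the CDP extension of issued certificates). Entries are
#    separated by a literal \n, which certutil expands; the default LDAP entries are dropped
#    because this server is not domain-joined.
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$HttpBase/%3%8%9.crl"

# 4. AIA: same pattern, flag 1 = publish the CA certificate locally, flag 2 = include in the
#    AIA extension of issued certificates.
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$HttpBase/%1_%3%4.crt"

# 5. CRL publish interval: 5 years instead of the default one week, and no delta CRLs,
#    which make no sense for a CA that is powered off between publications.
certutil -setreg CA\CRLPeriodUnits 5
certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# 6. Restart the CA service so the registry changes take effect, then publish the CRL.
Restart-Service -Name certsvc
certutil -crl

# 7. Copy the Root CA certificate and CRL to C:\ROOTCA for transfer to IssuingCA1001 later.
New-Item -ItemType Directory -Path "C:\ROOTCA" -Force | Out-Null
Copy-Item -Path "$env:windir\system32\CertSrv\CertEnroll\*" -Destination "C:\ROOTCA"

# 8. Check the effective settings before powering the server off.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
```

The two `-getreg` checks at the end are worth keeping as a habit: a CDP or AIA URL that the sub CA's clients cannot reach makes every certificate chained to this root fail revocation checking, and that is far easier to spot here, while the root is still on, than after the server has been shut down for years.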
Subordinate CA
Now we should prepare the Issuing CA as a Subordinate CA and make the Root CA trust the Issuing CA as part of the hierarchy; see part 2, Configuring Online Subordinate CA.