(PKI) Public Key Infrastructure Server Deployment
- Build out a standalone Root CA host
-
Deploy Root CA host from Server 2012 R2 Template
-
Set IP
Add AD CS Roles
-
Add roles and Features > Role-based or feature-based installation>local server>Select Active Directory Certificate Services (AD CS)
-
Certification Authority Role
-
Check Restart automatically if required option and install
Configure CA
-
Click Configure Active Directory Certificates Services on the destination server link
-
Next
-
Check on Certification Authority and Next
-
Select Standalone CA
-
Select Root CA
-
Select Create a new private key
-
Select RSA#Microsoft Software Key Storage Provider with 4096 key length, and SHA1 Hash Algorithm
-
Remove Distinguished name suffix
-
Set Validity Period for 5 years as default
-
Next
-
Configure after reviewing the settings
-
On Server Manager>AD CS>Right Click on Root CA and Select Certificate Authority
-
Expand vmlab-RootCA-CA> and Right click on Revoked Certificates>All Tasks>Publish
-
New CRL
-
Open Run>MMC> Add Certificates Snap-in > Computer Account>Local computer
-
Browse to Certificates>Personal>Certificates, and Export
-
Select No export the private key
-
Keep it as default
-
Create a folder named to RootCA on C Drive and name to save as RootCA-vmlab
-
Finish
-
And open C:\Windows\system32\CertSrv\CertEnroll and copy all to C:\RootCA\ Folder
-
Share C:\RootCA Directory
Install RootCA cert to SQLPKI1
- On SQLPKI1, browse to \\RootCA\RootCA\
-
Install RootCA-vmlab.cer
-
Select local machine
-
Next
-
OK
Configure Subordinate CA on SQLPKI1
-
On SQLPKI1, Add ADCS Role
-
Select Certificate Authority and Certificate Authority Web Enrollment
-
Add IIS Role Services as default as well
-
Review and Install
-
Click Configure AD CS on the destination Server
-
Next
-
Select both Certification Authority and Certification Authority Web Enrollment Services
-
Select Enterprise CA
-
Select Subordinate CA
-
Select create a new private key
-
Change the key length to 4096
-
Next
-
Select Save a Certificate request to file on the target machine as default and Next
-
Next
-
Confirm the settings and Configure
-
Click Close and close
-
Open Explorer and Map Network drive \\RootCA\Rootca
-
Right click on RootCA-vmlab.cer file on the share drive and install Certificate
-
Select Local Machine
-
Place it to Trusted Root Certification Authorities
- Create a new folder and name it Certdata on C:\inetpub\wwwroot\
-
From \\RootCA\RootCA, copy RootCA.vmlab.local_vmlab-ROOTCA-CA.crt and vmlab-ROOTCA-CA.crl files to c:\inetpub\wwwroot\Certdata
-
Open Explorer and C:\ and Copy request cert to \\RootCA\RootCA share folder on RootCA.vmlab.local
Submit a subordinate CA’s Request to the Root CA
-
On the RootCA server, open CA mmc and Right Click vmlab-RootCA-CA>All Tasks>Submit new request
-
Select SQLPKI1.vmlab.local_vmlab-SQLPKI1-CA.req file
-
Go to Pending Requests node and right click on the request file >All Tasks>Issue
-
Go to Issued Certificates node, right click the issued cert and open
-
Go to Details Tab> copy to File
-
Select (.P7B) cert format and include path option
-
Name it and save it to \\RootCA\RootCA share folder
-
Per instruction, I opened the cert and checked all certs for establishing the trust
- Go back to SQLPKI1 host, and open CA mmc.
-
Right Click on vmlab-SQLPKI1-CA>All Tasks>Install CA Certificate
-
Browse to \\RootCA\RootCA share folder and open p7b cert file
-
Click Start Button
-
AD CS Service on SQLPKI1 is now started successfully
Create Distribute Root CA Policy and Apply to the domain
-
Go to DC1, and Open Group Policy Management> right click on vmlab.local and Create a GPO in this domain
-
Name it
-
Right click on the new GPO and edit
-
Browse to Computer Configuration>Policies>Windows Settings>Security Settings>Public Key Policies>Trusted Root Certification Authorities and right click import
-
Select RootCA-vmlab.cer file from \\RootCA\Rootca network share
-
Next
-
Finished
Microsoft Systems Engineer 