Microsoft PKI – Start Here

This page is intended to be the master table of contents to all of the Microsoft PKI pages within this blog. It will also provide additional information that may help in understanding how to read through these pages, provide outside links, and provide other pertinent info for the Microsoft PKI.

These pages are mostly about building a MS PKI, not managing templates and certificates. I may add some of that later, but it probably will not consist of too much.

This group of pages exists because anyone who has set out to learn the Microsoft PKI will surely have had an abundance of frustration.

For one, finding information is hard. Most of the stuff the Microsoft has published has been moved, superseded, or contains errors. In fact, at this point very little Microsoft published PKI documentation exists for Server 2016 and up. However, most of the published information for Server 2003 and up is still mostly applicable. But I have also found very little help in the PKI pages published outside of Microsoft. A proper PKI is complicated to learn, I suspect that I have a few screw-ups in my pages as well.

Second, the topic of PKI is large. If you don’t understand what a PKI is and the purpose of the servers, you will have a hard time getting a PKI setup and properly working. Do yourself a big favor and first learn as much as possible about certificates and how they are used in an IT infrastructure. Then learn how a PKI works to fill this need. These two things will take time but will also help you get to the point where the instructions contained in these pages start to make sense.

Speaking of making sense of these pages, no attempt was made here to explain things in which a novice can learn from. These were put together as a way for me to remember how to do things. Most of the instructions in these pages I wrote out as I worked with my test bed, trying to learn how to do a proper PKI within the Microsoft world. I do a lot of shortcuts here but anyone with Microsoft server management time should be able to follow along, especially if they followed my suggestions in the paragraph above.

There are a large number of PKI topics and configurations that exist but are not cover here in the blog, such as three tier deployment, OCSP, and web enrollment, just to name a few. Likewise, my notes on certificate management are limited. You get the idea. If you do the learning as suggested above, you will see how much is not covered here, but you will also have an easier time learning the topics not covered here.

PKI Setup Process Order

Using the Microsoft Documentation, here is the order of setup used for both a single tier and a two tier PKI:

Single Tier – From: https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

  1. Install Active Directory Forest
  2. Prepare HTTP Web Server for CDP and AIA Publication
  3. Install Enterprise Root CA
  4. Perform Post Installation Configuration On Enterprise Root CA
  5. Install and Configure Online Responder (OCSP Responder)
  6. Verify PKI Hierarchy Health

Two Tier – From: https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

  1. Install the Active Directory Forest
  2. Prepare the web server for CDP and AIA publication
  3. Install the standalone offline root CA
  4. Perform post installation configuration steps on the standalone offline root CA
  5. Install Subordinate Issuing CA
  6. Perform the post installation configuration on the subordinate issuing CA
  7. Install and configure the online responder
  8. Verify the PKI hierarchy health

Links to pages within this blog:

A list of the more important links: 
https://www.binaryrecon.net/microsoft-pki-my-master-links-to-documentation
Firewall requirements:
https://www.binaryrecon.net/microsoft-pki---port-requirements-for-firewalls
Build out a stand-alone test PKI server using the command line:
https://www.binaryrecon.net/microsoft-pki---single-tier-server-command-line-setup
Build out a stand-alone test PKI server using the graphical interface:
https://www.binaryrecon.net/microsoft-pki---single-tier-server-graphical-setup
Build out a two tier PKI: 
https://www.binaryrecon.net/microsoft-pki---two-tier-configuration
Use pkiview to check for a proper configuration:
https://www.binaryrecon.net/microsoft-pki---pki-health-pkiview
Decommission a CA server that is being replaced:
Note: this does not consider all possibilities. Make sure you understand 
what you need to do beforehand:
https://www.binaryrecon.net/microsoft-pki-decommission-ca-server