Microsoft PKI – Two Tier Configuration

If you have not already read the first page in this MS PKI series, you should do so before continuing.

It is suggested that you read through all of this article prior to doing anything. In fact, you should understand what a “two-tier” PKI is and how it is used before continuing.

The instructions below are broken into two main parts. The first part is for the root CA server and the second part is for the issuing servers. Note that "issuing server(s)" is plural, but only one set of instructions is provided. You must adapt the instructions to each additional server that you build.

Note also that within both sections are configuration items that involve setting up IIS for the CRL/AIA points. You should build the IIS server out as a separate server, not as part of the issuing server as I have done here (to save time and VM resources in my test environment).

Root CA server configuration

Install and set up the base server – but DO NOT join it to the domain. Also, you cannot change the server name after the role is installed!

Example CAPolicy.inf:

Create and copy CAPolicy.inf BEFORE installing the role. “RenewalValidityPeriodUnits” and “CRLPeriodUnits” should be high, as this is a root CA and it will stay offline unless needed.

 [Version]
 Signature="$Windows NT$"

Copy the CAPolicy.inf to C:\Windows (%systemroot%) of the root CA server.

Install CA Role:

 Standalone root CA (i.e. not on the domain)
 "Certification Authority" role service only.

RootCA – Configure ADCS:

 "Certification Authority"
 "Standalone CA"
 "Root CA"
 "Create Private Key"
  RSA default is ok, key length 4096, SHA256
 Common name
 "Validity period" - should be taken from CAPolicy.inf, or set equal to the value there.

After this is complete, check the certificate with MMC CertSRV. It should match the settings above.

 "Server Manager", "Tools", "Certification Authority"
      R-click CA, "Properties", "General" tab, "View Certificate"

You must do the following (CDP and AIA) before issuing subordinate certificates!

Don’t screw these up or you have to start over because issued root certificates will be bad.

In other words – plan ahead for ALL the required servers! Again, see the top of this page.

NOTE:  I have seen it stated that the AIA/CDP information should not be established on the root server. We will do it here because the MS examples set it up.

 "Server Manager", "Tools", "Certification Authority" (or MMC CertSRV - same thing)
      R-click CA, "Properties", "Extensions" tab

Add CDP (CRL Distribution Point):

 Click Add and enter the HTTP path to your CDP web directory, using "Variable" and Insert to append <CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
 Check "Include in CRLs" and "Include in the CDP extension of issued certificates"
 Remove the default entries except the C:\windows\... one (this is a standalone CA, so the file and ldap entries are not used anyway), or uncheck every box for each of them.

Add AIA (Authority Information Access):

 Click Add and enter the HTTP path to your AIA web directory, using "Variable" and Insert to append <ServerDNSName>_<CAName><CertificateName>.crt

 Check "Include in the AIA extension of issued certificates"
 Remove the default entries except the C:\windows\... one (this is a standalone CA, so the file and ldap entries are not used anyway), or uncheck every box for each of them.

Publish CRL (certutil -crl):

 R-click "Revoked Certificates"
 All Tasks, Publish

 CD to C:\Windows\system32\certsrv\certenroll
 Copy the CRL and the root certificate to C:\pki on the subordinate servers (store them on a USB drive or share so you can do that later)

Publish Root Certificate to AD:

 Copy the root certificate to a domain joined server such as the issuing server.
      Open PowerShell terminal as admin.
           certutil -dspublish -f <name>.crt RootCA 

Issuing (subordinate) server configuration

NOTE:  IIS is recommended as the distribution point for the CRL Distribution Point (CDP) and the Authority Information Access (AIA) point. It should typically be a separate server, possibly in the DMZ, depending on the PKI requirements.  Here I am installing it on the issuing server, but this is not recommended.  This can also create problems when later moving to a new PKI system, so just be aware of that.

Subordinate CAs – intermediate (policy) and/or issuing CAs. Enterprise (on the domain) or standalone. We will place ours on the domain.

Set up the base server – join it to the domain and name it. You cannot change the server name after the role is installed!

Add Root Certificate and Root CRL to the issuing server’s local store:

NOTE: Not totally necessary but this is supposed to help with issuing server setup that follows. Otherwise, the root cert can be obtained via GPO and the root CRL via CDP location if both are configured.

Copy the root certificate and root CRL to the domain joined issuing server.
Open PowerShell terminal as admin.
 certutil -addstore -f root <name>.crt
 certutil -addstore -f root <name>.crl 

NOTE: Not sure if this is necessary or helpful, but I do it anyhow:

Install ROOT-CA certificate on subordinate server:

 D-click ROOT-CA certificate, "Install Certificate", "Local Machine",
      "Place all certificates in the following store", select "Trusted Root Certification Authorities"

 Check in browser that rootCA certificate shows up in the certificate store. 

Create a DNS CNAME for the following on the DNS server:  -->

Install the IIS Role:

Should be obvious to a MS admin.

Setup CDP and AIA distribution point directory for web access:

Create directory: C:\pki
      New-Item -Path C:\pki -type directory

Create a share:
      New-SmbShare -Name pki -Path C:\pki -FullAccess SYSTEM,"contoso\Domain Admins" -ChangeAccess "contoso\Cert Publishers"
Copy ROOT-CA certificate and Certificate Revocation List to C:\pki 

In IIS – Setup a Virtual Directory:

Sites, r-click "Default Web Site", "Add Virtual Directory"
      Alias = "pki"
      Physical path = "c:\pki"
Select "pki", "Edit permissions", Security tab, edit
      Grant access to "anonymous logon", "Everyone" (read and list)
"Request Filtering", "Edit Feature Settings",
      Check "Allow Double Escaping" (delta CRL file names contain a "+" character, which request filtering otherwise rejects)
Restart IIS 

Example CAPolicy.inf:

“RenewalValidityPeriodUnits” cannot be higher than on the root CA.

 [Version]
 Signature="$Windows NT$"

Copy CAPolicy.inf to C:\Windows (%systemroot%) of the server.
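The root and issuing CAPolicy.inf files described in the two sections above, written out by an added PowerShell example (not from the original post). The period and key-length values are assumptions; the only constraint taken from the text is that the issuing CA's RenewalValidityPeriodUnits stays below the root's.

```powershell
param([ValidateSet('Root','Issuing')][string]$Tier = 'Root')

# Offline root: long renewal period, infrequent base CRL, no delta CRL (values assumed)
$rootPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
AlternateSignatureAlgorithm=0
'@

# Enterprise issuing CA: RenewalValidityPeriodUnits stays below the root's 20 (values assumed);
# LoadDefaultTemplates=0 keeps the CA from publishing every default template at install time
$issuingPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Days
CRLPeriodUnits=7
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=1
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
'@

$content = if ($Tier -eq 'Root') { $rootPolicy } else { $issuingPolicy }
$dest = Join-Path $env:SystemRoot 'CAPolicy.inf'   # %systemroot%\CAPolicy.inf
# The file is only read while the ADCS role is being configured, so write it first
Set-Content -Path $dest -Value $content -Encoding ASCII
Get-Content -Path $dest
```

Run it with -Tier Root on the root CA and -Tier Issuing on the subordinate before installing the role.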

Install CA Role:

NOTE: If you need other roles such as “Certification Authority Web Enrollment” (I don’t yet cover these other roles in the blog), also do them now.

 "Active Directory Certificate Services"
 "Certification Authority"
     Read descriptions for others you may need. 

Configure ADCS Subordinate (Issuing):

What you chose above may also affect the choices here.

 Select "Certification Authority"
 "Enterprise CA"
 "Subordinate CA"
 "Create Private Key"
 RSA default is ok, key length 4096, SHA256
 Common name
 "Request a certificate from parent CA":
      If rootCA online, choose "Send a certificate request to parent CA"
      If rootCA offline, choose "Save a certificate request to file on target machine"
 Finish configuration wizard steps 

Copy the issuing server request to the rootCA.

In root CA MMC certsrv:

 R-click "ROOT-CA", "All Tasks", "Submit new request", select request file
 Open "Pending Requests", R-click, "All Tasks", "Issue"
 Open "Issued Certificates", R-click, "Open", "Details", "Copy to File", export as .P7B

Copy certificate back to subordinate CA server.

In the issuing server MMC certsrv:

 R-click CA server, "All Tasks", "Install CA Certificate", select certificate
 From C:\pki, copy ROOT-CA certificate and Certificate Revocation List to C:\Windows\system32\certsrv\certenroll
 R-click CA server,  "All Tasks", "Start Service" 

Post Install Configuration:

Set CDP (this is all in one command). Each entry is <flags>:<url>, and entries are separated by a literal \n. The flag bits are 1 = publish CRLs to this location, 2 = include in the CDP extension of issued certificates, 4 = include in CRLs so clients can find the delta CRL, 8 = include in the CDP extension of CRLs, and 64 = publish delta CRLs to this location; so 65 publishes base and delta CRLs, 79 does all of the above, and 6 (the HTTP entry) only references the location without publishing to it:

 certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:\n65:file://\\\pki\%3%8%9.crl" 

Set AIA (this is all in one command). Here the flag bits are 1 = publish the CA certificate to this location and 2 = include in the AIA extension of issued certificates:

 certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:" 
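The same two certutil -setreg values composed from named flag bits rather than magic numbers, as an added PowerShell example (not from the original post). $PkiHost is a placeholder for the DNS alias of the CDP/AIA web server; the HTTP URLs are assumptions, since the post does not show them.

```powershell
param([switch]$Apply)
$PkiHost = 'pki.contoso.com'   # placeholder: DNS alias of the CDP/AIA web server

# Flag bits accepted by CA\CRLPublicationURLs
$CRL_PUBLISH         = 1    # CA writes base CRLs to this location
$CRL_ADD_TO_CERT_CDP = 2    # include in the CDP extension of issued certificates
$CRL_ADD_TO_FRESHEST = 4    # include in the Freshest CRL (delta CRL) extension
$CRL_ADD_TO_CRL_CDP  = 8    # include in the CDP extension of the CRLs themselves
$CRL_PUBLISH_DELTA   = 64   # CA also writes delta CRLs to this location
# Flag bits accepted by CA\CACertPublicationURLs
$AIA_PUBLISH         = 1    # CA writes its own certificate to this location
$AIA_ADD_TO_CERT     = 2    # include in the AIA extension of issued certificates

function New-PublicationString([hashtable[]]$Entries) {
    # certutil expects "<flags>:<url>" entries joined by a literal backslash-n
    ($Entries | ForEach-Object { '{0}:{1}' -f $_.Flags, $_.Url }) -join '\n'
}

$cdp = New-PublicationString @(
    @{ Flags = $CRL_PUBLISH + $CRL_PUBLISH_DELTA                                   # 65
       Url   = 'C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl' }
    @{ Flags = $CRL_PUBLISH + $CRL_ADD_TO_CERT_CDP + $CRL_ADD_TO_FRESHEST +
               $CRL_ADD_TO_CRL_CDP + $CRL_PUBLISH_DELTA                            # 79
       Url   = 'ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10' }
    @{ Flags = $CRL_ADD_TO_CERT_CDP + $CRL_ADD_TO_FRESHEST                         # 6
       Url   = "http://$PkiHost/pki/%3%8%9.crl" }
    @{ Flags = $CRL_PUBLISH + $CRL_PUBLISH_DELTA                                   # 65
       Url   = "file://\\$PkiHost\pki\%3%8%9.crl" }
)
$aia = New-PublicationString @(
    @{ Flags = $AIA_PUBLISH;     Url = 'C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt' }            # 1
    @{ Flags = $AIA_ADD_TO_CERT; Url = 'ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11' }  # 2
    @{ Flags = $AIA_ADD_TO_CERT; Url = "http://$PkiHost/pki/%1_%3%4.crt" }                                # 2
)

"CRLPublicationURLs    = $cdp"
"CACertPublicationURLs = $aia"
if ($Apply) {
    certutil -setreg CA\CRLPublicationURLs $cdp
    certutil -setreg CA\CACertPublicationURLs $aia
    Restart-Service certsvc      # the new URLs take effect only after a restart
    certutil -crl                # republish CRLs to the locations carrying bit 1/64
}
```

Without -Apply the script only prints the two strings so they can be reviewed against the page's values above before anything is written to the CA registry.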

Additional settings from the command line as administrator: *Set short for testing only*

 Certutil -setreg CA\CRLPeriodUnits 2
 Certutil -setreg CA\CRLPeriod "Days"
 Certutil -setreg CA\CRLDeltaPeriodUnits 1
 Certutil -setreg CA\CRLDeltaPeriod "Days"
 Certutil -setreg CA\CRLOverlapPeriodUnits 3
 Certutil -setreg CA\CRLOverlapPeriod "Hours"
 Certutil -setreg CA\ValidityPeriodUnits 5
 Certutil -setreg CA\ValidityPeriod "Years" 

Copy Issuing CA Certificate to C:\pki AIA Location:

 Copy "C:\Windows\System32\certsrv\certenroll\< Issuing CA Cert>.crt" to C:\pki\ 

Restart service and publish CRLs:

restart-service certsvc
certutil -crl 

Check AIA and CDP PKI health:

 MMC, add the "Enterprise PKI" snap-in (pkiview.msc)
      AIA location "OK"
      CDP location "OK"
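A scripted version of the same health check, as an added PowerShell example (not from the original post): it reads the HTTP CDP and AIA URLs out of a certificate issued by the CA, fetches each, and flags any CRL whose NextUpdate has already passed, which is the condition that makes clients fail revocation checking. $CertPath is a placeholder, and the date parsing assumes English-language certutil output.

```powershell
param([string]$CertPath = 'C:\pki\IssuingCA.crt')   # placeholder path

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Pull "URL=http://..." entries out of the CDP (2.5.29.31) or AIA (1.3.6.1.5.5.7.1.1) extension
function Get-ExtensionUrls($Certificate, [string]$Oid) {
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(http\S+)') | ForEach-Object { $_.Groups[1].Value }
}

foreach ($url in (Get-ExtensionUrls $cert '1.3.6.1.5.5.7.1.1')) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        "AIA OK      $url ($($r.Content.Length) bytes)"
    } catch { "AIA FAIL    $url : $($_.Exception.Message)" }
}

foreach ($url in (Get-ExtensionUrls $cert '2.5.29.31')) {
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 -OutFile $tmp
        # certutil -dump prints "NextUpdate: <date>"; past that date Windows treats the CRL as stale
        $dump = certutil -dump $tmp | Out-String
        if ($dump -match 'NextUpdate:\s*(.+)') {
            $next = [datetime]::Parse($Matches[1].Trim())   # assumes English locale output
            $state = if ($next -gt (Get-Date)) { 'OK     ' } else { 'EXPIRED' }
            "CDP $state $url (NextUpdate $next)"
        } else { "CDP UNKNOWN $url (NextUpdate not found in certutil output)" }
    } catch { "CDP FAIL    $url : $($_.Exception.Message)" }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}
```

Run it against a leaf certificate to test the issuing CA's URLs, or against the issuing CA's own certificate to test the root's CDP/AIA entries.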

View AIA and CDP settings:

 certutil -getreg CA\CACertPublicationURLs
 certutil -getreg CA\CRLPublicationURLs
 Open "Tools", "Certification Authority" (MMC CertSRV), "Properties", "Extensions" tab