Hello all,

In this post, I will show you how to install a Certification Authority on Windows Server 2016 in a two-tier hierarchy. In this hierarchy you install an offline root CA and at least one subordinate CA, and configure both. Although an offline CA can be a domain member, a domain member that stays powered off for months loses its secure channel with the domain (its computer account password is no longer rotated), so it is highly recommended to install the offline root on a standalone (workgroup) machine as a Standalone CA. A Standalone CA has no dependency on Active Directory, which is exactly what a server that is offline most of its life needs.

Offline Root CA

Installation of the role is a straightforward process, but for configuration you need to perform the following steps:

  • On the Credentials page, define the credentials that will be used during configuration
  • On the Role Services page, check the role services that are installed and need to be configured
  • On the Server Type page, select Standalone CA
  • On the CA Type page, select Root CA
  • On the Private Key page, select Create a new private key
  • On the Cryptography page, specify the cryptographic options (choose the SHA256 hash algorithm and an RSA key of at least 2048 bits, 4096 for a root; SHA1 is no longer accepted by modern clients)
  • On the CA Name page, specify the name of the CA
  • On the Validity Period page, specify the validity period (a root commonly gets 10 to 20 years; a subordinate certificate can never be valid beyond the root's own expiry)
  • On the Certificate Database page, specify the database location
  • On the Confirmation page, click Configure
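
The same root configuration can be done unattended. The following is an added example, not code from the original post; the CA name, key size, validity and the D:\ paths are assumed values you would replace with your own. It runs in an elevated PowerShell on the standalone (workgroup) root server and ends with the checks a practitioner wants before going any further.

```powershell
# Added example: unattended equivalent of the Offline Root CA wizard steps.
# Assumed values: CA name "ContosoRootCA", 4096-bit RSA, SHA-256, 10-year validity,
# database and log on D:\. Replace them with your own.

# 1. Install the role (the Server Manager "Add Roles" part).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure it as a Standalone Root CA with a new private key.
#    -CryptoProviderName picks the key storage provider; the software KSP is the
#    default, substitute your HSM's KSP name here if the root key is to live in hardware.
$params = @{
    CAType              = 'StandaloneRootCA'
    CACommonName        = 'ContosoRootCA'          # assumed name
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10
    DatabaseDirectory   = 'D:\CertDB'              # assumed paths
    LogDirectory        = 'D:\CertLog'
    Force               = $true                    # no confirmation prompt
}
Install-AdcsCertificationAuthority @params

# 3. Checks: the service is running, and the CA certificate really is SHA-256 / 4096-bit
#    (a wrong choice here is permanent; the root would have to be rebuilt).
Get-Service certsvc | Select-Object Name, Status
$ca = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq 'CN=ContosoRootCA'
$ca | Select-Object Subject, NotBefore, NotAfter
$ca.SignatureAlgorithm.FriendlyName   # expect sha256RSA
$ca.PublicKey.Key.KeySize             # expect 4096
```

Splatting the parameters into a hashtable keeps the values reviewable in change control, which matters for a root whose settings cannot be changed afterwards.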

Once you have installed and configured the Standalone Root CA, you need to configure new locations for the Certificate Revocation List (CRL) and Authority Information Access (AIA), because an offline root CA cannot serve them itself: clients must be able to fetch the root's CRL and certificate from a server that is always online, here a share on the subordinate CA. Remove the default LDAP entries at the same time: the root is not domain-joined, so it cannot publish there, and clients would only time out trying. To change these settings, follow these steps:

  • Open the Certification Authority console
  • Right click the CA server name and select Properties
  • Select the Extensions tab
  • With the CRL Distribution Point (CDP) extension selected, click Add

  • In Location enter file://\\SubordinateFQDN\CertData\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl and click OK
  • Check the Include in the CDP extension of issued certificates and Include in CRLs. Clients use this to find Delta CRL locations checkboxes (the second one only has an effect while delta CRLs are enabled, which an offline root normally does not need)
  • In the Select extension drop-down menu select Authority Information Access (AIA) and click Add

  • In Location enter file://\\SubordinateFQDN\CertData\<ServerDNSName>_<CaName><CertificateName>.crt and click OK
  • Check the Include in the AIA extension of issued certificates checkbox, click OK and select Yes to restart the AD CS service.

Once you have changed the CDP and AIA locations, export the root certificate in DER encoded binary X.509 (.CER) format and copy it to the subordinate CA. Also copy the files from C:\Windows\System32\CertSrv\CertEnroll (the root certificate and its current CRL, named exactly as the CDP and AIA URLs expect) to the subordinate CA.
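The whole CDP/AIA change, restart, CRL publication and export above can be scripted on the root with the ADCSAdministration cmdlets. This is an added example, not code from the original post. It assumes the subordinate is SUBCA01.corp.example, the share is named CertData, the CA is called ContosoRootCA and C:\Transfer is a folder on removable media used to carry files to the subordinate. The URIs keep the post's file:// form; an http:// URL on the same host is the more common choice because non-Windows and non-domain clients can reach it too.

```powershell
# Added example: CDP/AIA configuration of the offline root, run on the root CA
# after Install-AdcsCertificationAuthority. All names and paths are assumptions.
$sub = 'SUBCA01.corp.example'   # assumed subordinate FQDN hosting the CertData share
$cdp = "file://\\$sub\CertData\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"
$aia = "file://\\$sub\CertData\<ServerDNSName>_<CaName><CertificateName>.crt"

# Drop every default entry except the local CertEnroll path (that one is where
# certutil -crl writes the CRL). The LDAP/HTTP defaults point at a server that is
# offline or at a directory the root cannot publish to.
Get-CACrlDistributionPoint | Where-Object Uri -notlike 'C:\*' |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess | Where-Object Uri -notlike 'C:\*' |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# Equivalent of the two CDP checkboxes and the one AIA checkbox in the console.
Add-CACrlDistributionPoint -Uri $cdp -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri $aia -AddToCertificateAia -Force

# An offline root cannot publish delta CRLs on a schedule: disable them and make the
# base CRL valid long enough to cover the time the root stays powered off (assumed 26 weeks).
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"

Restart-Service certsvc
certutil -crl    # publish a CRL that carries the new settings

# Export the root certificate (DER) and collect the CertEnroll files for the subordinate.
New-Item -ItemType Directory -Path C:\Transfer -Force | Out-Null
$root = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq 'CN=ContosoRootCA'
Export-Certificate -Cert $root -FilePath C:\Transfer\ContosoRootCA.cer -Type CERT | Out-Null
Copy-Item C:\Windows\System32\CertSrv\CertEnroll\* -Destination C:\Transfer\

# Check: the extension tables should now hold only the local path and the new share URI.
Get-CACrlDistributionPoint | Select-Object Uri, AddToCertificateCdp, AddToFreshestCrl
Get-CAAuthorityInformationAccess | Select-Object Uri, AddToCertificateAia
```

The CRL period is the one setting people forget: it fixes how often the root has to be powered on, so pick it together with whoever will own that maintenance task.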

Subordinate CA

Installation of an Enterprise Subordinate CA is the same as for any other CA; it can be done from the Server Manager console or with PowerShell. The configuration is different, and you need to follow these steps:

  • On the Credentials page, define the credentials that will be used during configuration (an Enterprise CA needs Enterprise Admins membership, because it registers itself in Active Directory)
  • On the Role Services page, check the role services that are installed and need to be configured
  • On the Server Type page, select Enterprise CA
  • On the CA Type page, select Subordinate CA
  • On the Private Key page, select Create a new private key
  • On the Cryptography page, specify the cryptographic options
  • On the CA Name page, specify the name of the CA
  • On the Certificate Request page, select Save a certificate request to file on the target machine and specify the location
  • On the Certificate Database page, specify the database location
  • On the Confirmation page, click Configure

Then install the root certificate, previously exported from the Offline Root CA server, in the Trusted Root Certification Authorities store. Because the subordinate is an Enterprise CA, publish the root certificate to Active Directory as well, so that every domain member trusts it automatically rather than one machine at a time. All files copied from C:\Windows\System32\CertSrv\CertEnroll need to be placed in the shared folder that was previously created and configured as the CDP and AIA location; the subordinate's service will not start until it can fetch the root's CRL from there.
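The subordinate-side steps up to this point, scripted. This is an added example and not code from the original post; it assumes you run it as an Enterprise Admin on the domain-joined server SUBCA01, that the root's files were carried over in C:\Transfer, and that the new CA is named ContosoIssuingCA.

```powershell
# Added example: Enterprise Subordinate CA configuration, root trust and CertData share.
# Names, paths and the share layout are assumptions.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Configure the CA. The cmdlet writes the request file and leaves certsvc stopped
# until the issued certificate is installed, exactly as the wizard does.
$params = @{
    CAType                = 'EnterpriseSubordinateCA'
    CACommonName          = 'ContosoIssuingCA'      # assumed name
    CryptoProviderName    = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength             = 4096
    HashAlgorithmName     = 'SHA256'
    OutputCertRequestFile = 'C:\Transfer\ContosoIssuingCA.req'
    DatabaseDirectory     = 'D:\CertDB'             # assumed paths
    LogDirectory          = 'D:\CertLog'
    Force                 = $true
}
Install-AdcsCertificationAuthority @params

# Trust the root. -addstore covers this server (the manual step in the post);
# -dspublish into the RootCA container makes every domain member trust it via AD.
certutil -addstore -f Root C:\Transfer\ContosoRootCA.cer
certutil -dspublish -f C:\Transfer\ContosoRootCA.cer RootCA

# Create the share named in the root's CDP/AIA URLs. Read-only for everyone,
# write only for local administrators, who are the ones copying in new CRLs.
New-Item -ItemType Directory -Path C:\CertData -Force | Out-Null
New-SmbShare -Name CertData -Path C:\CertData `
    -ReadAccess 'Everyone' -FullAccess 'BUILTIN\Administrators' | Out-Null

# Stage the root's CertEnroll files (its .crt and .crl) on the share.
Copy-Item -Path C:\Transfer\*.crt, C:\Transfer\*.crl -Destination C:\CertData\

# Check from the network path clients will actually use.
Get-ChildItem \\SUBCA01.corp.example\CertData\
```

Keep the share read-only for clients: anyone who can write to the CDP location can replace the CRL, and a CRL that never lists a compromised certificate is worse than no CRL at all.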

The last step in configuring the Subordinate CA is obtaining a valid certificate from the root CA, using the previously created certificate request file. To do this, perform the following steps on the root CA:

  • Open the Certification Authority console
  • Right click the root CA name, click All Tasks and select Submit new request, then browse to the request file
  • Click Pending Requests, right click the request, click All Tasks and select Issue

After 15-20 seconds, the certificate will be issued to the Subordinate CA. As a final step, export the issued certificate (Issued Certificates, open the certificate, Details tab, Copy to File) in PKCS #7 Certificates (.P7B) format with the option Include all certificates in the certification path if possible selected. The exported certificate needs to be copied to the Subordinate CA and installed using the Certification Authority console:

  • Open the Certification Authority console
  • Right click the Subordinate CA, click All Tasks and select Install CA Certificate
  • Select the certificate that was exported and copied from the root CA and click Open
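
The same round trip from the command line, as an added example that is not part of the original post. Part 1 runs on the offline root, part 2 on the subordinate. It assumes the root's configuration string is ROOTCA01\ContosoRootCA (host name, backslash, CA common name) and that files move between the machines through C:\Transfer; certreq's -retrieve writes the chain file as PKCS #7, which is the .p7b the post exports by hand.

```powershell
# Added example: submit, issue and install the subordinate CA certificate.
# Config string, names and paths are assumptions.

# ---- Part 1: on the offline root CA ----
$cfg = 'ROOTCA01\ContosoRootCA'               # "<host>\<CA common name>"
$req = 'C:\Transfer\ContosoIssuingCA.req'

# Submit. A standalone CA sets the request to Pending and prints its RequestId;
# capture the number from the output instead of reading it off the console.
$out   = certreq -submit -config $cfg $req
$reqId = [int]([regex]::Match(($out -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value)
if ($reqId -lt 1) { throw "Request was not accepted:`n$($out -join "`n")" }

# Issue it (the "All Tasks > Issue" step), then retrieve the certificate (DER)
# and the PKCS #7 chain file.
certutil -config $cfg -resubmit $reqId
certreq -retrieve -config $cfg $reqId `
    C:\Transfer\ContosoIssuingCA.cer C:\Transfer\ContosoIssuingCA.p7b

# ---- Part 2: on the subordinate CA ----
# Install the issued certificate ("Install CA Certificate") and start the service.
# -installcert fails if the root is not yet trusted or its CRL is unreachable,
# which is the same failure the console reports.
certutil -installcert C:\Transfer\ContosoIssuingCA.p7b
Start-Service certsvc
Get-Service certsvc | Select-Object Name, Status

# Check the chain exactly as a client would: every AIA and CDP URL is fetched.
# Any "Failed" line points at a wrong URL, a missing file on the share, or an
# expired root CRL.
certutil -verify -urlfetch C:\Transfer\ContosoIssuingCA.cer
```

Run the -urlfetch check from an ordinary domain workstation as well, not only from the CA: that is where a typo in the file:// path or a share permission problem shows up.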

After 20-30 seconds, the Subordinate CA will be up and running. Verify in the Enterprise PKI console (pkiview.msc) that every CDP and AIA location for both CAs shows a status of OK.

Once you have installed and configured the two-tier hierarchy, the Root CA can be turned off. Offline does not mean forgotten: the root's CRL has a fixed Next Update date, and when it passes every certificate below the root fails revocation checking. Before that date the root must be powered on, a new CRL published and copied to the CDP share; the root is also needed whenever the subordinate's certificate has to be renewed.
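
The maintenance routine that goes with that, as an added example not found in the original post. It assumes the root is named ContosoRootCA, the CDP share is \\SUBCA01.corp.example\CertData, C:\Transfer is the hand-carry folder, and that the subordinate's certificate was saved as C:\Transfer\ContosoIssuingCA.cer.

```powershell
# Added example: watching the offline root's CRL and renewing it. Names are assumptions.

# Run anywhere that can read the share (a scheduled task on the subordinate works):
# how many days are left on the CRL that clients actually download?
function Get-CrlDaysRemaining {
    param([string]$CrlPath)
    # certutil -dump prints a "NextUpdate:" line; keep the text after the first colon
    # (the timestamp itself contains colons, hence the split limit of 2).
    $line  = certutil -dump $CrlPath | Select-String 'Next ?Update:' | Select-Object -First 1
    $stamp = ($line.Line -split ':\s*', 2)[1].Trim()
    [math]::Floor(([datetime]::Parse($stamp) - (Get-Date)).TotalDays)
}

$crlOnShare = '\\SUBCA01.corp.example\CertData\ContosoRootCA.crl'
$days = Get-CrlDaysRemaining $crlOnShare
if ($days -lt 14) {
    Write-Warning "Root CRL expires in $days days: power on the root and renew it."
}

# On the root CA, once powered on: sign a new CRL. It lands in the local CertEnroll
# folder, the only CDP entry with "Publish CRLs to this location", then stage it.
certutil -crl
Copy-Item C:\Windows\System32\CertSrv\CertEnroll\ContosoRootCA.crl -Destination C:\Transfer\ -Force

# Back on the subordinate: replace the published CRL and confirm the new one is live.
Copy-Item C:\Transfer\ContosoRootCA.crl -Destination $crlOnShare -Force
"Root CRL now valid for $(Get-CrlDaysRemaining $crlOnShare) more days"
```

The warning threshold should be comfortably longer than the time it takes to get someone physically to the root; a two-week margin against a 26-week CRL period is a common choice.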
