Guide - Deploying a Windows 2012 R2 Root CA and Subordinate CA

In this guide we will deploy a Windows 2012 R2 standalone Root Certificate Authority and an Enterprise Subordinate Certificate Authority.


The Root CA server name is CA01
The Subordinate CA name is CA02

Build a standalone root CA


Deploy Windows 2012 R2 onto your chosen physical or virtual server.
Ensure the server is patched with the latest Windows Updates.
Add the Active Directory Certificate Services role to the Root CA server and select Next
Accept the defaults and select Add Features
Accept the defaults and select Next
Select Next
Accept the defaults and select Next
Select Install
Once the installation is complete select Configure Active Directory Certificate Services on the destination server
Enter the required username and select Next (this is a workgroup server; best practice is to rename your administrator account)
Select the Certification Authority and select Next
Select Standalone CA and select Next
Select Root CA and select Next
Select Create a new private key and select Next
Select the required hash algorithm (in this example I have used SHA256 with a key length of 2048) and select Next
Enter the Common Name for this CA and select Next
Select the validity period and select Next
Set the database and log locations and select Next
Review and select Configure
Select Close once the configuration has completed
Select Close
When the CA configuration is complete we need to configure the CA properties with the information of the new subordinate CA we are going to deploy.
Open the Certificate Authority MMC Snap-in
Right Click the CA and select Properties
Click the Extensions tab and add a CDP pointing to the subordinate CA, which will be the server actually distributing the CRL and certificates.
The target CDP, with its optional settings, is configured as:
http://CA02.domain.internal/certdata/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Also add a new AIA location, with its optional setting, as:
http://CA02.domain.internal/certdata/<ServerDNSName><CaName><CertificateName>.crt
Click OK and Restart the CA Services when prompted.
Now we need to publish the Certificate Revocation List. Right-click Revoked Certificates and select All Tasks / Publish
Select New CRL and click OK
Open the Local Computer MMC Certificate Snap-in and Export the Root CA Certificate
Right Click the Certificate and select All Tasks / Export
Select Next
Select No, do not export the private key and click Next
Select DER and click Next
Export the .CER file to a network share and click Next
Click OK
Copy the contents of the C:\Windows\System32\CertSrv\CertEnroll\ folder to the same network share
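The root CA build above as a scripted equivalent, added here and not part of the original guide; the CA common name Contoso-RootCA, the 10-year validity and the share \\FS01\PKI are placeholders, while the CDP and AIA URLs are the ones configured on the Extensions tab above.

```powershell
# Added example, not from the original guide: scripted build of the standalone
# root CA (CA01). Placeholders: CA common name, validity and export share.
$CaName = 'Contoso-RootCA'   # assumption: your CA common name
$Share  = '\\FS01\PKI'       # assumption: share reachable from CA02 later

# Install the Certification Authority role and its management tools
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Standalone (workgroup) root CA, SHA256 with a 2048-bit RSA key as in the guide;
# database and log locations are the service defaults
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory 'C:\Windows\System32\CertLog' `
    -LogDirectory 'C:\Windows\System32\CertLog' -Force

# CDP and AIA locations on the subordinate CA's web folder. The <CaName>-style
# tokens are the same substitution variables the Extensions tab uses; the
# switches are the "include in the ... extension of issued certificates" boxes.
$Base = 'http://CA02.domain.internal/certdata/'
Add-CACrlDistributionPoint -Uri "$Base<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -Force
Add-CAAuthorityInformationAccess -Uri "$Base<ServerDNSName><CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# Extension changes take effect only after the CA service restarts
Restart-Service certsvc

# Publish a new CRL (Revoked Certificates > All Tasks > Publish > New CRL)
certutil -crl

# Export the root certificate as DER without the private key, then copy the
# CertEnroll folder (CRL and CRT) to the share for the subordinate CA build
$RootCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CaName" }
Export-Certificate -Cert $RootCert -FilePath "$Share\$CaName.cer" -Type CERT
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*' -Destination $Share
```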

Deploy the Enterprise subordinate CA


Deploy Windows 2012 R2 onto your chosen physical or virtual server.
Ensure the server is patched with the latest Windows Updates.
Join the server to the required Active Directory domain.
Add the Active Directory Certificate Services role to the Subordinate CA server and select Next
Accept the defaults and select Add Features
Accept the defaults and select Next
Accept the defaults and select Next
Select Certification Authority and Certification Authority Web Enrollment and select Next
Accept the defaults and select Add Features
Select Next
Accept the defaults and select Next
Select Install
Once the installation is complete select Configure Active Directory Certificate Services on the destination server
Enter the Domain user credentials and select Next
Select Certification Authority and Certification Authority Web Enrollment and select Next
Select Enterprise CA and click Next
Select Subordinate CA and click Next
Select Create a new private key and click Next
Select the required hash algorithm (in this example I have used SHA256 with a key length of 2048) and select Next
Enter the Common Name for this CA and select Next
Select Save a certificate request to a file on the target machine and click Next
Set the database and log directory and click Next
Review and click Configure
Click Close
You now need to import the Root CA certificate you exported earlier into the Trusted Root Certification Authorities store on the Subordinate CA.
Browse to the network share and Right click the certificate and select Install Certificate
Select Local Machine and click Next
Select Trusted Root Certification Authorities and click OK
Click Next
Click Finish
Click OK
Create the folder C:\inetpub\wwwroot\certdata and copy into it the CRL and CRT files exported earlier; IIS serves this folder as http://CA02.domain.internal/certdata/, the path used in the CDP and AIA extensions on the Root CA.
Now copy the subordinate CA request file from the subordinate CA to the network share folder.
Switch to the Root CA and Submit a new request to the Root CA using the Certificate Authority MMC Snap-in
Once submitted, issue the certificate by right-clicking the pending request and selecting All Tasks / Issue
Once issued, export the certificate to a P7B file, ensuring all the certificates in the certification path are included
Select .P7B and ensure that the Include all certificates in the certification path if possible checkbox is selected, then click Next
Save the certificate to the network share
Click OK
Open the certificate and ensure all certificates for establishing a trust are included.
Switch back to your Subordinate CA and use the Certification Authority console to install the P7B certificate
Start the CA Service

You need to ensure you disable CRL checking for the Sub CA, as the Root CA is offline and therefore will not be able to issue updated CRLs. If this is not disabled, the CA will fail to start after the initial CRL has expired.

Run the following command from an administrative command prompt, then restart the CA service for the setting to take effect

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
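The subordinate CA steps above, including the CRLFlags setting, as a scripted equivalent added here and not part of the original guide; the CA names Contoso-IssuingCA and Contoso-RootCA and the share \\FS01\PKI are placeholders, and the middle section runs on the root (CA01) while the rest runs on CA02.

```powershell
# Added example, not from the original guide: scripted equivalent of the
# enterprise subordinate CA build (CA02) and the request/issue round trip
# with the root (CA01). Placeholders: CA names and share path.
$SubCaName  = 'Contoso-IssuingCA'   # assumption
$RootCaName = 'Contoso-RootCA'      # assumption: name used when CA01 was built
$Share      = '\\FS01\PKI'          # assumption: share holding the root's files

# --- On CA02 (domain joined, run as an Enterprise Admin) ---
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Enterprise subordinate CA: writes a request file instead of a certificate,
# so the CA service stays stopped until the issued certificate is installed
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName $SubCaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "$Share\$SubCaName.req" -Force

# Trust the offline root locally and serve its CRL/CRT from the IIS folder
# behind the CDP/AIA URLs configured on CA01
Import-Certificate -FilePath "$Share\$RootCaName.cer" -CertStoreLocation Cert:\LocalMachine\Root
New-Item -ItemType Directory -Path 'C:\inetpub\wwwroot\certdata' -Force | Out-Null
Copy-Item "$Share\*.crl", "$Share\*.crt" -Destination 'C:\inetpub\wwwroot\certdata'

# --- On CA01 (root) --- submit, issue, then retrieve the certificate with its chain (.p7b)
$Config = "CA01\$RootCaName"
$Submit = certreq -submit -config $Config "$Share\$SubCaName.req"
$Id     = [int]([regex]::Match(($Submit -join ' '), 'RequestId:\s*(\d+)').Groups[1].Value)
certutil -config $Config -resubmit $Id
certreq -retrieve -config $Config $Id "$Share\$SubCaName.cer" "$Share\$SubCaName.p7b"

# --- Back on CA02 --- install the issued certificate and start the CA
certutil -installcert "$Share\$SubCaName.p7b"
Start-Service certsvc

# The root is offline, so stop an expired root CRL from blocking CA start-up;
# registry flags are read when the service starts, hence the restart
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
Restart-Service certsvc
```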

Deploy the Root CA Certificate via Group Policy


Open Group Policy Management Console
Select the Default Domain Policy (or the required policy Object)
Under Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities, right-click and select Import, select the file you saved earlier and click Open
Click Finish
Review to ensure the CA certificate is present.
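A check to run on a domain member once the policy has applied, added here and not part of the original guide; it assumes the root CA name Contoso-RootCA and the subordinate CA certificate saved at \\FS01\PKI\Contoso-IssuingCA.cer, both placeholders.

```powershell
# Added check, not from the original guide: confirm on a domain member that
# the root is trusted via Group Policy and that the CDP/AIA URLs on CA02 work.
$RootCaName = 'Contoso-RootCA'                     # assumption
$SubCaCert  = '\\FS01\PKI\Contoso-IssuingCA.cer'   # assumption: sub CA cert retrieved from the root

gpupdate /target:computer /force | Out-Null

$Root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq "CN=$RootCaName" }
if (-not $Root) {
    throw 'Root CA certificate missing from Trusted Root store: check GPO scope with gpresult /r'
}
"Root CA trusted: thumbprint $($Root.Thumbprint), expires $($Root.NotAfter)"

# -urlfetch makes certutil download the CRL and CA certificate from the URLs
# embedded in the certificate, so an empty or unreachable certdata folder shows up here
$Result = certutil -verify -urlfetch $SubCaCert
if ($LASTEXITCODE -ne 0) {
    $Result | Where-Object { $_ -match 'CDP|AIA|Error|Failed' }
    throw 'Chain build or revocation check failed'
}
'Chain, CDP and AIA checks passed'
```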