Tech Thursday: How To Configure Microsoft Certificate Services PKI

Tech Thursday: How To Configure Microsoft Certificate Services PKI

For the last few weeks, we’ve been looking at digital certificates and the Public Key Infrastructure (PKI) that makes them work. Last week, we looked at some design considerations for a Microsoft AD Certificate Services PKI. If you’ve decided to go ahead and set up your own in-house PKI, then this article will help you get started!

This week we will cover setting up the offline root CA. Then next week we’ll finish up with configuring an issuing CA and making sure that the certs and CRL are published so that your clients can use them.

Preparing the Servers to Install PKI

To configure AD CS, you’ll need to have a functioning Active Directory domain. Additionally, you’ll need two Windows servers. One of them will be set up as your offline root CA. This one should not be joined to the domain, and is normally left offline and secured. It would only need to be used if you need to make changes to the Issuing CAs -- adding, renewing or revoking an Issuing CA certificate.

The other server should be a standard domain-joined server. It will house the issuing CA as well as the web server that distributes the Authority Information Access (AIA) and CRL Distribution Point (CDP). However, if you’d like to configure these two items on a separate Web server, that is fine too. Either way, go ahead and install IIS on the server that you plan to use for this purpose.

Installing the Root CA

Once your servers are prepped, it’s time to start configuring the offline root CA. First, log in to that server with the local administrator account. Open Server Manager, and choose Tools > Add Roles and Features. In the Server Roles list, choose Active Directory Certificate Services, and then click Next until you reach the Role Services screen. There, select Certification Authority. Click through to complete the installation.

Once the install is complete, click “Configure Active Directory Certificate Services on the destination server”. This will launch a wizard to configure the root CA.

On the Setup Type screen, choose “Standalone CA” (this is the only option that will be available on a non-domain-joined server). Then, for “Specify the type of CA”, choose “Root CA”, then choose “Create a new private key”.

Then, you’ll be presented with some important cryptographic options. Enter the key length that you decided on -- 2048 is typically the standard now. Also, make sure that you’ve selected a secure hash algorithm. SHA1 is no longer considered secure, so SHA256 or better should be used.

After you click next, enter the validity period for your root CA. This will normally be very long -- 20 years is a typical value.

Click Next twice, and then click Configure to set up your root CA.

Configuring the Root CA to work with AD

Next, there are a few configuration changes that you’ll need to make on the root CA.

First, you’ll need to tell your root CA which AD domain to publish certificates to. To do this, you’ll use certutil.exe at the command prompt.

Open a command prompt window and enter the following commands, replacing “example” and “com” with the DC of your domain:

certutil.exe -setreg ca\DSConfigDN CN=Configuration,DC=example,DC=com

certutil.exe -setreg ca\DSDomainDN “DC=example,DC=com

Next, we’ll configure the AIA and CDP. On your IIS server, create a new virtual directory called “CertEnroll”. Then, back on the Root CA, open MMC and add the Certificate Services snap-in.

Right-click on the CA and choose Properties. On the Extensions tab, select CRL Distribution Point (CDP). Add a new path that points to your web server, like so:


Do the same for the Authority Information Access (AIA) extension:


Click Apply, and then restart the certificate service.

Finally, you’ll need to change the validity period for the CRL. The CRL will be need to be updated earlier than this interval, meaning you’ll need to boot up the root CA and publish a new CRL at that point. Since this is a root CA, you don’t want to have to do this very often. So, back in the Certificates MMC, right-click on Revoked Certificates and choose Properties. Change this value to 20 years.

Finally, right-click on Revoked Certificates and choose Publish.

And that completes the installation of the root CA! Next week, we’ll look at how to configure the Issuing CA and actually issue some certificates.


E-N Computers can help your business to protect itself against today’s security threats. Contact us today to find out why leading companies in Virginia, Washington, D.C. and Maryland trust their computer security to us.