For the last few weeks, we’ve been looking at Microsoft AD Certificate Services PKI. Last week, we went over how to set up an offline Root CA. This week, we’ll get an intermediate Issuing CA set up and ready to issue certificates.
Setting Up the Issuing CA
For the issuing CA, you’ll need a domain-joined server running Windows Server 2016. Log on to that server with an account that is a member of Enterprise Admins (or Domain Admins in the forest root domain): installing an Enterprise CA writes to the Configuration partition of Active Directory, so an ordinary domain admin account in a child domain will not do. Open Server Manager, and choose Tools > Add Roles and Features. Just like for the root CA, we’ll choose the Active Directory Certificate Services role. However, on the Role Services page, select both Certification Authority and Certification Authority Web Enrollment.
Once the role is installed, click the notification flag in Server Manager to launch the AD CS configuration wizard, and on its Role Services page select both services to configure them now. This time, choose Enterprise CA, since this CA will be integrated with Active Directory. On the next page, choose Subordinate CA. This configures the server as an intermediate, issuing CA rather than another root like the one we already built.
For the cryptography settings, use at least the key length and hash algorithm you chose for the root CA; they do not have to be identical, but don’t pair a SHA-256 root with a SHA-1 issuing CA. These settings determine the issuing CA’s own key and the signature on every certificate it issues, so they are the ones your end-entity certificates will actually depend on.
Then, choose a Common Name (CN) for this CA. This name appears as the Issuer on every certificate issued by this CA, so make it something unique and easily identifiable in your PKI landscape (and avoid naming it after the host, which you may want to retire independently of the CA). The DN suffix (the DC= components) is generated for you from your AD domain name.
Then, we’ll need to generate a Certificate Signing Request (CSR) for this CA. We’ll copy this over to the Root CA so that it can issue a certificate. Choose “Save a certificate request file” and select a place to store the CSR file. Click Next twice, and then Configure to set up the new CA.
Install Root Certificates for the Issuing CA
Next, we’ll need to copy a few things over from the Root CA to the Issuing CA in order to make them available to the Issuing CA while the Root CA is offline.
First, copy the root CA’s certificate (.crt) and CRL (.crl) files from the root CA to the issuing CA. They are located in C:\Windows\System32\CertSrv\CertEnroll on the root, and for the issuing CA’s own web enrollment site they belong in the same folder on the issuing CA. More importantly, they must end up at whatever HTTP (or LDAP) locations the root CA’s AIA and CDP extensions point to, because that is where clients will look for them. If the root’s extensions include LDAP paths, publish both files to Active Directory with certutil’s -dspublish option; the CRL in particular has to be re-published every time the offline root issues a new one, or chain validation will start failing when it expires.
Then, we need to export the root certificate and install it on the issuing CA. On the root CA, open the Certification Authority MMC, right-click on the server, choose Properties, and click View Certificate. From the Details tab, Copy to File exports it as a DER-encoded X.509 CER file. Copy it over to the intermediate CA and install it in the Trusted Root Certification Authorities store of the local computer (not the current user). Every client that will validate certificates from your PKI also needs it; on a domain you don’t do that by hand, because publishing the root certificate to Active Directory distributes it to all domain members through Group Policy.
Finally, we’re ready to issue the certificate for the intermediate CA. Again in the Certification Authority MMC on the root, right-click on the server and choose All Tasks > Submit new request, and choose the CSR file that you saved earlier. With the default policy of a standalone root, the request is held in the Pending Requests folder; find it there, right-click, and choose Issue. That moves it to Issued Certificates, where you can open the certificate and use Copy to File, saving it as a PKCS #7 (.P7B) file with “Include all certificates in the certification path” checked so the root certificate travels with it.
Then, copy the resulting file back to the issuing CA. In the Certification Authority MMC, right-click on the server name and choose All Tasks > Install CA Certificate. The CA service is left stopped while the CA has no certificate, so start it once the install succeeds.
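The hand-off between the two CAs can also be scripted, which is worth doing because you will repeat parts of it every time the offline root publishes a new CRL. The PowerShell below is added here as an example and is not part of the original post. It assumes an offline root host named ROOTCA with the CA name Example Root CA, an issuing CA host ISSUINGCA01 whose CSR was saved as C:\PKI-Transfer\ISSUINGCA01.req, and a folder C:\PKI-Transfer carried between the machines on removable media; all of these names are placeholders. Unlike the GUI walkthrough above, it also publishes the root certificate and CRL to Active Directory so domain members trust the root without a manual import.

```powershell
# Added example, not from the original post. Placeholder names: ROOTCA / "Example Root CA",
# ISSUINGCA01, and C:\PKI-Transfer as the folder that moves between the two machines.

# ---- Part 1: run on the OFFLINE ROOT CA (as a local administrator) ----
$transfer   = 'C:\PKI-Transfer'
$rootConfig = 'ROOTCA\Example Root CA'     # <host>\<CA common name>

# Submit the issuing CA's request. A standalone root with the default policy
# holds it as pending and prints "RequestId: <n>"; capture that number.
$submitOutput = certreq -submit -config $rootConfig "$transfer\ISSUINGCA01.req" "$transfer\IssuingCA.cer"
$requestId = [int]($submitOutput | Select-String 'RequestId:\s*(\d+)').Matches[0].Groups[1].Value

# Approve the pending request, then retrieve the issued CA certificate.
certutil -config $rootConfig -resubmit $requestId
certreq -retrieve -config $rootConfig $requestId "$transfer\IssuingCA.cer"

# Stage the root's own certificate and its current CRL for the issuing CA.
Copy-Item "$env:windir\System32\CertSrv\CertEnroll\*.crt" $transfer
Copy-Item "$env:windir\System32\CertSrv\CertEnroll\*.crl" $transfer

# ---- Part 2: run on the ISSUING CA (domain-joined, as Enterprise Admin) ----
$transfer = 'C:\PKI-Transfer'
$rootCert = Get-ChildItem "$transfer\*.crt" | Select-Object -First 1
$rootCrl  = Get-ChildItem "$transfer\*.crl" | Select-Object -First 1

# Trust the root on this machine (LocalMachine\Root store) ...
certutil -addstore -f Root $rootCert.FullName

# ... and in Active Directory. "RootCA" targets the Certification Authorities
# container, from which Group Policy pushes the certificate to every domain
# member. The CRL goes to the CDP container; this matters if the root's CDP
# extension lists an LDAP URL, and must be repeated for each new root CRL.
certutil -dspublish -f $rootCert.FullName RootCA
certutil -dspublish -f $rootCrl.FullName

# Put copies where this server's /CertEnroll web directory serves them. This only
# helps if the root's AIA/CDP URLs point at this host; otherwise copy them to the
# web server those URLs actually name.
Copy-Item $rootCert.FullName, $rootCrl.FullName "$env:windir\System32\CertSrv\CertEnroll\"

# Install the certificate the root just issued, then start the CA service,
# which is left stopped until the CA has a certificate.
certutil -installcert "$transfer\IssuingCA.cer"
Start-Service CertSvc

# Sanity check: the new CA certificate must chain to the root without errors.
# A "revocation function was unable to check" message here means the root CRL
# was not found where the root's CDP extension says it should be.
certutil -verify "$transfer\IssuingCA.cer"
```

The CRL step is the one people forget: an offline root typically publishes a CRL with a validity of months, and when it lapses every certificate below it fails revocation checking until a fresh CRL is carried over and published again, so note the date in the CRL’s Next Update field somewhere you will see it.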
Final Setup Steps
The last thing needed on the issuing CA is to configure the AIA and CDP locations. These are the same steps used on the root CA, performed this time on the intermediate CA. Do it before you issue anything: the URLs are written into the extensions of every certificate the CA issues, and certificates already in circulation will not pick up a later change. Open MMC and add the Certification Authority snap-in.
Right-click on the CA and choose Properties. On the Extensions tab, select CRL Distribution Point (CDP). Add a new path that points to your web server, using the variables the dialog offers so the file name follows the CA’s own naming, for example http://<your web server>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and check “Include in CRLs” (the delta CRL pointer) and “Include in the CDP extension of issued certificates”. Use a DNS name that every client can resolve, inside and outside the domain, rather than the CA host’s own name.
Do the same for the Authority Information Access (AIA) extension, with a path of the form http://<your web server>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt and “Include in the AIA extension of issued certificates” checked.
Click Apply, and accept the prompt to restart Active Directory Certificate Services; the new extensions do not take effect until the service restarts. Then publish a fresh CRL (right-click Revoked Certificates > All Tasks > Publish) and copy it, together with the issuing CA’s certificate from CertEnroll, to the web server at the paths you just configured.
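The same extension configuration can be done with the ADCSAdministration cmdlets that ship with the role, which is easier to review and to repeat on a rebuilt CA than clicking through the dialog. This PowerShell is added as an example and is not from the original post; it assumes the web server will serve the files at http://pki.example.com/CertEnroll/ and that the CA was named Example Issuing CA, both placeholders, and it is run on the issuing CA as a CA administrator. It ends with a check that goes one step beyond the walkthrough: actually fetching each published file over HTTP.

```powershell
# Added example, not from the original post. Placeholders: http://pki.example.com/CertEnroll/
# is the HTTP location clients will use; "Example Issuing CA" is the CA configured above.
Import-Module ADCSAdministration

$httpBase = 'http://pki.example.com/CertEnroll/'

# Drop the default http://<ServerDNSName>/ and file:// entries so issued certificates
# never point at the CA host itself. The local file-system entry (where the CA
# writes the CRL) and the LDAP entry are left in place.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'http://<ServerDNSName>*' -or $_.Uri -like 'file://*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# CDP: goes into the CDP extension of every issued certificate, plus the
# freshest-CRL pointer so clients can locate delta CRLs at the same base.
Add-CACrlDistributionPoint -Uri "$httpBase<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# AIA: where clients fetch this CA's certificate to build the chain.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -like 'http://<ServerDNSName>*' -or $_.Uri -like 'file://*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri "$httpBase<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# Extension changes only take effect after a service restart; then publish a CRL
# so a current one exists before the first certificate goes out.
Restart-Service CertSvc
certutil -crl

# Show the final configuration for review.
Get-CACrlDistributionPoint      | Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia

# Verification: every .crt and .crl the CA wrote to CertEnroll must be downloadable
# from the HTTP base clients will use. This assumes those files have been copied
# to the web server (or that pki.example.com resolves to this host and the
# /CertEnroll virtual directory installed with Web Enrollment serves the folder).
$enroll = "$env:windir\System32\CertSrv\CertEnroll"
foreach ($file in Get-ChildItem "$enroll\*.crt", "$enroll\*.crl") {
    $url = $httpBase + $file.Name
    try {
        $resp = Invoke-WebRequest -UseBasicParsing -Uri $url
        "OK   $url ($($resp.Content.Length) bytes)"
    } catch {
        "FAIL $url : $($_.Exception.Message)"
    }
}
```

A FAIL line here is exactly what pkiview.msc would later flag as “Unable to Download”; fixing it before issuing certificates is far cheaper than after, because the URL is baked into every certificate the CA has signed since.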
Then, to verify that everything is working as it should, launch pkiview.msc (Enterprise PKI). This gives you a hierarchical overview of your PKI, with your root CA at the top and the intermediate CA under it, and for each CA the status of every AIA, CDP and delta CRL location. Anything other than OK means clients will fail to build or validate chains; the usual causes are a CRL or certificate that was never copied to the web server, a root CRL that has expired, or a URL that does not resolve from where you are testing.
If everything looks good, then your PKI is set up! You can use the Certificate Templates MMC snap-in to create custom certificate templates that meet your needs, then publish them on the issuing CA (Certificate Templates folder > New > Certificate Template to Issue). A template controls validity periods, key lengths and usages, and whether clients get it through autoenrollment in AD or via web enrollment. Pay as much attention to its Security tab as to its cryptography: who may enroll, and whether the requester is allowed to supply the subject name, decide who can obtain which identities from your CA, and an over-permissive template undoes the care taken with the offline root. Then, your clients will be able to request certificates from your PKI and begin using them.
Need IT help? E-N Computers is here to meet the technology needs of businesses in Virginia, Maryland and Washington, D.C. Contact us today!