Latest Posts

Part 3 – Setup CA server and deploy PKI(Public Key Infrastructure) certificates for SCCM 2012

Setup Subordinate issuing CA(Certificate Authority)

Publish the Root CA Certificate and CRL

In my LAB, Domain controller is also acting Subordinate Certificate Authority. Please refer Part 1 to understand the LAB scenario.

Login into server that is running  Windows Server 2012 and connected to domain network. We have to import the below two files that has been taken from ROOT CA. Run the below command lines.

certutil –dspublish –f ROOTCA_ROOTCA.crt RootCA 

  • Publish the ROOTCA Certificate in Active Directory
  • Doing so allows domain client computers to automatically trust the root CA certificate and there is no additional need to distribute that certificate in Group Policy

certutil –addstore –f root ROOTCA_ROOTCA.crt (Add the ROOTCA Certificate to Local Store)
certutil –addstore –f root ROOTCA.crl (Add the certificate revocation list to Local store)


Now you can see the ROOTCA certificate and CRL in the Local Store.




Install Subordinate Issuing CA

Now we have to install Subordinate issuing CA. Open Server Manager . Select Active Directory Certificate Services and Click Next.


On Role Services Page, select Certification Authority and click Next


Click Install.


Installation completed. Click on Configure Active Directory Certificate Services

7On Role services page, Select Certification Authority

Now we should select Subordinate CA and click Next


Select to Create a new private key and key length to 4096

12 13

Leave the existing entry for Common name for this CA and other values

  • Note – Distinguished Name Suffix is automatically populated and should not be modified.


Save the certificate request file to a particular location and copy this  later to ROOT CA and obtain a certificate inorder to make Subordinate CA operational.

Copy the AD01.KARTHI.COM_KARTHI-AD01-CA.req file to Offline ROOTCA using removable Disks.

15 17


Submit the Request and Issue Certificate

Login into Offline ROOTCA Server, 

Open Power shell with admin privilege and run the below command line.

certreq -submit “c:\certreq\AD01.KARTHI.COM_KARTHI-AD01-CA.req” and click OK.


Open Certificate Authority using mmc console and you can see under Pending Requests.

  • Note: Pay attention to the RequestID number that is displayed after you submit the request. You will use this number when retrieving the certificate.


Right click on request you just submitted and then click Issue.


This is now moved under Issued Certificates and run the below command line to retrieve the certificate.


Note :

You can change the Certificate name as your wish while retrieving.

Pay attention to the RequestID number

And then click OK.

The certificate will be saved to the given location and then copy that to any removable disk and paste it to Subordinate CA. Henceforth Offline ROOT CA is not needed



Install  retrieved Certificate on Subordinate CA Server

Login into Subordinate CA running server. Open Certificate Authority console. Right click and install CA Ccertificate



Select the cert file that has been retrieved from Offline ROOT CA and click Open.


click All Tasks, and then click Start Service.



Here is the short summary of what we have done so far,

1. Published ROOT CA certificate and CRL to Active Directory and to the Subordinate CA.

2.We have installed a subordinate CA and made a certificate request and then imported that to the Root CA and      issued the request.

3. Installed retrieved certificate in the Subordinate CA

What it  basically does is that the

Sub-CA says to the Root CA “I have a request, I wish to issue certificates” and then the
Root CA says to the Subordinate CA. “I trust you, here is your certificate so now you can issue certificates on my behalf”

Since all the domain computers get the Root CA certificate in the trusted root certificate authorities, they will automatically trust all the certificates that the Subordinate CA issues to the domain.

Next post will be SCCM Part.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: