Setup Subordinate Issuing CA (Certificate Authority)
Publish the Root CA Certificate and CRL
In my lab, the domain controller is also acting as the Subordinate Certificate Authority. Please refer to Part 1 to understand the lab scenario.
Log in to the server that is running Windows Server 2012 and is connected to the domain network. We have to import the two files below, which were taken from the Root CA. Run the command lines below.
certutil -dspublish -f ROOTCA_ROOTCA.crt RootCA
- Publish the ROOTCA certificate in Active Directory
- Doing so allows domain client computers to automatically trust the Root CA certificate, so there is no additional need to distribute that certificate through Group Policy
certutil -addstore -f root ROOTCA_ROOTCA.crt
(Add the ROOTCA certificate to the local store)
certutil -addstore -f root ROOTCA.crl
(Add the certificate revocation list to the local store)
Now you can see the ROOTCA certificate and CRL in the local store.
Install Subordinate Issuing CA
Now we have to install the Subordinate Issuing CA. Open Server Manager, select Active Directory Certificate Services and click Next.
On the Role Services page, select Certification Authority and click Next.
Once installation completes, click Configure Active Directory Certificate Services.
Now select Subordinate CA and click Next.
Select Create a new private key and set the key length to 4096.
Leave the existing entry for Common name for this CA and the other values as they are.
- Note: the Distinguished Name Suffix is automatically populated and should not be modified.
Save the certificate request file to a location of your choice; later you will copy it to the Root CA and obtain a certificate in order to make the Subordinate CA operational.
Copy the AD01.KARTHI.COM_KARTHI-AD01-CA.req file to the Offline ROOTCA using a removable disk.
Submit the Request and Issue Certificate
Log in to the Offline ROOTCA server.
Open PowerShell with admin privileges and run the command line below.
certreq -submit "c:\certreq\AD01.KARTHI.COM_KARTHI-AD01-CA.req"
Click OK in the dialog that appears.
Open the Certification Authority console in MMC and you will see the request under Pending Requests.
- Note: Pay attention to the RequestID number that is displayed after you submit the request. You will use this number when retrieving the certificate.
Right-click the request you just submitted and then click Issue.
The request now moves to Issued Certificates. Run the command line below to retrieve the certificate.
You can name the certificate file as you wish when retrieving it.
Pay attention to the RequestID number.
Then click OK.
The certificate will be saved to the given location. Copy it to a removable disk and transfer it to the Subordinate CA. From this point on, the Offline ROOT CA is not needed.
Install retrieved Certificate on Subordinate CA Server
Log in to the server running the Subordinate CA. Open the Certification Authority console. Right-click the CA and click Install CA Certificate.
Select the certificate file that was retrieved from the Offline ROOT CA and click Open.
Click All Tasks, and then click Start Service.
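The same procedure as a script, added here as an example and not part of the original post. It assumes the offline Root CA is host ROOTCA with CA name ROOTCA (config string "ROOTCA\ROOTCA", inferred from the ROOTCA_ROOTCA.crt file name), that the request file sits in C:\certreq, and that each section runs in an elevated PowerShell on the machine named in its comment.

```powershell
# Added example (not the author's code). Assumed values: Root CA config string,
# file paths and the output certificate name; adjust them to your environment.

# --- On the Subordinate CA (domain member): publish Root CA certificate and CRL ---
certutil -dspublish -f .\ROOTCA_ROOTCA.crt RootCA   # Root cert into AD: domain clients trust it automatically
certutil -dspublish -f .\ROOTCA.crl                 # Root CRL into AD so revocation checks can succeed
certutil -addstore -f root .\ROOTCA_ROOTCA.crt       # Root cert into the local machine Root store
certutil -addstore -f root .\ROOTCA.crl              # Root CRL into the local machine Root store

# --- On the offline Root CA: submit, issue and retrieve the Subordinate CA certificate ---
$ReqFile    = 'C:\certreq\AD01.KARTHI.COM_KARTHI-AD01-CA.req'
$CerFile    = 'C:\certreq\KARTHI-AD01-CA.cer'        # output name is your choice
$RootConfig = 'ROOTCA\ROOTCA'                        # assumed <host>\<CA name> of the Root CA

# -config names the CA explicitly, so no CA-selection dialog appears.
# certreq prints "RequestId: N"; capture N instead of reading it off the screen.
$submit = certreq -submit -config $RootConfig $ReqFile 2>&1
if ("$submit" -match 'RequestId:\s*(\d+)') {
    $RequestId = [int]$Matches[1]
} else {
    throw "certreq -submit failed:`n$submit"
}
certutil -resubmit $RequestId                          # issues the pending request (same as right-click > Issue)
certreq -retrieve -config $RootConfig $RequestId $CerFile

# --- Back on the Subordinate CA (after moving $CerFile over on removable media) ---
certutil -installcert $CerFile                         # same as Install CA Certificate in the console
Start-Service CertSvc                                  # same as All Tasks > Start Service

# Check: the new CA certificate must chain to ROOTCA and its CDP must be reachable.
# A "revocation server offline" error here means the Root CRL was not published where the AIA/CDP points.
certutil -verify -urlfetch $CerFile
```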
Here is a short summary of what we have done so far:
1. Published the ROOT CA certificate and CRL to Active Directory and to the Subordinate CA.
2. Installed a Subordinate CA, created a certificate request, submitted it to the Root CA and issued the request.
3. Installed the retrieved certificate on the Subordinate CA.
What this basically does is: the Sub-CA says to the Root CA "I have a request, I wish to issue certificates", and the Root CA answers the Subordinate CA "I trust you, here is your certificate, so now you can issue certificates on my behalf".
Since all the domain computers receive the Root CA certificate in their Trusted Root Certification Authorities store, they will automatically trust all the certificates that the Subordinate CA issues to the domain.
The next post will be the SCCM part.