Build an Offline Root CA with a Subordinate CA

Install Root CA

  1. Build new stand-alone root CA, not attached to domain and give unique name.
  2. Log on to the server as the administrator and install Certificate Services to create a stand-alone root certification authority.
    1. Install Certificate Authority service only, IIS is not needed.
    2. Create a new private key
    3. Ensure the common name for the CA is unique.
    4. Change the validity period for the CA’s certificate to 20 years

Install Sub CA

  1. Build new enterprise subordinate CA and add to domain.
    Add the following role services
    1. Certification Authority
    2. Certification Authority Web Enrollment
    3. Online Responder
    4. Certificate Enrollment Policy Web Service (Might need to install this later) 
    5. Setup type is Enterprise, Subordinate CA, create a new key, Cryptographic service provider (CSP): RSA#Microsoft software Key Storage Provider
      Key length: 2048, Hash algorithm SHA1. Common name is the same netbios name as the original enterprise root CA if you are migrating from a stand alone CA, otherwise use a new name. Certificate Request: Save a certificate to file and manually send it later. Server Authentication Certificate: Choose and assign a certificate for SSL later.
    6. Save the certificate request to file and manually send it later to a parent CA.
      • Save this file to a shared location, it will be used later after other configurations need to be done.
    7. For the following few steps we will setup a CRL for the new offline Root CA and change the URL location of the certificate revocation list (CRL) distribution point to a location that is accessible to all users in you organization’s network while the Root CA is offline. It is necessary to do this because the offline root CA’s default CRL Distribution Points (CDPs) are not accessible to users on the network and, if they are left unchanged, certificate revocation checking will fail.
      On the Root CA, Open Certification Authority
    8. Right click on the RootCA server name -> Properties -> -> Extensions tab -> extension type: CRL Distribution Point (CDP):.
    9. Mark the line begins with “LDAP”, and click ‘Include in the CDP extension of issued certificates’.
      clip_image001
    10. Mark the line begins with “HTTP”, and click remove.
    11. Mark the line begins with “file”, and click remove.
    12. Click on Add -> on the location, put: http://wwwca/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl (where wwwca is the netbios name of the Sub CA server) Tick the following.
      clip_image002
    13. Click on the line begins with “C:\Windows”, and make sure the only options checked are:
      clip_image003
  2. Setup AIA information for the Offline Root CA, On the Extensions tab -> extension type: Authority Information Access (AIA):
    1. Mark the line begins with “LDAP”, and tick the following boxes
      clip_image005
    2. Mark the line begins with “HTTP”, and click remove.
    3. Mark the line begins with “file”, and click remove.
    4. Click on Add -> on the location, put: http://wwwca/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt (where wwwca is the netbios name of the Sub CA). Tick the following boxes.
      clip_image007
    5. Click OK and allow the CA server to restart its service
  3. From the “Certification Authority” left pane, right click on “Revoked certificates”-> Properties:
    1. CRL publication interval: 6 months
    2. Make sure “Publish Delta CRLs” is not checked
    3. Click OK
  4. Setup the root CA to issue certificates with an expiry date of 10 years (will issue to the Sub CA for 10 years)
    1. Change the following registry path on the Root CA -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\Root-CA\ValidityPeriodUnits
    2. Change the REG_DWORD decimal value to 10.
    3. This changes it to 10 years, so when the Sub CA gets a certificate, it won’t expire for another 10 years.
    4. Alternatively you can run from the command prompt – certutil -setreg CA\ValidityPeriodUnits 10 & certutil -setreg CA\ValidityPeriod "Years"
  5. Configure the offline root CA to support certificate revocation listing with Active Directory
    1. On the Root CA, Log on to the system as a Certification Authority Administrator.
    2. Open Command Prompt.
    3. Type the following, and then press ENTER. – certutil -setreg ca\DSConfigDN “CN=Configuration,DC=domain,DC=local”
    4. Type the following, and then press ENTER. – certutil -setreg ca\DSDomainDN “DC=domain,DC=local”
    5. Open Certification Authority.
    6. In the console tree, click the name of the certification authority (CA).
      Where?
      • Certification Authority (Computer)/CA name
    7. On the Action menu, point to All Tasks, and click Stop Service to stop the service.
    8. On the Action menu, point to All Tasks, and click Start Service to start the service.
  6. From the “Certification Authority” left pane, right click on “Revoked certificates”-> All tasks -> Publish -> click OK

Manual steps to publish the Root CA CRL & AIA

  1. Copy the CRL & CRT file to the Sub CA
    1. On the Root CA, copy the files from C:\Windows\System32\CertSrv\CertEnroll to the same location on the Sub CA
  2. Publish the CRL & Root CA certificate to Active Directory
    For this to work, you need to be a member of the Enterprise Admins group. Information is published to CN=Public Key Services,CN=Services,CN=Configuration,DC=C=domain,DC=local
    1. From the Sub CA, the two files you copied before (.CRT and .CRL need to be used for this)
    2. Publish the Root certificate to AD -  certutil -dspublish -f RootCACertificateFile.crt RootCA
    3. Publish the CRL information to Active Directory – certutil –dspublish -f CACRLFile.crl
  3. Add the Root CA to the AD trusted root area in Group Policy (Not really needed, up to you)
    1. On the DC, Start -> Administrative Tools -> Group Policy Management. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA (C:\Windows\System32\CertSrv\CertEnroll) -> click Open -> click Next twice -> click Finish -> click OK.
  4. Issue the Sub CA a certificate from the Root CA server.
    1. Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file (.req) -> Open.
    2. Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
    3. From the left pane, click on “Issued Certificates” -> locate the subordinate CA request ID –> double click on the request –> Click the details TAB –> Copy to file –<subordinate_ca_server_name_signed_certificate>.p7b -> click Save.
    4. As an option only, on the SubCA, run the command bellow from command line to avoid offline CRL errors: Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    5. On the Sub CA, from command prompt, run – gpupdate/force
    6. Right click on the subordinate CA server name -> All Tasks -> “Install CA Certificate” -> locate the file <Subordinate_CA_Server_Name_Signed_Certificate>.p7b -> click Open.
    7. Right click on the subordinate CA server name -> All Tasks -> Start Service.
  5. Start -> Administrative Tools -> Group Policy Management.
    1. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
    2. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the subordinate CA server (C:\Windows\System32\certsrv\CertEnroll) -> click Open -> click Next twice -> click Finish -> click OK.
    3. Logoff the domain controller.
  6. By default, IIS 7.0 request filtering blocks the plus sign (+), which is used in the URL of delta CRLs. To allow delta CRL retrieval, modify the IIS configuration by setting allowDoubleEscaping=true on the requestFiltering element in the system.web section of IIS configuration. For more information about IIS 7.0 request filter configuration, see IIS 7.0: Configure Request Filters in IIS 7.0.
    appcmd set config /section:requestfiltering /allowdoubleescaping:true
    Appcmd.exe can be found – %windir%\system32\inetsrv

Installing and configuring Online Responder (OCSP)

http://blogs.technet.com/b/askds/archive/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp.aspx

Testing CDP, AIA & OCSP information

  1. To Test CRL & AIA on client certificates, export any client certificate to a .CER file. Run the following command against the .CER file –

certutil -url file.cer or certutil -url file.crl

clip_image009
  1. http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/d98bbcb3-0164-44af-b7d4-d64547479ff3

http://eyalestrin.blogspot.com/2010/07/windows-2008-r2-certification-authority.html
http://security-24-7.com/windows-2008-r2-certification-authority-installation-guide/

Leave a Comment

Computers and Internet Uncategorized

50 Comments Leave a comment

  1. Dear Marc,

    Just wanted to thank you from the bottom of my heart. You wrote the far best article about Microsoft CA. It’s amazing how everything is working now. THANKS!

  2. marc, this is a great write-up. Can you clarify a little more about step 7 under Install Sub CA. Or is that an overview of steps 8-14? Or is there something we need to setup under step 7?

  3. Great, concise piece. My question is on step 5 of the “Install Sub CA” procedure, specifically “Common name is the same netbios name as the original enterprise root CA”. So if I install a new root CA, not joined to the domain, with a NetBIOS name of, say RootCA, that the CA name of my subordinate should be “RootCA” as well?

  4. I have updated the documentation about the naming of the Sub CA, step 5 under “Install Sub CA”. This doco was originally written for migrating from a stand-alone CA to a two tier solution.

  5. Pingback: ADCS configuration
  6. This resource was invaluable! Just quickly, after following your guide I am seeing duplicated (x2) RootCA certificates in the trusted root store and likewise duplicated (x2) SubCA certificates in the Intermediate store. Is there any reason this is happening and is it by design?

    • You could probably ignore the duplicates, during the certificate exchange one (at random) will be used. So no harm having more than one. You could delete the duplicate is you like, as long as you’re sure it’s definitely a duplicate.

      Marc

  7. Great article really helped me understand how to setup a true offline root CA. The MS press books do not show you how to do it which is pretty sad. I do have a question though on setting up the CDP and AIA extensions. I saw you used the HTTP to specify where the CRL is located is thier other ways to set it up with HTTP? Also can I use HTTP without installing the webservice? I’ll most likely lab this to find out myself but I’d like to hear your thoughts on it. The most difficult subject in ADCS to me has been confiruing CDP/AIA extensions. Considering ADCS is a big part of the exam I would like to make sure I have a firm grasp on it.

  8. I have been trying to do this reading the white papers from Microsoft, what they left out you highlighted and this into a really nice step by step procedure to follow. Your instructions worked the first time for with no issues.

    Thanks!

  9. Thank you Marc,I will try that- Do you also have good directions on creating auto enrollement for Domain Controller’s and SSL creating SSL templates? Thanks

  10. Hi we are running a multiple domain forest. We currently have 2 domains in our forest. We have a dedicated Forest Root Domain called “X.local”. The other domain “Y.corp” is used for Users, Computers, etc… We want to setup a two tier PKI infrastructure (Stand Alone offline Root CA and subordinate Enterprise CA)
    that will provide certs to users, computers etc.. on the “Y.corp” domain.

    From what I found online the following command needs to be run against namespace of the forest root domain.
    certutil -setreg ca\DSConfigDN “CN=Configuration,DC=X,DC=local”

    As for the following can you tell me against which domain am I supposed to run this against? Is this also for the Forest root domain?
    certutil -setreg ca\DSDomainDN “DC=domain,DC=local”

    • That’s a good question. You are running both (certutil -setreg ca\DSConfigDN “CN=Configuration,DC=X,DC=local”) and (certutil -setreg ca\DSDomainDN “DC=domain,DC=local”). My guess would be to run both against the domain where your users and computers are in the Y.corp domain. This is just a guess though, sorry I am not 100%. I think it all depends which domain the Subordinate CA is a member of.

  11. Very clear and concise article, thankyou. Unfortunately, I had followed another article that advised to remove LDAP from the CDP and AIA on the offline RootCA. Are you able to confirm what the default values are so I can add LDAP back in?

  12. I’ve followed the instructions. However, when I request a certificate using “mmc\certificates\personal” right click and select “Request a Certificate” the enrollment fails. The error says “The RPC server is unavailable”. During the enroll process I looked at the properties and everything looked ok. Any ideas? The domain controller previously had Cert Services installed. But I have since removed them.

  13. Very nice article. just up to the mark. this is wat i required.
    hatts off to you….

    Thanks for sharing such a nice article , very precise and to the point.

  14. Very Good Article, Thanks Marc.

    I am looking to migrate my standalone root CA to Two tier architecture, with offline standalone CA and Enterprise Sub CA. Can you please help me on this.

    Thanks, Vikram

  15. great document. But, i have a question on the command certutil -setreg ca\DSConfigDN “CN=Configuration,DC=domain,DC=local”. what domain i should use for the DC=domain? or should I just type “domain”? your reply is appreciated.

    • I also am trying to see if that is correct. I put “domain”, as stated, and then decided to stop to get clarification on that point. Also, is this line correct: “CN=Public Key Services,CN=Services,CN=Configuration,DC=C=domain,DC=local”, seems like there might be an extra C= in there. Thanks if you can help clear these points up.

  16. Just a quick question, on step 12 of the sub root setup. “Click on Add -> on the location, put: http://wwwca/CertEnroll/.crl (where wwwca is the netbios name of the Sub CA server) Tick the following. ”

    Is there reason you use the NetBios name instead of the FQDN?

  17. What are the steps to add another subCA server at my second location? I already have offline root CA and subCA at the main office.

  18. thx for the article! one question regarding to the offline root ca. i have the same szenario but the point with the cdp/crl is a little but confusing for me.
    so, whtat is best practise? to have a cdp in the root certificate or not? i have also a online sub ca and when i ´ll revoke the sub i need a crl in the root or not? thx and sry for my english :-)

  19. Recently came across this article and it worked great. Good Article. If I want to add a second subordinate ca, do i follow the steps of the root ca (with regards to changing the CDP and AIA locations) for the second sub to see the same files and templates ?

    • Yes, but with two sub CAs, you need to publish the CRL to both sub CAs in case one is offline. Give each their own hostname resolvable internally and externally. You’ll need to publish the two HTTP CRL locations.

  20. Great article.
    Do you know what the possible pitfalls of following this approach when the domain already has an existing enteprise root?
    Currently it has only issued web server certs and the standard certs to the DCs.
    I’m fine with getting the root cert from the new offline root and publishing that to AD as above, and manually to the web servers. However the bit I’m struggling to recreate in a test lab is how the 2 enterprise CAs (one old Root and new Sub-Issuing) sit together in AD. I was hoping to see them both in Enteprise PKI, but I only see the original Root (however I do have an error on Enrollment Services Container as I didn’t do the CRL namespace remapping and it’s 2am now :-)

  21. Everything works so far except for this step:
    3.Publish the CRL information to Active Directory – certutil –dspublish -f CACRLFile.crl

    I am using the name of the crl file. The error I get is:

    ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0 1 access points ref 1: ‘domain.local’
    Certutil: -dspublish command failed: 0x8007202b (Win32: 8235)
    Certutil: A referral was returned from the server.

    I think the problem is the domain.local setting. Is it set that way because the root is not on the “real” domain? That part confused me a little.

    Thanks.

    • FWIW – I just backed up a few steps and put in the domain string instead of domain.local and a new CRL was issued, I copied it over and ran the step above successfully.

  22. Hey Marc
    Brilliant and amazing, a perfect installation, what a pleasure. Am applying it on two separate sites and running the EnterpriseCA machine as a 2nd DNS non-global catalogue domain controller on each the same, and am now going to install Exchange 2007 x64 server with it as well, and deal with the full Online Responder installation later. Am hoping that I can now host an independent email server with acceptable security on the net incorporating own certificate, what do I know, ha ha. Great stuff and so useful, cheers. John

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: