Two-Tier CA Hierarchy - Installing Root CA Windows Server 2012 R2 (Part I)

In this series, I'll focus on a two-tier CA installation with Windows Server 2012 R2. This first article covers the installation of a Root CA server with PowerShell on Windows Server 2012 R2.

Two-tier PKI infrastructure details:

  • One Root CA server (standalone; not joined to the domain)
  • One Subordinate Enterprise CA server (Issuing CA); joined to the domain
  • Active Directory domain name: Test.co.nz

Step 1: Create CAPolicy.inf file

  • Create a CAPolicy.inf file under C:\Windows on the Root CA server with the following content. The file must exist before the CA role is installed in Step 2, because Setup reads it during installation.

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

Note: Enable object-access auditing on the Root CA server. Open the Local Security Policy console and set the Audit Object Access policy to record both Success and Failure events; without this setting, the CA audit filter configured in Step 3 (AuditFilter 127) writes no events to the Security log.

Step 2: Installation of Certificate Authority

  • Use the following Windows PowerShell commands to install the Active Directory Certificate Services certification authority role on the standalone Root CA. Note that SHA-1 is now deprecated for certificate signatures; for a new hierarchy, SHA256 is the recommended value for -HashAlgorithmName.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-ADcsCertificationAuthority -CACommonName "RootCA" -CAType StandaloneRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -HashAlgorithmName SHA1 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 20

Step 3: Configure Root CA

  • Run a Command Prompt as administrator and execute the following commands to configure the Root CA server. DSConfigDN must be the distinguished name of the forest Configuration container (the value the %6 token in the LDAP URLs expands to); for the Test.co.nz forest that is CN=Configuration,DC=Test,DC=co,DC=nz.

certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=Test,DC=co,DC=nz"
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:https://pki.test.co.nz/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:https://pki.test.co.nz/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod "Months"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg ca\ValidityPeriodUnits 10
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg CA\AuditFilter 127
net stop certsvc
net start certsvc
certutil -CRL
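As an added check that is not part of the original post, the following PowerShell script, run in an elevated session on the Root CA after Step 3, compares the live CertSvc registry configuration and the CA certificate against the values Steps 1 to 3 set. It assumes the CA name RootCA and the forest Test.co.nz used in this article.

```powershell
# Added example, not from the original post: a post-configuration check for the standalone Root CA.
# Assumes an elevated PowerShell session on the Root CA, CA name "RootCA" and forest Test.co.nz.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active             # active CA name, e.g. RootCA
$cfg     = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)  # values written by certutil -setreg

# What Step 3 sets. DSConfigDN must be the forest Configuration container (what %6 expands to).
$expected = @{
    CRLPeriod = 'Months';     CRLPeriodUnits = 6;       CRLDeltaPeriodUnits = 0
    ValidityPeriod = 'Years'; ValidityPeriodUnits = 10; AuditFilter = 127
    DSConfigDN = 'CN=Configuration,DC=Test,DC=co,DC=nz'           # assumption: forest Test.co.nz
}
$findings = @(foreach ($name in $expected.Keys) {
    if ("$($cfg.$name)" -ne "$($expected[$name])") {
        "Registry $name is '$($cfg.$name)', expected '$($expected[$name])'"
    }
})

# Each CDP/AIA entry is "<flags>:<location>". Flag 1 means the CA publishes there itself,
# which a root that is not domain joined cannot do for an LDAP location.
foreach ($entry in @($cfg.CRLPublicationURLs) + @($cfg.CACertPublicationURLs)) {
    $flags, $location = $entry -split ':', 2
    if ($location -like 'ldap:*' -and ([int]$flags -band 1)) {
        $findings += "LDAP location '$location' has publish flag 1; the standalone root cannot write to AD"
    }
}

# The CA certificate sits in the machine Personal store under the CA common name.
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$caName" } |
          Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $caCert) {
    $findings += "No certificate with subject CN=$caName in Cert:\LocalMachine\My"
} else {
    if ($caCert.PublicKey.Key.KeySize -lt 2048) { $findings += "CA key is $($caCert.PublicKey.Key.KeySize) bits, expected 2048" }
    if ($caCert.SignatureAlgorithm.FriendlyName -match 'sha1') {
        $findings += "CA certificate is $($caCert.SignatureAlgorithm.FriendlyName) signed; SHA-256 is recommended for new hierarchies"
    }
}

# Step 4 copies <server>_<CA>.crt and <CA>.crl from CertEnroll; confirm certutil -CRL produced them.
$enroll = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
foreach ($pattern in "*_$caName.crt", "$caName.crl") {
    if (-not (Get-ChildItem -Path $enroll -Filter $pattern -ErrorAction SilentlyContinue)) {
        $findings += "No $pattern in $enroll"
    }
}

if ($findings.Count -eq 0) { 'Root CA configuration matches Steps 1-3.' } else { $findings }
```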


Step 4: Publish Root CA certificate in Active Directory

  • Log on to the Subordinate Enterprise Issuing CA with Enterprise Admin credentials.
  • Copy the <servername>_RootCA.crt and RootCA.crl files (C:\Windows\system32\certsrv\certenroll is the default location for these files) from the Root CA server to the Issuing CA server.
  • Open a Command Prompt as administrator and execute the following commands:

certutil -dspublish -f <ServerName>_RootCA.crt RootCA
certutil -addstore -f root <ServerName>_RootCA.crt
certutil -addstore -f root RootCA.crl

PKI PowerShell references:

https://technet.microsoft.com/en-us/library/hh848390

https://pspki.codeplex.com/


Enjoy reading!!

Sumit