Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part V, Installing an Enterprise Subordinate Certification Authority and Web Enrollment with PowerShell

In the previous blog postings for this series I covered installing the Root Certification Authority, configuring the Root Certification Authority, and publishing the Root CA Certificate and CRL to Active Directory.  In this installment I am going to cover installing an Enterprise Subordinate CA with PowerShell. 

In this example I am going to install a Certification Authority with the following base configuration:

CA Type: Enterprise Subordinate CA

Common Name: FourthCoffee Issuing Certification Authority 01

Key Storage Provider: RSA#Microsoft Software Key Storage Provider

Public Key Algorithm: RSA

Hashing Algorithm: SHA1

Key Length: 2048

Validity Period: 10 years

Additional Role Services: Web Enrollment

I will be installing the ADCS Role with PowerShell.  Additional documentation for these steps can found and

Configuring CAPolicy.inf

The CAPolicy.inf is an optional file that is read during the installation of Certificate Services.  Typically for an Enterprise CA, the LoadDefaultTemplate=0 option is used to suppress the loading of the default Certificate Templates.  This allows the CA to be installed with no certificate templates available, and in that way the administrator can later add just the certificate templates that are needed.

I will copy the following text to a text file named CAPolicy.inf, and then copy that file to the C:\Windows directory:

Signature= "$Windows NT$"

Launching PowerShell

The first step of course is to launch PowerShell.  This can be accomplished by starting a command prompt and typing powershell and pressing the Enter key or by clicking on the PowerShell icon on the taskbar.


Import Server Manager Module

The first step is to import the Server Manager Module for PowerShell which will then allow you to add the ADCS feature.  To import the Server Manager Module for Powershell type: Import-Module ServerManager and press Enter.

Installing ADCS Binaries

The next step is to install the ADCS binaries so that we can install ADCS.  To install the ADCS binaries type: Add-WindowsFeature Adcs-Cert-Authority and press Enter.

Installing ADCS Web Enrollment Binaries

Since, I will be installing the Web Enrollment Role Services, I need to load the binaries for ADCS Web Enrollment as well.  To install the ADCS Web Enrollment binaries type: Add-WindowsFeature Adcs-Web-Enrollment

Install Certification Authority Role

To install the Certification Authority Role you will need to use the Install-AdcsCertificationAuthority cmdlets.  The options for the Install-AdcsCertificationAuthority cmdlets is available here:

Below is the entire command that I will be using to install Active Directory Certificate Services in my environment:

Install-ADcsCertificationAuthority -CACommonName "FourthCoffee Issuing Certification Authority 01" -CAType EnterpriseSubordinateCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -HashAlgorithmName SHA1 -KeyLength 2048

I am using the CACommonName option to specify a Common Name of “FourthCoffee Issuing Certification Authority 01”.  Then I am specifying the CAType option to set the CA Type to a Enterprise Subordinate CA.  Next I am selecting my Key Storage Provider of “RSA#Microsoft Software Key Storage Provider” with the CryptoProviderName option.  I have decided to use SHA1 as the hashing algorithm and therefore am using SHA1 with the HashAlgorithmName option.  Then I am setting the RSA Key Length to 2048-bit with the KeyLength  option.

After you run the Install-AdcsCertificationAuthority cmdlet you will be prompted to accept the changes as seen in the screenshot below:


Also, you will notice a Warning and Error ID of 398.  This is just informing me that installation of the CA is incomplete.  Installation is incomplete because I have to have to submit the request to the Root CA, receive the resulting certificate, and load the certificate on the Issuing (Subordinate) CA.

Installing the Certification Authority Management Tools

To Install the Certification Authority Management Tools type the following command in PowerShell and hit enter: Install-WindowsFeature RSAT-ADCS-Mgmt.

Submitting the Request

Next you will need to submit the request to the Root CA.  So, first copy the request file from the C:\ directory on the Issuing CA to a file location on the Root CA.

On the Root CA, start the Certification Authority MMC (Certsrv.msc).  Right click on the CA Name node, select All Tasks, then Submit new request…


Next, select the Request File that you copied from the Subordinate CA and click Open


If you would like to review the request before approving the request, go to the Pending Requests container.  Then right-click on the request, select View Attributes/Extensions…


You will then be prompted for the type of binary data, select Binary Request, make sure View formatted text version of data is selected, and click OK


You can then review the request file.


To approve the request, right-click on the request, select All Tasks, then Issue



You can then review the resulting certificate, by going to the Issued Certificates view, and double-clicking on the certificate


You can then review the certificate to ensure it is configured as desired.  I usually at least spot check the CRL Distribution Points and Authority Information Access extensions.



You then need to copy the certificate to a file.  So, on the Details tab, click on Copy to File…  This will open the Certificate Export Wizard.  On the Export File Format page of the wizard, you can select any format, I chose P7B.  After selecting the file format, click Next.  Now, on the File to Export page of the wizard you will need to click Browse…, select a location, typed the desired name of the file (I chose “CACert”), and then click the Save button.  To complete the File to Export task, click on the Next button. Finally, click the Finish button on the Completing the Certificate Export Wizard page of the wizard, click OK when prompted that The export was successful.

Completing Installation of Certificate Services

First copy the Certificate that was issued from the Root CA to the Subordinate CA. To complete the installation of Certificate Services, open the Certification Authority MMC (certsrv.msc).  Then right-click on the CA Name, select All Tasks, and then Start Service.


You will then be prompted to install the certificate, select Yes.


Browse to the certificate file


The CA Service will no start.


Installing Web Enrollment

To install Web Enrollment, run the following powershell command: Install-AdcsWebEnrollment.  An error ID of 0 indicates that the Role Service was installed successfully.



During this blog posting, I installed my Subordinate CA and installed Web Enrollment.  I have not configured the Subordinate CA.  So, stay tuned, in an upcoming blog posting, I will cover the steps necessary to configure the Subordinate CA.

Comments (0)