Create and use intermediate certificate authority on Windows Server 2012?


I recently went through the process of migrating from an Enterprise Online Root CA to a two tier PKI. Generally the process you will want to follow will contain these steps:

  1. Provision a server that will not be joined to your domain and install Active Directory Certificate Services. Configure it as a standalone offline root certificate.
  2. Publish your Root CA to the forest.
  3. Provision a second server online and domain joined. Configure that as your intermediate Certificate Authority.
  4. Create a CSR from your intermediate CA and go through the process of issuing a cert from your offline root CA.
  5. Migrate the Certificate templates to the new Intermediate CA and remove the templates from your original PKI. (This will only start issuing new certs from your Intermediate CA NOT invalidating certs issued from your original CA.)
  6. From here you can decide to leave your old CA up until all certs expire or go through the process of forcing your network systems to re-enroll on the new PKI.
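The six steps above, as an added PowerShell walkthrough (this is not the answer author's script and not Microsoft's documentation; it uses the ADCSDeployment/ADCSAdministration cmdlets and certutil/certreq that ship with Windows Server 2012). The CA names CORP-ROOT-CA and CORP-ISSUING-CA, the host name OFFLINEROOT, the HTTP publishing point http://pki.corp.example/CertEnroll/, the file paths, the request ID 2 and the WebServer template are all assumptions; substitute your own. The CDP/AIA URLs are set on the root before it signs anything, because an offline root cannot serve its own CRL and every certificate chaining to it will fail revocation checking if the CRL is not reachable from the domain.

```powershell
# ===== Step 1: on the workgroup (NOT domain-joined) server that becomes the offline root =====
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "CORP-ROOT-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# Tell the root where its CRL and CA certificate will be published. Flag 1 = write the
# file locally, flag 2 = embed this URL in the CDP/AIA extension of issued certificates.
# An HTTP location is used because LDAP is not available to an offline, workgroup root.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.corp.example/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.example/CertEnroll/%1_%3%4.crt"
# A long CRL period suits a root that is powered on rarely; you must re-publish before it expires.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
Restart-Service certsvc
certutil -crl          # writes the first CRL into CertEnroll

# ===== Step 2: copy CertEnroll\*.crt and *.crl to removable media, then on any domain-joined
# machine as an Enterprise Admin publish the root into the forest (AD trust + AD CRL) =====
certutil -dspublish -f "D:\OFFLINEROOT_CORP-ROOT-CA.crt" RootCA
certutil -dspublish -f "D:\CORP-ROOT-CA.crl"
# Also copy both files to the web server behind http://pki.corp.example/CertEnroll/ (assumed).

# ===== Step 3: on the domain-joined server that becomes the issuing (intermediate) CA =====
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "CORP-ISSUING-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "C:\CORP-ISSUING-CA.req" -Force
# The CA service stays stopped until its own certificate is installed.

# ===== Step 4: carry the .req to the offline root, sign it, carry the .cer back =====
# A standalone CA leaves every request pending; note the RequestId that certreq prints.
certreq -submit -config "OFFLINEROOT\CORP-ROOT-CA" "D:\CORP-ISSUING-CA.req"
certutil -resubmit 2                                       # approve pending request 2 (assumed ID)
certreq -retrieve -config "OFFLINEROOT\CORP-ROOT-CA" 2 "D:\CORP-ISSUING-CA.cer"

# Back on CORP-ISSUING-CA:
certutil -installcert "D:\CORP-ISSUING-CA.cer"
Start-Service certsvc
# Check the whole chain, including that the root CRL/AIA URLs actually resolve from the domain.
certutil -verify -urlfetch "D:\CORP-ISSUING-CA.cer"

# ===== Step 5: move templates. Run on the new issuing CA, then on the old CA =====
Import-Module ADCSAdministration
Add-CATemplate -Name "WebServer" -Force            # enable on CORP-ISSUING-CA
# On the old CA, so it stops issuing but previously issued certs stay valid:
# Remove-CATemplate -Name "WebServer" -Force

# ===== Step 6 (demonstration): enrol a certificate from the new chain on a domain member =====
Get-Certificate -Template "WebServer" -DnsName "app01.corp.example" `
    -CertStoreLocation Cert:\LocalMachine\My
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*CORP-ISSUING-CA*" }
```

The `certutil -verify -urlfetch` call is the check worth keeping: it fails loudly if the HTTP CDP/AIA paths were never populated, which is the most common reason a freshly built two-tier hierarchy validates on the CA itself but not on domain clients.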

The Directory Services Team at Microsoft has a nice high level walkthrough for this.

For more in depth information, here is the walkthrough I followed.

Additionally, here is a Technet Guide and some planning information on the process.




Updated on September 18, 2022

Comments

  • DeepSpace101
    DeepSpace101 almost 2 years

    Background: Server OS is Windows Server 2012. GUI is installed as we come up to speed with PowerShell. Setup is staging, not production (yet).

    We have our (internal, domain limited) Root CA installed. I would like to take the Root CA offline to secure storage, but before that I'd like to set up an intermediate CA which can take over actual live, online (int-RA-net) functionality.

    How can I do the above? I assume a complete answer would cover

    • creating the intermediate CA certificate request
    • installing the intermediate CA certificate on domain controller (certification authority role already installed with Root CA online right now)
    • use the intermediate CA to generate a certificate (any use certificate, just for demonstration purposes)

    Obviously this certification chain would be invalid on computers outside our domain (self trusted root - our root certificate is NOT from common 3rd parties). This last point is NOT a problem.

    • Lewis
      Lewis over 11 years
      Is your Root CA installed on a domain joined server or in a workgroup? If it's an Enterprise Root CA (domain joined) then you can't really take it offline since it will be listed in the Enrollment Services container meaning it's selectable by Users or Computers requesting and issuing certificates. Ideally it should be configured as a standalone root CA and you'd create additional enterprise (domain joined) issuing CAs which have signed CA certificate issued by the root CA.
    • DeepSpace101
      DeepSpace101 over 11 years
      It is a domain joined root CA and the same box also performs other functions. In theory couldn't I a) create the root cert, b) remove the CA role, move the root cert offline, reinstall the CA role, c) provide the offline root CA to assign the newly installed role (on the same machine) to now make it an intermediate CA, d) move the root cert offline again? Now all certificate requests would be handled by the intermediate CA?
    • DeepSpace101
      DeepSpace101 over 11 years
      Ran into technet.microsoft.com/en-us/library/hh831348.aspx but seems a bit excessively involved ...
    • Lewis
      Lewis over 11 years
      Nobody said installing a proper CA hierarchy was easy :) Depending on how well used the CA is, I would be tempted to decommission it properly (that includes revoking all currently issued certificates)
  • Snowlockk
    Snowlockk almost 10 years
    “While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes.”
  • Byron C.
    Byron C. almost 10 years
    @Jacob Thanks for the tip. I'll be more thorough in the future. Edited to include more descriptive steps.