In this tutorial we’re going to configure a Two-Tier Enterprise PKI with Microsoft Server 2019. The advantage of a Two-Tier Enterprise PKI hierarchy is that clients only need to trust the Root CA, so if the Subordinate CA gets compromised the Root CA does not have to be replaced. During normal operation the Root CA is offline and certificate requests are handled by the Subordinate CA. The Root CA is a non-domain joined device and will only be turned on to issue a certificate for the Subordinate CA or to update the Certificate Revocation List (CRL).
The tutorial consists of 5 parts:
- part 1. This overview
- part 2. Setup Standalone Root CA
- part 3. Setup Enterprise Subordinate CA
- part 4. Setup Group policy
- part 5. Deploy Policy Templates
This is the setup we are going to build.
Before you start with this tutorial, create the following servers and install them with Microsoft Server 2019. In this tutorial we are only configuring the servers.
| Server | OS | Role | Domain membership |
|---|---|---|---|
| DC01 | MS Server 2019 | Domain Controller | |
| OFFENT-CA01 | MS Server 2019 | Offline Standalone Root CA | non-domain joined |
| SUBENT-CA02 | MS Server 2019 | Online Enterprise Subordinate CA | Domain joined |
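Once the hierarchy is built, it is worth confirming that issued certificates really chain through exactly one CA to a self-signed, trusted root and that revocation checking works, because the offline Root CA design depends on its CRL staying current and reachable. The following PowerShell function is an added example, not part of this tutorial; it assumes the Root CA certificate has already been published to the Trusted Root store and that the certificates to check are in the machine's personal store.

```powershell
# Added example (not from the tutorial): check that a certificate chains through one
# intermediate (SUBENT-CA02) to a self-signed root (OFFENT-CA01) and that online
# revocation checking succeeds for the whole chain.
function Test-TwoTierChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Force online revocation checking for every element so a stale or unreachable
    # CRL (e.g. the Root CA CRL that was never refreshed) shows up in ChainStatus.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built    = $chain.Build($Certificate)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root     = $elements[-1]

    $result = [pscustomobject]@{
        Subject        = $Certificate.Subject
        ChainBuilt     = $built
        ChainLength    = $elements.Count
        IsTwoTier      = ($elements.Count -eq 3)        # leaf + subordinate + root
        RootSubject    = $root.Subject
        RootSelfSigned = ($root.Subject -eq $root.Issuer)
        Status         = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        CrlUrls        = @()
    }

    # Collect CRL distribution points (OID 2.5.29.31) from every non-root element;
    # these are the URLs the Root and Subordinate CA must keep serving a valid CRL on.
    foreach ($c in $elements[0..($elements.Count - 2)]) {
        $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($ext) {
            $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
                    ForEach-Object { $_.Groups[1].Value }
            $result.CrlUrls += $urls
        }
    }
    $chain.Dispose()
    return $result
}

# Constructed usage: report on every certificate in the machine's personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-TwoTierChain -Certificate $_ } | Format-List
```

A healthy deployment shows `ChainBuilt` true, `IsTwoTier` true, `RootSelfSigned` true and an empty `Status`; a `RevocationStatusUnknown` or `OfflineRevocation` status usually means the Root CA CRL has expired or its distribution point is not reachable.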
Let’s get started!
Next: Offline Root CA