In this tutorial we are going to configure a Two-Tier Enterprise PKI with Microsoft Server 2019, intended for lab use. The advantage of a Two-Tier Enterprise PKI hierarchy is that clients only trust the Root CA. So if a Subordinate CA gets compromised, the Root CA does not have to be replaced. During normal operation the Root CA is offline and certificate requests are handled by the Subordinate CA. The Root CA is a non-domain-joined device and will only be turned on to issue a certificate for the Subordinate CA or to update the Certificate Revocation List (CRL).
The tutorial consists of 5 parts:
- part 1. This overview
- part 2. Setup Standalone Root CA
- part 3. Setup Enterprise Subordinate CA
- part 4. Setup Group policy
- part 5. Deploy Policy Templates
This is the lab setup we are going to build.
Before you start with this tutorial, create the following servers and install Microsoft Server 2019 on them. This tutorial only covers configuring the servers.
| Servername | OS | Role | Notes |
|---|---|---|---|
| DC01 | MS Server 2019 | Domain Controller | |
| OFFENT-CA01 | MS Server 2019 | Offline Standalone Root CA | non-domain joined |
| SUBENT-CA02 | MS Server 2019 | Online Enterprise Subordinate CA | domain joined |
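The trust model described above (clients trust only the Root CA, the Subordinate CA does the issuing, and revocation of either tier is published through CRLs) can be checked from a domain-joined client once the lab is built. The following PowerShell is an added example and not part of the original tutorial; it assumes you run it on a member server or workstation after all parts are done, that the certificate to inspect is in the local machine `My` store, and that the `$Thumbprint` you pass belongs to a certificate issued by SUBENT-CA02 (the function name `Test-TwoTierChain` is my own).

```powershell
# Added example, not from the original tutorial. Builds the chain for one certificate with
# the Windows chain engine and reports whether it matches a healthy two-tier hierarchy:
# leaf -> Subordinate CA -> self-signed Root CA that sits in the Trusted Root store,
# with revocation actually checked for the leaf and the Subordinate CA.
function Test-TwoTierChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Thumbprint,          # assumption: a cert issued by SUBENT-CA02
        [string]$StoreLocation = 'LocalMachine'               # or 'CurrentUser'
    )

    $cert = Get-Item "Cert:\$StoreLocation\My\$Thumbprint" -ErrorAction Stop

    $ns    = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$ns.X509Chain"
    # Online: fetch CRLs from the CDP URLs in the certificates (the CRLs you publish in parts 2 and 3).
    # ExcludeRoot: the self-signed Root CA has no CDP of its own, so do not demand a CRL for it;
    # the Root CA's CRL is still used to check the Subordinate CA certificate.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot

    $builds   = $chain.Build($cert)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })   # index 0 = leaf, last = root
    $root     = $elements[-1]

    # The design in the overview: only the Root CA belongs in Trusted Root; the Subordinate CA
    # should be found in the Intermediate store (Cert:\...\CA), never in Root.
    $rootStore  = Get-ChildItem "Cert:\$StoreLocation\Root"
    $inRoot     = [bool]($rootStore | Where-Object { $_.Thumbprint -eq $root.Thumbprint })
    $subInRoot  = $false
    if ($elements.Count -ge 3) {
        $subInRoot = [bool]($rootStore | Where-Object { $_.Thumbprint -eq $elements[-2].Thumbprint })
    }

    # Typical failure modes for an offline-root design, read from the chain status flags:
    #   Revoked                  -> the cert or the Subordinate CA was revoked (the compromise case above)
    #   RevocationStatusUnknown /
    #   OfflineRevocation        -> a CRL could not be fetched or has expired; with an offline Root CA
    #                               this usually means its CRL was not republished in time.
    $problems = @($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())"
    })

    $chain.Reset()

    [pscustomobject]@{
        Thumbprint           = $Thumbprint
        ChainBuilds          = $builds
        Depth                = $elements.Count
        IsTwoTier            = ($elements.Count -eq 3)
        RootIsSelfSigned     = ($root.Subject -eq $root.Issuer)
        RootInTrustedStore   = $inRoot
        SubCaWronglyInRoot   = $subInRoot
        Path                 = (($elements | ForEach-Object { $_.Subject }) -join ' -> ')
        Problems             = $problems
    }
}

# Usage (thumbprint is a placeholder, replace it with one from Get-ChildItem Cert:\LocalMachine\My):
# Test-TwoTierChain -Thumbprint '<THUMBPRINT-OF-A-CERT-ISSUED-BY-SUBENT-CA02>' | Format-List
```

A healthy lab returns `ChainBuilds = True`, `Depth = 3`, `RootInTrustedStore = True`, `SubCaWronglyInRoot = False` and an empty `Problems` list. If `Problems` shows `RevocationStatusUnknown` or `OfflineRevocation`, check the CDP URLs first and then the validity period of the CRL published by OFFENT-CA01, since that CRL is only renewed when the offline Root CA is turned on. `certutil -verify -urlfetch <exported.cer>` gives the same chain walk with the CRL downloads printed, which is useful as a second opinion.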
Let’s get started!
Next: Offline Root CA
Hi,
first, thank you for your work. I follow your guide, but on step 39 when I choose the req file I get an error “the request certificate template is not supported by this ca 0x80094800”. I try several times to restart the installation, but every time the same issue. Do you have some idea?
Thx