Setup Server 2019 Enterprise CA 1/5: Overview


In this tutorial we’re going to configure a Two-Tier Enterprise PKI with Microsoft Server 2019, intended for lab use. The advantage of a Two-Tier Enterprise PKI hierarchy is that clients only trust the Root CA, so if a Subordinate server gets compromised, the Root CA does not have to be replaced. During normal operation the Root CA will be offline and certificate requests are handled by the Subordinate CA. The Root CA is a non-domain-joined device and will only be turned on to issue a certificate for the Subordinate CA or to update the Certificate Revocation List (CRL).


The tutorial consists of 5 parts




In this tutorial we are going to build this lab setup.



Before you start with this tutorial create the following servers and install them with Microsoft Server 2019. In this tutorial we are only configuring the servers.

| Servername | OS | Role | Notes |
|---|---|---|---|
| DC01 | MS Server 2019 | Domain Controller | |
| OFFENT-CA01 | MS Server 2019 | Offline Standalone Root CA | non-domain joined |
| SUBENT-CA02 | MS Server 2019 | Online Enterprise Subordinate CA | Domain joined |


Let’s get started!

Next: Offline Root CA



1 thought on “Setup Server 2019 Enterprise CA 1/5: Overview”

  1. Gilles

    First, thank you for your work. I follow your guide, but on step 39, when choosing the req file, I get an error “the request certificate template is not supported by this ca 0x80094800”. I tried several times to restart the installation, but every time it is the same issue. Do you have some idea?

