Setup Server 2019 Enterprise CA 2/5: Offline Root CA

Posted on: September 25, 2019
Previous: Overview

The setup starts with the Offline Root CA server. This server is only used to sign the Subordinate CA certificate; after that it is turned off and only powered on again to renew the Certificate Revocation List (CRL) and the Subordinate CA certificate. The offline CA server is OFFENT-CA01, a non-domain-joined server.

Setup Offline Root CA

1. Start the Server Manager and select “Add roles and features”.

2. The “Add Roles and Features Wizard” will start, press “Next” to continue.

3. Select “Role-based or feature-based installation” and press “Next”.

4. Use the default settings and press “Next” to continue.

5. Select “Active Directory Certificate Services”.

6. A pop-up will appear, press “Add Features” to continue.

7. Press “Next” to continue.

8. Press “Next” to continue.

9. Check that the server name is correct and press “Next” to continue.

10. Use the default settings; for the Root CA only the “Certification Authority” role service is needed.

11. Press “Install” to add the Active Directory Certificate Services to the server.

12. When the installation has completed, press the link “Configure Active Directory Certificate Services on the destination server”.

13. Use the default settings and press “Next”.

14. Select “Certification Authority” and press “Next”.

15. Because this server is not domain joined, only “Standalone CA” can be selected. Press “Next” to continue.

16. As this server is the root of the PKI hierarchy, select “Root CA” and press “Next”.

17. Select “Create a new private key” and press “Next” to continue.

18. Because this is the Root CA certificate I use a longer key length of 4096 bits, which increases the security margin of the root key.

19. Use the default settings and press “Next” to continue.

20. Because this server will be used in a test environment I extend the validity period to 10 years. Press “Next” to continue.

21. Use the default settings and press “Next” to continue.

22. Press “Configure” to configure the server.

23. Press “Close” to continue.

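The same role installation and CA configuration as steps 1 to 23, done from an elevated PowerShell prompt on the Root CA instead of the wizard. This is an added example and not part of the original post; the CA common name OFFENT-CA01-CA and the distinguished-name suffix are assumptions for this lab.

```powershell
# Added example: install and configure the standalone offline Root CA from PowerShell.
# Run in an elevated PowerShell session on the non-domain-joined server (OFFENT-CA01).
$CaCommonName = 'OFFENT-CA01-CA'        # assumption: common name of the Root CA
$DnSuffix     = 'DC=vmlabblog,DC=com'   # assumption: DN suffix shown in the CA certificate

# Steps 5-11: add the AD CS role; only the Certification Authority role service is needed.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Steps 12-23: standalone Root CA with a new 4096-bit RSA key, SHA-256 signatures
# and a 10-year CA certificate (test environment, as in the post).
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName $CaCommonName `
    -CADistinguishedNameSuffix $DnSuffix `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# Check: the CA service runs and the new CA certificate has the expected key size and lifetime.
Get-Service certsvc | Select-Object Status, Name
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaCommonName*" } |
    Select-Object Subject, NotBefore, NotAfter, @{ n = 'KeyBits'; e = { $_.PublicKey.Key.KeySize } }
```
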
24. Press “Tools” in the Server Manager and select “Certification Authority”.

25. Right click the server name and select “Properties”.

26. Select the “Extensions” tab.

27. In the “Extensions” tab select the location which starts with “ldap:///” and clear the checkmark.

28. Select the location which starts with “file://” and clear the checkmarks.

29. Because this server will be offline it cannot be contacted by clients, therefore a CRL Distribution Point (CDP) location hosted on the Subordinate server needs to be added. Press “Add” to add the CDP on the Subordinate Server.

30. Enter the following location: “http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl”. Replace <ServerDNSName> with the DNS name of the Subordinate server; in this demo the location will be http://SUBENT-CA02.vmlabblog.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl. Press “OK”.

31. Check the boxes beginning with “Include in CRLs*” and “Include in the CDP*” and press “Apply”.

32. Press “No” when asked to restart the service.

33. In “Select extension” select “Authority Information Access (AIA)”.

34. Select the location which starts with “file://”, clear the checkmark and press “Add”.

35. Enter the following location: “http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt”. Replace the <ServerDNSName> in the host part with the DNS name of the Subordinate server; in this demo the location will be http://SUBENT-CA02.vmlabblog.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt. Press “OK”.

36. Check the box “Include in the AIA extension of issued certificates” and press “Apply”.

37. Press “Yes” when asked to restart the service.

38. Right click “Revoked Certificates” and select “Properties”.

39. The default CRL publication interval is a week; for this lab we increase it to a year and press “OK”. (This way the Root CA only needs to be turned on once a year to renew the CRL.)

40. Now publish the CRL with the updated validity of a year. Right click “Revoked Certificates” and select “All Tasks” -> “Publish”.

41. Select “New CRL” and press “OK”.

42. The default validity period for certificates issued by the Root CA is 1 year. To extend this period to 5 years use the following command in “Command Prompt”:

certutil -setreg ca\ValidityPeriodUnits "5"

43. After the validity period has been increased, the Certificate Services service needs to be restarted. This can be done with the command:

net stop certsvc && net start certsvc

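The CDP/AIA, CRL-lifetime and validity settings of steps 24 to 43 as certutil registry commands, run from an elevated PowerShell prompt on the Root CA. This is an added example, not from the original post; %1, %3, %4, %8 and %9 are the certutil tokens for ServerDNSName, CaName, CertificateName, CRLNameSuffix and DeltaCRLAllowed, so the URLs are the ones from steps 30 and 35, and the delta-CRL line is a common offline-root setting the post does not mention.

```powershell
# Added example: steps 24-43 as certutil settings. Run elevated on the Root CA.
$SubCaHost = 'SUBENT-CA02.vmlabblog.com'   # Subordinate CA host name from the post

# CDP (steps 27-31). Flags: 1 = publish CRL to this location, 2 = include in the CDP of
# issued certificates, 8 = include in CRLs. The ldap:/// entry is dropped; the local file
# path keeps flag 1 so the CRL file is written to CertEnroll for copying to the subordinate,
# and the HTTP URL on the subordinate gets 2+8 = 10, the two boxes checked in step 31.
$cdp = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'
    "10:http://$SubCaHost/CertEnroll/%3%8%9.crl"
) -join '\n'                                # certutil uses a literal \n between entries
certutil -setreg CA\CRLPublicationURLs $cdp

# AIA (steps 33-36). Flags: 1 = publish to this location, 2 = include in the AIA of issued certs.
$aia = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'
    "2:http://$SubCaHost/CertEnroll/%1_%3%4.crt"
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $aia

# CRL lifetime of a year instead of a week (step 39) and 5-year issued certificates (step 42).
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Years'
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod 'Years'
# Not in the post: an offline root cannot publish daily delta CRLs, so disable them.
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Settings take effect after a service restart (steps 37/43); then publish a new CRL (steps 40-41).
Restart-Service certsvc
certutil -CRL

# Checks: the registry lists both URLs, and the published CRL's NextUpdate is about a year out.
certutil -getreg CA\CRLPublicationURLs
Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" |
    ForEach-Object { certutil -dump $_.FullName | Select-String 'ThisUpdate|NextUpdate' }
```
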
44. Close the Command Prompt and start “mmc”.

45. Select “Add/Remove Snap-in…”.

46. Select the “Certificates” snap-in and press “Add”.

47. Select “Computer account” and press “Next”.

48. Select “Local computer” and press “Finish”.

49. Expand “Personal” -> “Certificates”, right click the <RootCA certificate> and select “All Tasks” -> “Export…”.

50. Press “Next” in the Welcome screen.

51. Select “No, do not export the private key” and press “Next”.

52. Select “DER encoded binary X.509 (.CER)” and press “Next”.

53. In File name enter “C:\Windows\System32\CertSrv\CertEnroll\<CA-NAME>-CA.cer” and press “Next”.

54. Press “Finish” to export the Root CA certificate.

55. A popup will appear when the export was successful, press “OK” to continue.

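The certificate export of steps 44 to 55 without the MMC wizard, including a check that the file written is the public part only and matches the store copy. This is an added example, not part of the original post; the CA common name OFFENT-CA01-CA is an assumption.

```powershell
# Added example: export the Root CA certificate (steps 44-55) from PowerShell.
$CaCommonName = 'OFFENT-CA01-CA'                                # assumption: name chosen at setup
$CertEnroll   = "$env:windir\System32\CertSrv\CertEnroll"
$OutFile      = Join-Path $CertEnroll "$CaCommonName.cer"      # same folder as in step 53

# The Root CA certificate sits in the machine's Personal store; it is self-signed (Issuer == Subject).
$root = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaCommonName*" -and $_.Subject -eq $_.Issuer }
if (-not $root) { throw "Root CA certificate for $CaCommonName not found in Cert:\LocalMachine\My" }
# If the CA certificate was ever renewed, take the newest one.
$root = $root | Sort-Object NotAfter -Descending | Select-Object -First 1

# DER-encoded .cer with the public part only: the equivalent of "No, do not export the
# private key" and "DER encoded binary X.509" in the wizard (steps 51-52).
Export-Certificate -Cert $root -FilePath $OutFile -Type CERT | Out-Null

# Check 1: the file reads back with the same thumbprint and carries no private key.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
if ($exported.Thumbprint -ne $root.Thumbprint) { throw 'Exported certificate does not match the store copy' }
if ($exported.HasPrivateKey) { throw 'Exported file must not contain the private key' }
"Exported $OutFile  thumbprint $($exported.Thumbprint)  valid until $($exported.NotAfter)"

# Check 2: the files to carry to the Subordinate CA in the next part: this .cer and the CRL from step 41.
Get-ChildItem "$CertEnroll\*" -Include *.cer, *.crl | Select-Object Name, Length, LastWriteTime
```

Record the printed thumbprint; it is the value to compare against when the certificate is imported on the Subordinate CA.
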
The setup of the Offline RootCA is now completed.

Next: Subordinate CA Server