Setup Server 2019 Enterprise CA 3/5: Subordinate CA

Posted on: September 25, 2019
Previous: Offline Root CA

 

With the Offline Root CA completed, we can now set up the Subordinate CA server. This server is authorized by the Root CA to issue certificates. During the setup the CA role will be added and configured, and the server will be authorized by the Root CA. The Subordinate CA server is SUBENT-CA02.

 

Setup Subordinate CA

 

1. Start Server Manager and select “Add roles and features”.

 

2. The “Add Roles and Features Wizard” will start, press “Next” to continue.

 

 

3. Select “Role-based or feature-based installation” and press “Next”

 

4. Use the default settings and press “Next” to continue.

 

5. Select “Active Directory Certificate Services”

 

6. A pop-up will appear, press “Add Features” to continue.

 

7. Press “Next” to continue

 

8. Press “Next” to continue.

 

9. Check that the server name is correct and press “Next” to continue.

 

10. Check the box “Certification Authority Web Enrollment”

 

11. A popup will appear, press “Add Features” to continue.

 

12. “Certification Authority” and “Certification Authority Web Enrollment” are now selected. Press “Next” to continue.

 

13. Press “Next” to continue.

 

14. Use the default settings and press “Next” to continue.

 

15. In the confirmation screen press “Install” to start the installation.

 

16. When the installation has completed, press the link “Configure Active Directory Certificate Services on the destination server”

 

17. Make sure your domain credentials have been entered and not your local admin credentials. Otherwise you will not be able to configure an Enterprise CA. Press “Next” to continue.

 

18. Select the boxes “Certification Authority” and “Certification Authority Web Enrollment” and press “Next” to continue.

 

19. Select “Enterprise CA” and press “Next” to continue. (If Enterprise CA is not available, check that the server is domain joined and check the credentials in step 17.)

 

20. Select “Subordinate CA” and press “Next” to continue.

 

21. Select “Create a new private key” and press “Next”

 

22. Use the default settings and press “Next” to continue

 

23. Use the default settings and press “Next” to continue

 

24. Select the folder to save the Certificate Request and press “Next” to continue.

 

25. Use the default settings and press “Next” to continue.

 

26. Press “Configure” to apply the configuration.

 

27. When the configuration has succeeded, a warning is shown. This is just a notification that the configuration is not complete until a certificate has been obtained from the Root CA.

 

28. Switch over to the Offline Root CA (OFFENT-CA01) and browse to the folder “c:\windows\system32\certsrv\certenroll”. There should be three files, select and copy all files.

 

29. Switch back to the Subordinate CA (SUBENT-CA02) and browse to the folder “c:\windows\system32\certsrv\certenroll”. Paste all the files copied in the previous step.

 

30. Right-click the Root CA certificate which you just copied and select “Install Certificate”.

 

31. Create a new folder in “C:\inetpub\wwwroot” with the name “CertEnroll”

 

32. Copy the Root CA certificate and Certificate Revocation List from “C:\Windows\System32\CertSrv\CertEnroll” to “C:\inetpub\wwwroot\CertEnroll”

33. Select “Local Machine” and press “Next”

 

34. Press “Browse” and select the “Trusted Root Certification Authorities” store. Press “Next” to continue.

 

35. Press “Finish” to continue.

 

36. After some time a popup will appear when the import has finished. Press “OK” to continue

 

37. Browse to the location entered in step 24 (default “c:\”) and copy the “*.Req” file to the C: drive on the Root CA server.

 

38. On the Root CA server open “Certification Authority”, right-click the server name and select “All Tasks” -> “Submit new request…”

 

39. Browse to the request file on the C: drive and press “Open”

 

40. Select “Pending Requests”. Right-click the pending request and select “All Tasks” -> “Issue”

 

41. Select “Issued Certificates”. Right-click the issued certificate and select “Open”

 

42. Select “Details” and press “Copy to file…”

 

43. Press “Next” to continue

 

44. Select “Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)” and check the box “Include all certificates in the certification path if possible”. Press “Next” to continue.

 

45. Enter a name and press “Save” (the default location is the C: drive)

 

46. Press “Next” to continue.

 

 

47. Press “Finish” to export the CA Certificate

 

48. After some time a popup will appear when the export has finished. Press “OK” to continue.

 

49. Copy the CA Certificate from the RootCA and switch to the subordinate server to paste the file.

 

50. On the Subordinate CA open the Certification Authority. Right-click the server name and select “All Tasks” -> “Install CA Certificate”

 

51. Select the copied CA Certificate and press “Open”

 

52. Right-click the server name and select “All Tasks” -> “Start Service”

 

The setup of the Subordinate CA is now completed.
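The Subordinate CA side of the walkthrough above can also be scripted. The PowerShell below is an added example, not part of the original post: the file names and the `ExpectedRootThumbprint` value are placeholders, and the thumbprint comparison before trusting the root is an addition to the steps. Copying files between the servers (steps 28-29, 37 and 49) and issuing the request on the Root CA (steps 38-48) stay manual, so the script runs in two phases.

```powershell
# Added example (not the author's script). Run elevated on SUBENT-CA02 as a domain account (step 17).
param(
    [Parameter(Mandatory)][ValidateSet('Request', 'Complete')][string]$Phase,
    # Placeholders / assumptions: none of these values come from the walkthrough.
    [string]$ExpectedRootThumbprint = '<ROOT-CA-THUMBPRINT>',   # read on OFFENT-CA01 itself
    [string]$RootCertFile = 'C:\Windows\System32\CertSrv\CertEnroll\<root-ca>.crt',
    [string]$RequestFile  = 'C:\SUBENT-CA02.req',               # step 24 location
    [string]$IssuedChain  = 'C:\SUBENT-CA02.p7b'                # file exported in steps 42-48
)
$ErrorActionPreference = 'Stop'
$certEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'
$webEnroll  = 'C:\inetpub\wwwroot\CertEnroll'

if ($Phase -eq 'Request') {
    # Steps 1-15: add the role and the web enrollment role service.
    Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools | Out-Null
    # Steps 16-27: Enterprise Subordinate CA, new key, default crypto and CA name.
    Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa `
        -OutputCertRequestFile $RequestFile -Force
    Install-AdcsWebEnrollment -Force
    Write-Output "Request written to $RequestFile; submit it on the Root CA (steps 37-48)."
}
else {
    # Steps 30, 33-36: trust the root only if it is the certificate you expect.
    $root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCertFile)
    if ($root.Thumbprint -ne ($ExpectedRootThumbprint -replace '\s', '')) {
        throw "Root thumbprint $($root.Thumbprint) does not match the expected value."
    }
    Import-Certificate -FilePath $RootCertFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    # Steps 31-32: publish the root certificate and CRL for web retrieval.
    New-Item -ItemType Directory -Path $webEnroll -Force | Out-Null
    Copy-Item -Path "$certEnroll\*.crt", "$certEnroll\*.crl" -Destination $webEnroll

    # Steps 50-51: install the issued CA certificate chain.
    certutil.exe -installcert $IssuedChain
    if ($LASTEXITCODE -ne 0) { throw "certutil -installcert failed with exit code $LASTEXITCODE." }

    # Step 52: start the CA service and show its status.
    Start-Service -Name CertSvc
    Get-Service -Name CertSvc
}
```

Run it with `-Phase Request` first, carry the request to the Root CA by hand, then run it with `-Phase Complete` once the root files and the issued `.p7b` are on SUBENT-CA02.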

Next: Setup Group Policy
