Setup Server 2019 Enterprise CA 3/5: Subordinate CA

Previous: Offline Root CA

Updated 11-12-2020: Added the missing role service “Basic Authentication” in step 14.

With the Offline Root CA completed, we can now set up the Subordinate CA server. This server is authorized by the Root CA to issue certificates: during the setup the AD CS role is added and configured, a certificate request is generated, and the Root CA signs that request. The Subordinate CA server is SUBENT-CA02. Make sure the Subordinate CA server is domain joined before you start with the AD CS setup, and that you have a domain account that is a member of the Enterprise Admins group (a Domain Admin alone is not enough to configure an Enterprise CA).

 

Setup Subordinate CA

 

1. Start the Server manager and select “Add roles and features”

 

2. The “Add Roles and Features Wizard” will start, press “Next” to continue.

 

3. Select “Role-based or feature-based installation” and press “Next”

 

4. Use the default settings and press “Next” to continue.

 

5. Select “Active Directory Certificate Services”

 

6. A pop-up will appear, press “Add Features” to continue.

 

7. Select “Web Server (IIS)”

 

8. A pop-up will appear, press “Add Features” to continue.

 

9. Press “Next” to continue

 

10. Press “Next” to continue.

 

11. Check the server name before you continue: it cannot be changed after the AD CS role has been installed. Press “Next” to continue.

 

12. Keep the default role service (Certification Authority) and press “Next”.

 

13. On the Web Server Role (IIS) page press “Next”

 

14. On the Role Services page select “Basic Authentication” and “Windows Authentication”. Press “Next” to continue. Note that Basic Authentication sends the password only Base64-encoded, not encrypted, so if you enable it make sure the enrollment site is only reachable over HTTPS.

 

15. In the confirmation screen press “Install” to start the installation.

 

16. When the installation has completed, press the link “Configure Active Directory Certificate Services on the destination server”

 

17. Make sure your domain credentials have been entered and not your local admin credentials, otherwise you will not be able to configure an Enterprise CA. The account must be a member of the Enterprise Admins group. Press “Next” to continue.

 

18. Select the box “Certification Authority” and press “Next” to continue.

 

19. Select “Enterprise CA” and press “Next” to continue. (If “Enterprise CA” is greyed out, check that the server is domain joined and that the credentials entered in step 17 belong to an Enterprise Admin.)

 

20. Select “Subordinate CA” and press “Next” to continue.

 

21. Select “Create a new private key” and press “Next”.

 

22. Use the default settings and press “Next” to continue.

 

23. Use the default settings and press “Next” to continue

 

24. Select the folder to save the Certificate Request and press “Next” to continue. (default is “c:\”)

 

25. Use the default settings and press “Next” to continue.

 

26. Press “Configure” to apply the configuration.

 

27. When the configuration has succeeded, a warning is shown. This is only a notification that the configuration is not complete until a certificate signed by the Root CA has been obtained and installed on the Subordinate CA; the certsvc service cannot start before that.
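Steps 1 to 27 can also be done unattended from an elevated PowerShell prompt on SUBENT-CA02. The script below is an added example and not part of the original guide: the CA common name, the 4096-bit key (the wizard default is 2048) and the request path are assumptions, and the preflight checks enforce the two requirements from step 7 and step 17 (domain joined, Enterprise Admin) before anything is installed.

```powershell
# Added example: unattended equivalent of steps 1-27 on the subordinate CA.
# Assumptions (not from the guide): CA common name, key length, request path.
$CaCommonName = 'SUBENT-CA02-CA'          # assumed name; pick your own
$RequestFile  = 'C:\SUBENT-CA02.req'      # the wizard saves the request to C:\ by default

# Preflight: the CA must be domain joined (step 7) and the account must be an
# Enterprise Admin (step 17). RID 519 is the well-known Enterprise Admins RID.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$($cs.Name) is not domain joined; join it first." }
$id   = [Security.Principal.WindowsIdentity]::GetCurrent()
$isEA = $id.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-519' }
if (-not $isEA) { throw "Run this as a member of Enterprise Admins, not as a local admin." }

# Steps 5-15: AD CS Certification Authority role plus IIS with Windows and
# Basic authentication (Basic only makes sense behind HTTPS).
Install-WindowsFeature -Name ADCS-Cert-Authority, Web-Server, Web-Windows-Auth, Web-Basic-Auth `
    -IncludeManagementTools

# Steps 17-26: enterprise subordinate CA with a new key. The request is written
# to $RequestFile; certsvc stays stopped until the root has signed it (step 27).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName $CaCommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile $RequestFile `
    -Force

# Step 11 reminder: the host name is now baked into the CA and cannot change.
"CA role installed on $env:COMPUTERNAME; request written to $RequestFile"
Get-Item $RequestFile | Select-Object FullName, Length, LastWriteTime
```

Install-AdcsCertificationAuthority ends with the same "installation is incomplete" warning as the wizard in step 27; that is expected until the signed certificate from the Root CA has been installed.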

 

28. Switch over to the Offline Root CA (OFFENT-CA01) and browse to the folder “c:\windows\system32\certsrv\certenroll”. There should be three files (the Root CA certificate, *.crt, and the CRL files, *.crl); select and copy all of them.

 

29. Switch back to the Subordinate CA (SUBENT-CA02) and browse to the folder “c:\windows\system32\certsrv\certenroll”. Paste all the files copied in the previous step.

 

30. Right-click the Root CA certificate which you just copied and select “Install Certificate”

31. Select “Local Machine” and press “Next”

 

32. Press “Browse” and select the “Trusted Root Certification Authorities” store. Press “Next” to continue.

 

33. Press “Finish” to continue.

 

34. After some time a popup will appear when the import has finished. Press “OK” to continue

 

35. Create a new folder in “C:\inetpub\wwwroot” with the name “CertEnroll”

 

36. Copy the Root CA certificate and Certificate Revocation List from “C:\Windows\System32\CertSrv\CertEnroll” to “C:\inetpub\wwwroot\CertEnroll”
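The same distribution of the root certificate and CRL (steps 29 to 36) from PowerShell on SUBENT-CA02, followed by the check that actually matters: the CRL must be downloadable at the HTTP CDP URL that was configured on the root in part 2, otherwise certsvc refuses to start with “the revocation server was offline” (see the comments below). This is an added example, not the guide's own steps; the staging folder, file names and the DNS name in $CdpHost are assumptions and must match your root CA's extension settings. The two certutil -dspublish lines go beyond the guide: they publish the root certificate and CRL into Active Directory so every domain member picks up the trust anchor, independent of the Group Policy step in part 4.

```powershell
# Added example: equivalent of steps 29-36 plus a CDP reachability check.
# Assumptions (not from the guide): staging folder, file names and CDP host.
$Staging    = 'C:\Temp\RootCA'                           # where the root's CertEnroll files were copied to
$CertEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'   # step 29
$WebEnroll  = 'C:\inetpub\wwwroot\CertEnroll'            # step 35
$CdpHost    = 'subent-ca02.lab.local'                    # DNS name used in the root's CDP/AIA URLs (part 2); assumed

$rootCert = Get-ChildItem "$Staging\*.crt" | Select-Object -First 1
$rootCrl  = Get-ChildItem "$Staging\*.crl"
if (-not $rootCert) { throw "No .crt in $Staging; see step 32 of the Root CA guide (2/5)." }

# Steps 29 and 35-36: stage the files where the CA and IIS serve them from.
New-Item -ItemType Directory -Path $WebEnroll -Force | Out-Null
Copy-Item "$Staging\*.crt", "$Staging\*.crl" -Destination $CertEnroll -Force
Copy-Item "$Staging\*.crt", "$Staging\*.crl" -Destination $WebEnroll  -Force

# Steps 30-34: trust the root on this machine (LocalMachine\Root store).
certutil -addstore -f Root $rootCert.FullName | Out-Null

# Optional, beyond the guide: publish the root cert and CRL into AD so all
# domain members get the trust anchor and revocation data. Needs Enterprise Admin.
certutil -dspublish -f $rootCert.FullName RootCA | Out-Null
foreach ($crl in $rootCrl) { certutil -dspublish -f $crl.FullName | Out-Null }

# Check: every CRL must be fetchable at the HTTP CDP URL the root cert points to.
foreach ($crl in $rootCrl) {
    $url = "http://$CdpHost/CertEnroll/$($crl.Name)"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing
        "OK   $url ($($r.RawContentLength) bytes)"
    } catch {
        "FAIL $url : $($_.Exception.Message)"
    }
}

# Chain and revocation check of the root certificate, fetching the URLs it carries.
certutil -verify -urlfetch $rootCert.FullName | Select-String -Pattern 'Revocation|Expired|ERROR|completed'
```

If the FAIL line appears, fix the CDP/AIA URLs on the root (part 2, steps 30 and 33) or the IIS folder before continuing; installing the subordinate certificate will not succeed until the CRL is reachable.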

 

37. Browse to the location entered in step 24 (default “c:\”) and copy the “*.req” file to the C: drive of the Root CA server.

 

38. On the Root CA server open “Certification Authority”, right-click the server name and select “All Tasks” -> “Submit new request…”

 

39. Browse to the request file on the C: drive and press “Open”

 

40. Select “Pending Requests”. Right-click the pending request and select “All Tasks” -> “Issue”

 

41. Select “Issued Certificates”. Right-click the issued certificate and select “Open”

 

42. Select “Details” and press “Copy to file…”

 

43. Press “Next” to continue

 

44. Select “Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)” and check the box “Include all certificates in the certification path if possible”. Press “Next” to continue.

 

45. Press “Browse…”

 

46. Enter a name for the certificate and press “Save” (the default location is the Documents folder)

 

47. Press “Next” to continue.

 

48. Press “Finish” to export the CA Certificate.

 

49. After some time a popup will appear when the export has finished. Press “OK” to continue.

 

50. Copy the CA certificate exported from the Root CA (step 46) and switch to the Subordinate CA server to paste the file.

 

51. On the Subordinate CA open “Certification Authority”. Right-click the server name and select “All Tasks” -> “Install CA Certificate”

 

52. Select the copied CA Certificate and press “Open”

 

53. Right-click the server name and select “All Tasks” -> “Start Service”

 

The setup of the Subordinate CA is now completed.
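Steps 37 to 53 as a scripted equivalent, added here and not part of the guide, with two things the GUI path hides. First, a standalone root issues the subordinate certificate with its own ValidityPeriod/ValidityPeriodUnits registry values, which default to one year (see the validity questions in the comments), so those are checked and set on the root before the request is submitted. Second, the issued certificate is inspected and its CDP/AIA URLs fetched before certsvc is started on the subordinate. The CA config string, file paths and the 10-year period are assumptions; part 1 runs on OFFENT-CA01, part 2 on SUBENT-CA02.

```powershell
# Added example, not the guide's own steps. Part 1 runs on the offline root
# (OFFENT-CA01), part 2 on the subordinate (SUBENT-CA02). Names are assumptions.

# ---------- Part 1: on OFFENT-CA01 (steps 38-48) ----------
$RootConfig  = 'OFFENT-CA01\OFFENT-CA01-CA'   # "<host>\<CA common name>" of the root; assumed
$RequestFile = 'C:\SUBENT-CA02.req'           # copied from the subordinate (step 37)
$CertFile    = 'C:\SUBENT-CA02.cer'           # the issued subordinate CA certificate
$ChainFile   = 'C:\SUBENT-CA02.p7b'           # PKCS#7 with the chain, as in step 44
$SubCaYears  = 10                             # desired lifetime of the subordinate CA certificate

# The root issues with ValidityPeriod/ValidityPeriodUnits (default: 1 year).
# Set them before submitting; certsvc must be restarted to pick the change up.
$units = (certutil -getreg ca\ValidityPeriodUnits | Select-String '=\s*(\d+)' |
          Select-Object -First 1).Matches[0].Groups[1].Value
if ([int]$units -ne $SubCaYears) {
    certutil -setreg ca\ValidityPeriod Years            | Out-Null
    certutil -setreg ca\ValidityPeriodUnits $SubCaYears | Out-Null
    Restart-Service certsvc
}

# Steps 38-39: submit. On a standalone CA the request lands in Pending Requests.
$submit = certreq -config $RootConfig -submit $RequestFile $CertFile
$match  = $submit | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1
if (-not $match) { throw "Submit failed:`n$($submit -join "`n")" }
$reqId  = $match.Matches[0].Groups[1].Value

# Step 40: issue; steps 41-48: retrieve the certificate and the PKCS#7 chain.
certutil -config $RootConfig -resubmit $reqId | Out-Null
certreq  -config $RootConfig -retrieve $reqId $CertFile $ChainFile | Out-Null

# Sanity check before carrying the files over: subject, issuer and lifetime.
$c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
"Issued to $($c.Subject) by $($c.Issuer), valid until $($c.NotAfter)"
if ($c.NotAfter -lt (Get-Date).AddYears($SubCaYears - 1)) {
    Write-Warning "Validity is shorter than $SubCaYears years; check ca\ValidityPeriod on the root."
}

# ---------- Part 2: on SUBENT-CA02 (steps 51-53) ----------
$CertFile  = 'C:\SUBENT-CA02.cer'   # both files copied from the root (step 50)
$ChainFile = 'C:\SUBENT-CA02.p7b'

# Fetch the CDP/AIA URLs embedded in the new certificate first: if this shows
# an error, certsvc will fail to start with "revocation server was offline".
certutil -verify -urlfetch $CertFile | Select-String 'ERROR|offline|Expired|Revocation|completed'

certutil -installcert $ChainFile    # steps 51-52 (also works on Server Core, where the MMC dialog may not appear)
Start-Service certsvc               # step 53
certutil -cainfo name               # prints the subordinate CA name if the service is healthy
certutil -cainfo type               # should report an Enterprise Subordinate CA
```

The ValidityPeriod change on the root only affects certificates issued after the restart; a subordinate certificate that was already issued for one year has to be renewed (request a new certificate, submit it to the root again) to get the longer lifetime.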

Next: Setup Group Policy

51 thoughts on “Setup Server 2019 Enterprise CA 3/5: Subordinate CA”

  1. Mike

    Within the folder “c:\windows\system32\certsrv\certenroll” on the Offline Root CA I have only two files – the .crt file is missing. I followed exactly your previous steps. Any ideas?

    Reply
    1. Aad Lutgert Post author

      Hi Mike,

      I think you forgot step 32 in the setup of the Root CA (2/5). In this step you edit the location where the *.crt file is stored.

      regards,
      Aad

      Reply
  2. shawn

    Is this step 3 done on an already Domain Joined server?

    When I try to copy from the workgroup machine (ROOT), to the domain joined (SUBORDINATE), I am not given permission to copy to the certenroll folder on the Domain Joined server…even though I am logged in as the domain admin.

    Do I need to be a member of any specific groups?

    Reply
    1. Aad Lutgert Post author

      Hi Shawn,

      The Enterprise Subordinate CA has to be AD joined before you start. You can check https://vmlabblog.com/2019/09/setup-server-2019-enterprise-ca-1-5-overview for the details.

      How did you perform the copy of the files? Did you browse to the folder on the SUBORDINATE from the Root machine? If you browse from the SUBORDINATE to the ROOT using File Explorer, it should work. I copied the files using a Remote Desktop Connection (enable the “Clipboard” option) from my pc to both servers.

      Administrators have full control in the folder c:\inetpub\wwwroot\CertEnroll, you don’t need any additional rights if you are logged in as Domain Admin.

      Hope this will help you.

      Reply
      1. Shawn

        I was able to figure it out. RDP wouldn’t let me copy from the WORKGROUP server to the DOMAIN server.

        So I used file explorer in the WORKGROUP server, to copy and paste the ROOT CA files to the DOMAIN subordinate server (\\SUBENT-CA02\c$\Windows\System32\certsrv\certenroll).

        It prompted me for domain admin creds and then proceeded to allow me to copy into the subordinate servers file system.

        Thanks again

        Reply
  3. Olli Keutel

    I was under the assumption that CRL and AIA must be configured on the sub ca as well?
    Thanks in advance for clarifying
    Olli

    Reply
    1. Aad Lutgert Post author

      Hi Olli,

      By default the serverdns will be used for the Authority Information Access (AIA) and certificate revocation list distribution point (CDP) locations. If you want to use an alternative location (for example: if you publish the server to the internet or in a load balancing scenario) you will need to adjust the settings.

      Reply
  4. Ned

    Hey Sean,

    Very much appreciate this guide so first of all thank you.

    Upon starting the service it says that my subordinate is missing, is this the right behaviour or has the step previous of installing the CA failed somehow.

    Cheers,

    Ned

    Reply
    1. Ned

      Hey Sean,

      Very much appreciate this guide so first of all thank you.

      Upon starting the service it says that my subordinate is missing its CA, is this the right behaviour or has the step previous of installing the CA from root failed somehow.

      Cheers,

      Ned

      Reply
        1. Ned Dunningham

          Hey Aad,

          Sorry for calling you Sean, not sure where I got that from.

          I’ve tried step 50 multiple times, it appears to install but then when starting the service the prompt comes up saying the CA is missing. Is there perhaps another step I missed that would cause this.

          Thanks for the reply.

          N

          Reply
          1. Aad Lutgert Post author

            Hi Ned,

            I think something went wrong with the creation of the certificate for the Subordinate CA. I would suggest to first check the application log in the eventviewer on the Subordinate, sometimes you can find more details about the error which is displayed.

            Did you add the correct Subordinate dns during the configuration of the root ca (https://vmlabblog.com/2019/09/setup-server-2019-enterprise-ca-2-5-offline-root-ca/ step 30/33). You can also open the certificate you are trying to import on the Subordinate server (*.P7B see step 39) and check if the certificates are issued to the correct servers and if the CDP and AIA are using the correct URL’s.

            regards,
            Aad

  5. Scott

    Server 2019, I had to be logged in as an Enterprise Admin and use the Enterprise Admin account in step 17. Domain Admin did not work.

    Reply
    1. Aad Lutgert Post author

      Hi Scott,

      That’s correct this is also displayed in the credentials screen which is displayed. (see screenshot step 17)

      “To install the following role services you must belong to the Enterprise Admins group.”

      regards,
      Aad

      Reply
  6. DanielW.

    Hi Aad,

    In the step 28 of this procedure, when I go to the Offline Root CA and browse to “c:\windows\system32\certsrv\certenroll” I find a few .crt and .crl files but I cannot find the .cer file.

    How could I find this file?

    Reply
  7. Ned Dunningham

    Hey Aad,

    Thanks again for engaging here in the comments, just thought I would let you know I was not running with an appropriate domain user on the sub and this guide has been very helpful.

    Cheers,

    Ned

    Reply
  8. zed

    the Subordinate CA has a expiry period of 1 year by default
    How to you change this period to be longer?

    Reply
    1. Aad Lutgert Post author

      Hi Zed,

      You can extend the validity period by executing the following lines. In this example I set the period to 10 years.

      certutil -setreg ca\ValidityPeriod "Years"
      certutil -setreg ca\ValidityPeriodUnits 10
      net stop certsvc && net start certsvc

      You need to execute these lines on the CA that is issuing certificates. For example: to extend the validity of the Subordinate CA you need to execute this on the offline RootCA and renew the certificate of the Subordinate CA.

      Reply
      1. Mach

        Hello Lutgert,

        I am trying to extend the certificate validity period and I have run the commands below on the RootCA (Offline), but the subordinate server keeps issuing the certificate with 1 year validity. I am unable to get the cert with 10 years validity. Which step do I have to follow after I ran the commands below? I would really appreciate your response on this. Please.
        certutil -setreg ca\ValidityPeriod "Years"
        certutil -setreg ca\ValidityPeriodUnits 10
        net stop certsvc && net start certsvc

        Reply
  9. Chris

    Aad,

    Great guide! Thank you! I did notice on step 10. You have:
    “10. Keep the default role services (Certication Authority) and press “Next””

    You must also select Certificate Enrollment Web Service as well on the Subordinate CA. I didn’t notice it in any of the other comments. You will get to step 31 and have no C:\inetpub\wwwroot folders. (and no way to enroll).

    Thanks again!

    Reply
    1. Aad Lutgert Post author

      Hi Chris,

      I’ve added the installation of the Web Server. I prefer the installation of the Web Server role over the AD CS Certificate Enrollment Web Service role, because this role also contains additional “load” which you may not need.

      Thanks for your feedback!

      Reply
  10. Amarvir

    Hi Aad,

    Once again great write up and explanation during each step of the guide.

    I have a question regarding CS Web Enrollment (CSWE). Is there a way to configure one instance of this service to manage two/three subordinate CAs for certsrv? I’m trying to avoid installing IIS on each SUB CA, and at the same time don’t want separate servers for each CSWE?

    Any guidance would be appreciated. You seem to know a lot about PKI

    Reply
  11. Mario

    Many thanks for the excellent guide.
    I attempted to follow each step, but when I try to start the service on the subordinate CA I get an error saying that “The revocation function was unable to check revocation because the revocation server was offline.”.
    Am I missing any step on the root CA?
    Should I have installed IIS on the root CA?
    How can I troubleshoot this issue?
    Regards
    marius

    Reply
    1. Mario

      Bingo!
      In module 2 I misspelled the path of the CRL Distribution Point (CDP), using the DNS name of the root CA instead of the subordinate CA.
      After fixing the error (and starting module 3 from scratch) everything works.
      Regards and thanks again.
      Mario

      Reply
  12. Mr Khan

    Hi
    Nice Doc. After step 52, i get a revocation error message, and then when i start the services in step 53, i get “The revocation function was unable to check revocation because the revocation server was offline”

    Did i miss something?
    Appreciate it

    Reply
  13. Ananth

    Hi

    We built an Offline Root CA & 6 issuing CAs (2019); now we want to replicate the CDP & CRT folders among these 6 CAs. We don't have a DFS platform, hence I need some other automation to accomplish this (PowerShell script?). Will you be able to advise me?

    Thanks
    VAR

    Reply
  14. Rob

    Hi Aad,

    In some other guides, “2016s,” I see they are setting up a share to a virtual directory and enabling Directory Browsing, and Allow Double Escaping under request filtering. I noticed you didn’t do this. Is it because you are installing the web service locally or something that changed between 2016 and 2019?

    Also, you mention that you set this all up for a lab so you kept it simple, is there anything you would do differently if this was production. Mind you, this is NOT public facing. I don’t need anyone outside my domain to trust these certs so I don’t care about the OID. I just see myself using it for Client Certs, Web Certs for MECM, MBAM and code signing.

    Thanks!

    Reply
    1. Rob

      As part of my previous question I see people creating the share to the Virtual directory and give Certificate Publishers modify rights. Is this not necessary for some reason?

      Reply
      1. Aad Lutgert Post author

        Hi Rob,

        I wanted to create a guide for a simple two tier PKI. The guide includes only the necessary steps for a working setup to use for testing. The guide does not include hardening of the servers like disabling services which are not used, adding MFA, disabling guest accounts and local accounts, firewall configuration and other steps you need to perform to secure the server. You also need to implement RBAC to allow only certain AD groups to perform actions. The guide also does not include best practices, which you may want to implement in a production environment.

        best regards,
        Aad

        Reply
        1. Rob

          Thanks, Aad,

          Do you know of any straightforward resources besides Docs.m$ that I could use for my use case?

          Reply
          1. Rob

            I’m really just looking for something that is a reasonable starting point. In short, I want to “right-size.” Something that is not so complicated that it prevents me from moving forward, while not locking me into mistakes. My understanding that it is better to have PKI than to not. I came across this blog that goes into a bit more detail, but still considers the setup “basic” (https://www.tech-coffee.net/public-key-infrastructure-part-9-management-accounts/). My criteria is as such, I don’t care if another living soul outside my domain has to see or interact with my PKI, but we are also having to support a lot of remote users due to COVID. Frankly, we were looking to ditch our longstanding self-run domain for a centrally managed one in the coming year. However, I do not want to unwittingly open up a security hole, or limit myself in the process.

  15. Mohammed Nashu

    I’ve tried different methods from several resources, this one is the only one that works for me.
    Thank you very much.

    Reply
  17. Tristan

    Great article.

    If we are using multiple subordinates, do we just repeat this process (create a request on the Root for each subordinate)?

    Reply
  18. Utami

    Hi Aad,

    Thank you for a great step-by-step document!
    I have gone through the steps and seemed to go through the steps ok. Can you please advise how to check if I configured everything correctly and the setup works.
    I ran pkiview.msc MMC snap-in to check CDP/AIA URL availability and whether the published files are correct, but the output was different than I expected ( as per this link; https://www.sysadmins.lv/blog-en/designing-crl-distribution-points-and-authority-information-access-locations.aspx)
    On the root CA I get an error: ‘Enterprise PKI – Error’
    An Enterprise CA cannot be located. Verify that an Enterprise CA exists in your forest
    On the SubCA the status of AIA location is Unable to download.
    How do I fix this?
    Also, can you please elaborate on why you installed IIS role on the SubCA server?

    Thank you! much appreciated

    Reply
  19. vbBeaucoupTropDeChiffres

    Hi

    I had an issue at step 51-52 (right click on the CA and click on Install certificate) : instead of showing the file chooser, the MMC kept reloading (both my CA are 2022 core servers).
    The only solution was to run the following command on the sub CA :
    certutil.exe -installcert \\path\to\rootCA\response.p7b
    Everything else was possible from a remote MMC and server manager, but not this step.

    Regards,

    Reply
  20. Jose

    Thanks for this. Do we need to update the CRL DP and AIA on the Extensions of the subordinate CA before issuing certs?

    Reply
  21. Imran Pasha

    Hi Mate,

    Thanks for the article. Could you please help me to issue the Sub CA certificate from the root CA for 10 years, as currently I am able to issue the certificate for the Sub CA only for 1 year.

    I have updated the capolicy.inf under c:\windows on the Sub CA server but am still only able to generate it for 1 year.

    [Version]
    Signature="$Windows NT$"

    [certsrv_server]
    renewalkeylength=2048
    RenewalValidityPeriodUnits=10
    RenewalValidityPeriod=years

    :: Do not load the default templates
    LoadDefaultTemplates=0

    Your assistance will be appreciated.

    Reply
