Setup Server 2019 Enterprise CA 3/5: Subordinate CA

Previous: Offline Root CA

 

With the Offline Root CA completed, we can now set up the Subordinate CA server. This server is authorized by the Root CA to issue the certificates. During the setup the CA role will be added and configured, and the server will be authorized by the Root CA. The Subordinate CA server is SUBENT-CA02.

 

Setup Subordinate CA

 

1. Start the Server manager and select “Add roles and features”

 

2. The “Add Roles and Features Wizard” will start, press “Next” to continue.

 

 

3. Select “Role-based or feature-based installation” and press “Next”

 

4. Use the default settings and press “Next” to continue.

 

5. Select “Active Directory Certificate Services”

 

6. A pop-up will appear, press “Add Features” to continue.

 

7. Press “Next” to continue

 

8. Press “Next” to continue.

 

9. Check that the server name is correct and press “Next” to continue.

 

10. Check the box “Certification Authority Web Enrollment”

 

11. A popup will appear, press “Add Features” to continue.

 

12. “Certification Authority” and “Certification Authority Web Enrollment” are now selected. Press “Next” to continue.

 

13. Press “Next” to continue.

 

14. Use the default settings and press “Next” to continue.

 

15. In the confirmation screen press “Install” to start the installation.

 

16. When the installation has completed, press the link “Configure Active Directory Certificate Services on the destination server”

 

17. Make sure your Domain credentials have been entered and not your local admin credentials. Otherwise you will not be able to configure an Enterprise CA. Press “Next” to continue.

 

18. Select the boxes “Certification Authority” and “Certification Authority Web Enrollment” press “Next” to continue.

 

19. Select “Enterprise CA” and press “Next” to continue. (if Enterprise CA is not available check if the server is domain joined and the credentials in step 17)

 

20. Select “Subordinate CA” and press “Next” to continue.

 

21. Select “Create a new private key” and press “Next”

 

22. Use the default settings and press “Next” to continue

 

23. Use the default settings and press “Next” to continue

 

24. Select the folder to save the Certificate Request and press “Next” to continue.

 

25. Use the default settings and press “Next” to continue.

 

26. Press “Configure” to apply the configuration.

 

27. When the configuration has succeeded a warning is shown. This is just a notification that the configuration is not complete until a certificate from the Root CA has been obtained.

 

28. Switch over to the Offline Root CA (OFFENT-CA01) and browse to the folder “c:\windows\system32\certsrv\certenroll”. There should be three files, select and copy all files.

 

29. Switch back to the Subordinate CA (SUBENT-CA02) and browse to the folder “c:\windows\system32\certsrv\certenroll”. Paste all the files copied in the previous step.

 

30. Right-click the Root CA certificate which you just copied and select “Install Certificate”.

 

31. Create a new folder in “C:\inetpub\wwwroot” with the name “CertEnroll”

 

32. Copy the Root CA Certificate and Certificate Revocation List from “C:\Windows\System32\CertSrv\CertEnroll” to “C:\inetpub\wwwroot\CertEnroll”.

33. Select “Local Machine” and press “Next”

 

34. Press “Browse” and select the “Trusted Root Certification Authorities” store. Press “Next” to continue.

 

35. Press “Finish” to continue.

 

36. After some time a popup will appear when the import has finished. Press “OK” to continue

 

37. Browse to the location entered in step 24 (default “c:\”) and copy the “*.req” file to the C: drive on the Root CA server.

 

38. On the Root CA server open “Certification Authority”, right-click the server name and select “All Tasks” -> “Submit new request…”.

 

39. Browse to the request file on the C: drive and press “Open”.

 

40. Select “Pending Requests”. Right-click the pending request and select “All Tasks” -> “Issue”.

 

41. Select “Issued Certificates”. Right-click the issued certificate and select “Open”.

 

42. Select “Details” and press “Copy to file…”

 

43. Press “Next” to continue

 

44. Select “Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)” and check the box “Include all certificates in the certification path if possible”. Press “Next” to continue.

 

45. Enter a name and press “Save” (the default location is the C: drive)

 

46. Press “Next” to continue.

 

 

47. Press “Finish” to export the CA Certificate

 

48. After some time a popup will appear when the export has finished. Press “OK” to continue.

 

49. Copy the CA Certificate from the RootCA and switch to the subordinate server to paste the file.

 

50. On the Subordinate CA open the Certification Authority. Right-click the server name and select “All Tasks” -> “Install CA Certificate”.

 

51. Select the copied CA Certificate and press “Open”

 

52. Right-click the server name and select “All Tasks” -> “Start Service”.

 

The setup of the Subordinate CA is now completed.
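The same build, scripted. This is an added example and not part of the original post: it runs steps 1 to 52 from PowerShell on the two servers the post uses (SUBENT-CA02 and OFFENT-CA01), using the AD CS deployment cmdlets, certreq and certutil. The Root CA common name, the Root CA certificate and CRL file names and the Subordinate CA common name are not on this page and appear as labelled placeholders; the request and certificate paths under C:\ are assumptions that match the post's defaults.

```powershell
# Added example (not the post's own script). Run each part on the server named.
# Placeholders to replace (values come from part 2/5 of the series, not this page):
#   <RootCACommonName>  common name of the offline root CA
#   <RootCACertFile>    file name of the root CA certificate in CertEnroll
#   <RootCACrlFile>     file name of the root CA CRL in CertEnroll
$RootCaConfig = 'OFFENT-CA01\<RootCACommonName>'            # placeholder
$Enroll       = 'C:\Windows\System32\CertSrv\CertEnroll'
$RootCrt      = "$Enroll\<RootCACertFile>.crt"              # placeholder
$RootCrl      = "$Enroll\<RootCACrlFile>.crl"               # placeholder
$ReqFile      = 'C:\SUBENT-CA02.req'                        # step 24 default location is C:\
$CerFile      = 'C:\SUBENT-CA02.cer'
$P7bFile      = 'C:\SUBENT-CA02.p7b'

# ---------- Part A: on SUBENT-CA02 (domain joined, logged on as a Domain Admin, step 17) ----------
# Steps 1-16: add the Certification Authority and Web Enrollment role services.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Steps 17-27: Enterprise Subordinate CA with a new private key. The CA name is an assumption.
# The service stays stopped until the root-signed certificate is installed in Part C.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'SUBENT-CA02-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile $ReqFile -Force
Install-AdcsWebEnrollment -Force

# Steps 28-29: copy the root CA's CertEnroll files over first (RDP clipboard in the post,
# or the \\SUBENT-CA02\c$\... admin share as described in the comments).
# Steps 30-36: put the root certificate in the machine's Trusted Root store.
Import-Certificate -FilePath $RootCrt -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Steps 31-32: HTTP publishing folder for the root certificate and CRL.
New-Item -ItemType Directory -Path 'C:\inetpub\wwwroot\CertEnroll' -Force | Out-Null
Copy-Item -Path $RootCrt, $RootCrl -Destination 'C:\inetpub\wwwroot\CertEnroll'
# Step 37: copy $ReqFile to C:\ on OFFENT-CA01 before running Part B.

# ---------- Part B: on OFFENT-CA01 (offline root) ----------
# Steps 38-39: submit the request; the root CA holds it as pending, certreq prints "RequestId: N".
$submitOutput = certreq -submit -config $RootCaConfig $ReqFile $CerFile
$requestId = [int]([regex]::Match(($submitOutput -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value)

# Step 40: issue the pending request (the same action as All Tasks -> Issue).
certutil -config $RootCaConfig -resubmit $requestId

# Steps 41-48: retrieve the issued certificate; the fourth argument writes the PKCS #7
# file with the full chain, matching the .P7B export with "Include all certificates".
certreq -retrieve -config $RootCaConfig $requestId $CerFile $P7bFile
# Step 49: copy $P7bFile (and $CerFile) back to C:\ on SUBENT-CA02.

# ---------- Part C: on SUBENT-CA02 ----------
# Steps 50-52: install the CA certificate with its chain and start the service.
certutil -installcert $P7bFile
Start-Service certsvc

# Check worth doing before clients depend on this CA: the chain must build to the
# root in the Trusted Root store and every CDP/AIA URL must be reachable. Any
# "Error retrieving URL" lines here point at the CertEnroll web folder or the
# CDP/AIA settings from part 2/5, and clients would fail revocation checks.
certutil -verify -urlfetch $CerFile
Get-Service certsvc   # expect Status = Running
```

Part B deliberately keeps the root CA's part to three commands so the offline machine is touched as little as possible; the request and the issued chain travel on the same removable or clipboard path the post already uses.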

Next: Setup Group Policy

5 thoughts on “Setup Server 2019 Enterprise CA 3/5: Subordinate CA”

  1. Mike

    Within the folder “c:\windows\system32\certsrv\certenroll” on the Offline Root CA I have only two files – the .crt file is missing. I followed exactly your previous steps. Any ideas?

    1. Aad Lutgert Post author

      Hi Mike,

      I think you forgot step 32 in the setup of the Root CA (2/5). In this step you edit the location where the *.crt file is stored.

      regards,
      Aad

  2. shawn

    Is this step 3 done on an already Domain Joined server?

    When I try to copy from the workgroup machine (ROOT), to the domain joined (SUBORDINATE), I am not given permission to copy to the certenroll folder on the Domain Joined server…even though I am logged in as the domain admin.

    Do I need to be a member of any specific groups?

    1. Aad Lutgert Post author

      Hi Shawn,

      The Enterprise Subordinate CA has to be AD joined before you start. You can check https://vmlabblog.com/2019/09/setup-server-2019-enterprise-ca-1-5-overview for the details.

      How did you perform the copy of the files? Did you browse to the folder on the SUBORDINATE from the Root machine? If you browse from the SUBORDINATE to the ROOT using File Explorer, it should work. I copied the files using a Remote Desktop Connection (enable the “Clipboard” option) from my pc to both servers.

      Administrators have full control in the folder c:\inetpub\wwwroot\CertEnroll, you don’t need any additional rights if you are logged in as Domain Admin.

      Hope this will help you.

      1. Shawn

        I was able to figure it out. RDP wouldn’t let me copy from the WORKGROUP server to the DOMAIN server.

        So I used file explorer in the WORKGROUP server, to copy and paste the ROOT CA files to the DOMAIN subordinate server (\\SUBENT-CA02\c$\Windows\System32\certsrv\certenroll).

        It prompted me for domain admin creds and then proceeded to allow me to copy into the subordinate server's file system.

        Thanks again
