Setup Server 2019 Enterprise CA 3/5: Subordinate CA

Previous: Offline Root CA

Updated 07-08-2020: Fixed some text and replaced screenshots, Added installation Web Server.

With the Offline Root CA completed, we can now set up the Subordinate CA server. This server is authorized by the Root CA to issue the certificates. During the setup the CA role will be added and configured, and the server will be authorized by the Root CA. The Subordinate CA server is SUBENT-CA02. Make sure that the Subordinate server is domain joined before you start with the AD CS setup and that you have a domain account which is a member of the Enterprise Admins group.

 

Setup Subordinate CA

 

1. Start the Server manager and select “Add roles and features”

 

2. The “Add Roles and Features Wizard” will start, press “Next” to continue.

 

3. Select “Role-based or feature-based installation” and press “Next”

 

4. Use the default settings and press “Next” to continue.

 

5. Select “Active Directory Certificate Services”

 

6. A pop-up will appear, press “Add Features” to continue.

 

7. Select “Web Server (IIS)”

 

8. A pop-up will appear, press “Add Features” to continue.

 

9. Press “Next” to continue

 

10. Press “Next” to continue.

 

11. Check the server name before you continue; it cannot be changed after the AD CS role has been installed. Press “Next” to continue.

 

12. Keep the default role services (Certification Authority) and press “Next”

 

13. On the Web Server Role (IIS) page press “Next”

 

14. On the Role Services page select “Windows Authentication” and press “Next”

 

15. In the confirmation screen press “Install” to start the installation.

 

16. When the installation has completed, press the link “Configure Active Directory Certificate Services on the destination server”

 

17. Make sure your Domain credentials have been entered and not your local admin credentials. Otherwise you will not be able to configure a Enterprise CA. Press “Next” to continue.

 

18. Select the box “Certification Authority” and press “Next” to continue.

 

19. Select “Enterprise CA” and press “Next” to continue. (if Enterprise CA is not available check if the server is domain joined and the credentials entered in step 17)

 

20. Select “Subordinate CA” and press “Next” to continue.

 

21. Select “Create a new private key” and press “Next”.

 

22. Use the default settings and press “Next” to continue.

 

23. Use the default settings and press “Next” to continue

 

24. Select the folder to save the Certificate Request and press “Next” to continue. (default is “c:\”)

 

25. Use the default settings and press “Next” to continue.

 

26. Press “Configure” to apply the configuration.

 

27. When the configuration has succeeded a warning is shown. This is only a notification that the configuration is not complete until a certificate from the Root CA has been obtained and installed on the Subordinate CA.

 

28. Switch over to the Offline Root CA (OFFENT-CA01) and browse to the folder “c:\windows\system32\certsrv\certenroll”. There should be three files, select and copy all files.

 

29. Switch back to the Subordinate CA (SUBENT-CA02) and browse to the folder “c:\windows\system32\certsrv\certenroll”. Paste all the files copied in the previous step.

 

30. Right-click the Root CA certificate which you just copied and select “Install Certificate”

31. Select “Local Machine” and press “Next”

 

32. Press “Browse” and select the “Trusted Root Certification Authorities” store. Press “Next” to continue.

 

33. Press “Finish” to continue.

 

34. After some time a popup will appear when the import has finished. Press “OK” to continue

 

35. Create a new folder in “C:\inetpub\wwwroot” with the name “CertEnroll”

 

36. Copy the Root CA Certificate and Certificate Revocation List from “C:\Windows\System32\CertSrv\CertEnroll” to “C:\inetpub\wwwroot\CertEnroll”

 

37. Browse to the location entered in step 24 (default “c:\”) and copy the “*.req” file to the C: drive on the Root CA server.

 

38. On the Root CA server open “Certification Authority”, right-click the server name and select “All Tasks” -> “Submit new request…”

 

39. Browse to the request file on the C: drive and press “Open”

 

40. Select “Pending Requests”. Right-click the pending request and select “All Tasks” -> “Issue”

 

41. Select “Issued Certificates”. Right-click the issued certificate and select “Open”

 

42. Select “Details” and press “Copy to file…”

 

43. Press “Next” to continue

 

44. Select “Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)” and check the box “Include all certificates in the certification path if possible”. Press “Next” to continue.

 

45. Press “Browse…”

 

46. Enter a name for the certificate and press “Save” (the default location is the Documents folder)

 

47. Press “Next” to continue.

 

48. Press “Finish” to export the CA Certificate.

 

49. After some time a popup will appear when the export has finished. Press “OK” to continue.

 

50. Copy the CA Certificate from the Root CA (step 46) and switch to the Subordinate server to paste the file.

 

51. On the Subordinate CA open the Certification Authority. Right-click the server name and select “All Tasks” -> “Install CA Certificate”

 

52. Select the copied CA Certificate and press “Open”

 

53. Right-click the server name and select “All Tasks” -> “Start Service”

 

The setup of the Subordinate CA is now completed
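For readers who prefer to script the hand-off between the two servers, the following PowerShell is an added example (not part of the original post) that mirrors steps 28 to 53: publishing the Root CA files on the Subordinate, issuing the request on the offline Root, and installing the result and verifying the chain on the Subordinate. The server names come from the post; the request and .p7b file names are placeholders and the functions are my own names.

```powershell
# Added example: PowerShell equivalents of steps 28-53. Server names OFFENT-CA01 / SUBENT-CA02
# are from the post; file names below are placeholders. Run each function on the server named.
$CertEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'
$WebEnroll  = 'C:\inetpub\wwwroot\CertEnroll'

# --- Run on SUBENT-CA02 after the three Root CA files were copied into CertEnroll (steps 28-36) ---
function Install-RootCaFiles {
    # The Root CA certificate must go into the *machine* Trusted Root store (steps 31-32);
    # importing it into the user store is a common cause of chain-building failures.
    $rootCrt = Get-ChildItem "$CertEnroll\*.crt" | Select-Object -First 1
    Import-Certificate -FilePath $rootCrt.FullName -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    # Publish certificate and CRL through IIS so the AIA/CDP URLs in issued certificates resolve (steps 35-36)
    New-Item -ItemType Directory -Path $WebEnroll -Force | Out-Null
    Copy-Item "$CertEnroll\*.crt", "$CertEnroll\*.crl" -Destination $WebEnroll -Force
}

# --- Run on OFFENT-CA01 with the *.req file copied to C:\ (steps 37-49) ---
function Approve-SubCaRequest {
    param([string]$ReqFile = 'C:\SUBENT-CA02.req',   # placeholder: real name is <host>_<CA name>.req
          [string]$OutCer  = 'C:\SUBENT-CA02.cer',   # placeholder
          [string]$OutP7b  = 'C:\SUBENT-CA02.p7b')   # placeholder
    # Submit; the standalone root keeps the request pending, and the output reports "RequestId: N"
    $out = certreq -submit $ReqFile
    $id  = [regex]::Match(($out -join ' '), 'RequestId:\s*(\d+)').Groups[1].Value
    if (-not $id) { throw "No RequestId returned for $ReqFile" }
    certutil -resubmit $id | Out-Null                 # equivalent of "All Tasks -> Issue" (step 40)
    # Retrieve the issued certificate plus its chain as PKCS #7, as the GUI export does in step 44
    certreq -retrieve $id $OutCer $OutP7b | Out-Null
    return $OutP7b
}

# --- Run on SUBENT-CA02 after copying the .p7b back (steps 50-53) ---
function Complete-SubCa {
    param([string]$P7b = 'C:\SUBENT-CA02.p7b')       # placeholder
    certutil -installcert $P7b | Out-Null             # "All Tasks -> Install CA Certificate" (step 51)
    Start-Service CertSvc                             # "All Tasks -> Start Service" (step 53)
    # Check: export the CA's own certificate and verify that the chain builds and that every
    # CDP/AIA URL it carries is reachable. Failures here are the usual reason the service
    # complains that the CA certificate is missing after an apparently successful install.
    certutil -ca.cert 'C:\SUBENT-CA02-installed.cer' | Out-Null
    certutil -verify -urlfetch 'C:\SUBENT-CA02-installed.cer'
}
```

certreq will prompt for a CA when it can enumerate more than one; on the workgroup Root CA only the local CA exists, so no -config argument is needed.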

Next: Setup Group Policy

22 thoughts on “Setup Server 2019 Enterprise CA 3/5: Subordinate CA”

  1. Mike

    Within the folder “c:\windows\system32\certsrv\certenroll” on the Offline Root CA I have only two files – the .crt file is missing. I followed exactly your previous steps. Any ideas?

    Reply
    1. Aad Lutgert Post author

      Hi Mike,

      I think you forgot step 32 in the setup of the Root CA (2/5). In this step you edit the location where the *.crt file is stored.

      regards,
      Aad

      Reply
  2. shawn

    Is this step 3 done on an already Domain Joined server?

    When I try to copy from the workgroup machine (ROOT), to the domain joined (SUBORDINATE), I am not given permission to copy to the certenroll folder on the Domain Joined server… even though I am logged in as the domain admin.

    Do I need to be a member of any specific groups?

    Reply
    1. Aad Lutgert Post author

      Hi Shawn,

      The Enterprise Subordinate CA has to be AD joined before you start. You can check https://vmlabblog.com/2019/09/setup-server-2019-enterprise-ca-1-5-overview for the details.

      How did you perform the copy of the files? Did you browse to the folder on the SUBORDINATE from the Root machine? If you browse from the SUBORDINATE to the ROOT using File Explorer, it should work. I copied the files using a Remote Desktop Connection (enable the “Clipboard” option) from my pc to both servers.

      Administrators have full control in the folder c:\inetpub\wwwroot\CertEnroll, you don’t need any additional rights if you are logged in as Domain Admin.

      Hope this will help you.

      Reply
      1. Shawn

        I was able to figure it out. RDP wouldn’t let me copy from the WORKGROUP server to the DOMAIN server.

        So I used file explorer in the WORKGROUP server, to copy and paste the ROOT CA files to the DOMAIN subordinate server (\\SUBENT-CA02\c$\Windows\System32\certsrv\certenroll).

        It prompted me for domain admin creds and then proceeded to allow me to copy into the subordinate servers file system.

        Thanks again

        Reply
  3. Olli Keutel

    I was under the assumption that CRL and AIA must be configured on the sub ca as well?
    Thanks in advance for clarifying
    Olli

    Reply
    1. Aad Lutgert Post author

      Hi Olli,

      By default the server DNS name will be used for the Authority Information Access (AIA) and certificate revocation list distribution point (CDP) locations. If you want to use an alternative location (for example: if you publish the server to the internet or in a load balancing scenario) you will need to adjust the settings.

      Reply
  4. Ned

    Hey Sean,

    Very much appreciate this guide so first of all thank you.

    Upon starting the service it says that my subordinate is missing, is this the right behaviour or has the step previous of installing the CA failed somehow.

    Cheers,

    Ned

    Reply
    1. Ned

      Hey Sean,

      Very much appreciate this guide so first of all thank you.

      Upon starting the service it says that my subordinate is missing its CA, is this the right behaviour or has the step previous of installing the CA from root failed somehow.

      Cheers,

      Ned

      Reply
        1. Ned Dunningham

          Hey Aad,

          Sorry for calling you Sean, not sure where I got that from.

          I’ve tried step 50 multiple times, it appears to install but then when starting the service the prompt comes up saying the CA is missing. Is there perhaps another step I missed that would cause this.

          Thanks for the reply.

          N

          Reply
          1. Aad Lutgert Post author

            Hi Ned,

            I think something went wrong with the creation of the certificate for the Subordinate CA. I would suggest to first check the application log in the eventviewer on the Subordinate, sometimes you can find more details about the error which is displayed.

            Did you add the correct Subordinate DNS name during the configuration of the root CA (https://vmlabblog.com/2019/09/setup-server-2019-enterprise-ca-2-5-offline-root-ca/ step 30/33)? You can also open the certificate you are trying to import on the Subordinate server (*.P7B, see step 39) and check if the certificates are issued to the correct servers and if the CDP and AIA are using the correct URLs.

            regards,
            Aad

  5. Scott

    Server 2019, I had to be logged in as an Enterprise Admin and use the Enterprise Admin account in step 17. Domain Admin did not work.

    Reply
    1. Aad Lutgert Post author

      Hi Scott,

      That’s correct, this is also displayed in the credentials screen. (see screenshot step 17)

      “To install the following role services you must belong to the Enterprise Admins group.”

      regards,
      Aad

      Reply
  6. DanielW.

    Hi Aad,

    In the step 28 of this procedure, when I go to the Offline Root CA and browse to “c:\windows\system32\certsrv\certenroll” I find a few .crt and .crl files but I cannot find the .cer file.

    How could I find this file?

    Reply
  7. Ned Dunningham

    Hey Aad,

    Thanks again for engaging here in the comments, just thought I would let you know I was not running with an appropriate domain user on the sub and this guide has been very helpful.

    Cheers,

    Ned

    Reply
  8. zed

    the Subordinate CA has a expiry period of 1 year by default
    How to you change this period to be longer?

    Reply
    1. Aad Lutgert Post author

      Hi Zed,

      You can extend the validity period by executing the following lines. In this example I set the period to 10 years.

      certutil -setreg ca\ValidityPeriod "Years"
      certutil -setreg ca\ValidityPeriodUnits 10
      net stop certsvc && net start certsvc

      You need to execute these lines on the CA that is issuing certificates. For example: to extend the validity of the Subordinate CA you need to execute this on the offline RootCA and renew the certificate of the Subordinate CA.

      Reply
  9. Chris

    Aad,

    Great guide! Thank you! I did notice on step 10. You have:
    “10. Keep the default role services (Certication Authority) and press “Next””

    You must also select Certificate Enrollment Web Service as well on the Subordinate CA. I didn’t notice it in any of the other comments. You will get to step 31 and have no C:\inetpub\wwwroot folders. (and no way to enroll).

    Thanks again!

    Reply
    1. Aad Lutgert Post author

      Hi Chris,

      I’ve added the installation of the Web Server. I prefer the installation of the Web Server role over the AD CS Certificate Enrollment Web Service role, because this role also contains additional “load” which you may not need.

      Thanks for your feedback!

      Reply
