Build a Certificate Authority, Step By Step

I have just had to do this so I thought I’d make the most of the ordeal by documenting. I make no apologies here – I am giving you the bare minimum click-by-click. I’m not attempting to tell you what you’re doing along the way as this post will just be too long. As long as you do everything as indicated and don’t take any shortcuts, you should be fine. If you previously had a CA in place, I recommend you fully uninstall them before starting.

You will need two VMs, one domain joined (IssuingCA) and the other just in a workgroup (RootCA). In my example below, my rootCA is SVR-CA-01.bondynet.org and my Issuing CA is SVR-CA-02.bondynet.org. These names make up some of the cert names in the instructions below so please ensure you substitute as appropriate for your environment. One final caveat : this was put together on Windows 2012 R2 so there maybe one or two minor changes to the interface in places but honestly not much has changed in years…

ROOTCA

  1. Workgroup computer, Install cert services
  2. Go thru config wizard, Select:
    a Cert Authority
    b Standalone CA
    c Root CA
    d New private key
    e All default crypto options
    f Default names
    g Default Validity (5 years)
    h Default db locations
    i Click CONFIGURE
  3. Open Cert Authority > Properties > Extensions > CRL Distribution Point (CDP)
    a Click Add.. and under location type : http://svr-ca-02.bondynet.org/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl (replace with your issuing CA)
    b Check Include in CRLs…
    c Check Include in CDP extension…
    d Select AIA from cbobox > Add AIA
    e http://svr-ca-02.bondynet.org/CertData/<ServerDNSName>_<CaName><CertificateName>.crt (note the crt extension and the underscores for AIA).
    f Check ‘Include in the AIA extension…’
    g Restart services when prompted.
  4. Publish CRL by going to Revoked certificates node | right click > all tasks > Publish
  5. crl and crt published at C:\Windows\system32\CertSrv\CertEnroll. Copy this path to clipboard.
  6. ROOTCA properties > General > View Certificate #0 > Details > Copy to file > Next DER Encoded > Next > save as C:\Windows\system32\CertSrv\CertEnroll\RootCACert.cer
  7. Browse to \IssuingCA\C$\Temp\Certs and drop the three certs in the folder

PUBLISH ROOT CA IN AD

  1. Open the GPMC, open default domain policy (or some other if preferred)
    a Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
    b Right-click > Import > Next > browse to \IssuingCA\C$\Temp\Certs\RootCACert.cer > Next > Finish
  2. Run GPUpdate /force and you should see your new certificate appear under ‘Trusted Root Cert Authorities’ in Certificate manager MMC.

ISSUING CA

  1. Install Certificate Authority with all Role Services
  2. Once complete, in SVRMGR click the yellow triangle for post config.
  3. Specify creds or leave default | Next
  4. Select Cert Auth, Cert Auth Web Enrollment | Next
  5. Select Enterprise | Next
  6. Subordinate CA | Next
  7. Create a new private key | Next
  8. All default crypto options | Next
  9. All default names | Next
  10. Default req filename and location (C:\SVR-CA-02.BONDYNET.org_BONDYNET-SVR-CA-02-CA-2.req) | Next
  11. Default db location | Next | Configure | OK. Don’t configure additional roles when prompted for our purposes here.

REQUEST CERT FROM PARENT CA

  1. On the root CA, browse to \\IssuingCA\C$ and copy c:\SVR-CA-02.BONDYNET.org_BONDYNET-SVR-CA-02-CA-2.req locally.
  2. In CA MMC console > | Right click > All Tasks > Submit New Request > Select SVR-CA-02.BONDYNET.org_BONDYNET-SVR-CA-02-CA-2.req > OK
  3. Go to Pending Node to see the new certificate. Right-click > All Tasks > Issue
  4. Under ‘Issued Certificates’ node, right-click > Open > Details tab > Copy to file > Next
  5. Select Cryptographic Message Syntax Std (.P7b) and select ‘Include all certs in path’. | Next
  6. Open Browse and you should be in the CertEnroll directory. Call the cert ‘IssuingCACert’ | Next | Finish | OK | OK
  7. Copy the new .p7b certificate to the \IssuingCA\C$\Temp\Certs\ location.

INSTALL & CONFIGURE CERT ON ISSUING CA

  1. Create a new folder at C:\inetpub\wwwroot\CertData
  2. Copy the .crt file and the .crl file from C:\Temp\Certs to C:\inetpub\wwwroot\CertData
  3. Open the CA console on the Issuing CA. Right-click servername > All Tasks > Install CA Certificate. Select The new p7b certificate.
  4. Start the CA service from the MMC console. You will probably get a message about an untrusted root certificate. Just click OK. If you get an error (CRYPT_E_REVOCATION_OFFLINE) see https://stealthpuppy.com/resolving-issues-starting-ca-offline-crl/
  5. Switch off the root CA!

INSTALL THE REST OF THE ROLES

  1. Create two service accounts, domain users only, CESvcCert and NDESvcCert and add these to the local IIS_IUSRS group
  2. Click the yellow triangle in svrmgr and check all the unchecked roles | Next
  3. Under Service account for NDES, enter the NDES svc Account | Next
  4. Use defaults for RA Information | Next
  5. Use defaults for Crypto | Next
  6. Under CA for CES, keep defaults | Next
  7. For Auth type, select User name and password | Next
  8. Under Service Account for CES, enter the CESvcCert Account | Next
  9. For Auth type, select User name and password | Next
  10. For Key-bases renewal for CEP check Enable key-based renewal | Next | Configure

You’re all done for the CA. Now for the certs…see next post!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.