Category Archives: Uncategorised

Build a Certificate Authority, Step By Step

I have just had to do this so I thought I’d make the most of the ordeal by documenting. I make no apologies here – I am giving you the bare minimum click-by-click. I’m not attempting to tell you what you’re doing along the way as this post will just be too long. As long as you do everything as indicated and don’t take any shortcuts, you should be fine. If you previously had a CA in place, I recommend you fully uninstall them before starting.

You will need two VMs, one domain joined (IssuingCA) and the other just in a workgroup (RootCA). In my example below, my rootCA is and my Issuing CA is These names make up some of the cert names in the instructions below so please ensure you substitute as appropriate for your environment. One final caveat : this was put together on Windows 2012 R2 so there maybe one or two minor changes to the interface in places but honestly not much has changed in years…


  1. Workgroup computer, Install cert services
  2. Go thru config wizard, Select:
    a Cert Authority
    b Standalone CA
    c Root CA
    d New private key
    e All default crypto options
    f Default names
    g Default Validity (5 years)
    h Default db locations
    i Click CONFIGURE
  3. Open Cert Authority > Properties > Extensions > CRL Distribution Point (CDP)
    a Click Add.. and under location type :<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl (replace with your issuing CA)
    b Check Include in CRLs…
    c Check Include in CDP extension…
    d Select AIA from cbobox > Add AIA
    e<ServerDNSName>_<CaName><CertificateName>.crt (note the crt extension and the underscores for AIA).
    f Check ‘Include in the AIA extension…’
    g Restart services when prompted.
  4. Publish CRL by going to Revoked certificates node | right click > all tasks > Publish
  5. crl and crt published at C:\Windows\system32\CertSrv\CertEnroll. Copy this path to clipboard.
  6. ROOTCA properties > General > View Certificate #0 > Details > Copy to file > Next DER Encoded > Next > save as C:\Windows\system32\CertSrv\CertEnroll\RootCACert.cer
  7. Browse to \IssuingCA\C$\Temp\Certs and drop the three certs in the folder


  1. Open the GPMC, open default domain policy (or some other if preferred)
    a Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
    b Right-click > Import > Next > browse to \IssuingCA\C$\Temp\Certs\RootCACert.cer > Next > Finish
  2. Run GPUpdate /force and you should see your new certificate appear under ‘Trusted Root Cert Authorities’ in Certificate manager MMC.


  1. Install Certificate Authority with all Role Services
  2. Once complete, in SVRMGR click the yellow triangle for post config.
  3. Specify creds or leave default | Next
  4. Select Cert Auth, Cert Auth Web Enrollment | Next
  5. Select Enterprise | Next
  6. Subordinate CA | Next
  7. Create a new private key | Next
  8. All default crypto options | Next
  9. All default names | Next
  10. Default req filename and location (C:\SVR-CA-02.BONDYNET.org_BONDYNET-SVR-CA-02-CA-2.req) | Next
  11. Default db location | Next | Configure | OK. Don’t configure additional roles when prompted for our purposes here.


  1. On the root CA, browse to \\IssuingCA\C$ and copy c:\SVR-CA-02.BONDYNET.org_BONDYNET-SVR-CA-02-CA-2.req locally.
  2. In CA MMC console > | Right click > All Tasks > Submit New Request > Select SVR-CA-02.BONDYNET.org_BONDYNET-SVR-CA-02-CA-2.req > OK
  3. Go to Pending Node to see the new certificate. Right-click > All Tasks > Issue
  4. Under ‘Issued Certificates’ node, right-click > Open > Details tab > Copy to file > Next
  5. Select Cryptographic Message Syntax Std (.P7b) and select ‘Include all certs in path’. | Next
  6. Open Browse and you should be in the CertEnroll directory. Call the cert ‘IssuingCACert’ | Next | Finish | OK | OK
  7. Copy the new .p7b certificate to the \IssuingCA\C$\Temp\Certs\ location.


  1. Create a new folder at C:\inetpub\wwwroot\CertData
  2. Copy the .crt file and the .crl file from C:\Temp\Certs to C:\inetpub\wwwroot\CertData
  3. Open the CA console on the Issuing CA. Right-click servername > All Tasks > Install CA Certificate. Select The new p7b certificate.
  4. Start the CA service from the MMC console. You will probably get a message about an untrusted root certificate. Just click OK. If you get an error (CRYPT_E_REVOCATION_OFFLINE) see
  5. Switch off the root CA!


  1. Create two service accounts, domain users only, CESvcCert and NDESvcCert and add these to the local IIS_IUSRS group
  2. Click the yellow triangle in svrmgr and check all the unchecked roles | Next
  3. Under Service account for NDES, enter the NDES svc Account | Next
  4. Use defaults for RA Information | Next
  5. Use defaults for Crypto | Next
  6. Under CA for CES, keep defaults | Next
  7. For Auth type, select User name and password | Next
  8. Under Service Account for CES, enter the CESvcCert Account | Next
  9. For Auth type, select User name and password | Next
  10. For Key-bases renewal for CEP check Enable key-based renewal | Next | Configure

You’re all done for the CA. Now for the certs…see next post!

Sign PDF Documents with the Surface Pen

In my occasional series on Microsoft Surface-related posts, I thought I’d just do a quick one on signing a document. This seems like the type of thing you’d want to use the Surface pen for, right? Well it’s probably the single most useful thing I would want to use it for anyway. The trouble is, by default at least, when you open a PDF it opens up in Edge and you are unable to use the pen to sign with…

You’ll also probably find it doesn’t seem to work in Adobe Reader and many other PDF readers. However not to worry – there is a built in reader app that can help with this very task! I feel a little stupid for only just realising this but try opening the app in Drawboard PDF and you can make adjustments with your pen to your heart’s content – and then save them. Great.

You’re probably thinking I can’t believe he only just found that out and frankly, after owning my Surface for 10 months I’m kind of thinking the same. I can only assume that I’m not the only one to realise this late in the day and hopefully I can help others see the light.