
Detailed installation instructions

Philip Haglund edited this page Jan 23, 2017 · 3 revisions

Installation

  1. Run "Install-ADCSOfflineCA.ps1" on the server dedicated to the Root/Offline CA role.

(Screenshot: Install-ADCSOfflineCA.ps1 parameter prompts)

  • Company: Used to populate the AIA/CRL locations and the CA common name.
  • DomainURL: Used for CDP and AIA publishing.
  • ConfigNC: Used for publishing the Root CA in Active Directory.


  2. Confirm the installation when/if prompted. The installation of the Root/Offline CA role is now done.

(Screenshot: Root CA installation finished)

  3. Run "Install-ADCSSubordinateCA.ps1" on the server dedicated to the Enterprise/Subordinate CA role.

(Screenshot: Install-ADCSSubordinateCA.ps1 parameter prompts)

  • Company: Used to populate the AIA/CRL locations and the CA common name.
  • DomainURL: Used for CDP and AIA publishing.
  • SMTPServer: Mail server used to send the PKI maintenance/job reminder.
  • ToAddress: Recipient address for the PKI maintenance/job reminder.
  • FromAddress: Sender address for the PKI maintenance/job reminder.
  • City: Used to populate the ADCS Web Enrollment information template.
  • State: Used to populate the ADCS Web Enrollment information template.

  Notes:
  • Country is not available as a parameter as of now; the default is Sweden.
  • The ADCS Web Enrollment template can easily be modified in the $env:WinDir\System32\certsrv\certdat.inc file.


  4. Each of the following steps provides a prompt that encourages a manual routine/process.

4.1. Create an internal DNS zone and/or an A record pointing to the Enterprise/Subordinate CA server. It is highly recommended to also publish the $DomainURL externally so the CDP is reachable from outside the network.

(Screenshot: Create a DNS zone)

4.2. Sign/Issue the Enterprise/Subordinate CA certificate on the Root/Offline CA server. (It is recommended that the Root/Offline CA server has no network connection when running in production.)

(Screenshot: Issue subordinate CA)

(Screenshots: example submit request and example sign/issue)

4.3. Publish a new CRL on the Root/Offline CA server.

(Screenshot: example new CRL publish)

4.4. Rename the Root/Offline CA Certificate to match the AIA location.

(Screenshots: rename Root CA certificate)
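The manual routine of steps 4.2 to 4.4 typed on the Root/Offline CA, as an added PowerShell example that is not part of the project's scripts. The CA config string, the removable-media transfer folder and the assumption that the AIA URL references "<CA common name>.crt" are placeholders; the values the install scripts actually configured replace them.

```powershell
# Added example, not the project's script: steps 4.2-4.4 run on the Root/Offline CA.
# Assumed values: the CA config string "<host>\<CA common name>", a removable-media
# transfer folder (the root CA stays off the network), and an AIA file name of "<CA common name>.crt".
$RootCAConfig = 'ROOTCA\Contoso Root CA'   # assumed: hostname\CA common name
$Transfer     = 'E:\Transfer'              # assumed: removable media used to move files
$RequestFile  = Join-Path $Transfer 'SubCA.req'
$CAName       = ($RootCAConfig -split '\\')[1]

# 4.2 Submit the subordinate CA request. A standalone root CA holds it as pending, so the
# request id is read from certreq's output, approved with certutil -resubmit, and the
# issued certificate is then retrieved into the transfer folder.
$output    = certreq -submit -config $RootCAConfig $RequestFile
$requestId = [regex]::Match(($output -join ' '), 'RequestId:\s*(\d+)').Groups[1].Value
if (-not $requestId) { throw "Submit failed:`n$($output -join "`n")" }
certutil -config $RootCAConfig -resubmit $requestId | Out-Null
certreq -retrieve -config $RootCAConfig $requestId (Join-Path $Transfer 'SubCA.crt')

# 4.3 Publish a new CRL. The subordinate CA cannot start until a valid root CRL is
# reachable at the CDP, so the CRL travels together with the certificate.
certutil -config $RootCAConfig -crl | Out-Null

# 4.4 certsrv writes the root certificate as "<host>_<CAName>.crt", while the AIA URL in
# issued certificates (assumed here) references "<CAName>.crt". Renaming on copy makes
# the file name match the AIA location.
$CertEnroll = "$env:WinDir\System32\CertSrv\CertEnroll"
Copy-Item (Join-Path $CertEnroll "${env:COMPUTERNAME}_$CAName.crt") (Join-Path $Transfer "$CAName.crt")
Copy-Item (Join-Path $CertEnroll "$CAName.crl") $Transfer

# The transfer folder now holds SubCA.crt, <CAName>.crt and <CAName>.crl for step 4.5.
Get-ChildItem $Transfer
```

The request id is parsed from certreq's text output because a standalone CA returns "Taken Under Submission" rather than a certificate; approving with certutil -resubmit is the command-line equivalent of "Issue" in certsrv.msc shown in the screenshots.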

4.5. Copy the CRL and CRT files from the Root/Offline CA server to the Enterprise/Subordinate server.

(Screenshots: copy CRL and CRT files, example copy)

4.6. Unzip/move the copied CRL and CRT files (step 4.5) to the correct paths on the Enterprise/Subordinate CA server.

(Screenshots: move CRL and CRT files)

4.7. The script automatically attempts to add the Root/Offline CA certificate to the Active Directory configuration partition.

(Screenshot: add Root CA to Active Directory)

View in adsiedit.msc after step 4.7.

(Screenshot: AD ConfigNC)

4.8. Install the Enterprise/Subordinate Certificate.

(Screenshots: install subordinate certificate, example install CA certificate)

4.9. The script automatically modifies the "certdat.inc" file to match the Company information.

(Screenshot: modify certdat.inc)

4.10. Create a Group Policy for certificate auto-enrollment (optional but recommended).

(Screenshots: create Group Policy)
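The domain-side steps 4.1 and 4.6 to 4.10 as an added PowerShell example; this is not the project's script, and for 4.7 and 4.9 it shows the equivalent of what the script does automatically. The DNS zone and IP, transfer folder, CA name, company details, GPO name and link target are all assumed placeholders.

```powershell
# Added example, not the project's script: steps 4.1 and 4.6-4.10 on the domain side.
# Assumed values: DNS zone/IP, transfer folder, Root CA name, company details, GPO name and link target.
$RootCAName = 'Contoso Root CA'   # assumed: Company value given to the install scripts plus "Root CA"
$Transfer   = 'E:\Transfer'       # assumed: files copied over in step 4.5
$CertEnroll = "$env:WinDir\System32\CertSrv\CertEnroll"

# 4.1 Internal A record for the CDP/AIA host named by $DomainURL (requires the DnsServer module).
# An external record for the same name is needed as well if the CDP must be reachable from outside.
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'pki' -IPv4Address '10.0.0.20'   # assumed zone/IP

# 4.6 Move the root CRL and certificate into the folder that http://<DomainURL>/CertEnroll/ serves.
Move-Item (Join-Path $Transfer "$RootCAName.crt"), (Join-Path $Transfer "$RootCAName.crl") -Destination $CertEnroll -Force

# 4.7 Publish the root certificate and CRL into the Configuration partition so domain members
# trust the root via Group Policy; adsiedit.msc shows the objects under CN=Public Key Services.
certutil -dspublish -f (Join-Path $CertEnroll "$RootCAName.crt") RootCA
certutil -dspublish -f (Join-Path $CertEnroll "$RootCAName.crl")

# 4.8 Install the issued subordinate CA certificate and start the CA service. This fails when
# the root certificate/CRL cannot be fetched from the AIA/CDP locations published in it.
certutil -installcert (Join-Path $Transfer 'SubCA.crt')
Start-Service CertSvc

# 4.9 certdat.inc carries the company details shown by Web Enrollment. Rewrite the
# sDefault* assignments with assumed values; Country keeps the script's default (Sweden).
$certdat = "$env:WinDir\System32\certsrv\certdat.inc"
$company = @{ sDefaultCompany = 'Contoso'; sDefaultLocality = 'Stockholm'; sDefaultState = 'Stockholm' }
$content = Get-Content $certdat
foreach ($key in $company.Keys) {
    $content = $content -replace ('^(\s*' + $key + '\s*=\s*)".*"'), ('$1"' + $company[$key] + '"')
}
Set-Content $certdat $content -Encoding Ascii

# 4.10 Autoenrollment GPO for computers and users. AEPolicy 7 = enabled + renew expired /
# update pending / remove revoked + update certificates that use templates.
$gpo = New-GPO -Name 'PKI Certificate Autoenrollment'   # assumed GPO name
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $gpo.DisplayName -Key "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
        -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
}
New-GPLink -Name $gpo.DisplayName -Target 'DC=contoso,DC=com' | Out-Null   # assumed link target

# The copies in the transfer folder are no longer needed on this server.
Remove-Item (Join-Path $Transfer 'SubCA.crt') -ErrorAction SilentlyContinue
```

Run the 4.1 line on a DNS server (or from a host with the DNS RSAT tools and a -ComputerName argument) and the GPO lines on a domain-joined host with the GroupPolicy module; everything else runs on the Enterprise/Subordinate CA itself.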

Installation is now done.

Verify the setup in pkiview.msc.

(Screenshots: installation finished, pkiview.msc)

Verify that no default templates are published.

(Screenshot: ADCS templates)

Verify that the Scheduled Tasks are created.

(Screenshot: Scheduled Tasks)

Remove the copied Root/Offline CA Files from the Enterprise/Subordinate CA Server.

(Screenshot: remove copied files)

Verify the physical paths for AIA and CDP locations.

(Screenshots: AIA and CDP locations)

Verify the physical paths for the created PowerShell-scripts used in Scheduled Tasks Actions.

(Screenshot: backup scripts)
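The post-install checks listed above as one added PowerShell example run on the Enterprise/Subordinate CA; it is not part of the project's scripts. The transfer folder and the scheduled task name pattern are assumptions, since the page does not name them.

```powershell
# Added example, not the project's script: the post-install checks above, run on the
# Enterprise/Subordinate CA. Assumed values: the transfer folder and the task name pattern.
Import-Module ADCSAdministration

# No default templates published. A new Enterprise CA publishes several templates on its own
# (User, Computer, WebServer, ...); nothing should be offered until templates have been reviewed.
$published = Get-CATemplate
if ($published) { Write-Warning "Templates still published: $($published.Name -join ', ')" }
else            { 'OK: no certificate templates published' }

# Scheduled Tasks exist and every .ps1 their actions reference is present on disk.
$tasks = Get-ScheduledTask | Where-Object TaskName -like '*PKI*'   # assumed name pattern
if (-not $tasks) { Write-Warning 'No PKI scheduled tasks found' }
foreach ($task in $tasks) {
    foreach ($action in $task.Actions) {
        $script = [regex]::Match("$($action.Execute) $($action.Arguments)", '(?i)[^\s"]+\.ps1').Value
        $ok = $script -and (Test-Path $script)
        '{0,-8} {1}: {2}' -f ($(if ($ok) { 'OK' } else { 'MISSING' }), $task.TaskName, $script)
    }
}

# The copied Root/Offline CA files were removed from the transfer folder.
Get-ChildItem 'E:\Transfer' -Include *.crt, *.crl, *.req -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Leftover root CA file: $($_.FullName)" }

# AIA/CDP physical paths: every local location the CA publishes to must exist. The Uri
# strings end in a file-name template such as "<CaName><CRLNameSuffix>.crl", so only the
# directory part is tested.
$locations = @(Get-CACrlDistributionPoint | Where-Object PublishToServer) +
             @(Get-CAAuthorityInformationAccess)
foreach ($uri in $locations.Uri | Where-Object { $_ -notmatch '^(http|ldap|file)' }) {
    $dir = $uri -replace '\\[^\\]*$'
    '{0,-8} {1}' -f ($(if (Test-Path $dir) { 'OK' } else { 'MISSING' }), $dir)
}

# The same end-to-end check pkiview.msc performs: export this CA's own certificate and
# fetch every AIA/CDP URL it carries; the chain must end in the published root.
$caCert = Join-Path $env:TEMP 'subca.crt'
certutil -ca.cert $caCert | Out-Null
certutil -verify -urlfetch $caCert | Select-String -Pattern 'Verified|Failed|ERROR|Expired'
```

A "Failed" line from the last command for an http URL usually means the DNS record from step 4.1 or the files moved in step 4.6 are missing, which is exactly what pkiview.msc flags with a red status.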
