Test Lab Guide: Converting a Single-Tier PKI CA Hierarchy to a Two-Tier PKI Hierarchy
Under construction: This guide is a work in progress and is not complete. The original author will remove this note when the guide is ready for use.
Applies to Windows Server 2008 R2, Windows 7
**** NEED TO INCORPORATE ADVICE FROM http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx ****
Topic Overview
This topic describes how to move from using a single online root certification authority to a two-tier public key infrastructure (PKI) hierarchy. The new two-tier PKI hierarchy will have an offline root certification authority (CA) and an enterprise subordinate CA.
Test Lab Overview
This topic contains instructions for setting up a test lab based on the Base Configuration TLG for Windows Server 2008 R2 and deploying <product/technology> using three (3) server computers and one (1) client computer. The resulting test lab demonstrates how to move from a single-tier PKI hierarchy to a two-tier PKI hierarchy with an offline root CA.
Important The following instructions are for configuring this test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
The computers from the Base Configuration TLG that are used in this lab include:
- DC1 - This computer will have the enterprise root CA removed from it.
- APP1 - This computer will become the enterprise subordinate certification authority.
- EDGE1 - This computer is only used for receiving a new certificate.
- Client1 - This computer is only used for receiving a new certificate.
This lab will extend the test lab guide configuration by adding an offline root certification authority named ORCA1.
Step 1: Base Configuration test lab
Set up the base configuration test lab with the instructions found in Base Configuration TLG (Download Center).
Step 2: Configure ORCA1
ORCA1 will be the new root certification authority for Contoso.
The configuration steps for ORCA1 consist of the following procedures.
- Install the operating system for ORCA1
- Configure TCP/IP for ORCA1
- Configure a CAPolicy.inf for ORCA1
- Install Active Directory Certificate Services on ORCA1
- Configure the Offline Root CRL and AIA on ORCA1
Install the operating system on ORCA1
<description and procedure>
Configure TCP/IP for ORCA1
<description and procedure>
Configure a CAPolicy.inf for ORCA1
<description and procedure>
Install Active Directory Certificate Services on ORCA1
<description and procedure>
Configure the Offline Root CRL and AIA on ORCA1
<description and procedure>
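As an added example that is not part of this draft guide, the following PowerShell script shows one way to carry out the last procedure above: configuring CRL and AIA publication on ORCA1 with certutil once Active Directory Certificate Services is installed. The HTTP host name pki.corp.contoso.com, the forest configuration DN and the CRL lifetime are assumptions for this lab; the certutil registry values and the %1/%3/%4/%8/%9 name tokens are the ones the CA service itself uses.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell
# prompt on ORCA1 after the AD CS role is installed and before issuing the
# subordinate CA certificate to APP1.

# Assumptions for this lab: replace with the web server and forest you use.
$HttpBase   = 'http://pki.corp.contoso.com/pki'             # assumed HTTP publication point
$DsConfigDn = 'CN=Configuration,DC=corp,DC=contoso,DC=com'  # assumed forest configuration DN
$LocalStore = "$env:windir\system32\CertSrv\CertEnroll"     # default local publication folder

# ORCA1 is a standalone, offline machine. Giving it the forest's configuration
# DN lets the LDAP paths it writes into extensions match the domain it serves.
certutil -setreg CA\DSConfigDN $DsConfigDn

# CRL distribution points. Flag 1 = publish the CRL to this location,
# flag 2 = include the URL in the CDP extension of certificates this CA issues.
# Only the HTTP URL is placed in issued certificates: domain members cannot
# reach the offline root, so they fetch revocation data from the web server.
certutil -setreg CA\CRLPublicationURLs ('1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl' +
                                        "\n2:$HttpBase/%3%8%9.crl")

# Authority Information Access. Flag 1 = publish the CA certificate here,
# flag 2 = include the URL in the AIA extension of issued certificates.
certutil -setreg CA\CACertPublicationURLs ('1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt' +
                                           "\n2:$HttpBase/%1_%3%4.crt")

# An offline root is powered on rarely, so its CRL must stay valid for a long
# time (26 weeks here, an assumption) and delta CRLs are disabled.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Lifetime of certificates the root issues (the subordinate CA certificate).
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod 'Years'

# Apply the settings and publish a CRL that carries the new extensions.
Restart-Service certsvc
certutil -crl

# Check the stored values and the files that must be copied (for example on
# removable media) to the web server's /pki folder and to Group Policy.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem $LocalStore -Include *.crl, *.crt -Recurse
```

After copying the .crt and .crl files to the web server, `certutil -URL <certificate>` on a domain member shows whether the HTTP CDP and AIA locations in a certificate issued by ORCA1 resolve.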
Step 3: Remove the Enterprise Root CA from DC1
To ensure that the offline root CA is the authoritative CA, you must remove the root CA from DC1.
Step 4: Distribute the root CA certificate via Group Policy
<Description and procedures>
Tip: If you are using Hyper-V as the host for your lab environment, you can use the instructions in the article Creating, Using, and Transferring Files using Virtual Floppy Disks for creating the removable media needed to move the certificate from one virtual machine to another.
Step 5: Reconfigure the Web Server to host the CRL and AIA
<Description and procedures>
Step 6: Configure APP1 as an Enterprise Subordinate CA
<Description and procedures>
Step 7: Verify Certificate Distribution
<Description and procedures>