Condividi tramite


Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part V, Installing an Enterprise Subordinate Certification Authority and Web Enrollment with PowerShell

In the previous blog postings for this series I covered installing the Root Certification Authority, configuring the Root Certification Authority, and publishing the Root CA Certificate and CRL to Active Directory.  In this installment I am going to cover installing an Enterprise Subordinate CA with PowerShell. 

In this example I am going to install a Certification Authority with the following base configuration:

CA Type: Enterprise Subordinate CA

Common Name: FourthCoffee Issuing Certification Authority 01

Key Storage Provider: RSA#Microsoft Software Key Storage Provider

Public Key Algorithm: RSA

Hashing Algorithm: SHA1

Key Length: 2048

Validity Period: 10 years

Additional Role Services: Web Enrollment

I will be installing the ADCS Role with PowerShell.  Additional documentation for these steps can found https://technet.microsoft.com/en-us/library/hh848390 and https://technet.microsoft.com/en-us/library/hh848389.

Configuring CAPolicy.inf

The CAPolicy.inf is an optional file that is read during the installation of Certificate Services.  Typically for an Enterprise CA, the LoadDefaultTemplate=0 option is used to suppress the loading of the default Certificate Templates.  This allows the CA to be installed with no certificate templates available, and in that way the administrator can later add just the certificate templates that are needed.

I will copy the following text to a text file named CAPolicy.inf, and then copy that file to the C:\Windows directory:

[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
LoadDefaultTemplates=0

Launching PowerShell

The first step of course is to launch PowerShell.  This can be accomplished by starting a command prompt and typing powershell and pressing the Enter key or by clicking on the PowerShell icon on the taskbar.

image

Import Server Manager Module

The first step is to import the Server Manager Module for PowerShell which will then allow you to add the ADCS feature.  To import the Server Manager Module for Powershell type: Import-Module ServerManager and press Enter .

Installing ADCS Binaries

The next step is to install the ADCS binaries so that we can install ADCS.  To install the ADCS binaries type: Add-WindowsFeature Adcs-Cert-Authority and press Enter.

Installing ADCS Web Enrollment Binaries

Since, I will be installing the Web Enrollment Role Services, I need to load the binaries for ADCS Web Enrollment as well.  To install the ADCS Web Enrollment binaries type: Add-WindowsFeature Adcs-Web-Enrollment

Install Certification Authority Role

To install the Certification Authority Role you will need to use the Install-AdcsCertificationAuthority cmdlets.  The options for the Install-AdcsCertificationAuthority cmdlets is available here: https://technet.microsoft.com/en-us/library/hh848390.aspx

Below is the entire command that I will be using to install Active Directory Certificate Services in my environment:

Install-ADcsCertificationAuthority -CACommonName "FourthCoffee Issuing Certification Authority 01" -CAType EnterpriseSubordinateCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -HashAlgorithmName SHA1 -KeyLength 2048

I am using the CACommonName option to specify a Common Name of “FourthCoffee Issuing Certification Authority 01”.  Then I am specifying the CAType option to set the CA Type to a Enterprise Subordinate CA.  Next I am selecting my Key Storage Provider of “RSA#Microsoft Software Key Storage Provider” with the CryptoProviderName option.  I have decided to use SHA1 as the hashing algorithm and therefore am using SHA1 with the HashAlgorithmName option.  Then I am setting the RSA Key Length to 2048-bit with the KeyLength  option.

After you run the Install-AdcsCertificationAuthority cmdlet you will be prompted to accept the changes as seen in the screenshot below:

image

Also, you will notice a Warning and Error ID of 398.  This is just informing me that installation of the CA is incomplete.  Installation is incomplete because I have to have to submit the request to the Root CA, receive the resulting certificate, and load the certificate on the Issuing (Subordinate) CA.

Installing the Certification Authority Management Tools

To Install the Certification Authority Management Tools type the following command in PowerShell and hit enter: Install-WindowsFeature RSAT-ADCS-Mgmt.

Submitting the Request

Next you will need to submit the request to the Root CA.  So, first copy the request file from the C:\ directory on the Issuing CA to a file location on the Root CA.

On the Root CA, start the Certification Authority MMC (Certsrv.msc).  Right click on the CA Name node, select All Tasks, then Submit new request…

image

Next, select the Request File that you copied from the Subordinate CA and click Open

image

If you would like to review the request before approving the request, go to the Pending Requests container.  Then right-click on the request, select View Attributes/Extensions…

image

You will then be prompted for the type of binary data, select Binary Request, make sure View formatted text version of data is selected, and click OK

image

You can then review the request file.

image

To approve the request, right-click on the request, select All Tasks, then Issue

 

image

You can then review the resulting certificate, by going to the Issued Certificates view, and double-clicking on the certificate

image

You can then review the certificate to ensure it is configured as desired.  I usually at least spot check the CRL Distribution Points and Authority Information Access extensions.

 

image

You then need to copy the certificate to a file.  So, on the Details tab, click on Copy to File…   This will open the Certificate Export Wizard.  On the Export File Format page of the wizard, you can select any format, I chose P7B.  After selecting the file format, click Next.  Now, on the File to Export page of the wizard you will need to click Browse…, select a location, typed the desired name of the file (I chose “CACert”), and then click the Save button.  To complete the File to Export task, click on the Next button. Finally, click the Finish button on the Completing the Certificate Export Wizard page of the wizard, click OK when prompted that The export was successful.

Completing Installation of Certificate Services

First copy the Certificate that was issued from the Root CA to the Subordinate CA. To complete the installation of Certificate Services, open the Certification Authority MMC (certsrv.msc).  Then right-click on the CA Name, select All Tasks, and then Start Service.

image

You will then be prompted to install the certificate, select Yes.

image

Browse to the certificate file

image

The CA Service will no start.

image

Installing Web Enrollment

To install Web Enrollment, run the following powershell command: Install-AdcsWebEnrollment.  An error ID of 0 indicates that the Role Service was installed successfully.

image

Conclusion

During this blog posting, I installed my Subordinate CA and installed Web Enrollment.  I have not configured the Subordinate CA.  So, stay tuned, in an upcoming blog posting, I will cover the steps necessary to configure the Subordinate CA.