We are setting up a 2-tier CA for our enterprise PKI. The first tier is a standalone CA that should be kept offline while the second tier is the domain CA server that is used for issuing certificates for AD users and computers alike. Basically, these are the steps:
Step 0: If the AD functional level is below Windows Server 2008, run adprep on the Schema operations master first, i.e. "adprep /forestprep" and "adprep /domainprep /gpprep" from the \support\adprep folder on the installation DVD.
Step 1: Create CAPolicy.inf and place it in the %systemroot% folder. This step is optional for a Windows Server 2008 CA.
Step 2: Install standalone offline Root CA (RCA) server.
Step 3: Determine the AIA and CDP locations that will host the RCA certificate and CRL, and configure the corresponding extensions on the RCA.
Step 4: Export the RCA certificate and CRL, then publish both to Active Directory.
Step 5: Set up the Subordinate Issuing CA (Sub ICA) server.
Step 6: Create a manual certificate request on the ICA, submit it to the Root CA for issuance, and install the issued ICA certificate.
Step 7: Set up the Online Responder (OR). Configure the OCSP template on the ICA, permit the OR to autoenroll, and grant "Network Service" Full Control under "Manage Private Keys" on the OCSP signing certificate.
Step 8: Configure the OR to provide revocation information for the CAs, using the setup wizard to add the CRL sources (for example the LDAP location).
Step 9: Create a new certificate template for client enrollment by duplicating a sample template.
Step 10: Configure Group Policy to enable certificate enrollment.
Step 11: Use PKIView.msc and "certutil -url" to verify and check the health of the PKI.
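The certutil commands behind steps 3 and 4, added here as an example and not taken from the original post. The first half runs on the offline root and the second on a domain-joined machine; the CA name Contoso-RootCA, host name ROOTCA, web host pki.example.com, forest DN DC=example,DC=com and export folder are assumed placeholders.

```batch
@echo off
REM Added example (not from the original post): the certutil work behind steps 3 and 4.
REM Assumed placeholders: CA name Contoso-RootCA, host ROOTCA, web host pki.example.com,
REM forest DN DC=example,DC=com, export folder C:\Export. Run from an elevated prompt.
REM In a .cmd file every certutil token (%1, %3, ...) must be written as %%1, %%3, ...;
REM at an interactive prompt use single % signs.

REM --- Step 3 (on the offline root) ---
REM The root has no AD access, so tell it which Configuration container the LDAP URLs refer to.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=example,DC=com"

REM CDP flags: 1 = publish CRL here, 2 = put URL in issued certs, 8 = put URL in the CRL (10 = 2+8).
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://pki.example.com/pki/%%3%%8%%9.crl"

REM AIA flags: 1 = write CA cert here, 2 = put URL in issued certs. No OCSP URL (32) on the root.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://pki.example.com/pki/%%1_%%3%%4.crt"

REM Long base CRL and no delta CRL: the root is offline, so its CRL is refreshed by hand.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
REM Lifetime of the subordinate CA certificate the root will issue in step 6.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

net stop certsvc && net start certsvc
certutil -crl

REM Collect the root cert (<host>_<CA name>.crt) and CRL (<CA name>.crl) for transfer on removable media.
mkdir C:\Export 2>nul
copy /y "%WINDIR%\system32\CertSrv\CertEnroll\*.crt" C:\Export\
copy /y "%WINDIR%\system32\CertSrv\CertEnroll\*.crl" C:\Export\

REM --- Step 4 (on a domain-joined machine, as Enterprise Admin) ---
REM Publish into AD so domain members trust the root and can resolve the LDAP CDP/AIA URLs above.
certutil -dspublish -f C:\Export\ROOTCA_Contoso-RootCA.crt RootCA
certutil -dspublish -f C:\Export\Contoso-RootCA.crl
REM Copy the same two files to the HTTP location, then check retrieval of every URL (step 11).
certutil -url C:\Export\ROOTCA_Contoso-RootCA.crt
```

The LDAP URLs carry flag 10 rather than 1 because the offline root cannot write to AD itself; the CRL has to be published there by hand on each refresh, which is the manual step the second half of the script performs.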
As for creating CAPolicy.inf, there is a good TechNet blog on its syntax. For a Windows 2003 Root CA, CAPolicy.inf is essential to remove the AIA and CDP extensions from the root certificate, so that applications do not have to validate the CDP of the entire chain, including the Root CA itself. AIA and CDP are revocation-checking pointers (to the issuer's certificate and its CRL) used to verify the legitimacy of a certificate, which is meaningless for the Root CA (the trust anchor) because nothing above it can vouch for it. For a Windows 2008 Root CA, AIA and CDP are omitted by default. Nevertheless, CAPolicy.inf is still useful if you wish to include policy statements or restrict the CA to certain purposes only, such as Secure Email.
If an AIA is specified, the Online Responder (a new CA role service in Windows Server 2008) should be enabled for certificate revocation checking. A more detailed step-by-step guide for the Online Responder can be found on TechNet.
In the next post I will cover publishing the offline root's certificate and CRL files to Active Directory.