Microsoft PKI Installation


PKI Part 3: implement a PKI with Active Directory Certificate Services

In this part I am going to install a Public Key Infrastructure consisting of an offline Root CA and an online Sub CA. The offline Root CA will be installed on a server that is not a member of Active Directory and will be shut down after installation. The Sub CA will be an enterprise CA because it is joined to Active Directory and is always online. My Root CA server is called VMPKI0. The Sub CA server is called VMPKI0. This topic is part of a series of articles about Public Key Infrastructure. If you are not comfortable with AIA, CA, CDP or anything else about PKI, I recommend you read the previous parts of this series.

Active Directory Certificate Services role installation

This part is run on every Certificate Authority server (the Root CA and the Sub CA). First, open the Server Manager and select Add Roles and Features as below. On the Select Server Roles screen, select Active Directory Certificate Services. On the Select role services screen, select only Certification Authority. To finish, click on Install.

Root CA configuration (VMPKI0)

Certification authority service configuration

Open the Server Manager and click on the flag. Select Configure Active Directory Certificate Services as below. The first screen of the AD CS Configuration informs you that to install a Standalone Certification Authority you need an account that is a member of the Administrators group. Tick the Certification Authority check box and click Next.
On the Setup Type screen you have no choice: you must select Standalone CA. On the CA Type screen, select Root CA and click Next. On the Private Key screen, select Create a new private key. The other options are used when you want to restore a CA after a disaster. On the next screen, I advise you to set a key length of at least 4096 bits and SHA256; MD5 and SHA1 are vulnerable to collisions. Next, specify a common name for your CA. I choose not to change this parameter. On the Validity Period screen, select a validity period for the self-signed certificate that is used to sign the Sub CA certificates. As a best practice, this type of certificate should have a validity period between 1. Next, choose the database locations. It is recommended to store the database on a separate disk. To finish, click on Configure to run the CA configuration. Now you can open the Certification Authority console as below.

Extensions configuration (AIA and CDP)

Before signing any certificates, it is necessary to configure the CDP and the AIA extensions. Every certificate you sign before you configure these extensions will lack CDP and AIA information and you will have to re-sign it. To configure CDP and AIA, open the Certification Authority console and right click on the CA name as below. Select Properties and navigate to the Extensions tab. On the CRL Distribution Point (CDP) menu we have some settings to modify.
First I delete all CDPs except LDAP. I add a CDP located at D:\CRL. I use variables to construct the CRL name; in this example the CRL will be called VMPKI0-CA.crl. Verify that the CDP you just added has the publish option ticked for both CRL and Delta CRL as below. For the LDAP CDP, make sure that the options are configured as below. The first checkbox is useful to include the Active Directory path directly in the CRL, which simplifies manual publishing. The second option adds the CDP extension to issued certificates; this extension is used by servers to download the CRL. Next I navigate to the Authority Information Access (AIA) menu. As for the CDP, I remove every location except LDAP. Verify that the option Include in the AIA extension of issued certificates is ticked for the LDAP location. Servers download the certificate chain from the path included in the AIA extension. Next I add my custom path to store the CA certificate. Once the extensions are set, click on Apply. You will be asked to restart Certificate Services; select Yes. Now I try to publish a CRL to validate my settings. For that, right click on Revoked Certificates, select All Tasks and then Publish. Now that my CRL is published, I navigate to D:\CRL and, as you can see below, I have my CRL.

CRL and certificate validity period

The Root CA is used only to sign the CA certificate of the Sub CA, so the certificate and CRL validity periods can be increased. Open the registry key HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>. To modify the validity period of signed certificates, edit ValidityPeriodUnits and set this key to 20. Because the ValidityPeriod key is set to Years, certificates signed by my Root CA will have a validity period of 20 years. You can do this with these commands:

    certutil -setreg CA\ValidityPeriodUnits 20
    certutil -setreg CA\ValidityPeriod "Years"

Next, the CRL validity period can also be increased, because this CA signs only the Sub CA certificate and so few revocations will be performed. Edit CRLPeriodUnits and set this key to 1. Because the CRLPeriod key is set to Weeks, the validity period of the Root CA CRL is 1. You can do this using these commands:

    certutil -setreg CA\CRLPeriodUnits 1
    certutil -setreg CA\CRLPeriod "Weeks"

To finish, you have to restart the CertSvc service:

    net stop certsvc
    net start certsvc

Variables configuration

When we set the CDP and AIA extensions earlier we saw variables. There are also variables for the Distinguished Name in Active Directory where information is stored, for example for the LDAP CDP. Because my Root CA is not a member of an Active Directory domain, it cannot discover the Distinguished Name (DN) of the configuration partition, so it is possible to define it manually with the certutil command:

    certutil -setreg CA\DSConfigDN "CN=Configuration,DC=My,DC=Domain"

Below is an example in my environment. Next, you have to restart the CertSvc service:

    net stop certsvc
    net start certsvc

To check that the configuration is good, publish the CRL again and open it. In the General tab you should see the Published CRL Locations field. If the value of this field contains the DN that you specified previously, it is good.

Publish Root CA CRL and AIA to Active Directory

The first time, you have to connect with an Enterprise Admins account to publish the certificate and CRL in Active Directory. To finish the Root CA configuration, it is necessary to publish the CRL and the Root CA certificate in Active Directory. For that I copied the Root CA certificate (.crt file) and the CRL file to VMPKI0. Next I ran the commands below:

    Publish CRL:            certutil -dspublish -f <CRLFile> <CAName>
    Publish CA certificate: certutil -dspublish -f <CACertificate> RootCA

Now the basic configuration of the Root CA is done. It is time to set up the Sub CA.

Sub CA configuration (VMPKI0)

You have to connect with an Enterprise Admins account to install the enterprise Sub CA. Connect to the Sub CA server and open the Server Manager. Select Configure Active Directory Certificate Services as below.
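The Root CA settings walked through above (the CDP and AIA extensions, the validity and CRL periods, DSConfigDN, then a test publication) as one PowerShell script with a read-back check, added here as an example and not taken from the original post. It assumes a CA named VMPKI0-CA, D:\CRL as the local publication folder and the placeholder DN CN=Configuration,DC=My,DC=Domain; the numeric prefixes are the documented CRLPublicationURLs and CACertPublicationURLs flag bits behind the checkboxes in the Extensions tab.

```powershell
# Added example (not the post's own script). Run elevated on the offline Root CA
# after the role is configured and before the first certificate is signed.
$CaName   = "VMPKI0-CA"                           # assumed CA common name
$PubDir   = "D:\CRL"                              # local CDP/AIA folder used in the post
$ConfigDN = "CN=Configuration,DC=My,DC=Domain"    # placeholder forest configuration DN
New-Item -ItemType Directory -Path $PubDir -Force | Out-Null

# CDP: file location is publish-only (1 = publish CRL, 64 = publish delta CRL).
# LDAP location keeps 2 = include in CDP extension of issued certificates and
# 8 = include in all CRLs (the "Published CRL Locations" used for manual AD publishing).
$Cdp = @(
    "65:$PubDir\%3%8%9.crl",
    "10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
)
certutil -setreg CA\CRLPublicationURLs ($Cdp -join "\n")

# AIA: custom file path (1 = publish the CA certificate here) and the LDAP
# location (2 = include in the AIA extension of issued certificates).
$Aia = @(
    "1:$PubDir\%1_%3%4.crt",
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
)
certutil -setreg CA\CACertPublicationURLs ($Aia -join "\n")

# Validity of certificates issued by the root (20 years) and of its CRL.
# CRLPeriodUnits is the post's value; it must not be shorter than the interval
# at which the offline root will be brought back online to publish a new CRL.
certutil -setreg CA\ValidityPeriodUnits 20
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"

# A workgroup root cannot discover the forest DN, so set it explicitly.
certutil -setreg CA\DSConfigDN $ConfigDN

Restart-Service certsvc
certutil -crl                      # publish a new CRL to apply and test the settings

# Read back what the CA actually runs with, then inspect the published CRL.
$Reg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
foreach ($v in "ValidityPeriodUnits","ValidityPeriod","CRLPeriodUnits","CRLPeriod","DSConfigDN") {
    "{0,-20} {1}" -f $v, $Reg.$v
}
# The CRL must carry the LDAP path under "Published CRL Locations" and a Next Update
# consistent with CRLPeriod; otherwise the extensions or DSConfigDN are wrong.
certutil -dump "$PubDir\$CaName.crl" | Select-String "Published CRL Locations|Next ?Update|ldap:///"
```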
On the first screen, you can see that an Enterprise Admins account is needed to install an Enterprise Certification Authority. On the Role Services screen, select Certification Authority and click Next. On the Setup Type screen, select Enterprise CA and click Next. On the next screen, select Subordinate CA. On the Private Key screen, select Create a new private key; the other options are used to recover the CA after a disaster. On the next screen, I advise you to set a key length of at least 4096 bits and SHA256; MD5 and SHA1 are vulnerable to collisions. Next, specify a common name and the distinguished name for your CA. I choose to keep the default parameters. Next, specify where to store the certificate request and click Next.