Step-By-Step Procedure To Set Up An Enterprise Issuing CA In ADCS

If you want to set up a multilevel PKI ecosystem in your organization, setting up a root CA is the first thing you should start with. We covered how to set up standalone and enterprise root CAs in two different posts. Once your root CA is ready, the next step is to set up an Enterprise Issuing CA to complete the multilevel PKI ecosystem. If you are confused about Certificate Authorities, we encourage you to read the post “Types of Certificate Authorities in ADCS,” which clarifies the different types of CAs available in ADCS.

What Is An Enterprise Issuing CA?

An Enterprise Issuing Certificate Authority (CA) is a component within a larger Public Key Infrastructure (PKI) system that is responsible for issuing digital certificates. In the hierarchy of a PKI, the Enterprise Issuing CA is usually a subordinate entity under the Root CA (Certificate Authority), which is the highest level of trust in the PKI. The Root CA is responsible for the creation and management of one or more Issuing CAs.

An Enterprise Issuing CA can issue certificates directly to end entities (like servers, users, or devices), or it can issue certificates to additional subordinate CAs, which then issue certificates to end entities. This creates a multi-tiered, hierarchical trust model that allows for granular control and management of digital certificates within an organization.

In the context of an “enterprise”, this typically refers to a large business or organization that has its own internal PKI. This allows the enterprise to manage its own certificates rather than relying on external, third-party CAs. The advantage of this approach is that it provides the enterprise with complete control over its certificate policies and procedures, allowing it to tailor the PKI to its specific needs.

Reasons to Set Up An Enterprise Issuing CA

Setting up an Enterprise Issuing Certificate Authority (CA) can be beneficial for a variety of reasons. Here are some key motivations:

  1. Control Over Certificate Policies: With an internal Enterprise Issuing CA, an organization has full control over its certificate policies. This includes which types of certificates are issued, who or what can receive them, and how they are managed. This can be important for ensuring that certificate usage aligns with the organization’s security policies and goals.
  2. Cost Efficiency: For organizations that need to issue a large number of certificates, running their own CA can be more cost-effective than purchasing certificates from an external CA. This is especially true if the organization needs to frequently issue, revoke, or renew certificates.
  3. Fast and Flexible Certificate Issuance: With its own Enterprise Issuing CA, an organization can issue certificates quickly and flexibly without having to go through the process of requesting and waiting for certificates from an external CA.
  4. Custom Certificate Attributes: Some organizations may have specific needs that require custom certificate attributes. An Enterprise Issuing CA can allow for such customization.
  5. Improved Security: By managing its own certificates, an organization can ensure that all aspects of its certificate usage, from issuance to revocation, are handled in a secure manner. This can help to prevent security breaches that could occur if certificates were improperly issued or managed.
  6. Compliance with Industry Regulations: Some industries have regulations that require organizations to use certificates in specific ways. By managing its own Enterprise Issuing CA, an organization can ensure that it complies with these regulations.

Prerequisites To Set Up Enterprise Issuing CA on Windows Platform

To set up an Enterprise Issuing CA on a Windows platform, there are several prerequisites that must be met before the setup can begin. The following items must be in place for the Enterprise Issuing CA to work properly:

  1. Active Directory Domain Services (AD DS) must be installed and configured on the server that will be hosting the Enterprise Issuing CA.
  2. A Domain Controller running Windows Server 2008/2012/2016 or later. This is necessary for Active Directory authentication and Certificate Services management.
  3. The server must have a static IP address and a fully qualified domain name (FQDN).
  4. The server must be a member of the domain in which the Enterprise Root CA will be used.
  5. An administrator account with elevated privileges (local Administrator or delegated rights) for managing the Certificate Services via the Microsoft Management Console (MMC).
  6. The server must have the necessary software components installed, including the Microsoft .NET Framework and Internet Information Services (IIS).
  7. A trusted root Certificate Authority (CA) for signing certificates and issuing certificates from the Enterprise Issuing CA.
  8. A certificate template must be created in the Enterprise Root CA for the Issuing CA.

Once these prerequisites are met, the Enterprise Issuing CA can be installed and configured in ADCS.

Note: An Enterprise CA should be installed on a domain member server, so make sure the server is joined to the domain. To configure an Enterprise Certification Authority, the user account should be a member of both the Domain Admins and Enterprise Admins groups.

How to Set Up An Enterprise Issuing CA In ADCS?

An Enterprise Issuing CA setup is a multi-stage process that requires several sub-tasks. We have divided the process into the following stages to make it easier to follow.

  1. Pre-Installation Configuration for Enterprise Issuing CA
  2. Publish the Root CA Certificate and CRL.
  3. Set up Active Directory Certificate Service (ADCS) Role.
  4. Submit the request and Issue a certificate for Enterprise issuing CA.
  5. Install the Issued certificate on Issuing CA server.
  6. Post-Installation Configuration for Issuing Sub CA.
  7. Configuring CDP and AIA using GUI.

Let’s get started with pre-installation configurations.

Pre-Installation Configuration for Enterprise Issuing CA

Log in to the member server with Administrator permissions.

Creating the CAPolicy.inf file and updating the configuration

Click on ‘Start’ –> ‘Run’, type ‘notepad C:\Windows\CAPolicy.inf’, and click on ‘OK’.

Notepad prompts you to create the file. Click on ‘Yes’.

Update the CAPolicy.inf file with the below configuration:

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
LoadDefaultTemplates=0

Note: Make sure the file is saved with the ‘.inf’ extension (the file name must end in ‘.inf’); otherwise it will not be recognized during the CA installation.
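The same CAPolicy.inf created from an elevated PowerShell prompt instead of Notepad, as an added example that is not part of the original post: it writes the file, checks that the name really ends in ‘.inf’, and reads the [Certsrv_Server] values back. The path and values are the ones used in this guide.

```powershell
# Added example (not from the original post): write C:\Windows\CAPolicy.inf
# from an elevated PowerShell prompt, make sure it really ends in .inf, and
# read the [Certsrv_Server] settings back to confirm them.
$policyPath = 'C:\Windows\CAPolicy.inf'

# Single-quoted here-string: "$Windows NT$" must be written literally, not expanded.
$policy = @'
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
LoadDefaultTemplates=0
'@

Set-Content -Path $policyPath -Value $policy -Encoding Ascii

# A file that ended up as CAPolicy.inf.txt (or any other extension) is ignored by CA setup.
$stray = Get-ChildItem -Path 'C:\Windows' -Filter 'CAPolicy.inf*' |
         Where-Object { $_.Name -ne 'CAPolicy.inf' }
if ($stray) { throw "Found $($stray.Name -join ', '); only CAPolicy.inf is read by the CA setup" }
if ((Get-Item $policyPath).Extension -ne '.inf') { throw 'CAPolicy.inf must end in .inf' }

# Parse the [Certsrv_Server] section into a hashtable and check the values this guide relies on.
$server = @{}
$inSection = $false
foreach ($line in Get-Content $policyPath) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Certsrv_Server'); continue }
    if ($inSection -and $line -match '^(\w+)=(.*)$') { $server[$Matches[1]] = $Matches[2].Trim() }
}
if ($server['LoadDefaultTemplates'] -ne '0') { throw 'LoadDefaultTemplates must be 0 (no templates auto-published)' }
if ([int]$server['RenewalKeyLength'] -lt 2048) { throw 'RenewalKeyLength is below 2048 bits' }
"CAPolicy.inf written: renewal key $($server['RenewalKeyLength']) bits, renewal validity $($server['RenewalValidityPeriodUnits']) $($server['RenewalValidityPeriod'])"
```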

Publish the Root CA Certificate and CRL

  1. Log in to the domain member server (IssueSubCA.TheSecMaster.local) as TheSecMaster\Administrator.
  2. Copy the Root CA certificate (SecMasterRootCA_SECMASTERROOTCA-CA.crt) and the Root CA Certificate Revocation List (SECMASTERROOTCA-CA.crl), which are located in ‘C:\Windows\System32\CertSrv\CertEnroll’ on the Standalone Root CA server (SecMasterRootCA), to ‘C:\Root_Cert’ on the member server (IssueSubCA.TheSecMaster.local).
  3. Publish the Root CA certificate and CRL into Active Directory.

Run the below commands from an administrative command prompt on the domain member server (IssueSubCA.TheSecMaster.local) to publish the Root CA certificate and CRL into Active Directory:

certutil -dspublish -f "C:\Root_Cert\SecMasterRootCA_SECMASTERROOTCA-CA.crt" RootCA
certutil -dspublish -f "C:\Root_Cert\SECMASTERROOTCA-CA.crl" RootCA

  4. Add the Root CA certificate and CRL into the local store.

Run the below commands from an administrative command prompt on the domain member server (IssueSubCA.TheSecMaster.local) to add the Root CA certificate and CRL into the local certificate store:

certutil -addstore -f root "C:\Root_Cert\SecMasterRootCA_SECMASTERROOTCA-CA.crt"
certutil -addstore -f root "C:\Root_Cert\SECMASTERROOTCA-CA.crl"
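The publishing steps above wrapped in a script that stops on a certutil failure and then proves the root is trusted on this server, as an added example that is not part of the original post. It assumes the file names and paths used in this guide.

```powershell
# Added example (not from the original post): publish the Root CA certificate
# and CRL into Active Directory and the local machine Root store with the same
# certutil commands as above, then prove the root is actually trusted here.
$rootCert = 'C:\Root_Cert\SecMasterRootCA_SECMASTERROOTCA-CA.crt'
$rootCrl  = 'C:\Root_Cert\SECMASTERROOTCA-CA.crl'

foreach ($f in $rootCert, $rootCrl) {
    if (-not (Test-Path $f)) { throw "Missing $f; copy it from the Root CA's CertEnroll folder first" }
}

function Invoke-CertUtil {
    # Runs certutil and stops the script if it fails instead of continuing silently.
    param([string[]]$Arguments)
    & certutil @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# Into Active Directory (run as a member of Enterprise Admins, as the note above requires)
Invoke-CertUtil @('-dspublish', '-f', $rootCert, 'RootCA')
Invoke-CertUtil @('-dspublish', '-f', $rootCrl,  'RootCA')
# Into this server's Trusted Root Certification Authorities store
Invoke-CertUtil @('-addstore', '-f', 'root', $rootCert)
Invoke-CertUtil @('-addstore', '-f', 'root', $rootCrl)

# Check 1: the thumbprint of the file must now be present in the machine Root store.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCert
$inStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $inStore) { throw "Root CA $($root.Subject) is not in Cert:\LocalMachine\Root" }

# Check 2: the root must build a valid chain on its own. An expired offline root
# would break every certificate the Issuing CA later issues.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed root has no issuer CRL to check
if (-not $chain.Build($root)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Root CA chain failed to build: $status"
}
"Trusted: $($root.Subject) (thumbprint $($root.Thumbprint)), valid until $($root.NotAfter)"
```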

How to Install an Enterprise Subordinate Issuing CA?

Installing the Enterprise Subordinate Issuing CA on the domain member server (IssueSubCA.TheSecMaster.local).

Set up Active Directory Certificate Service (ADCS) Role

Time needed: 30 minutes

  1. Open the ‘Add Roles and Features’ wizard

    Log in to the server with Administrator privileges (Domain and Enterprise Administrator). Let’s begin this process by setting up the ADCS role: in Server Manager, go to Manage –> Add Roles and Features.

  2. Select Role-Based Installation

    Click the ‘Next’ button in the ‘Add Roles and Features’ wizard. Select ‘Role-based or feature-based installation’, since this is a role-based installation, then click ‘Next.’

  3. Select the server on which you are going to install the ADCS role

    Since only the local server is listed, select it, then click Next.

  4. Select the ‘Active Directory Certificate Services’ role

    Select the ‘Active Directory Certificate Services’ role, then click Next.

  5. Click ‘Add Features’

    Click the ‘Add Features’ button to add the features required by ADCS. Click Next, and Next again.

  6. Select Features

    Check the features that need to be added, then click Next.

  7. Initiate the ADCS installation process

    Clicking Next takes you to the ADCS installation wizard. Click Next to initiate the ADCS installation process.

  8. Add features for Web Enrollment

    Click Next to continue the ADCS installation and add the features required for Web Enrollment.

  9. Select the ‘Certification Authority’ and ‘Certification Authority Web Enrollment’ role services

    You are presented with multiple role services to choose from. Select the first and fourth options, ‘Certification Authority’ and ‘Certification Authority Web Enrollment’, then click Next.

  10. Install the Web Server role (IIS) with the default role services

    Since we are installing the Web Server role (IIS) with its default role services, click Next.

  11. Select Role Services

    Keep the default role services for the Web Server role (IIS) and click Next.

  12. Begin the installation of the ‘Certification Authority’ and ‘Certification Authority Web Enrollment’ role services

    Click the Install button to begin the installation of the ‘Certification Authority’ and ‘Certification Authority Web Enrollment’ role services.

  13. Start the Active Directory Certificate Services configuration wizard

    Upon completion of the installation, you are prompted for configuration. Select ‘Configure Active Directory Certificate Services on the destination server’ to start the ADCS configuration wizard.

  14. Select the administrator account in the ADCS configuration wizard

    By default, the domain account should be selected (the server is a member of the domain). Ensure it is selected, then click Next.

  15. Select the ‘Certification Authority’ and ‘Certification Authority Web Enrollment’ role services in the ADCS configuration wizard

    Check ‘Certification Authority’ and ‘Certification Authority Web Enrollment’, then click Next.

  16. Select Enterprise CA in the ADCS configuration wizard

    You are asked to choose between two CA types, Enterprise CA and Standalone CA. Since we are configuring an Enterprise CA, select the Enterprise CA option, then click Next.

  17. Select Subordinate CA

    Since we are setting up an Enterprise Issuing CA in this demo, go with the Subordinate CA option. Select Subordinate CA, then click Next.

  18. Create a new private key for the Enterprise Issuing CA

    The private key is the first element of trust for any Certificate Authority. Since this is a newly created CA, select ‘Create a new private key’, then click Next.

  19. Select the key length and hash algorithm based on your requirements

    Select the cryptographic provider, hash algorithm and key length as per your design, then click Next.

  20. Specify the name of the Certificate Authority

    Specify the name of your CA. By default, the CA name is built from the domain name and the server name with the suffix ‘-CA’. Click ‘Next.’

  21. Save the certificate request to a file to be submitted to the parent CA

    Since our Root CA is a standalone Root CA whose server is not connected to the network, we need to save the certificate request to a file. Click ‘Next.’

  22. Specify the database and log locations for the Enterprise Issuing CA

    Specify the location of the database and logs for your Enterprise Issuing CA. You can leave the defaults as they are, then click Next.

  23. Verify the summary of the configuration

    Review all the settings, then click Configure.

  24. Close the configuration wizard after completion

    At this point the ADCS configuration is still incomplete: the request file must be submitted to the Root CA to obtain a certificate, which then has to be installed on this issuing CA server to complete the installation. Click the Close button when the configuration wizard finishes.

  25. Certificate Request file in C drive

    Certificate Request file, which was saved in location ‘C:


  26. Submit the request and issue a certificate for the Enterprise Issuing CA

    To submit the request on the Standalone Root CA (SecMasterRootCA) and issue a certificate for the Enterprise Issuing CA (IssueSubCA.TheSecMaster.local):

    1. Log in to the Standalone Root CA (SecMasterRootCA) as Administrator.
    2. Copy the request file (which was generated on the Issuing CA) to the Standalone Root CA (SecMasterRootCA) to generate a certificate.
    In this demo, the request file (IssueSubCA.TheSecMaster.local_TheSecMaster-ISSUESUBCA-CA.req) is copied into C:\ on the Root CA server.
    3. Open the Certification Authority console.
    On the Root CA server, open Server Manager –> click on ‘Tools’ –> click on ‘Certification Authority.’

  27. Submit New Request

    In the Certification Authority console, right-click on the Root CA common name (SECMASTERROOTCA-CA) –> All Tasks –> Submit new request.

  28. Select the certificate request file

    Select the request file that was copied to C:\ and click ‘Open.’

  29. Certificate request in the pending queue

    After submitting the request file, the request appears under ‘Pending Requests.’

  30. Issue the certificate

    Under ‘Pending Requests’, right-click on the request –> click on ‘All Tasks’ –> click on ‘Issue.’

  31. Certificate is issued

    The issued certificate is listed under the ‘Issued Certificates’ folder. Make sure the Certificate Template is ‘SubCA.’

  32. Verify the certificate

    Double-click on the certificate and verify the ‘Issued to’ and ‘Issued by’ details in the ‘General’ tab.

  33. Export the certificate to a file

    Click on the ‘Details’ tab and then ‘Copy to File’ to start the certificate export. Click ‘Next’ in the Certificate Export Wizard.

  34. Certificate Export Wizard

  35. Choose the export file format

    In ‘Export File Format’, select ‘Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)’ together with ‘Include all certificates in the certification path if possible’, and click ‘Next.’

  36. Browse to the location where the certificate is to be exported

    Select ‘Desktop’ as the location and click ‘Next.’

  37. Finish the export

    Click ‘Finish’ in the final step of the ‘Certificate Export Wizard.’

  38. Successful export

    The certificate export completes with the message ‘The export was successful’. Click ‘OK’ to close the wizard.

  39. Install the issued certificate on the Issuing CA server

    To install the certificate on the Enterprise Issuing CA (IssueSubCA.TheSecMaster.local):

    1. Log in to the Enterprise Issuing CA (IssueSubCA.TheSecMaster.local) server as TheSecMaster\Administrator.
    2. Copy the certificate file (which was generated on the Root CA) to the Enterprise Issuing CA (IssueSubCA.TheSecMaster.local) server.
    In this demo, the certificate file (IssueingCA.p7b) is copied into C:\ on the Enterprise Issuing CA (IssueSubCA.TheSecMaster.local).
    3. Open the Certification Authority console.
    On the Issuing CA server, open Server Manager –> click on ‘Tools’ –> click on ‘Certification Authority.’

  40. Install CA Certificate

    In the Certification Authority console the service is stopped, since the certificate installation is not yet complete.
    Right-click on the common name (TheSecMaster-ISSUESUBCA-CA) –> click on ‘All Tasks’ –> select ‘Install CA Certificate.’

  41. Select the certificate file

    Select the certificate file that was copied to C:\ and click ‘Open.’

  42. Start the Certificate Authority service

    If the service did not start automatically, right-click on the common name (TheSecMaster-ISSUESUBCA-CA) –> click on ‘All Tasks’ –> select ‘Start Service.’

    The Issuing Sub CA is up and running.

  43. Issuing Sub CA is in the running state

  44. No certificate templates published

    In the CA console, navigate to the common name (TheSecMaster-ISSUESUBCA-CA) –> Certificate Templates. No templates exist because we set ‘LoadDefaultTemplates=0’ in the ‘CAPolicy.inf’ file during the pre-installation configuration of the Issuing Sub CA.

  45. Add templates based on your requirements

    To add a certificate template, right-click on ‘Certificate Templates’ –> select ‘New’ –> click on ‘Certificate Template to Issue.’

  46. Choose the User template

    In this demo, select the ‘User’ template and click ‘OK.’

  47. The User template has been added to Certificate Templates


Post-Installation Configuration for Issuing Sub CA

  1. Log in to the Enterprise Issuing CA (IssueSubCA.TheSecMaster.local) server as TheSecMaster\Administrator.
  2. Open an elevated command prompt:

Follow the below steps to open an elevated cmd:

Click Start –> type ‘cmd’, right-click on ‘Command Prompt’ –> click on ‘Run as administrator.’

  3. Run the below commands in the elevated command prompt to complete the Issuing CA configuration.

Note: Restart the certificate service after all of the below commands have completed.

    1. Configure the CRL and Delta CRL publication intervals:
        Certutil -setreg CA\CRLPeriodUnits 1
        Certutil -setreg CA\CRLPeriod "Weeks"
        Certutil -setreg CA\CRLDeltaPeriodUnits 1
        Certutil -setreg CA\CRLDeltaPeriod "Days"
    2. Configure the ‘CRL Overlap Period Units’ and the ‘CRL Overlap Period’:
        Certutil -setreg CA\CRLOverlapPeriodUnits 12
        Certutil -setreg CA\CRLOverlapPeriod "Hours"
    3. Configure the ‘Validity Period’ for all certificates issued by this CA:
        Certutil -setreg CA\ValidityPeriodUnits 5
        Certutil -setreg CA\ValidityPeriod "Years"
    4. Restart the Certificate Service on the server:
        net stop certsvc && net start certsvc
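The post-installation settings above applied from PowerShell, then read back from the CA's registry key and checked against the Issuing CA's own certificate, as an added example that is not part of the original post. It assumes the CA name used in this guide (TheSecMaster-ISSUESUBCA-CA) and an elevated prompt on the Issuing CA server.

```powershell
# Added example (not from the original post): apply the post-installation
# certutil settings, restart the CA service, read the values back from the
# registry, and warn if the issued-certificate lifetime outlives the CA itself.
$caName = 'TheSecMaster-ISSUESUBCA-CA'   # CA common name used in this guide

function Set-CaReg([string]$Name, [string]$Value) {
    # certutil -setreg CA\<Name> <Value>, failing loudly instead of silently.
    & certutil -setreg "CA\$Name" $Value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg CA\$Name $Value failed" }
}

Set-CaReg CRLPeriodUnits 1
Set-CaReg CRLPeriod 'Weeks'
Set-CaReg CRLDeltaPeriodUnits 1
Set-CaReg CRLDeltaPeriod 'Days'
Set-CaReg CRLOverlapPeriodUnits 12
Set-CaReg CRLOverlapPeriod 'Hours'
Set-CaReg ValidityPeriodUnits 5
Set-CaReg ValidityPeriod 'Years'

Restart-Service certsvc   # the same as: net stop certsvc && net start certsvc

# Read the effective values back from the CA configuration key.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
$cfg = Get-ItemProperty -Path $regPath
"Base CRL every $($cfg.CRLPeriodUnits) $($cfg.CRLPeriod), delta CRL every $($cfg.CRLDeltaPeriodUnits) $($cfg.CRLDeltaPeriod), overlap $($cfg.CRLOverlapPeriodUnits) $($cfg.CRLOverlapPeriod)"

# A CA never issues a certificate that outlives its own certificate: the real
# lifetime is the smaller of ValidityPeriod and the time left on the CA certificate.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$caName*" } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "CA certificate for $caName not found in Cert:\LocalMachine\My" }

$units = [int]$cfg.ValidityPeriodUnits
$requestedEnd = switch ($cfg.ValidityPeriod) {
    'Years'  { (Get-Date).AddYears($units) }
    'Months' { (Get-Date).AddMonths($units) }
    'Weeks'  { (Get-Date).AddDays(7 * $units) }
    'Days'   { (Get-Date).AddDays($units) }
    default  { (Get-Date).AddHours($units) }
}
if ($requestedEnd -gt $caCert.NotAfter) {
    Write-Warning ("ValidityPeriod of $units $($cfg.ValidityPeriod) reaches past the CA certificate's expiry " +
                   "($($caCert.NotAfter)); certificates issued from now on are truncated to that date.")
} else {
    "Issued certificates get the full $units $($cfg.ValidityPeriod); CA certificate valid until $($caCert.NotAfter)"
}
```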

Configuring CDP and AIA using GUI

As with the Root CA, the CDP and AIA extensions need to be configured for the issuing CA.

  1. Open the Certification Authority console

In Server Manager, click on ‘Tools’ –> select ‘Certification Authority.’

  2. Open the Certification Authority properties

In the Certification Authority console, right-click on the Certification Authority name and click on ‘Properties.’

  3. Modify the CDP configuration in the Certification Authority properties
    1. In the Certification Authority properties, select the ‘Extensions’ tab –> make sure the selected extension is ‘CRL Distribution Point (CDP)’ and remove the below 2 default CDP location templates:
http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
    2. After removing the default CDP locations, click on ‘Add’ to add a new location.
    3. Copy the ‘Example location’ from ‘Description of the selected variable’ and paste it into the Location field. Replace ServerDNSName accordingly.
    4. In this demo, replace ‘ServerDNSName’ with ‘PKI.thesecmaster.local’.
Sample: http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
New Location: http://PKI.thesecmaster.local/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
    5. Make sure the below 2 options are selected:
        1. Include in CRLs. Clients use this to find Delta CRL locations.
        2. Include in the CDP extension of issued certificates.
    6. Click on ‘Apply’ and click on ‘Yes’ to restart the certificate services.

  4. Modify the AIA configuration in the Certification Authority properties
    1. In the Certification Authority properties, select the ‘Extensions’ tab –> make sure the selected extension is ‘Authority Information Access (AIA)’ and remove the below 2 default AIA location templates:
http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
file://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
    2. After removing the default AIA locations, click on ‘Add’ to add a new location.
    3. Copy the ‘Example location’ from ‘Description of the selected variable’ and paste it into the Location field. Replace ServerDNSName accordingly.
    4. In this demo, replace ‘ServerDNSName’ with ‘PKI.thesecmaster.local’.
Sample: http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
New Location: http://PKI.thesecmaster.local/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
    5. Make sure ‘Include in the AIA extension of issued certificates’ is selected.
    6. Click on ‘Apply’ and click on ‘Yes’ to restart the certificate services.

  5. Publish a new Certificate Revocation List (CRL)

To publish the new CRL, right-click on ‘Revoked Certificates’ –> select ‘All Tasks’ –> click on ‘Publish.’

  6. Select the type of ‘CRL to publish’

Select ‘New CRL’ to issue a complete CRL, which contains up-to-date revocation information for the CA, and click on ‘OK.’
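The CDP and AIA changes made above through the Extensions tab, applied with certutil so they are repeatable, followed by a fetch of the published CRL and CA certificate the way a client would, as an added example that is not part of the original post. It assumes, as in this guide, that PKI.thesecmaster.local resolves to this server's IIS /CertEnroll directory, that the CA is TheSecMaster-ISSUESUBCA-CA on IssueSubCA.TheSecMaster.local, and that the default local-file and LDAP locations are kept.

```powershell
# Added example (not from the original post): set CRLPublicationURLs (CDP) and
# CACertPublicationURLs (AIA) with certutil, republish the CRL, then verify
# that the HTTP locations written into issued certificates are actually reachable.
$pkiHost    = 'PKI.thesecmaster.local'
$caName     = 'TheSecMaster-ISSUESUBCA-CA'
$serverFqdn = 'IssueSubCA.TheSecMaster.local'

# certutil tokens: %1 ServerDNSName, %2 ServerShortName, %3 CaName, %4 CertificateName,
# %6 ConfigurationContainer, %7 CATruncatedName, %8 CRLNameSuffix, %9 DeltaCRLAllowed,
# %10 DSCRLAttribute, %11 DSCACertAttribute. The number before ':' is the option bitmask.
# CDP bits: 1 publish CRLs here, 2 include in CDP extension, 4 include in CRLs (delta locations),
#           8 include in all CRLs (AD), 64 publish delta CRLs here. 6 = the two boxes ticked above.
$cdpUrls = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    "6:http://$pkiHost/CertEnroll/%3%8%9.crl"
) -join '\n'          # certutil expects a literal \n between multi-string values
# AIA bits: 1 publish the CA certificate here, 2 include in the AIA extension of issued certificates.
$aiaUrls = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    "2:http://$pkiHost/CertEnroll/%1_%3%4.crt"
) -join '\n'

& certutil -setreg CA\CRLPublicationURLs $cdpUrls | Out-Null
& certutil -setreg CA\CACertPublicationURLs $aiaUrls | Out-Null
Restart-Service certsvc        # the GUI's "restart the certificate services" prompt
& certutil -CRL | Out-Null     # same as Revoked Certificates -> All Tasks -> Publish

# Fetch what a relying party fetches: base CRL, delta CRL and the CA certificate.
$urls = @(
    "http://$pkiHost/CertEnroll/$caName.crl",
    "http://$pkiHost/CertEnroll/$caName+.crl",
    "http://$pkiHost/CertEnroll/${serverFqdn}_$caName.crt"
)
foreach ($url in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "{0,-4} {1} ({2} bytes)" -f $r.StatusCode, $url, $r.Content.Length
    } catch {
        Write-Warning "$url : $($_.Exception.Message)"
        if ($url -like '*+.crl') {
            Write-Warning 'Delta CRL names contain "+"; IIS request filtering rejects it unless allowDoubleEscaping is enabled on the CertEnroll directory.'
        }
    }
}
```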
