
Enterprise CA PKI for Domains – 2 Tier, with Root & Subordinate

I’ve been wanting a working PKI in my environment for a while, for all the typical reasons:

  • Required for 802.1x WiFi authentication
  • Required for 802.1x Wired authentication
  • Required for RADIUS
  • Required for IPSEC between domain systems
  • Required for internal web sites serving SSL traffic without a 3rd-party certificate, including:
    • Actual web sites – ie: those hosted and created on IIS/Apache
    • Application/utility web sites – ie: Open Manage (OMSA, IT Assistant, OME, etc), Veeam Enterprise Manager, etc.
    • Hardware with administration pages – ie: Juniper ScreenOS/SSG, Dell PowerConnect switches, Dell iDRAC, Digi CM32, etc.

I finally got around to finding a way to make it work.  I don’t propose that this is 100% functional at this point, but it’s working.  I also don’t suggest that this is ideal – there is likely a better way.  By all means, let me know if there is!  Thanks in advance.  I cobbled together a little here and a little there and made it functional for me.  I’m sure there is more to do…

With that said – the meat of this post…

Would you like to know why companies don’t have PKI infrastructures?  Because it is FRUSTRATING AS HELL.  Wizardry might be easier.  Seriously, I could make dragons teleport in and breathe flaming acid on Orcs more easily.

Okay, so here is the VERY high level of what you want to know:


1) Best link to get started:  http://security-24-7.com/windows-2008-r2-certification-authority-installation-guide/

a. READ IT VERY FREAKING CAREFULLY.  There is a lot in there that you will miss if you skim it.  Or, if you think you know better, you’ll mess it up – and only realize why in step 43.  For example:

  • “Log off the Subordinate CA”.  “Log onto the Root CA, do blah blah”.  “Log off the root CA”.  “Log onto the DC and edit the GPO to include the certificate”, “Log back onto the Subordinate CA”
    • You’re logging OFF the first box so that, after you modify the GPO, you re-process the GPO when you log back in.  If you don’t, the stuff you added to the GPO isn’t there!  Go figure.
    • If you don’t log off the DC after editing the GPO, there’s a good chance you didn’t close the GPO.  Or save it.  Or set it up to push out on the next pass.
  • Think about your naming.  You will NEVER be able to change it.
  • I have NO idea how to do any sort of dual-server clustering of your Subordinate CAs.  You will almost certainly want some HA for it, especially in a corporate environment.

2) After you do the above… now what?  There are no good details on how to TEST it.  You also haven’t added the Web Enrollment, the Network Device Enrollment Service, etc.  We’ll get to that.

3) http://blogs.technet.com/b/askds/archive/2011/04/11/designing-and-implementing-a-pki-series-wrapup-and-downloadable-copies.aspx – this is a great resource.  Not just this link and this 5-part series, but the blog in general.  Read it a few times.  Digest the information.  Let it sink in.  Read it again.  Then realize it is NOT digested.

4) Go find a computer.  Log in as a member of ENTERPRISE ADMINS.  Start MMC, add the CERTIFICATES snap-in and choose COMPUTER -> LOCAL COMPUTER.

b. Look at that – we have some options.  All we care about (and all you’ll have at this point) is COMPUTER and *maybe* IPSEC.  Click COMPUTER and NEXT.

c. OOOH!  Look at that!

d. I bring to you – certificates!  It works!
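The MMC walk-through above only shows that one enrollment worked.  The following PowerShell script is an added example (not from the original post or the linked guide) that checks the same things from the command line on a domain-joined client, and also covers the GPO-refresh point from step 1: it forces a computer policy refresh, checks that the offline root landed in the Trusted Root store and the issuing CA in the Intermediate store, pings the issuing CA, enrolls a Computer certificate, and validates the chain with revocation checking.  The CA names `Corp-Root-CA` and `SUBCA01.corp.example\Corp-Issuing-CA` are hypothetical placeholders for your own naming; `Get-Certificate` and `Test-Certificate` come from the PKI module (Windows 8 / Server 2012 and later), while the `certutil`/`gpupdate` calls work on 2008 R2 as well.

```powershell
# Added example, not the original post's own code. Run in an elevated PowerShell
# on a domain-joined computer. Both CA names below are hypothetical placeholders.
$RootCaName   = 'Corp-Root-CA'                           # hypothetical offline root CA common name
$IssuingCaCfg = 'SUBCA01.corp.example\Corp-Issuing-CA'   # hypothetical "host\CA common name" config string

# 1. Re-apply computer policy. This is what the "log off / log back on" dance in the
#    guide achieves: the GPO that publishes the root certificate must actually be processed.
gpupdate /target:computer /force | Out-Null
gpresult /scope:computer /r

# 2. The offline root must be in Trusted Root, and the issuing CA in Intermediate CAs,
#    otherwise every certificate the subordinate issues chains to an untrusted root.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$RootCaName*" }
$sub  = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object { $_.Issuer  -like "CN=$RootCaName*" }
if (-not $root) { throw "Root CA '$RootCaName' is not in the Trusted Root store - check the GPO" }
if (-not $sub)  { Write-Warning "No issuing CA certificate found under '$RootCaName' - subordinate not published yet?" }

# 3. Is the issuing CA reachable over DCOM? (This is the path the MMC "Request New Certificate" wizard uses.)
certutil -config $IssuingCaCfg -ping

# 4. An enterprise CA must be in the NTAuth store for its certificates to be usable for domain logon.
certutil -store -enterprise NTAuth

# 5. Enroll a Computer certificate. 'Machine' is the template name behind the "Computer" display name.
$result = Get-Certificate -Template 'Machine' -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: status is $($result.Status)" }
$cert = $result.Certificate
"Issued: $($cert.Subject) by $($cert.Issuer), thumbprint $($cert.Thumbprint)"

# 6. Validate the chain including revocation. 1.3.6.1.5.5.7.3.2 is the Client Authentication EKU.
if (-not (Test-Certificate -Cert $cert -EKU '1.3.6.1.5.5.7.3.2' -ErrorAction Stop)) {
    throw 'Issued certificate does not validate (chain build or revocation check failed)'
}

# 7. certutil -verify -urlfetch fetches every AIA and CDP URL in the chain, which is where
#    two-tier designs usually break: the offline root's CRL is published nowhere reachable.
$cerPath = Join-Path $env:TEMP 'machine-cert.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
certutil -verify -urlfetch $cerPath
```

If step 7 reports a failed CRL or AIA download for the root, the fix is on the CA side (publish the root's CRL to the CDP/AIA locations configured before the subordinate was issued), not on the client; `Test-Certificate` in step 6 will keep failing until that is corrected.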


5) Sooner or later you’re going to want to create a certificate request.  I can’t seem to do mine via the MMC, because I was getting the error shown here: http://pdconsec.net/blogs/davidr/archive/2008/08/13/No_2D00_Certificate_2D00_Template_2D00_In_2D00_Request.aspx

Rather than fight with it, I have accepted Dave’s solution.  It works fine for me; I’ll cope for now.  This is a “to be fixed” thing for me, though.
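When the MMC request wizard refuses to offer a template, the request can be built and submitted outside the GUI.  The script below is an added example (not from the original post, and not Dave’s solution from the linked page) of the `certreq` workflow: it writes an INF describing a web server key and subject alternative names, creates the PKCS#10 request, submits it to the enterprise issuing CA, installs the result and verifies the chain.  The CA config string `SUBCA01.corp.example\Corp-Issuing-CA` and the host name `intranet.corp.example` are hypothetical; it assumes the built-in `WebServer` template is published on the issuing CA and the account running it has Enroll permission on that template.

```powershell
# Added example, not the original post's own code. Placeholders below are hypothetical.
$IssuingCaCfg = 'SUBCA01.corp.example\Corp-Issuing-CA'   # hypothetical "host\CA common name"
$Fqdn         = 'intranet.corp.example'                   # hypothetical subject / SAN
$Work         = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq takes its parameters from an INF. This one asks for a non-exportable 2048-bit RSA key
# in the machine store, the Server Authentication EKU, and a SAN extension (browsers ignore the CN).
# KeyUsage 0xA0 = Digital Signature + Key Encipherment; KeySpec 1 = key can do key exchange.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn, O=Example Corp, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=intranet&"

[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path "$Work\request.inf" -Value $inf -Encoding ASCII

# 1. Generate the key pair and the CSR. The private key is created in the local machine
#    store as a pending request, so it never leaves this box.
certreq -new "$Work\request.inf" "$Work\request.req"

# 2. Submit to the issuing CA. If the template auto-issues, the certificate comes back
#    immediately; if it requires CA manager approval you get a request ID instead and
#    fetch the certificate later with: certreq -retrieve -config $IssuingCaCfg <RequestId> cert.cer
certreq -submit -config $IssuingCaCfg "$Work\request.req" "$Work\cert.cer"

# 3. Join the issued certificate to its pending private key in Cert:\LocalMachine\My.
certreq -accept "$Work\cert.cer"

# 4. Confirm the certificate chains to the root and that its CDP/AIA URLs are reachable.
certutil -verify -urlfetch "$Work\cert.cer"

# Show what was installed; bind this thumbprint to the IIS/Apache site afterwards.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$Fqdn*" } |
    Select-Object Subject, NotAfter, Thumbprint
```

For a device that cannot run `certreq` (a switch, iDRAC or firewall admin page), the same INF approach still applies up to step 2: generate the CSR on the device, submit the resulting `.req` file with `certreq -submit`, and load the returned `.cer` plus the root and issuing CA certificates onto the device.  That keeps the private key on the device instead of creating it on an admin workstation and exporting it.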

6) http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx – you’re probably going to set it up like me, so that it uses Domain Credentials and Trusted Computer to do enrollment.  Think about that for a second.  That works GREAT if your computers are all Windows, all Domain Joined and all Local.  Now how are you planning on getting a certificate for your Juniper router at a remote site that isn’t connected with a VPN because it sits in a DMZ?  How is your user going to request a cert for DirectAccess when he’s off network and trying to set it up for the first time?  There are a LOT of VERY LONG TERM design issues to think about here.  For now, I’m stumbling.

Categories: AD, ADCS, GPO, PKI, SSL
