If you have not already read the first page in this MS PKI series, you should do so before continuing.
The following is useful for setting up a single ADCS PKI server in a very small environment such as a lab. It provides instructions using the standard graphical interface that most people use in the MS world. It uses LDAP for publishing the CDP/AIA points, which only works for computers that are joined to the domain.
If HTTP is needed to publish the CRL/AIA, it must be on a different server (maybe; I’ve had issues getting CRL/AIA publishing to work on the same server). The requirements for that can be taken from the “Two Tier” setup instructions located on a different page.
Note that a single tier PKI is not typically appropriate in a production environment.
A second page is provided elsewhere that uses a mixture of command line instructions, both PowerShell and the certutil interfaces, for building and configuring the server.
Build up the server and add to the domain.
Copy CAPolicy.inf to C:\windows (%systemroot%) of root CA server. A simple minimal example is provided below. You must do this step prior to installing the CA role.
Warning: If creating a new replacement issuing (including single tier) server, use the CAPolicy.inf with the “LoadDefaultTemplates=0” line added. When the server is ready to issue, manually add the certificate templates.
CAPolicy.inf example for Root CA:
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

[CRLDistributionPoint]

[AuthorityInformationAccess]
Install CA Role:
Select the "Certification Authority" role service (Enterprise root CA).
Configure ADCS:
"Certification Authority"
"Enterprise CA"
"Root CA"
"Create Private Key" -- RSA default is OK, key length 4096, SHA256
"Common name" -- Not the same name as the server
"Validity period" -- Should be set by CAPolicy.inf, or equal to it.
After complete, check the certificate with MMC CertSRV. It should match above settings.
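The same CAPolicy.inf placement and Enterprise Root CA configuration done from an elevated PowerShell prompt instead of the Server Manager wizard. This is an added example, not code from the original page; the CA common name "Lab-Root-CA" is an assumption, and it relies on the ADCS deployment cmdlets (Install-AdcsCertificationAuthority) shipped with Windows Server 2012 and later.

```powershell
# Added example (not from the original page): build the single-tier Enterprise Root CA
# from PowerShell with the same choices as the GUI walk-through above.
# ASSUMPTION: CA common name 'Lab-Root-CA' (must differ from the host name).

# Single-quoted here-string so "$Windows NT$" is not treated as a variable reference.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; Uncomment when rebuilding an issuing (or single-tier) CA so no default
; templates are published until you add them deliberately (see Warning above).
; LoadDefaultTemplates=0

[CRLDistributionPoint]

[AuthorityInformationAccess]
'@

# CAPolicy.inf must already be in %SystemRoot% BEFORE the CA role is configured.
$policyPath = Join-Path $env:SystemRoot 'CAPolicy.inf'
Set-Content -Path $policyPath -Value $caPolicy -Encoding ASCII
Get-Content -Path $policyPath          # eyeball it before continuing

# Install the role binaries (no configuration yet).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Configure: Enterprise CA, Root CA, new RSA 4096 key, SHA256, 20-year validity
# (kept equal to the RenewalValidityPeriod values in CAPolicy.inf).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -CACommonName 'Lab-Root-CA' `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -Force

# Verify the resulting CA certificate matches the settings above
# (subject, validity window, signature algorithm, key size).
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=Lab-Root-CA*' }
$caCert | Format-List Subject, NotBefore, NotAfter, SignatureAlgorithm
$caCert.PublicKey.Key.KeySize          # expect 4096
```

Run it once, as a Domain Admin on the domain-joined server; the final checks are the PowerShell equivalent of inspecting the CA certificate in the CertSrv MMC.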
Post Install Configuration:
Open a command prompt as administrator. Don’t make the CRL periods below too short if using LDAP (AD replication has to catch up before clients see a new CRL). Consider OCSP instead.
NOTE: There are many settings. These are pretty minimal.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
-- Next two only if CRL deltas are used (which I usually don't on a single-tier testing server)
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
Add the CDP and AIA points:
From Server Manager:
"Tools"
"Certification Authority" (MMC CertSRV)
"Properties"
"Extensions" tab
Don’t screw these up or you have to start over, because the CDP/AIA URLs are embedded in every certificate issued afterwards and those certs will be bad.
Add CDP (CRL Distribution Point):
Click Add, then build the LDAP path below, using the “Variable” drop-down and Insert for each <...> token.
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
Check "Publish CRLs to this location", "Include in CRLs", "Include in the CDP extension of issued certificates".
Remove the default entries except the C:\windows one (this is a standalone single server, so the default file and ldap entries are not needed anyway) -- or -- uncheck all boxes for each.
Add AIA (Authority Information Access):
Click Add, then build the LDAP path below, using the “Variable” drop-down and Insert for each <...> token.
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
Check "Include in the AIA extension of issued certificates".
Remove the default entries except "C:\windows\System32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt" -- or -- uncheck all "Publish/Include" boxes for each.
Restart the Service and Publish CRL (certutil -crl):
Restart certificate services to activate this configuration in a PowerShell window:
restart-service certsvc
Right-click "Revoked Certificates", All Tasks, Publish.
In C:\Windows\System32\CertSrv\CertEnroll, the .crl’s Date Modified should change when the CRL is published.
Check PKI health:
pkiview.msc (Enterprise PKI)
Also check “Manage AD Containers” from the pkiview menu.
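The post-install steps above (CRL periods, LDAP-only CDP and AIA, restart, publish, check) done from an elevated PowerShell prompt with certutil, as an added example that is not part of the original page. It uses certutil's URL syntax, where a numeric prefix encodes the Extensions-tab checkboxes and the %n tokens stand for the "Variable" names; the flag values and token numbers are standard certutil ones. The page's "Include in CRLs" wording does not say which of the two "Include in ... CRLs" boxes is meant, so this example sets both (4 and 8); compare the Extensions tab afterwards and adjust if you only want one.

```powershell
# Added example (not from the original page): post-install configuration via certutil.
# Run in an elevated PowerShell prompt on the CA.

# CRL lifetime: 1 week. Delta CRLs are switched off by setting the units to 0
# (the page leaves deltas unused on a single-tier test server).
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"

# Token reference (certutil "Variable" names):
#   %1 ServerDNSName  %2 ServerShortName  %3 CaName  %4 CertificateName
#   %6 ConfigurationContainer  %7 CATruncatedName  %8 CRLNameSuffix
#   %9 DeltaCRLAllowed  %10 CDPObjectClass  %11 CAObjectClass
# CDP flag bits: 1 publish CRLs here, 2 include in CDP extension of issued certs,
#   4 include in CRLs (delta location), 8 include in all CRLs, 64 publish delta CRLs here.
# Entries are joined with a literal "\n", which certutil expands into a REG_MULTI_SZ.
$cdp = @(
    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'      # default local file entry, kept
    '15:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
)
certutil -setreg CA\CRLPublicationURLs ($cdp -join '\n')

# AIA flag bits: 1 publish CA cert to this location (file paths), 2 include in AIA extension.
$aia = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'       # default local file entry, kept
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
)
certutil -setreg CA\CACertPublicationURLs ($aia -join '\n')

# Activate the new settings and publish a fresh CRL (same as Revoked Certificates > Publish).
Restart-Service certsvc
certutil -crl

# Checks: the stored URLs read back as intended and the CRL file timestamp is fresh.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
    Select-Object Name, LastWriteTime

# The root CA certificate itself should carry no CDP/AIA extensions, because the
# root CAPolicy.inf left both sections empty; confirm by dumping it.
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crt" |
    ForEach-Object { certutil -dump $_.FullName }

# Finish with the GUI health check from the page.
Start-Process pkiview.msc
```

If you later add an HTTP CDP/AIA on a separate web server (see the Two Tier page), it is appended to the same two multi-string values with its own flag prefix, and the CA must be restarted and the CRL republished again for the change to take effect.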
If CA Object Access Auditing is needed, see the page here.