If you have not already read the first page in this MS PKI series,
you should do so before continuing.
The following is useful for setting up a single ADCS PKI server in a very small environment such as a lab. It provides instructions using the standard graphical interface that most people use in the MS world. It uses LDAP for all CDP/AIA publishing, which only works for computers that are on the domain.
If HTTP is needed to publish CRL/AIA, it must be on a different server (maybe; I've had issues getting CRL/AIA publishing to work on the same server). The requirements can be taken from the "Two Tier" setup instructions located on a different page.
Note that a single tier PKI is not typically appropriate in a production environment.
A second page is provided elsewhere that uses a mixture of command line instructions, both PowerShell and the certutil interfaces, for building and configuring the server.
Build the server and join it to the domain.
Copy CAPolicy.inf to C:\Windows (%systemroot%) on the root CA server. A minimal example is provided below. This must be done before installing the CA role.
Warning: If building a new replacement issuing server (including a single-tier one), use a CAPolicy.inf with the "LoadDefaultTemplates=0" line added. When the server is ready to issue, manually add the certificate templates.
CAPolicy.inf example for Root CA:
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; Leaving the next two sections empty keeps the CDP and AIA extensions out of the root certificate
[CRLDistributionPoint]
[AuthorityInformationAccess]
Install CA Role:
Enterprise root CA
"Certification Authority"
Configure ADCS:
"Certification Authority"
"Enterprise CA"
"Root CA"
"Create Private Key" -- RSA default is OK, key length 4096, SHA256
"Common name" -- Not the same name as the server
"Validity period" -- Should match what CAPolicy.inf sets (20 years in the example above)
After completion, check the certificate in the Certification Authority MMC (CertSrv). It should match the settings above.
Post Install Configuration:
Open a command prompt as administrator. Don't make these periods too short if using LDAP; consider OCSP instead.
NOTE: There are many settings. These are pretty minimal.
Certutil -setreg CA\CRLPeriodUnits 1
Certutil -setreg CA\CRLPeriod "Weeks"
-- The next two are only needed if delta CRLs are used (which I usually don't on a single-tier testing server)
Certutil -setreg CA\CRLDeltaPeriodUnits 1
Certutil -setreg CA\CRLDeltaPeriod "Days"
Add the CDP and AIA points:
From Server Manager:
"Tools"
"Certification Authority" (MMC CertSRV)
"Properties"
"Extensions" tab
Don't screw these up, or you have to start over because the issued certs will be bad.
Add CDP (CRL Distribution Point):
Click Add and build the LDAP path below, using the "Variable" list and Insert for each placeholder.
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
Check "Publish CRLs to this location", "Include in CRLs", "Include in the CDP extension of issued certificates"
Remove the default entries except the local C:\Windows path (this is a standalone server, so the file and default ldap entries are not needed anyway)
-- or --
Uncheck all boxes for each.
Add AIA (Authority Information Access):
Click Add and build the LDAP path below, using the "Variable" list and Insert for each placeholder.
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
Check "Include in the AIA of issued certificates"
Remove the default entries except "C:\Windows\System32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt"
-- or --
Uncheck all "Publish/Include" boxes for each.
Restart the service and publish the CRL (certutil -crl):
Restart Certificate Services to activate this configuration, in a PowerShell window:
restart-service certsvc
Right-click "Revoked Certificates"
All Tasks, Publish
In C:\Windows\System32\CertSrv\CertEnroll the .crl's Date Modified should change when the CRL is published.
Check PKI health:
pkiview.msc
Also check “Manage AD Containers” from the pkiview menu.
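As an added post-install check for the steps above (example script, not part of the original page), this PowerShell reads the CA certificate and newest CRL from the CertEnroll folder plus the registry values behind the certutil and Extensions-tab steps, and reports whether they match the settings described here. It assumes the default CertEnroll path and an RSA CA key.

```powershell
# Added check (not from the original page). Run in an elevated PowerShell on the CA server.
# Assumes the default CertEnroll folder and an RSA CA key; adjust $enroll if you moved it.
$enroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

# 1. Newest CA certificate: key size, signature algorithm, validity and common name
$crtFile = Get-ChildItem $enroll -Filter *.crt |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crtFile.FullName
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($ca)
$years = ($ca.NotAfter - $ca.NotBefore).TotalDays / 365.25

"CA subject       : $($ca.Subject)"
"Key size         : $($rsa.KeySize)   (expected 4096)"
"Signature alg    : $($ca.SignatureAlgorithm.FriendlyName)   (expected sha256RSA)"
"Validity (years) : $([math]::Round($years, 1))   (expected to match CAPolicy.inf)"

# The CA common name should not be the server's own host name
$cn = (($ca.Subject -split ',')[0] -replace '^CN=', '').Trim()
if ($cn -ieq $env:COMPUTERNAME) { "WARNING: CA common name equals the server name ($cn)" }

# A root built with the empty CAPolicy.inf sections above should carry no CDP/AIA extension
$hasCdp = [bool]($ca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })
$hasAia = [bool]($ca.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' })
"Root has CDP ext : $hasCdp   (expected False)"
"Root has AIA ext : $hasAia   (expected False)"

# 2. Registry values behind the certutil -setreg and Extensions-tab steps
foreach ($v in 'CRLPeriodUnits', 'CRLPeriod', 'CRLPublicationURLs', 'CACertPublicationURLs') {
    "--- CA\$v ---"
    certutil -getreg "CA\$v" | Select-String -Pattern 'REG_', 'ldap:///', '\.crl', '\.crt', 'Weeks|Days|Months'
}

# 3. CRL freshness: the .crl should have been rewritten by the Publish step
$crl = Get-ChildItem $enroll -Filter *.crl | Sort-Object LastWriteTime -Descending | Select-Object -First 1
"Newest CRL       : $($crl.Name) written $($crl.LastWriteTime)"
if ($crl.LastWriteTime -lt (Get-Date).AddHours(-1)) { "WARNING: newest CRL is over an hour old; was it published?" }
```

Any ldap:/// entry printed under CRLPublicationURLs and CACertPublicationURLs should be the path you entered on the Extensions tab; a missing or mistyped one is what forces the restart the text warns about.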
If CA Object Access Auditing is needed, see the page here.