AD CS 2008 R2 Two-tier Install Procedure

• Windows 2008 R2 Server core – offline Root CA
• Windows 2008 R2 domain controller
• Windows 2008 R2 enterprise edition – Subordinate Enterprise CA server

Offline Root CA – OS installation phase

1. Boot the server using Windows 2008 R2 bootable DVD.
2. Specify the product ID -> click Next.
3. From the installation option, choose “Windows Server 2008 R2 (Server Core
   Installation)” -> click Next.
4. Accept the license agreement -> click Next.
5. Choose “Custom (Advanced)” installation type -> specify the hard drive to
   install the operating system -> click Next.
6. Allow the installation phase to continue and restart the server
   automatically.
7. To login to the server for the first time, press CTRL+ALT+DELETE
8. Choose “Administrator” account -> click OK to replace the account
   password -> specify complex password and confirm it -> press Enter ->
   Press OK.
9. From the command prompt window, run the command
   bellow:
   sconfig.cmd
10. Press “2″ to replace the computer name -> specify new computer name ->
    click “Yes” to restart the server.
11. To login to the server, press CTRL+ALT+DELETE -> specify the
    “Administrator” account credentials.
12. From the command prompt window, run the command
    bellow:
    sconfig.cmd
13. Press “5″ to configure “Windows Update Settings” -> select “A” for
    automatic -> click OK.
14. Press “6″ to download and install Windows Updates -> choose “A” to search
    for all updates -> Choose “A” to download and install all updates -> click
    “Yes” to restart the server.
15. To login to the server, press CTRL+ALT+DELETE -> specify the
    “Administrator” account credentials.
16. From the command prompt window, run the command
    bellow:
    sconfig.cmd
17. In-case you need to use RDP to access and manage the server, press “7″ to
    enable “Remote Desktop” -> choose “E” to enable -> choose either “1″ or
    “2″ according to your client settings -> Press OK.
18. Press “8″ to configure “Network settings” -> select the network adapter
    by its Index number -> press “1″ to configure the IP settings -> choose
    “S” for static IP address -> specify the IP address, subnet mask and default
    gateway -> press “2″ to configure the DNS servers -> click OK -> press
    “4″ to return to the main menu.
19. Press “9″ to configure “Date and Time” -> choose the correct “date/time”
    and “time zone” -> click OK
20. Press “11″ to restart the server to make sure all settings take effect ->
    click “Yes” to restart the server.

Offline Root CA – Certificate Authority server installation
phase

1. To login to the server, press CTRL+ALT+DELETE -> specify the
   “Administrator” account credentials.
2. Install Certificate services:
   start /w ocsetup.exe
CertificateServices /norestart /quiet
3. To check that the installation completed, run the command:
   oclist
find /i "CertificateServices"
4. Download the file “setupca.vbs”
   from:
   http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
   To:
   C:\Windows\system32
5. Run the command bellow to configure the Root CA:
   Cscript /nologo
C:\Windows\System32\setupca.vbs /is /sn
<ca_server_name> /sk 4096 /sp "RSA#Microsoft
Software Key Storage Provider" /sa SHA256
6. In-order to verify that the installation completed successfully, open using
   Notepad, the file “_SetupCA.log” located in
   the current running directory, and make sure the last line is:
   Install
complete! Passed
7. Run the command bellow to enable remote management of the Root
   CA:
   netsh advfirewall firewall set rule group="Remote Service
Management" new enable=yes
8. Run the command bellow to stop the CertSvc service:
   Net stop
CertSvc
9. Run the command bellow to change new certificate validity period
   time:
   reg add
HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<rootca_netbios_name> /v
ValidityPeriodUnits /t REG_DWORD /d 5 /fNote: The command above should be
   written in one line.
10. Run the command bellow to start the CertSvc service:
    Net start
CertSvc

Enterprise Subordinate CA – OS installation
phase
Pre-requirements:

• Active Directory (Forest functional level – Windows 2008 R2)
• Add “A” record for the Root CA to the Active Directory DNS.

1. Boot the server using Windows 2008 R2
   Enterprise Editionbootable DVD.
2. Specify the product ID -> click Next.
3. From the installation option, choose “Windows Server 2008 R2 Enterprise Edition Full
   installation” -> click Next.
4. Accept the license agreement -> click Next.
5. Choose “Custom (Advanced)” installation type -> specify the hard drive to
   install the operating system -> click Next.
6. Allow the installation phase to continue and restart the server
   automatically.
7. To login to the server for the first time, press CTRL+ALT+DELETE
8. Choose “Administrator” account -> click OK to replace the account
   password -> specify complex password and confirm it -> press Enter ->
   Press OK.
9. From the “Initial Configuration Tasks” window, configure the following
   settings:
   • Set time zone
   • Configure networking – specify static IP address, netmask, gateway, DNS
   • Provide computer name and domain – add the server to the domain
   • Enable Remote Desktop
10. In-order to be able to remotely manage the Root CA, run the command
    bellow:
    cmdkey /add:<RootCA_Hostname>
/user:Administrator /pass:<RootCA_Admin_Password>

Enterprise Subordinate CA – Certificate Authority server
installation phase
Pre-requirements:

• DNS CNAME record named “wwwca” for the Enterprise Subordinate CA.

1. To login to the server, press CTRL+ALT+DELETE -> specify the credentials
   of account member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
2. Start -> Administrative Tools -> Server Manager.
3. From the left pane, right click on Roles -> Add Roles -> Next ->
   select “Web Server (IIS)”
   -> click Next twice -> select the following role services:
   • Web Server
   • Common HTTP Features
   • Static Content
   • Default Document
   • Directory Browsing
   • HTTP Errors
   • HTTP Redirection
   • Application Development
   • .NET Extensibility
   • ASP
   • ISAPI Extensions
   • Health and Diagnostics
   • HTTP Logging
   • Logging Tools
   • Tracing
   • Request Monitor
   • Security
   • Windows Authentication
   • Client Certificate Mapping Authentication
   • IIS Client Certificate Mapping Authentication
   • Request Filtering
   • Performance
   • Static Content Compression
   • Management Tools
   • IIS Management Console
   • IIS Management Scripts and Tools
   • IIS 6 Management Compatibility
   • IIS 6 Metabase Compatibility
4. Click Next -> click Install -> click Close.
5. From the left pane, right click on Features -> Add Features -> Next
   -> expand “Windows Process Activation Service” -> select “.NET
   Environment” and “Configuration APIs” -> select the feature “.NET Framework
   3.5.1 Features” -> click Next -> click Install -> click Close.
6. From the left pane, right click on Roles -> Add Roles -> Next ->
   select “Active Directory Certificate
   Services” -> click Next twice -> select the following role
   services:
   • Certification Authority
   • Certification Authority Web Enrollment
   • Certificate Enrollment Policy Web Service
7. Click Next.
8. Configure the following settings:
   • Specify Setup Type: Enterprise
   • CA Type: Subordinate CA
   • Private Key: Create a new private key
   • Cryptography:
     Cryptographic service provider (CSP): RSA#Microsoft
     software Key Storage Provider
     Key length: 2048
     Hash algorithm SHA256
   • CA Name:
     Common name: specify here the subordinate server NetBIOS
     name
     Distinguished name suffix: leave the default domain settings
   • Certificate Request: Save a certificate to file and manually send it later
   • Certificate Database: leave the default settings
   • Authentication Type: Windows Integrated Authentication
   • Server Authentication Certificate: Choose and assign a certificate for SSL
     later
9. Click Next twice -> click Install -> click Close.
10. Close the Server Manager.
11. Start -> Administrative Tools -> Certification Authority
12. From the left pane, right click on “Certification Authority (Local)” ->
    “Retarget Certification Authority” -> choose “Another computer” -> specify
    the RootCA hostname -> click Finish.
13. Right click on the RootCA server name -> Properties -> ->
    Extensions tab -> extension type: CRL Distribution Point (CDP):
    • Uncheck “Publish Delta CRLs to this location”.
    • Mark the line begins with “LDAP”, and click remove.
    • Mark the line begins with “HTTP”, and click remove.
    • Mark the line begins with “file”, and click remove.
    • Click on Add -> on the location, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crl
    • Click on the line begins with “HTTP”, and make sure the only option checked
      is: “Include in CDP extension of issued certificates”.
    • Click on the line begins with “C:\Windows”, and make sure the only option
      checked is: “Publish CRLs to this location”
14. Extensions tab -> extension type: Authority Information Access (AIA):
    • Mark the line begins with “LDAP”, and click remove.
    • Mark the line begins with “HTTP”, and click remove.
    • Mark the line begins with “file”, and click remove.
    • Click on Add -> on the location, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crt
15. Click OK and allow the CA server to restart its services.
16. From the “Certification Authority” left pane, right click on “Revoked
    certificates”-> Properties:
    • CRL publication interval: 180 days
    • Make sure “Publish Delta CRLs” is not checked
    • Click OK
17. Right click on the CA name -> All tasks -> Stop service
18. Right click on the CA name -> All tasks -> Start service
19. Run the commands bellow from command line, to configure the Offline Root CA
    to publish in the active-directory:
    certutil.exe -setreg ca\DSConfigDN
"CN=Configuration,DC=mycompany,DC=com"
certutil.exe -setreg
ca\DSDomainDN "DC=mycompany,DC=com"Note: Replace
    “DC=mycompany,DC=com”
    according to your domain name.
20. From the “Certification Authority” left pane, right click on “Revoked
    certificates”-> All tasks -> Publish -> click OK.
21. Close the “Certification Authority” snap-in and logoff the subordinate CA
    server.
22. Login to a domain controller in the forest root domain, with account member
    of Domain Admins and Enterprise Admins.
23. Copy the file bellow from the Offline Root CA server to a temporary folder
    on the domain
    controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
24. Start -> Administrative Tools -> Group Policy Management.
25. From the left pane, expand the forest name -> expand Domains -> expand
    the relevant domain name -> right click on “Default domain policy” ->
    Edit.
26. From the left pane, under “Computer Configuration” -> expand Policies
    -> expand “Windows Settings” -> expand “Security Settings” -> expand
    “Public Key Policies” -> right click on “Trusted Root Certification
    Authorities” -> Import -> click Next -> click Browse to locate the CRT
    file from the Root CA -> click Open -> click Next twice -> click Finish
    -> click OK.
27. Logoff the domain controller.
28. Return to the subordinate enterprise CA server.
29. Start -> Administrative Tools -> Certification Authority.
30. From the left pane, right click on “Certification Authority (Local)” ->
    “Retarget Certification Authority” -> choose “Another computer” -> specify
    the RootCA hostname -> click Finish.
31. Right click on the RootCA server name -> All Tasks -> Submit new
    request -> locate the subordinate CA request file (.req) -> Open.
32. Expand the RootCA server name -> right click on “Pending Requests” ->
    locate the subordinate CA request ID according to the date -> right click on
    the request -> All Tasks -> Issue.
33. From the left pane, click on “Issued Certificates” -> locate the
    subordinate CA request ID -> right click on the request -> All Tasks ->
    “Export Binary Data” -> choose “Binary Certificate” -> click “Save binary
    data to a file” -> click OK -> specify location and the file name –
    <subordinate_ca_server_name_signed_certificate>.p7b
    -> click Save.
34. Run the command bellow from command line to avoid offline CRL
    errors:
    Certutil.exe -setreg ca\CRLFlags
+CRLF_REVCHECK_IGNORE_OFFLINE
35. From the left pane, right click on “Certificate Authority” -> “Retarget
    Certification Authority” -> choose “Local computer” -> click Finish.
36. Right click on the subordinate CA server name -> All Tasks -> “Install
    CA Certificate” -> locate the file <Subordinate_CA_Server_Name_Signed_Certificate>.p7b
    -> click Open.
37. Right click on the subordinate CA server name -> All Tasks -> Start
    Service.
38. Right click on the subordinate CA server name -> Properties -> ->
    Extensions tab -> extension type: CRL Distribution Point (CDP):
    • Mark the line begins with “HTTP” -> click Remove -> click Yes.
    • Mark the line begins with “file” -> click Remove -> click Yes.
    • Click on Add -> on the location, put:
      http://wwwca/CertEnroll/<subordinate_CA_Server_Name&gt;.crl
    • Click on the line begins with “HTTP”, and make sure the following options
      are checked: “Include in CRLs” and “Include in the CDP”.
39. Extensions tab -> extension type: Authority Information Access (AIA):
    • Mark the line begins with “HTTP” -> click Remove -> click Yes.
    • Mark the line begins with “file” -> click Remove -> click Yes.
    • Click on Add -> on the location, put:
      http://wwwca/CertEnroll/<SubordinateCA-FQDN_Subordinate_NetBIOS_Name>.crtExample: http://wwwca/CertEnroll/MyCA.mydomain.com_MyCA.crt
    • Click on the line begins with “HTTP”, and make sure the following option is
      checked: “Include in the AIA”.
40. Click OK and allow the CA server to restart its services.
41. From the “Certification Authority” left pane, right click on “Revoked
    certificates”-> All tasks -> Publish -> click OK.
42. Close the “Certification Authority” snap-in
43. Copy the files bellow from the Root CA to the subordinate CA (same
    location):
    C:\Windows\System32\CertSrv\CertEnroll\*.crl
C:\Windows\System32\CertSrv\CertEnroll\*.crt
44. Logoff the subordinate CA server.
45. Login to a domain controller in the forest root domain, with account member
    of Domain Admins and Enterprise Admins.
46. Copy the file bellow from the subordinate CA server to a temporary folder on
    the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
    – copy the newest file
47. Start -> Administrative Tools -> Group Policy Management.
48. From the left pane, expand the forest name -> expand Domains -> expand
    the relevant domain name -> right click on “Default domain policy” ->
    Edit.
49. From the left pane, under “Computer Configuration” -> expand Policies
    -> expand “Windows Settings” -> expand “Security Settings” -> expand
    “Public Key Policies” -> right click on “Intermediate Certification
    Authorities” -> Import -> click Next -> click Browse to locate the CRT
    file from the subordinate CA server -> click Open -> click Next twice
    -> click Finish -> click OK.
50. Logoff the domain controller.