Deploying AD Cert Services as a subordinate CA


Michael Leone

Feb 12, 2020, 10:52:39 AM2/12/20
to NTSysAdmin
As some have followed here, I have a Linux based CA that I use to issue certificates. I'd like to finally go whole hog, and install the AD CS, so that my certs are AD-integrated.

Now, I know that since I already have a CA that I use, what I want to do is create a subordinate CA, an AD-joined one that actually issues the certs. And that sub-CA cert will need to be signed by my root CA, then installed in the ADCS. Fine, no worries.

I've been reading this:


and this:

 
both of which seem like exactly what I want to do. But other sites - such as MS itself -  are saying that I need to make a "capolicy.inf" file first, before ever installing the cert services.


"Before you install AD CS, you configure the CAPolicy.inf file with specific settings for your deployment."
 
So I don't know where to go with this. The web pages above don't make such a file first, they just install AD CS, and then use that to make a request.

Can anybody shine some light on my stupidity?
 

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

Michael B. Smith

Feb 12, 2020, 11:04:54 AM2/12/20
to ntsys...@googlegroups.com

You only need a CApolicy.inf if you want to change defaults at installation; that is, you don’t want to configure them.

 

For example, your AIA and CDP name will be based on the name of your CA. So if your CA is named CA-01.example.local, then that’ll be the hostname encoded in your certificates. You can specify in the CApolicy.inf file that you want it to be, for example, ca.contoso.com.

 

Changing the certificate renewal default from 1 year to 2 or 3 years is also a common change.

 

All of these can also be configured after the fact.

 

Regardless, this specifies how to build or use a CApolicy.inf if you want to use one:

 

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file


Kurt Buff - GSEC, GCIH

Feb 12, 2020, 11:17:28 AM2/12/20
to ntsys...@googlegroups.com

Michael Leone

Feb 12, 2020, 12:20:40 PM2/12/20
to NTSysAdmin
On Wed, Feb 12, 2020 at 11:04 AM Michael B. Smith <mic...@smithcons.com> wrote:

> You only need a CApolicy.inf if you want to change defaults at installation; that is, you don’t want to configure them.
>
> For example, your AIA and CDP name will be based on the name of your CA. So if your CA is named CA-01.example.local, then that’ll be the hostname encoded in your certificates. You can specify in the CApolicy.inf file that you want it to be, for example, ca.contoso.com.



AH HA! Now see, that's very useful information, thanks. And here's why ... my Linux CA instructions make a CRL (Certification Revocation List) file, and one of the sections for signing an intermediate CA cert has an entry that adds a "crlDistributionPoints" entry that points to a URI, that I have defined as "http://pki.<FQDN>/my-CRL.crl". So I might need to look at that policy file, to add that alias in there. Or maybe just need a DNS alias that points to the intermediate CA, with that name? Remove it entirely from the root CA config file?

I'll have to ruminate a bit ... I don't get those sections when I sign a normal cert, so I don't know if I have to do anything special to sign the intermediate CA ...

> Changing the certificate renewal default from 1 year to 2 or 3 years is also a common change.


Yeah, I can see that.
 

> All of these can also be configured after the fact.


AH, that might be easier still ...
 

> Regardless, this specifies how to build or use a CApolicy.inf if you want to use one:
>
> https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file


Thanks, I will be perusing that ...
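The two questions in this thread (when CAPolicy.inf matters, and where the CDP/AIA names come from) map onto distinct steps of a subordinate-CA build. The following is an added example, not code posted by anyone in the thread; the CA name, the pki.example.local host and the C:\CAConfig paths are placeholders. The CDP in the root's openssl signing section ends up in the sub-CA's own certificate and must point at where the root's CRL is published; the CDP/AIA for certificates the sub-CA issues are set on the Windows side after installation.

```powershell
# Added example: build an AD CS enterprise subordinate CA signed by an external root.
# Hostnames and paths below are placeholders, not values from the thread.

# 1. Optional pre-install CAPolicy.inf. For a subordinate CA the parent (root) decides
#    the CDP/AIA extensions of the sub-CA certificate itself, so this file only tunes
#    the CA's own defaults and can be omitted entirely.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
; do not auto-publish the default templates; enable only what is needed
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# 2. Install the role and emit a request for the external root CA to sign.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "Example Issuing CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "C:\CAConfig\subca.req" -Force

# 3. After the root has signed subca.req (its signing profile supplies the sub-CA
#    certificate's CDP/AIA, which must resolve to the ROOT's CRL and cert), install it.
certutil -installcert "C:\CAConfig\subca.cer"
Start-Service certsvc

# 4. CDP/AIA for certificates this CA issues are configured after the fact.
#    Prefix 1 = publish to this path; 2 = include the URL in issued certificates.
certutil -setreg CA\CRLPublicationURLs ("1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n" +
    "2:http://pki.example.local/CertEnroll/%3%8%9.crl")
certutil -setreg CA\CACertPublicationURLs ("1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n" +
    "2:http://pki.example.local/CertEnroll/%1_%3%4.crt")

# 5. Default lifetime of issued certificates (the "1 year" default discussed above).
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc
certutil -crl   # publish a fresh CRL to the locations configured in step 4
```

Afterwards, `certutil -verify -urlfetch` against a certificate issued by the sub-CA confirms that every CDP and AIA URL in the chain, including the root's, is actually reachable.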
