According to part 1, we now have a Standalone Root CA in this master WS 2008 DC of SnoOpy.com domain.
This machine holds a private key and other powers to rule the whole of our PKI.
Now we must build the hierarchical model for the PKI to form its security, scalability, management characteristics.
Keep in mind that we are dealing with PKI, in real scenario deployment, everything must be taken care extremely.
You may wonder that why almost best-practices require the Root CA must be a Standalone one, pure workgroup machine, offline all the time, locked in a secure chamber?
Why it's needed to have a 3-tier model; 2nd layer rules policies, and 3rd layer is responsible for issuing?
Let's figure them out!
[00:19] "Step by Step: Deploying an Enterprise Subordinate CA in Server 2012 R2 (Part 2)" – mizitechinfo.wordpress.com
[00:24] We are going to build another CA, which will be a Subordinate bellow the Root CA.
This is SnoOpy-Server-2 ADC WS 2008 R2 of SnoOpy.com domain.
[00:34] In the scope of this virtual lab, we just need a 2-Tier chain-of-trust.
So this sCA is the actual CA, which exposes to domain clients in delivering PKI info and certificates.
[00:49] The process of install the Certificate Authority of the AD CS suite can be done via the Add roles tool that we are early familiar with the Root CA installation.
The installation process is same, except we are building an enterprise subordinate CA with Web Enrollment feature for issuing certificates through the web interface, instead of a Standalone Root CA.
Thus, select the role service Certificate Authority Web Enrollment and its required features: Web Server (IIS), RSAT too.
[01:22] This CA is a member of a domain so that we must leverage Directory Service to issue and manage certificates.
[01:22] "Deciding Between Enterprise and Standalone Root Certification Authority in Windows Server 2012" – blogs.interfacett.com
[01:28] Select Subordinate CA to indicate this ADC will belong to a lower Tier in the PKI hierarchy.
[01:33] "Defining CA Types and Roles" – technet.microsoft.com
[01:38] To generate and issue certificates to clients, a CA must have a private key.
Use this option if you don't have a private key or wish to create a new private key to enhance security.
To create a new private key, you must first select a cryptographic service provider, hash algorithm, and key length that are appropriate for the intended use of the certificates that you issue.
Selecting a higher value for key length will result in stronger security, but increase the time needed to complete signing operations.
[01:50] Type in a common name to identify this CA. This name is added to all certificates issued by the CA.
Distinguished Name suffix values are automatically generated but can be modified.
[01:53] You may request a Certificate for this subordinate CA directly from a parent CA in your network or save the request to a file and send it later to a parent CA (Standalone Root).
[01:56] The certificate database records all certificate requests, issued certificates, and revoked or expired certificates.
The database log can be used to monitor management activity for a CA.
Web Enrollment from AD CS suite will be served through Web Server IIS Role Services.
In conjunction with AD CS installation, this feature is ready when this Wizard is finished, because IIS components, as well as the ASP issuance app, will be prepared automatically.
Review your new sCA settings at the Confirm Installation Selections: CA Type, CSP, Hash Algorithm, Key Length, Allow CSP Interaction, Certificate Validity Period, Distinguished Name, Database Log Location, Web Server, RSAT, Management Tools, etc.
Remember that: "The name and domain settings of this computer cannot be changed after Certificate Authority has been installed."
The AD CS installation is incomplete. To finish that, use the request file .req to obtain a certificate from the parent Standalone Root CA. Then, use the CA snap-in to install the certificate.
Do not ignore the warning about "Windows automatic updating is not enabled. To ensure that your newly-installed role or feature is automatically updated, turn on Windows Update in Control Panel."
[02:40] "Securing PKI: Planning a CA Hierarchy" – technet.microsoft.com
Well done, we now have a 2-Tier PKI taken place, domain users can request certificates for themselves with default settings.
Moreover, we can issue special certificates manually, as well as manage PKI settings like: CDP, certificate validity, CRL, etc. through CA console on DCs.