By now you have a subordinate Certificate Authority along with the Web Enrollment application, and you might think everything is ready to start issuing certificates.
The Root CA seems to have nothing left to do, so why do we need it?
Remember that there is a step during Certificate Authority installation that asks for the root CA's address in order to obtain a CA certificate for the sub-CA.
The subordinate CA cannot be used until it has been issued a CA certificate by the root CA and that certificate has been used to complete the installation of the subordinate CA.
The subordinate CA must request permission to become a component of the domain's PKI so that it has a certificate to operate with, is published into AD DS to integrate with Group Policy, is trusted by clients, and so on.
[00:16] "How CA Certificates Work" – technet.microsoft.com
[00:19] According to best practice, the Root CA should remain isolated, so obtaining the subordinate CA certificate may require exchanging the .req and .cer files manually.
In this VMware Workstation virtual lab we use the second method: submitting the CA certificate request to the parent CA through an online channel.
Let's switch to the Root CA (WS 2008 R2), open the Certification Authority (certsrv) console, and navigate to the Pending Requests section.
Verify the Request ID, Binary Request, Status Code, Disposition Message, Submission Date and Requester Name.
In fact, you should also check the Country/Region, Organization, Organizational Unit and the other subject fields.
[00:51] After you have approved that request by clicking Issue, navigate to the Issued Certificates section to see the newly created certificate for the sub-CA.
It was generated from the Subordinate Certificate template with default settings.
You can verify it by inspecting the Request ID, Requester Name, Binary Certificate, Serial Number, Effective Date, Expiration Date and so on through the Certificate dialog if needed.
[01:11] Now you just need to export that certificate, transfer it to the sub-CA through a secure medium, and import it there.
[01:32] Similarly, open the Certification Authority console on the sub-CA and launch the Install CA Certificate dialog.
You can always request a new one through the CA Certificate Request tool.
Select an online CA to send the request to by specifying the Computer Name and Parent CA.
If you want to send the request to an offline CA, click Cancel and send the request file at C:\…req to your parent CA.
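The same approve, retrieve and install steps can be driven from the command line with certutil and certreq, which is handy when the root CA is isolated and you are moving files by hand. This is an added example, not part of the video; the CA config string "ROOTCA\Contoso-Root-CA", the Request ID 5 and the file paths are assumptions and must be replaced with the values from your own lab.

```powershell
# Added example, not from the video. Assumed values: parent CA "ROOTCA\Contoso-Root-CA",
# pending Request ID 5, request file C:\SubCA.req, certificate files C:\SubCA.cer and C:\RootCA.cer.

# --- On the sub-CA: submit the request to the online parent (what the Install CA Certificate
#     dialog does for you). With manager approval required, this returns "Certificate request is pending".
certreq -submit -config "ROOTCA\Contoso-Root-CA" C:\SubCA.req C:\SubCA.cer

# --- On the Root CA: list pending requests (Disposition 9 = pending) with the fields the video checks.
certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,Request.SubmittedWhen,Request.DispositionMessage"

# Inspect the subject (Country/Region, Organization, OU) and template of one request before approving it.
certutil -view -restrict "RequestID=5" -out "RequestID,Request.DistinguishedName,CertificateTemplate"

# Approve (issue) the pending request; this is the Issue menu action.
certutil -resubmit 5

# Retrieve the issued certificate to a file (Issued Certificates section, then Export).
certreq -retrieve -config "ROOTCA\Contoso-Root-CA" 5 C:\SubCA.cer

# Export the root CA's own certificate as well, so the sub-CA can build and publish the chain.
certutil -config "ROOTCA\Contoso-Root-CA" -ca.cert C:\RootCA.cer

# --- On the sub-CA, after copying C:\SubCA.cer and C:\RootCA.cer over a secure medium ---
# Verify the chain first: with the root certificate trusted, this ends in
# "CertUtil: -verify command completed successfully." and reports no revocation or chain errors.
certutil -verify C:\SubCA.cer

# Install the CA certificate and start the CA service that was stopped until now.
certutil -installcert C:\SubCA.cer
Start-Service certsvc
```

The `certutil -view -restrict` filter is worth keeping: on a busy CA it lets you confirm that only the request you expect is waiting before you issue anything, and the `Request.DistinguishedName` column shows the subject fields that the video tells you to check by hand.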
[01:51] "Exporting the Certification Authority Certificates" – technet.microsoft.com
[02:01] Keep in mind the warning "Active Directory Certificate Services is stopped. Certain properties will be unavailable." which you will see on the sub-CA until the CA certificate has been installed and the service started.
[02:11] "Installing a Two Tier PKI Hierarchy in Windows Server 2016" – arthurremy.com
[02:17] Well done: with that certificate, this sub-CA can now communicate with clients as well as other CAs to perform further PKI operations.
[02:24] "Step by Step: Deploying an Enterprise Subordinate CA in Server 2012 R2 (Part 2)" – mizitechinfo.wordpress.com
This series, Installing and Configuring Active Directory Certificate Services Server Role, focuses mainly on building a strong foundation for the PKI before we go ahead.
It is recommended that you configure the Certificate Revocation List even in a test lab; that will be presented in part 3.