
Deploying a Two-Tier Standalone Certification Authority Infrastructure
This type of CA infrastructure is appropriate for both Active Directory domain-based and non-domain
environments. With it we can issue certificates to any device or user, e.g. Cisco ASA firewalls,
routers, switches, computers, web servers, domain controllers, etc. Both CAs are standalone (not
enterprise) CAs, so there are no certificate templates or autoenrollment: every request is submitted,
issued and installed by hand or by script.
Following are the steps for configuring a Root CA and a Subordinate CA. We will call the Root CA RootCA
and the Subordinate CA SubCA.

Configuring RootCA
1. Prepare a non-domain-joined computer (the root should stay offline once the SubCA certificate is issued)
2. Make sure the date and time are correct
3. Select the Standalone option
4. Install the Certification Authority role
   I. Name it RootCA
   II. Select a key length of 2048 bits
   III. Validity 50 years (the guide's figure; current guidance such as NIST SP 800-57 does not rate a 2048-bit RSA key as secure for that long, so plan to renew the root well before then)
5. Navigate to the properties of RootCA
6. Under the General tab, select the certificate properties (the Extensions tab)
7. Clear all CRL Distribution Point and Authority Information Access entries, so that no CDP/AIA URLs are placed in the certificates RootCA issues (the local publication path under C:\Windows\System32\CertSrv\CertEnroll remains and is where the CRL file is written)
8. Run regedit
9. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSrv\Configuration\RootCA
10. Set the validity period to 20 years (ValidityPeriodUnits = 20, ValidityPeriod = Years). This is the maximum lifetime of certificates RootCA issues, i.e. the SubCA certificate, not the lifetime of the root certificate itself
11. Export the RootCA certificate and copy it to SubCA

Configuring SubCA
The following steps must be followed to successfully configure the SubCA. In the RootCA configuration we
cleared the revocation check points (CRL Distribution Points and Authority Information Access) because the
default LDAP and HTTP locations are not configured on a non-domain root and the SubCA cannot reach them;
when the CA service starts it checks the revocation status of its own certificate, that check fails with a
"revocation server offline" error, and the service does not start at all. Any CDP/AIA entries left in place
on RootCA are embedded as extensions in the SubCA certificate. We can prune the entries on SubCA the same
way, but we should leave at least the local publication path under C:\Windows\System32\CertSrv (by default
the CertEnroll subfolder), so that there is at least one check point for revoked certificates. Bear in
mind what this design gives up: with no CDP in the SubCA certificate, clients have no way to learn that the
SubCA itself has been revoked, so the root must stay offline and the SubCA key must be protected
accordingly. The CRLF_REVCHECK_IGNORE_OFFLINE flag set below only lets the CA service start when a CRL is
unreachable; it does not change how clients validate certificates. In case of configuring a Cisco ASA with
our CAs for SSL VPN with certificate authentication, we will have to configure IIS on SubCA and point a
virtual directory to the above location so the ASA and clients can fetch the CRL over HTTP.
1. Copy the RootCA certificate to the Trusted Root Certification Authorities store
2. Make sure the date and time are correct
3. Select Standalone
4. Select the Subordinate option
5. Install the Certification Authority role
6. Name it SubCA
7. Select a key length of 2048 bits
8. Copy the certificate request to RootCA
9. On RootCA submit the request, issue it (a standalone CA holds requests as pending until an administrator issues them) and copy the issued certificate to SubCA
10. Run regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSrv\Configuration\SubCA
11. Set the validity period to 5 years (ValidityPeriodUnits = 5, ValidityPeriod = Years); this caps the lifetime of the certificates SubCA issues
12. Run the command: certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
13. Install the SubCA certificate
14. Accept the error message (the revocation-offline warning, which the flag in step 12 tells the service to tolerate)
15. The SubCA service should start; if not, start it manually
16. Start issuing certificates
17. Configure IIS with a virtual directory pointing to the location above
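The two procedures above, RootCA and SubCA, driven from PowerShell as an added example (this is not script from the original guide). It uses the ADCSDeployment cmdlets and certutil/certreq. Assumptions not stated in the guide: C:\PKI is the folder used to carry files between the two machines, each CA's hostname equals its CA name, SHA-256 is the hash, and the SubCA's IIS site is reachable as http://subca.example.local.

```powershell
# Added example, not part of the original guide. Assumed: CA names RootCA and SubCA
# (hostnames the same), C:\PKI as the transfer folder, SHA-256, IIS on the SubCA
# answering at http://subca.example.local.

# ---------- Run on the RootCA (non-domain-joined, kept offline) ----------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Steps 3-4: standalone root, 2048-bit RSA key, 50-year CA certificate
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "RootCA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 50 -Force

# Steps 5-7: keep only the local publication path. Flag 1 = "publish the file
# here", flag 2 = "put this URL into issued certificates"; with no entry carrying
# flag 2, the SubCA certificate gets no CDP/AIA URL it could fail to reach.
certutil -setreg CA\CRLPublicationURLs    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'

# Steps 8-10: lifetime of certificates RootCA issues (i.e. the SubCA certificate)
certutil -setreg CA\ValidityPeriodUnits 20
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service CertSvc
certutil -crl                                    # publish a first CRL

# Step 11: export the root certificate for the SubCA
New-Item -ItemType Directory -Path C:\PKI -Force | Out-Null
certutil -ca.cert C:\PKI\RootCA.cer

# ---------- Run on the SubCA ----------
certutil -addstore -f Root C:\PKI\RootCA.cer     # step 1: trust the root
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Steps 3-8: standalone subordinate; the request file is carried to the RootCA
Install-AdcsCertificationAuthority -CAType StandaloneSubordinateCA `
    -CACommonName "SubCA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile C:\PKI\SubCA.req -Force

# Step 9, run on the RootCA after copying SubCA.req there. A standalone CA holds
# the request as pending; certutil -resubmit issues it.
#   $out = certreq -submit -config "$env:COMPUTERNAME\RootCA" C:\PKI\SubCA.req
#   $id  = ($out | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
#   certutil -resubmit $id
#   certreq -retrieve -config "$env:COMPUTERNAME\RootCA" $id C:\PKI\SubCA.cer
# then carry SubCA.cer back to the SubCA.

# Steps 10-12: 5-year issued certificates; let the service start even when the
# CRL for its own certificate cannot be fetched.
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

# Keep the local publication path and add an HTTP CDP/AIA served by IIS from the
# same folder (flag 2 embeds the URL). certutil separates entries with \n.
certutil -setreg CA\CRLPublicationURLs    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://subca.example.local/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://subca.example.local/CertEnroll/%1_%3%4.crt'

# Steps 13-15: install the issued certificate, start the service, publish a CRL
certutil -installcert C:\PKI\SubCA.cer
Start-Service CertSvc
certutil -crl

# Step 17: IIS virtual directory over the CertEnroll folder
Install-WindowsFeature Web-Server -IncludeManagementTools
Import-Module WebAdministration
New-WebVirtualDirectory -Site "Default Web Site" -Name CertEnroll `
    -PhysicalPath "$env:windir\system32\CertSrv\CertEnroll"
# Delta CRL file names contain '+', which IIS request filtering rejects unless
# double escaping is allowed on the virtual directory.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertEnroll' `
    -Filter system.webServer/security/requestFiltering `
    -Name allowDoubleEscaping -Value $true
```

The HTTP URL is only useful if it is added before SubCA issues certificates, since the CDP is baked into each issued certificate; after changing the URLs, `certutil -crl` republishes so the file IIS serves is current.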

Generating Certificate Requests on Computers
1. Copy the RootCA and SubCA certificates to the computer
2. Make sure the date and time are correct
3. Open an MMC
4. Add the Certificates snap-in
5. Select Computer account
6. Select Local computer
7. Import RootCA into the Trusted Root Certification Authorities store and SubCA into the Intermediate Certification Authorities store (only the self-signed root belongs in the Root store; the issuing CA is an intermediate)
8. Navigate to Personal
9. Select Create Custom Request
10. Pass through the options (proceed without an enrollment policy) until you reach the template choice and select (No template) CNG key
11. Select Properties
12. Give it a friendly name
13. Under Subject, supply a Common Name and a DNS alternative name; both must be exactly the computer's fully qualified name, because clients compare it with the name they connect to
14. Set the key length to 2048 bits
15. Select Digital Signature and Key Encipherment (Data Encipherment is not needed for a TLS certificate)
16. Select Server Authentication and Client Authentication
17. Choose whether you want the private key to be exportable. If you will not copy this certificate to
another location such as Internet Explorer's personal certificate store, choose the Non-Exportable option; otherwise choose Exportable
18. Select Export Extended Properties
19. Apply
20. OK
21. Finish
22. Copy the request file to SubCA
23. Issue the certificate on SubCA
24. Copy the issued certificate back to the computer
25. Under the Personal store, import the certificate; it pairs with the pending request's private key
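The same request built with certreq and an INF file, as an added example that is not part of the original guide, so that the MMC steps can be repeated on many computers. Assumptions: the computer's fully qualified name comes from DNS, C:\PKI holds the CA certificates and request files, the request is issued locally on the SubCA (CA config "<SubCA hostname>\SubCA"), and SHA-256 is used.

```powershell
# Added example, not part of the original guide. Assumed: FQDN from DNS, C:\PKI
# as the working folder, issuance done locally on the SubCA, SHA-256.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$work = "C:\PKI"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Steps 1-7: trust the chain. The root goes to Trusted Root Certification
# Authorities (Root), the issuing CA to Intermediate Certification Authorities (CA).
certutil -addstore -f Root "$work\RootCA.cer"
certutil -addstore -f CA   "$work\SubCA.cer"

# Steps 8-20 as a certreq INF. Exportable=FALSE keeps the key in the machine
# store; set TRUE only if the certificate must be moved to another store or host.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
FriendlyName = "$fqdn (issued by SubCA)"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
; Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xa0

[Extensions]
; Extended Key Usage: Server Authentication, Client Authentication
2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2"
; Subject Alternative Name: must equal the computer's full name, like the CN
2.5.29.17 = "{text}dns=$fqdn"
"@
Set-Content -Path "$work\$fqdn.inf" -Value $inf -Encoding ASCII

# Step 21: create the key pair and the PKCS#10 request; the key never leaves this host
certreq -new "$work\$fqdn.inf" "$work\$fqdn.req"

# Steps 22-24, run on the SubCA after copying <fqdn>.req there. A standalone CA
# leaves the request pending; certutil -resubmit issues it.
#   $out = certreq -submit -config "$env:COMPUTERNAME\SubCA" "C:\PKI\<fqdn>.req"
#   $id  = ($out | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
#   certutil -resubmit $id
#   certreq -retrieve -config "$env:COMPUTERNAME\SubCA" $id "C:\PKI\<fqdn>.cer"
# then copy <fqdn>.cer back to this computer.

# Step 25: bind the issued certificate to the pending request's private key
certreq -accept "$work\$fqdn.cer"

# Check: chain builds to RootCA, the CDP (the SubCA's CertEnroll virtual
# directory) is reachable, and the machine store holds the key.
certutil -verify -urlfetch "$work\$fqdn.cer"
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Select-Object Thumbprint, HasPrivateKey, NotAfter, EnhancedKeyUsageList
```

If `certutil -verify -urlfetch` reports the revocation server as offline, the IIS virtual directory on the SubCA is not serving the CRL (wrong path, request filtering, or the HTTP URL was added to CRLPublicationURLs after this certificate was issued), which is exactly the condition a Cisco ASA doing certificate authentication will also trip over.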
