Wednesday, November 16, 2011

Windows 3-Tier Certificate Authority

Many months ago I was tasked with implementing a 3-tier Certificate Authority for a large Windows domain environment. Unfortunately there is surprisingly little information for the nitty-gritty questions one may have. The Microsoft Press book Windows Server® 2008 PKI and Certificate Security proved quite useful, but at times lacking. (This book seems to have been discontinued, thus outrageous pricing; add a comment if you want a link to the eBook.) The Corelan Team site added more insight and was quite useful as well.

Here is the document I created detailing our setup and configuration process (using generic server names and Contoso as the company). Please review the entire document first, then use it for reference. Please note: this document is unsupported and is meant only as a guide.

Should you post questions here, I will do my best to answer them or help point you in the correct direction. This project took place almost a year ago and I'm no longer on site to examine the configuration, so please understand if I may not be able to shed light into the darkest corners of CA voodoo.

P.S. Thanks to SL @ TM for his time and trust with this project.


  1. Hey thanks for making the guide. I'm having a little trouble following one piece. Under Issuing CA there's a script to run on step 16. When I run that script several of my certs aren't imported. I'm assuming it's something with the name of my crt and crl files. If I want to manually install these certificates into the correct store which store would the policy cert go into and which would the root cert go into?

  2. I had some goofiness importing at times too. Try paring down the script to just import one or two certs at a time. And with all the arcane cmds I found I'd occasionally have a syntax error.

    If you are looking to add them manually my best guesses would be:
    Trusted Root CA container for your root certs
    Intermediate CA container for your policy certs

    Hope that helps!
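An added example, not the step-16 script from the linked document and not the commenter's code: it places each exported CA certificate into the store suggested above by inspecting the certificate itself (self-signed means root, otherwise subordinate/policy) instead of relying on file names, so a misnamed file cannot land in the wrong store. It assumes the exported .crt and .crl files sit in C:\CAImport and that each CRL shares its CA certificate's base name (both are constructed assumptions).

```powershell
# Added example (not from the post or its linked guide). Assumes the .crt and .crl
# files exported from the offline root and policy CAs are in C:\CAImport (constructed).
# Classification is by content, not file name: a self-signed certificate
# (Subject equals Issuer) is a root and belongs in the Root store; any other CA
# certificate is a subordinate (policy) CA and belongs in the CA (Intermediate) store.
$ImportDir = 'C:\CAImport'

function Get-CaStoreForCert {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
}

foreach ($crt in Get-ChildItem -Path $ImportDir -Filter *.crt) {
    $store = Get-CaStoreForCert $crt.FullName
    Write-Host "Importing $($crt.Name) into LocalMachine\$store"
    certutil -addstore -f $store $crt.FullName
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil failed on $($crt.Name)" }
}

# A CRL has no self-signed marker, so pair it with its CA's certificate by base name
# (root.crt -> root.crl; constructed naming convention) and use the same store.
foreach ($crl in Get-ChildItem -Path $ImportDir -Filter *.crl) {
    $crtPath = Join-Path $ImportDir ($crl.BaseName + '.crt')
    if (-not (Test-Path $crtPath)) {
        Write-Warning "No matching .crt for $($crl.Name); skipping"
        continue
    }
    $store = Get-CaStoreForCert $crtPath
    certutil -addstore -f $store $crl.FullName
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil failed on $($crl.Name)" }
}

# Verify: each CA subject should appear in exactly one of the two stores.
certutil -store Root | Select-String 'Subject:'
certutil -store CA   | Select-String 'Subject:'
```

Run from an elevated prompt, since both stores live under LocalMachine.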

  3. What are the primary benefits of going with a 3-tier over a 2-tier Certificate Authority Model in your opinion? Oh, and might I get a copy of that e-book.

  4. I believe we did a 3-tier because an affiliated company had one, so of course it was a good idea...