Many months ago I was tasked with implementing a 3-tier Certificate Authority for a large Windows domain environment. Unfortunately there is surprisingly little information for the nitty-gritty questions one may have. The Microsoft Press book Windows Server® 2008 PKI and Certificate Security proved quite useful, but at times lacking. (This book seems to have been discontinued, hence the outrageous pricing; add a comment if you want a link to the eBook.) The Corelan Team site added more insight and was quite useful as well.
Here is the document I created detailing our setup and configuration process (using generic server names and Contoso as the company). Please review the entire document before using it for reference. Please note: this document is unsupported and is meant only as a guide.
Should you post questions here, I will do my best to answer them or help point you in the correct direction. This project took place almost a year ago and I'm no longer on site to examine the configuration, so please understand if I may not be able to shed light on the darkest corners of CA voodoo.
Ps. Thanks to SL @ TM for his time and trust with this project.
Hey, thanks for making the guide. I'm having a little trouble following one piece. Under Issuing CA there's a script to run at step 16. When I run that script several of my certs aren't imported. I'm assuming it's something with the names of my .crt and .crl files. If I want to manually install these certificates into the correct store, which store would the policy cert go into and which would the root cert go into?
I had some goofiness importing at times too. Try paring down the script to just import one or two certs at a time. And with all the arcane commands I found I'd occasionally have a syntax error.
If you are looking to add them manually, my best guesses would be:
Trusted Root CA container for your root certs
Intermediate CA container for your policy certs
Hope that helps!
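The manual import described in the answer above, as an added example that is not the step 16 script from the original guide. It uses certutil (part of Windows) to place the root CA certificate and CRL in the Trusted Root store and the policy CA certificate and CRL in the Intermediate store, then checks what landed. The file paths and the Contoso subject filter are assumptions; substitute the .crt/.crl files your own CAs produced.

```powershell
# Added example (not the original guide's script): import a 3-tier chain by hand.
# Run in an elevated PowerShell 3.0 or later on the machine that needs the chain.
# File paths below are assumptions; point them at your own CA output files.
$RootCert   = 'C:\PKI\ContosoRootCA.crt'
$RootCrl    = 'C:\PKI\ContosoRootCA.crl'
$PolicyCert = 'C:\PKI\ContosoPolicyCA.crt'
$PolicyCrl  = 'C:\PKI\ContosoPolicyCA.crl'

# Fail early on a mistyped file name instead of silently skipping a cert,
# which is the symptom described in the question above.
foreach ($f in $RootCert, $RootCrl, $PolicyCert, $PolicyCrl) {
    if (-not (Test-Path -Path $f)) { throw "Missing file: $f" }
}

# Root CA certificate and CRL: Trusted Root Certification Authorities (store name "Root").
certutil -addstore -f Root $RootCert
certutil -addstore -f Root $RootCrl

# Policy (intermediate) CA certificate and CRL: Intermediate Certification Authorities (store name "CA").
certutil -addstore -f CA $PolicyCert
certutil -addstore -f CA $PolicyCrl

# Show what is now in each LocalMachine store so a wrong placement is visible immediately.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Contoso*' } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
Get-ChildItem -Path Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like '*Contoso*' } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize

# Build the policy CA's chain against the local stores. A chain or revocation
# error here means a file went into the wrong store or the CRL was not imported.
certutil -verify $PolicyCert

# Optional, once, from an account with rights to the Configuration partition:
# publish the same objects to Active Directory so every domain member picks
# them up through Group Policy instead of needing this script run locally.
# certutil -dspublish -f $RootCert   RootCA
# certutil -dspublish -f $PolicyCert SubCA
```

The store names that certutil expects ("Root" and "CA") are the short names behind the Trusted Root Certification Authorities and Intermediate Certification Authorities containers in the certificates MMC; importing a policy CA certificate into "Root" will still build a chain, but it makes that intermediate a trust anchor on its own, which defeats the point of the tiered design.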
What are the primary benefits of going with a 3-tier over a 2-tier Certificate Authority Model in your opinion? Oh, and might I get a copy of that e-book?
I believe we did a 3-tier because an affiliated company had one, so of course it was a good idea...