08. Install and Configure Enterprise Subordinate Root CA Part-1
- Published on 14 Dec 2024
- Video Series on Deploying Two-Tier Public Key Infrastructure in Windows Server 2019:
Part-3: In the third part of this six-part video series on how to deploy a Two-Tier Public Key Infrastructure, we will see the steps to install and configure an Enterprise Subordinate Certificate Authority on Windows Server 2019.
Link to see the next video:
• 09. Install and Confi...
Link to see the previous video on How to Install and configure Offline Standalone Root CA:
• 07. Install and Confi...
This Video series is based on Technet Guide on Windows Server 2008:
social.technet...
Full Playlist:
yt.vu/p/PLUZTRm...
Follow my blogs:
msftwebcast.bl...
You have excellent presentation skills. Literally speaking, awesome explanation, explaining the smallest of things - so much focus you have; kindly let me know what you do to maintain so much focus.
At 16:09, by mistake, instead of choosing install CA, I did request CA certificate; I realised later, but how can I fix it? After realising, I am not getting the option to install CA.
@17:16 - what are the default templates needed for ADCS to operate properly in Windows Server 2019 & Windows 10 network ???
Users
Computers
OCSP
Domain Controller
web server
RDP Cert
On which server should I run the certutil.exe commands (minute 4:00) (root - subordinate or domain controller) ?
On member server where you are planning to setup enterprise subordinate CA. So it may be member server or domain controller as per your setup. I have used dedicated member server for enterprise subordinate CA.
@@MSFTWebCast Thanks for the answer, in my project the server with the CA Subordinate role is independent from the Domain Controller, I have followed all the steps according to your explanation, but when executing the certutil.exe -dsPublish commands, it returns the following error : DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Could not load Certificate or CRL from file (The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND))
CertUtil: -dsPublish command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.
I ended up getting the AIA location in PKIview as the same location as the CDP. The entire URL with the .crl not the .crt. Not sure what happened.
Why is my Sub CA server certificate showing only 1 year validity... where have I gone wrong?
And in the templates, why am I seeing duplicate templates? All the templates are dual.
Hi, how could I change the DeltaCRL location HTTP URL? Seems like I couldn't change it under the CDP extension, it doesn't take effect... please help me...
Go to CA properties. Click the Extensions tab. Make sure that Select extension is set to CRL Distribution Point (CDP). From the Specify locations, add or remove the locations.
@@MSFTWebCast Yes, I did that but it doesn't help.
At first, I followed your guide to set it to www. but the status of AIA, CDP and DeltaCRL still showed "Unable To Download" even after enabling "Directory Browsing" on IIS. Then I changed it to the FQDN of the Subordinate CA server, the status of AIA and CDP changed to "OK", but DeltaCRL is still "Unable To Download" and the URL is still showing the old one that I set, which is "www.". Any other ways to change it? I have already tried a few times to remove and add, but it still doesn't work on DeltaCRL...
Hi, my CDP and AIA not updating. If I look in pkiview and copy the URL, I can reach the URL but my files are not there :-(
If I copy the generated files from C:\Windows\System32\certsrv\CertEnroll to the URL directory then it is all ok.
I am missing something in writing to the folder; I gave full control to "cert publisher". Please help?
Anyone???
Does anyone have the problem that once the subordinate CA is installed, the LDAP location still appears as Unable to download?
In ADSIedit, the respective Enterprise CA CRLs and CDPs appear, but they do not update in PKIview. Do you have an idea?
Did you ever figure this out? I'm seeing the same thing right now.
you are great man, this video helped me a lot.
thanks..
What will happen if LoadDefaultTemplates=0 in CAPolicy.inf? Will the default templates be visible on the Enterprise CA?
Yes, setting LoadDefaultTemplates=0 prevents the default templates from being added to the Enterprise CA. By default the value is 1, so the default templates are added automatically.
thank you brother
Could you please post here the commands from your notepad?
Here you go:
Notepad C:\Windows\CAPolicy.inf
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
Save the file.
certutil.exe -dsPublish -f "C:\NameofCert with .crt" RootCA
certutil.exe -dsPublish -f "C:\NameofCert with .crl" RootCA
certutil.exe -addstore -f root "C:\NameofCert with .crt"
certutil.exe -addstore -f root "C:\NameofCert with .crl"
@@MSFTWebCast Hello there, love the video and the walkthrough. I would like to ask you how you know what OID to use.
@@zephteo6029 The OID (Object ID) I used in this example is the Microsoft OID. You can get your own OID via PEN registration on IANA.
You didn't show how to install the AD Certificate Services role on the member server. Do we need to install it? If we don't install it, we won't be able to execute certutil commands in PowerShell.
Where's the file to copy-paste?
Sorry. Here is the text.
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
okk
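The CAPolicy.inf and certutil commands posted in the thread above, assembled into one PowerShell script. This is an added example, not the video author's notepad file or anything from the MSFTWebCast blog: the file paths, the CertEnroll URLs and the hostname pki.example.com are placeholders you must replace, and the OID is the one quoted in the comment (register your own PEN with IANA for production). It also adds the two checks the thread's troubleshooting comments would have benefited from: it refuses to call certutil -dsPublish when the .crt/.crl files are not where you said they are (the 0x80070002 ERROR_FILE_NOT_FOUND case), and it fetches each HTTP CDP/AIA location so an "Unable To Download" status in PKIview can be traced to the web server rather than the CA configuration.

```powershell
# Added example (not from the video or its comments). Run from an elevated PowerShell
# prompt on the member server that will become the enterprise subordinate CA, after the
# AD CS role has been installed, BEFORE running the CA configuration wizard.

$RootCert = 'C:\Setup\ROOT-CA.crt'   # placeholder: root CA certificate copied from the offline root
$RootCrl  = 'C:\Setup\ROOT-CA.crl'   # placeholder: root CA CRL copied from the offline root
$Oid      = '1.2.3.4.1455.67.89.5'   # OID quoted in the comment thread; replace with your own PEN-based OID

# Single-quoted here-string so "$Windows NT$" is written literally. CAPolicy.inf needs
# straight ASCII quotes; the curly quotes that survive a copy-paste from a web page break
# the Signature line and the file is silently ignored.
$CaPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=__OID__

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
'@ -replace '__OID__', $Oid

$CaPolicyPath = Join-Path $env:SystemRoot 'CAPolicy.inf'
Set-Content -LiteralPath $CaPolicyPath -Value $CaPolicy -Encoding Ascii
Write-Host "Wrote $CaPolicyPath"

# certutil reports failure through its exit code; stop on the first failed step instead
# of continuing with a half-published root.
function Invoke-CertUtil {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "certutil.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Check the inputs first: the "DecodeFile returned The system cannot find the file
# specified. 0x80070002" error in the thread is certutil being handed a path that
# does not exist on the subordinate CA server.
foreach ($File in @($RootCert, $RootCrl)) {
    if (-not (Test-Path -LiteralPath $File -PathType Leaf)) {
        throw "Missing $File - copy it from the offline root CA's CertEnroll folder before publishing."
    }
}

# Publish the offline root to Active Directory (trusted root + CRL containers) and
# to this server's local machine Root store, exactly as in the posted commands.
Invoke-CertUtil -Arguments @('-dsPublish', '-f', $RootCert, 'RootCA')
Invoke-CertUtil -Arguments @('-dsPublish', '-f', $RootCrl,  'RootCA')
Invoke-CertUtil -Arguments @('-addstore',  '-f', 'root', $RootCert)
Invoke-CertUtil -Arguments @('-addstore',  '-f', 'root', $RootCrl)

# Optional check for the "Unable To Download" symptom from the thread: fetch each HTTP
# AIA/CDP location and confirm the web server actually serves the file. A 404 here means
# the file was never copied to (or the CA cannot write to) the web folder; a connection
# error means DNS or IIS, not the CA extension settings.
$PublishedUrls = @(
    'http://pki.example.com/CertEnroll/ROOT-CA.crt',   # placeholder AIA URL
    'http://pki.example.com/CertEnroll/ROOT-CA.crl'    # placeholder CDP URL
)
foreach ($Url in $PublishedUrls) {
    try {
        $Response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        Write-Host ("{0} -> HTTP {1}, {2} bytes" -f $Url, $Response.StatusCode, $Response.RawContentLength)
    } catch {
        Write-Warning ("{0} -> FAILED: {1}" -f $Url, $_.Exception.Message)
    }
}
```

Once the subordinate CA certificate has been issued and installed, running certutil -verify -urlfetch against that certificate exercises the same AIA and CDP URLs from the CA's own point of view and is the quickest way to confirm that PKIview will show them as OK.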
amazing. I understand nothing ))))
Try again.
@@MSFTWebCast just a joke bro. Thank you for the video