Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services/Deployment.md
This commit is contained in:
2025-07-11 16:55:33 -06:00
parent e7e5020100
commit 9a8584a101

@ -2,20 +2,35 @@
This document outlines the Microsoft-recommended best practices for deploying a secure, internal-use-only, two-tier Public Key Infrastructure (PKI) using Windows Server 2022 or newer. The PKI supports securing S/MIME email, 802.1X Wi-Fi with NPS, and LDAP over SSL (LDAPS).
!!! abstract "Environment Breakdown"
The environment will consist of at least 2 virtual machines. For the purposes of this document they will be named `LAB-CA-01` and `LAB-CA-02`. This stands for "*Lab Certificate Authority [01|02]*" In a two-tier hierarchy, an offline Root CA signs a single "*Subordinate*" Enterprise CA certificate. The Subordinate CA is domain-joined and handles all certificate requests. Clients trust the PKI via Group Policy and Active Directory integration.
The environment will consist of at least 2 virtual machines. For the purposes of this document they will be named `LAB-CA-01` and `LAB-CA-02`. This stands for "*Lab Certificate Authority [01|02]*". In a two-tier hierarchy, an offline (*you intentionally keep this VM offline*) Root CA signs a single "*Subordinate*" Enterprise CA certificate. The Subordinate CA is domain-joined and handles all certificate requests. Clients trust the PKI via Group Policy and Active Directory integration.
In this case, `LAB-CA-01` is the Root CA, while `LAB-CA-02` is the Intermediary/Subordinate CA. You can add more than one subordinate CA if you desire redundancy in your environment.
In this case, `LAB-CA-01` is the Root CA, while `LAB-CA-02` is the Intermediary/Subordinate CA. You can add more than one subordinate CA if you desire more redundancy in your environment. Making them operate together is generally automatic and does not require manual intervention.
!!! note "Assumptions"
It is assumed that you understand how to set up a Windows Server 2022/2025 bare-metal or as a VM. You should give it at least 4GB of RAM. It is also assumed that you will [change the edition of Windows Server from "*Evaluation*" to a "*Standard*"](https://docs.bunny-lab.io/Workflows/Windows/Change%20Windows%20Edition/) via DISM. Fully updating the server prior to beginning is also advised. Lastly, ensure the timezone is correctly configured.
- OS = Windows Server 2022/2025 bare-metal or as a VM
- You should give it at least 4GB of RAM.
- It is assumed that you will [change the edition of Windows Server from "*Evaluation*" to a "*Standard*"](https://docs.bunny-lab.io/Workflows/Windows/Change%20Windows%20Edition/) via DISM.
- Ensure the server is fully updated
- Ensure the timezone is correctly configured
- Ensure the hostname is correctly configured
### Offline Root CA `LAB-CA-01` Setup
- Provision, change edition, and activate a non-domain-joined Windows Server 2022 machine
- Provision the non-domain-joined Windows Server
- Navigate to "**Server Manager > Manage > Add Roles and Features**"
- Check "**Active Directory Certificate Services**"
- When prompted to confirm, click the "**Add Features**" button
- Ensure the "**Include management tools (if applicable)**" checkbox is checked.
-
- Click "**Next**" > "**Next**" > "**Next**"
- You will be told that the name of the server cannot be changed after this point, and it will be associated with `WORKGROUP` > This is fine and you can proceed.
- Check the boxes for the following role services:
- `Certification Authority`
- `Certificate Enrollment Policy Web Service`
- `Certificate Enrollment Web Service`
- `Certification Authority Web Enrollment`
- When prompted to confirm multiple times, click the "**Add Features**" button
- Ensure the "**Include management tools (if applicable)**" checkbox is checked.
- Click "**Next**" > "**Next**" > "**Next**" > "**Install**"
Install AD CS role as a Standalone Root CA.
3. Use RSA 4096-bit key, SHA-256, 10-year validity.
4. Configure AIA and CDP extensions with HTTP paths.
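Review bot: The role-service list under "Offline Root CA `LAB-CA-01` Setup" is wrong for this machine; only `Certification Authority` belongs on the offline root. `Certificate Enrollment Policy Web Service` and `Certificate Enrollment Web Service` require a domain-joined server, and this same section has just told the reader the box stays in `WORKGROUP` (the "it will be associated with `WORKGROUP` > This is fine" step), so the AD CS configuration wizard will not be able to complete them. `Certification Authority Web Enrollment` installs IIS on a CA that the document says is intentionally kept offline; nobody enrolls against a root CA, so it only widens the attack surface of the most sensitive key in the hierarchy. Drop the three web role services here (if they are needed at all they belong on `LAB-CA-02`), which also removes the need for the "When prompted to confirm multiple times" line. Smaller points in the same hunk: there is an empty `-` bullet left after the "Include management tools" line; the end of the section still carries the old steps "Install AD CS role as a Standalone Root CA.", "3. Use RSA 4096-bit key, SHA-256, 10-year validity." and "4. Configure AIA and CDP extensions with HTTP paths." with no items 1 and 2 left, so they should be rewritten as `-` bullets in the same style as the steps above them rather than left as a dangling numbered list; and "Making them operate together is generally automatic and does not require manual intervention" is too vague for an operator, so say what is meant (each Enterprise subordinate CA publishes the templates it issues to Active Directory and clients enroll against whichever CA is available, so no coordination between the subordinates is configured by hand).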