Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md

2025-07-14 15:01:18 -06:00
parent d18528f5b8
commit a6d1204a11
1 changed files with 37 additions and 4 deletions
--- a/Workflows/Windows/Windows
+++ b/Workflows/Windows/Windows
@ -72,10 +72,44 @@ You will see a finalization screen confirming everything we have configured, it
 - Navigate to "**Server Manager > (Alert Flag) > Post-deployment Configuration: Active Directory Certificate Services**"
    - Under credentials, let it automatically populate a domain admin. (e.g. `BUNNY-LAB\nicole.rappe`)
    - Click "**Next**"
-    - 
+    - Check the following roles (*we will add the rest after setting up the core CA functionality*)
+        - `Certification Authority`
+        - `Certification Authority Web Enrollment`
+    - Check the "**Enterprise CA**" radio box then click "**Next**"
+    - Check the "**Subordinate CA**" radio box then click "**Next**"
+    - Check the "**Create a new private key**" radio box then click "**Next**"
+    - Click the dropdown menu for "**Select a crypotographic provider**" and ensure that "**RSA#Microsoft Software Key Storage Provider**" is selected
+        - *Microsoft Software Key Storage Provider (KSP) is the latest, most flexible provider designed to work with the Cryptography Next Generation (CNG) APIs. It offers better support for modern algorithms and improved security management (such as support for key attestation, better hardware integration, and improved key protection mechanisms).*
+    - Set the key length to `4096`
+    - Set the hash algorithm to `SHA256`
+    - Click "**Next**"
+    - **Common Name for this CA**: `BunnyLab-SubordinateCA-01`
+    - **Distinguished name suffix**: `DC=bunny-lab,DC=io`
+        - This will be auto-filled based on the domain that the CA is joined to
+    - **Preview of distinguished name**: `CN=BunnyLab-SubordinateCA-01,DC=bunny-lab,DC=io`
+    - Click "**Next**"
+    - Select the "**Save a certificate request to file on the target machine**" radio button
+        - This will auto-populate the destination to something like "`C:\LAB-CA-02.bunny-lab.io_bunny-lab-LAB-CA-02-CA.req`"
+    - Click "**Next**" > "**Next**"

-!!! warning "Under Construction"
-    Section is still being written during lab deployment.
+You will see a finalization screen confirming everything we have configured, it should look something like what is seen below:
+
+| **Field** | **Value** |
+| :--- | :--- |
+| CA Type | Enterprise Subordinate |
+| Cryptographic provider | RSA#Microsoft Software Key Storage Provider |
+| Hash Algorithm | SHA256 |
+| Key Length | 4096 |
+| Allow Administrator Interaction | Disabled | 
+| Certificate Validity Period | Determined by the parent CA |
+| Distinguished Name | CN=BunnyLab-SubordinateCA-01,DC=bunny-lab,DC=io |
+| Offline Request File Location | `C:\LAB-CA-02.bunny-lab.io_bunny-lab-LAB-CA-02-CA.req` |
+| Certificate Database Location | C:\Windows\system32\CertLog |
+| Certificate Database Log Location | C:\Windows\system32\CertLog |
+
+    - Click "**Configure**"
+!!! warning "Pending Certificate Signing Request"
+    You will see a screen telling you that the **Certification Authority Web Enrollment** was successful but it will give a warning about the **Certification Authority**.  The Active Directory Certificate Services installation is incomplete.  To complete the installation, use the request file <file-name> to obtain a certificate from the parent CA [*The RootCA*].  Then, use the Certification Authority snap-in to install the certificate.  To complete this procedure, right-click the node with the name of the CA, and then click "Install CA Certificate".

 ### Online (Domain-Joined) Subordinate/Intermediary CA `LAB-CA-02` Configuration Deployment
 !!! warning "Under Construction"
@ -84,7 +118,6 @@ You will see a finalization screen confirming everything we have configured, it
 !!! warning "Raw Unprocessed Documentation - Do Not Use"
    3. Online Subordinate CA Setup
    Steps:
-    1. Domain-join a Windows Server and install AD CS as Enterprise Subordinate CA.
    2. Generate CSR, sign with Root CA, import signed cert.
    3. Configure AIA/CDP extensions for CRL publication.
    4. Enable role separation and auditing.