Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 8s
@ -117,10 +117,43 @@ You will see a finalization screen confirming everything we have configured, it
At this point, we will need to focus on getting the certificate signing request generated on `LAB-CA-02` to `LAB-CA-01` (the rootCA), this can be via temporary network access or via a USB flashdrive.
!!! danger
If using a USB flashdrive is not viable, don't leave the RootCA on the network any longer than what is absolutely necessary.
If using a USB flashdrive is not viable, don't leave the RootCA server on the network any longer than what is absolutely necessary.
- Once the certificate signing request file `C:\LAB-CA-02.bunny-lab.io_bunny-lab-LAB-CA-02-CA.req` is on `LAB-CA-01` (RootCA) we can proceed to get it signed.
- **PLACEHOLDER**
- Navigate to "**Server Manager > Tools > Certification Authority**"
- Right-click the CA node in the treeview on the left-hand sidebar (e.g. `BunnyLab-RootCA`)
- Click on "**All Tasks" then "Submit new request...**"
- Browse to and select the subordinate CA’s .req file (e.g. `LAB-CA-02.bunny-lab.io_bunny-lab-LAB-CA-02-CA.req`)
- Click on "**BunnyLab-RootCA > Pending Requests**
- Right-click the request we just imported, and select "**All Tasks > Issue**"
- Click on ""**BunnyLab-RootCA > Issued Certificates**"
- Locate the new subordinate CA certificate, and double-click it.
- Click the "**Details**" tab
- Click the "**Copy to File**" button
- Click "**Next**"
- Choose `DER encoded binary X.509 (.CER)` and save as `LAB-CA-02-SubCA.cer`.
- Export the Root CA certificate:
- Right-click the `BunnyLab-RootCA` node > Properties > View Certificate > Details > Copy to File...
- Save as `RootCA.cer`
- Copy both `LAB-CA-02-SubCA.cer` (the signed subordinate CA cert) and `RootCA.cer` (the root CA cert) to the subordinate CA (`LAB-CA-02`), using a secure method (e.g. USB drive).
!!! info "On the Subordinate CA (LAB-CA-02): Complete CA Installation"
1. Open Certification Authority (certsrv.msc).
2. If prompted, select Install CA Certificate...
- Browse to and select LAB-CA-02-SubCA.cer.
3. If not prompted, right-click the CA node (with warning icon) > All Tasks > Install CA Certificate...
4. When prompted for the CA chain or root certificate, browse to and select RootCA.cer.
5. Ensure the Root CA certificate is also imported into the Trusted Root Certification Authorities store for both the local machine and the CA service.
- Open certlm.msc, right-click Trusted Root Certification Authorities > Certificates, and select Import...
6. Start the Certification Authority service:
- Right-click the CA node > All Tasks > Start Service.
7. Verify that the CA status is now green (running).
!!! success "Next Steps"
- Publish a new CRL:
- Right-click the CA node > All Tasks > Publish > New CRL.
- Export and distribute the CA certificate(s) as needed for client trust via Group Policy.
- Proceed with further PKI configuration (CRL/AIA paths, templates, permissions, etc).
!!! warning "Under Construction"
Section is still being written during lab deployment.
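Review bot: step 6 of the "Complete CA Installation" block ("Right-click the CA node > All Tasks > Start Service") will fail on the subordinate CA if it cannot validate its own certificate chain, which includes checking the subordinate CA certificate's revocation status against the root CA's CRL; with an offline root that check only succeeds if the root's CRL (and the root certificate) has already been published to the CDP/AIA locations embedded in the subordinate certificate, so the procedure should export the root CA's CRL alongside `RootCA.cer` and publish both before starting the service (for example `certutil -dspublish -f RootCA.cer RootCA` and `certutil -dspublish -f RootCA.crl` from a domain-joined host, or a copy to the HTTP CDP path if one is configured). The "Publish a new CRL" item under "Next Steps" refers to the subordinate CA's own CRL and does not cover this. Minor points in the same hunk: the `- **PLACEHOLDER**` bullet is still in place, `"**BunnyLab-RootCA > Pending Requests**` is missing its closing quote, and `""**BunnyLab-RootCA > Issued Certificates**"` has a doubled opening quote.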