From b5ff4d7c5e417fe817419c3fd245d3746dc29afd Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Tue, 15 Jul 2025 22:05:16 -0600 Subject: [PATCH] Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md --- .../Active Directory Certificate Services.md | 37 ++++++++++++++++++- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md index 7722a77..fbb4c79 100644 --- a/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md +++ b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md 
@@ -117,10 +117,43 @@ You will see a finalization screen confirming everything we have configured, it At this point, we will need to focus on getting the certificate signing request generated on `LAB-CA-02` to `LAB-CA-01` (the rootCA), this can be via temporary network access or via a USB flashdrive. !!! danger - If using a USB flashdrive is not viable, don't leave the RootCA on the network any longer than what is absolutely necessary. + If using a USB flashdrive is not viable, don't leave the RootCA server on the network any longer than what is absolutely necessary. - Once the certificate signing request file `C:\LAB-CA-02.bunny-lab.io_bunny-lab-LAB-CA-02-CA.req` is on `LAB-CA-01` (RootCA) we can proceed to get it signed. - - **PLACEHOLDER** +- Navigate to "**Server Manager > Tools > Certification Authority**" + - Right-click the CA node in the treeview on the left-hand sidebar (e.g. `BunnyLab-RootCA`) + - Click on "**All Tasks" then "Submit new request...**" + - Browse to and select the subordinate CA’s .req file (e.g. `LAB-CA-02.bunny-lab.io_bunny-lab-LAB-CA-02-CA.req`) + - Click on "**BunnyLab-RootCA > Pending Requests** + - Right-click the request we just imported, and select "**All Tasks > Issue**" + - Click on ""**BunnyLab-RootCA > Issued Certificates**" + - Locate the new subordinate CA certificate, and double-click it. + - Click the "**Details**" tab + - Click the "**Copy to File**" button + - Click "**Next**" + - Choose `DER encoded binary X.509 (.CER)` and save as `LAB-CA-02-SubCA.cer`. + - Export the Root CA certificate: + - Right-click the `BunnyLab-RootCA` node > Properties > View Certificate > Details > Copy to File... + - Save as `RootCA.cer` +- Copy both `LAB-CA-02-SubCA.cer` (the signed subordinate CA cert) and `RootCA.cer` (the root CA cert) to the subordinate CA (`LAB-CA-02`), using a secure method (e.g. USB drive). + +!!! info "On the Subordinate CA (LAB-CA-02): Complete CA Installation" +1. Open Certification Authority (certsrv.msc). +2. 
If prompted, select Install CA Certificate... +- Browse to and select LAB-CA-02-SubCA.cer. +3. If not prompted, right-click the CA node (with warning icon) > All Tasks > Install CA Certificate... +4. When prompted for the CA chain or root certificate, browse to and select RootCA.cer. +5. Ensure the Root CA certificate is also imported into the Trusted Root Certification Authorities store for both the local machine and the CA service. +- Open certlm.msc, right-click Trusted Root Certification Authorities > Certificates, and select Import... +6. Start the Certification Authority service: +- Right-click the CA node > All Tasks > Start Service. +7. Verify that the CA status is now green (running). + +!!! success "Next Steps" +- Publish a new CRL: +- Right-click the CA node > All Tasks > Publish > New CRL. +- Export and distribute the CA certificate(s) as needed for client trust via Group Policy. +- Proceed with further PKI configuration (CRL/AIA paths, templates, permissions, etc). !!! warning "Under Construction" Section is still being written during lab deployment.
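Review bot: the bodies of the new `!!! info "On the Subordinate CA ..."` and `!!! success "Next Steps"` admonitions are not indented, so under the mkdocs-material admonition syntax the page already uses (see the `!!! danger` and `!!! warning` blocks in the same hunk) both boxes will render empty and the numbered steps will fall out as a top-level list; indent every line of those bodies by four spaces, and indent the `- Browse to and select LAB-CA-02-SubCA.cer.`, `- Open certlm.msc ...` and `- Right-click the CA node > All Tasks > Start Service.` sub-items one level further so they nest under steps 2, 5 and 6 instead of resetting the `1.`/`3.`/`6.` numbering. Two lines in the root-CA steps also have unbalanced quote/bold markers: `- Click on "**BunnyLab-RootCA > Pending Requests**` is missing its closing `"`, and `- Click on ""**BunnyLab-RootCA > Issued Certificates**"` has a doubled opening `""`; the `"**All Tasks" then "Submit new request...**"` line would read more consistently with the other steps as `"**All Tasks > Submit new request...**"`. Finally, the "Copy both ... to the subordinate CA" step and step 4 reference `RootCA.cer` while the earlier file-naming line for the subordinate certificate uses `LAB-CA-02-SubCA.cer`; worth stating the save location on `LAB-CA-02` once, since the `!!! danger` note above stresses getting the root CA back off the network quickly and the reader should not have to return to it for a second export.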