Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services/Deployment.md
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
@ -6,11 +6,17 @@ This document outlines the Microsoft-recommended best practices for deploying a
In this case, `LAB-CA-01` is the Root CA, while `LAB-CA-02` is the Intermediary/Subordinate CA. You can add more than one subordinate CA if you desire redundancy in your environment.
!!! note "Assumptions"
It is assumed that you understand how to set up a Windows Server 2022/2025 bare-metal or as a VM. You should give it at least 4GB of RAM. It is also assumed that you will [change the edition of Windows Server from "*Evaluation*" to a "*Standard*"](https://docs.bunny-lab.io/Workflows/Windows/Change%20Windows%20Edition/) via DISM. Fully updating the server prior to beginning is also advised. Lastly, ensure the timezone is correctly configured.
2. Offline Root CA Setup
Steps:
1. Provision a non-domain-joined, isolated Windows Server.
2. Install AD CS role as a Standalone Root CA.
### Offline Root CA `LAB-CA-01` Setup
- Provision, change edition, and activate a non-domain-joined Windows Server 2022 machine
- Navigate to "**Server Manager > Manage > Add Roles and Features**"
- Check "**Active Directory Certificate Services**"
- When prompted to confirm, click the "**Add Features**" button
- Ensure the "**Include management tools (if applicable)**" checkbox is checked.
-
Install AD CS role as a Standalone Root CA.
3. Use RSA 4096-bit key, SHA-256, 10-year validity.
4. Configure AIA and CDP extensions with HTTP paths.
5. Publish root cert and CRL to AD and internal HTTP.
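Review bot: the new "### Offline Root CA `LAB-CA-01` Setup" bullet list ends in an empty bullet (`-`) directly followed by the leftover step text `Install AD CS role as a Standalone Root CA.`, so the rendered page shows a dangling dash, and the old numbered steps 1-2 under "Steps:" now duplicate the first bullets; either finish that bullet (for example `- Install the AD CS role as a Standalone Root CA`) and drop the duplicated numbered steps, or keep the numbered list and fold the new bullets under it. The first bullet says `Windows Server 2022` while the Assumptions note above says `Windows Server 2022/2025`; pick one. On step 5 (`Publish root cert and CRL to AD and internal HTTP`): the root is non-domain-joined and must stay offline, so the document should say that the root certificate and CRL are copied off the box and published from a domain-joined member with `certutil -dspublish -f <root>.crt RootCA` and `certutil -dspublish -f <root>.crl`, and that the HTTP CDP/AIA URLs configured in step 4 must resolve for every client, since the offline root itself is never reachable. It is also worth stating the root CRL publication interval here, because that interval decides how often the offline root has to be powered on just to re-sign its CRL.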