docs/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services/Deployment.md

Purpose

This document outlines the Microsoft-recommended best practices for deploying a secure, internal-use-only, two-tier Public Key Infrastructure (PKI) using Windows Server 2022 or newer. The PKI supports securing S/MIME email, 802.1X Wi-Fi with NPS, and LDAP over SSL (LDAPS).

!!! abstract "Environment Breakdown" The environment will consist of at least 2 virtual machines. For the purposes of this document they will be named LAB-CA-01 and LAB-CA-02. This stands for "Lab Certificate Authority [01|02]". In a two-tier hierarchy, an offline (you intentionally keep this VM offline) Root CA signs a single "Subordinate" Enterprise CA certificate. The Subordinate CA is domain-joined and handles all certificate requests. Clients trust the PKI via Group Policy and Active Directory integration.

In this case, `LAB-CA-01` is the Root CA, while `LAB-CA-02` is the Intermediary/Subordinate CA.  You can add more than one subordinate CA if you desire more redundancy in your environment.  Making them operate together is generally automatic and does not require manual intervention.

!!! note "Provisioning Assumptions" - OS = Windows Server 2022/2025 bare-metal or as a VM
- You should give it at least 4GB of RAM.
- Change the edition of Windows Server from "Evaluation" to "Standard" via DISM - Ensure the server is fully updated
- Ensure the server is activated - Ensure the timezone is correctly configured - Ensure the hostname is correctly configured

Offline Root CA LAB-CA-01 Role Deployment

• Provision a non-domain-joined Windows Server
  • This is critical that this device is not domain-joined for security purposes
• Navigate to "Server Manager > Manage > Add Roles and Features"
  • Check "Active Directory Certificate Services"
    • When prompted to confirm, click the "Add Features" button
    • Ensure the "Include management tools (if applicable)" checkbox is checked.
  • Click "Next" > "Next" > "Next"
    • You will be told that the name of the server cannot be changed after this point, and it will be associated with WORKGROUP > This is fine and you can proceed.
  • Check the boxes for the following role services:
    • Certification Authority
    • Certificate Enrollment Policy Web Service
    • Certificate Enrollment Web Service
    • Certification Authority Web Enrollment
      • When prompted to confirm multiple times, click the "Add Features" button
      • Ensure the "Include management tools (if applicable)" checkbox is checked.
  • Click "Next" > "Next" > "Next" > "Install"
  • Restart the Server

Offline Root CA LAB-CA-01 Role Configuration

• Navigate to "Server Manager > (Alert Flag) > Post-deployment Configuration: Active Directory Certificate Services"
  • You will be prompted for an admin user, in this example, you will use the pre-populated LAB-CA-01\Administrator
  • Check the boxes for Certification Authority and Certification Authority Web Enrollment then click "Next"
  • Check the "Standalone CA" radio box then click "Next"
  • Check the "Root CA radio box then click "Next"
  • Check the "Create a new private key" radio box then click "Next"
  • Click the dropdown menu for "Select a crypotographic provider" and ensure that "RSA#Microsoft Software Key Storage Provider" is selected
  • Set the key length to 4096
  • Set the hash algorithm to SHA256

!!! warning "Raw Unprocessed Documentation - Do Not Use" 3. 10-year validity. 4. Configure AIA and CDP extensions with HTTP paths. 5. Publish root cert and CRL to AD and internal HTTP. 3. Online Subordinate CA Setup Steps: 1. Domain-join a Windows Server and install AD CS as Enterprise Subordinate CA. 2. Generate CSR, sign with Root CA, import signed cert. 3. Configure AIA/CDP extensions for CRL publication. 4. Enable role separation and auditing. 4. Certificate Templates and Autoenrollment Configure certificate templates for the following use cases: • - S/MIME Email: Use separate templates for signing and encryption. Enable key archival for encryption. • - 802.1X Wi-Fi: Use 'RAS and IAS Server' for NPS, and 'Workstation Authentication' for clients. • - LDAPS: Use 'Kerberos Authentication' template for domain controllers. Enable autoenrollment via GPOs under Public Key Policies for both Computer and User configuration. 5. CRL and Revocation Management Publish CRLs regularly, configure overlap periods, and monitor expiration. Enable Delta CRLs on the Subordinate CA, but not on the Root. 6. Security Recommendations • - Harden CA servers; limit access to PKI admins. • - Use BitLocker or HSM for key protection. • - Enforce strong cryptographic settings: RSA 2048+, SHA-256. • - Monitor issuance and renewals with audit logs and scripts.