Saturday, 11 February 2017

Offline standalone root CA install, Server 2012 R2 - Part 1


In this post, we’ll look at how to set up an offline standalone root CA in Windows Server 2012 R2. This is the most secure way to set up your CA because it means you can set up subordinate issuing CAs and power off the root CA when not required to issue subordinate CA certificates.
Having a powered off server means you cannot possibly have it compromised (unless someone has physical access to it or you decide to store the CA private key on an unencrypted USB key and gave it to a friend to get some movies but that’s beside the point!).

How to install an offline standalone root CA

Before we start, make sure you have a clean build of Windows Server 2012 R2 without any other roles installed. Make sure your server is not joined to a domain. The server in this example is called LITCA01 (our root CA in the Litware organization).
  • Install AD CS role and select Certificate Authority role service:
    • Either user Powershell
    Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority
    • Or use the GUI:
  • Select Active Directory Certificate Services
  • Click next
  • Click next
  • Select Certificate Authority
  • Click next
  • Configure CA and select standalone CA:
  • After installation, the wizard prompts you to configure the CA. If you used PowerShell then you can continue CA configuration by opening up Server Manager.
  • Click through the wizard and select defaults and then when prompted, for a CA type, select root CA:
  • Create certificate or use an existing one (if you have one already). In our case, we don't already have one so we create a new one.
  • Accept defaults and complete the wizard. You now have a standalone Certificate Authority.



Your standalone CA is now set up. So, that’s great! How do I make sure things will work when it’s offline? How do you get a certificate from an offline CA? How will domain joined clients autoenroll certificates? Well, we’ll need a subordinate CA but first we need to configure our CA and prepare it for a subordinate CA. We’ll go through this in part 2.

Offline standalone root CA install, Server 2012 R2 - Part 2


So, in part 1, we installed our offline root CA called LITCA01. In this part, we’ll configure the AIA and CDP settings so that we can create a subordinate CA which will be used to issue certificates to clients and be joined to the domain.

What is a CDP?

First of all, what is a CDP and what is AIA? Yes, good question!
CDP stands for CRL Distribution Point. CRL stands for Certificate Revocation List. Let’s say you issue a certificate to a web server. Your client then connects to the web server and downloads the certificate (public key). It needs to know if this web server certificate has been revoked or not so to do this, it looks at the certificate extensions (properties on the certificate) and looks for the CDP locations. Usually this is an LDAP or HTTP URL and the client can connect to download the CRL and then work out if the web server certificate has been revoked or not.

What is AIA?

The Authority Information Access (AIA) locations are configured on a CA and they are stamped onto certificates issued by the CA. This information is used by an application or service to get the issuing CA certificate to validate the certificate path.

How to configure an offline standalone root CA CDP and AIA extensions

  • Install IIS and the management tools:
Install-WindowsFeature web-server,web-mgmt-console
  • Make a directory in the default website: C:\inetpub\wwwroot\CertEnroll
  • Open up the Certification Authority console
  • Right click on your CA (LITCA01-CA in our case) and click on properties
  • Click on the extensions tab and click on Add to add a new CDP:
  • Enable Publish CRLs to this location and Publish Delta CRLs to this location
  • Run certutil -crl to create a new CRL and ensure this appears in the folder with the name: C:\inetpub\wwwroot\CertEnroll\LITCA01-CA.crl (your CA name will be different)
  • Configure the http CDP by enabling Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates
  • Now, click on Select extension and choose Authority Information Access (AIA):
    • Add an AIA location:
  • Enable http AIA by ticking Include in the AIA extension of issued certificates
  • Click OK
  • Copy C:\Windows\System32\CertSrv\CertEnroll\litca01_LITCA01-CA.crt to C:\inetpub\wwwroot\CertEnroll\litca01_LITCA01-CA.crt (your CA name will be different so copy the .crt file for your CA)


We’ve now configured a CDP and AIA location for our offline root CA. These will only be needed for our subordinate CAs when they need to renew or reissue their CA certificates. In the next post, we’ll go through how to set up a subordinate enterprise CA which our domain joined clients can use for certificate requests.