Creating an Enterprise Subordinate CA from an Offline Root CA
Every organization that has an Active Directory structure, or any other service that uses SSL/TLS (e.g. HTTPS, RDP, etc.), should have a certificate authority. The CA issues the certificates that let a client verify it is talking to the server it intended, and not to something sitting in between, before the encrypted session is established. A certificate authority is also required to enable secure LDAP (LDAPS), though that can also be done with an external certificate authority.
This guide covers the second part of a two-tiered certificate authority (CA) setup: the Enterprise Subordinate (Intermediate) CA. The Enterprise CA is an Active Directory domain-joined server. This CA stays online and issues certificates under a CA certificate signed by the offline Root CA, which is kept off the network.
Requirements
- Windows Server joined to your Active Directory domain
- The server should be fully updated before starting
- This server should have a static IP address
- We will be using Windows Server 2022 for this example
- An offline Root CA
- (Recommended) A Private Enterprise Number (PEN) from IANA, which gives your organization its own OID arc (1.3.6.1.4.1.<PEN>) to use in certificate policies
- One of these numbers can be obtained at no cost from IANA, here: IANA PEN Application Form
- You can check the registry to see if your organization has already obtained one, here: IANA PEN Registry
Create CAPolicy.inf File
- Open PowerShell as Administrator
- Create a new file called CAPolicy.inf in C:\Windows with notepad.exe (certutil only reads the file from this location)
```
cd C:\Windows
notepad.exe CAPolicy.inf
```
- Answer Yes to create the new file
- Copy this text into the file
```
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1

[CRLDistributionPoint]
[AuthorityInformationAccess]
```
- The OID listed above is Microsoft's example. Use one under your own IANA PEN arc as mentioned in the Requirements section above.
- Notice that LoadDefaultTemplates is set to 0. This prevents the default templates (User, Computer, Web Server and so on) from being published at install, so the CA does not start issuing unwanted or unneeded certificates before you have decided which templates it should offer. Templates are published deliberately later in this guide.
- AlternateSignatureAlgorithm=1 makes the CA sign with RSASSA-PSS (PKCS #1 v2.1) rather than PKCS #1 v1.5. Windows clients handle this, but set it to 0 if non-Windows devices or older software that only understands PKCS #1 v1.5 signatures must validate certificates from this CA.
- Save and close the CAPolicy.inf file
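To take the hand-editing out of this step, here is an added PowerShell example (not from the original guide) that writes the same CAPolicy.inf where certutil expects it and then checks the settings that most often go wrong before the AD CS wizard consumes the file. The OID is deliberately still Microsoft's placeholder so that the check flags it; the function names are my own.

```powershell
# Added example (not from the original guide): write CAPolicy.inf where certutil
# looks for it and sanity-check the settings before running the AD CS wizard.
# The OID below is still Microsoft's placeholder and must be replaced (the check flags it).

$policyText = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1

[CRLDistributionPoint]
[AuthorityInformationAccess]
'@

function ConvertFrom-IniText {
    # Minimal INI parser: returns @{ Section = @{ Key = Value } }.
    param([string]$Text)
    $ini = @{}; $section = $null
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $ini
}

function Test-CAPolicyInf {
    # Returns one string per finding; no output means the file passed every check.
    param([string]$Path = "$env:SystemRoot\CAPolicy.inf")
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        return @("Missing $Path - certutil only reads %SystemRoot%\CAPolicy.inf")
    }
    $ini = ConvertFrom-IniText (Get-Content -LiteralPath $Path -Raw)

    $srv = $ini['Certsrv_Server']
    if (-not $srv) { $findings += 'No [Certsrv_Server] section'; $srv = @{} }
    if ($srv['LoadDefaultTemplates'] -ne '0') {
        $findings += 'LoadDefaultTemplates is not 0: default templates will be published at install'
    }
    if ([int]$srv['RenewalKeyLength'] -lt 4096) {
        $findings += "RenewalKeyLength is '$($srv['RenewalKeyLength'])', expected 4096 for a CA key"
    }
    if ($srv['AlternateSignatureAlgorithm'] -eq '1') {
        $findings += 'AlternateSignatureAlgorithm=1 signs with RSASSA-PSS; set 0 if PKCS #1 v1.5-only clients must validate your certs'
    }

    # Every policy named in [PolicyStatementExtension] needs its own section with a real OID.
    $pse = $ini['PolicyStatementExtension']
    $policyList = if ($pse) { $pse['Policies'] } else { '' }
    $policies = @(($policyList -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($name in $policies) {
        $oid = if ($ini[$name]) { $ini[$name]['OID'] } else { $null }
        if (-not $oid) { $findings += "Policy '$name' has no section with an OID" }
        elseif ($oid -eq '1.2.3.4.1455.67.89.5') {
            $findings += "Policy '$name' still uses Microsoft's example OID; use your IANA PEN arc (1.3.6.1.4.1.<PEN>.<suffix>)"
        }
    }
    $findings
}

# Write the file as ASCII (no UTF-8 BOM) and review the findings before running the wizard.
Set-Content -LiteralPath "$env:SystemRoot\CAPolicy.inf" -Value $policyText -Encoding Ascii
$issues = @(Test-CAPolicyInf)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { 'CAPolicy.inf looks good' }
```

Run it as Administrator on the future Subordinate CA. With the text above it warns about the placeholder OID and the RSASSA-PSS setting; fix the OID, decide on the signature algorithm for your client population, re-run until it reports clean, and only then start the role installation.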
Publish the Root CA Certificate and CRL
These two files were generated when you created either your Linux or Windows offline Root CA. You should have stored them on a USB drive so that you can now import them into Active Directory.
- The Root CA certificate should have a .crt file extension
- The Root CA certificate revocation list (CRL) should have a .crl file extension
- Open PowerShell as Administrator, logged on with an account that can write to the configuration partition (typically a member of Enterprise Admins)
- Assuming the CA cert and CRL files are on the root of E:, publish the Root CA certificate and CRL in Active Directory
```
certutil -f -dspublish "E:\Root-CA_Example Root CA.crt" RootCA
certutil -f -dspublish "E:\Example Root CA.crl" RootCA
```
- Add the Root CA certificate and CRL to this server's local machine store
```
certutil -addstore -f root "E:\Root-CA_Example Root CA.crt"
certutil -addstore -f root "E:\Example Root CA.crl"
```
- Domain members pick the root certificate up from Active Directory on their next Group Policy / autoenrollment refresh; the local addstore step is what lets this server build the chain right away, before that refresh happens.
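As an added check (not part of the original guide), the following PowerShell compares the thumbprint of the .crt on the USB drive with what is now in the Active Directory PKI containers and in this server's local Root store. It assumes the RSAT ActiveDirectory module is installed (Install-WindowsFeature RSAT-AD-PowerShell) and uses the E:\ path from the commands above; the function name is my own.

```powershell
# Added example (not from the original guide): after certutil -dspublish, confirm
# the root certificate is where domain members and this server will look for it.
# Assumes the RSAT ActiveDirectory module is available and the USB path used above.

Import-Module ActiveDirectory

function Test-RootCaPublished {
    param([Parameter(Mandatory)][string]$CertPath)

    $file    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

    # '-dspublish ... RootCA' writes the certificate to both of these containers in the
    # configuration partition; domain members import the first one into their Root store.
    $found = foreach ($container in 'Certification Authorities', 'AIA') {
        $objs = Get-ADObject -SearchBase "CN=$container,$pkiBase" -SearchScope OneLevel `
                    -LDAPFilter '(objectClass=certificationAuthority)' -Properties cACertificate
        foreach ($obj in $objs) {
            foreach ($der in $obj.cACertificate) {
                $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
                if ($c.Thumbprint -eq $file.Thumbprint) { "$container ($($obj.Name))" }
            }
        }
    }
    $localRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $file.Thumbprint

    [pscustomobject]@{
        Subject     = $file.Subject
        Thumbprint  = $file.Thumbprint
        NotAfter    = $file.NotAfter
        InAdCAs     = [bool]($found -like 'Certification Authorities*')
        InAdAIA     = [bool]($found -like 'AIA*')
        InLocalRoot = [bool]$localRoot
        AdObjects   = @($found)
    }
}

Test-RootCaPublished -CertPath 'E:\Root-CA_Example Root CA.crt' | Format-List
```

All three booleans should be True before you continue. If the AD entries are missing on another domain controller, wait for replication rather than publishing again; if InLocalRoot is False, the addstore command above did not run in an elevated session.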
Install the Active Directory Certificate Services Role
- Open Server Manager, if not already open
- Click Manage in the top right corner
- Click Add Roles and Features
- On Before You Begin, click Next
- On Installation Type, ensure Role-based or feature-based installation is selected and click Next
- On Server Selection, ensure this server is selected and click Next
- On Server Roles, check Active Directory Certificate Services, on the pop-up click Add Features, then click Next
- On Features, click Next
- On AD CS, click Next
- On Role Services, check Certification Authority and Certification Authority Web Enrollment, on the pop-up click Add Features, then click Next
- On Web Server Role (IIS), click Next
- On Role Services, click Next
- On Confirmation, click Install
Configure the Certificate Authority Service
- If the Installation Wizard is still open, click Configure Active Directory Certificate Services on the destination server. Otherwise, in Server Manager click the flag icon in the upper right which should have a warning symbol (⚠️), then Post-deployment Configuration
- On Credentials, click Next
- On Role Services, check Certification Authority and Certification Authority Web Enrollment, then click Next
- On Setup Type, ensure Enterprise CA is selected then click Next
- On CA Type, select Subordinate CA and click Next
- On Private Key, ensure Create a new private key is selected, then click Next
- On Cryptography, set the Key length to 4096 and leave the hash algorithm at SHA256, then click Next
- On CA Name, set the Common name to a descriptive value, such as "Contoso Subordinate CA". You may either accept the pre-filled Distinguished name suffix or provide your own, such as O=Example School,L=Raleigh,ST=North Carolina,C=US, then click Next
- On Certificate Request, note the path in the File name field. This is where the certificate request (.req) file will be saved. Click Next
- On Certificate Database, click Next
- On Confirmation, click Configure
Once the installation is finished, close the wizard.
The warning message is expected. It informs you that you must manually use the .req file to request a CA certificate from your offline Root CA. Copy this file to a USB drive now so that you can load it onto your offline Root CA.
Request a CA Certificate from the Offline Root CA
Now that you have a certificate request, you must use your offline Root CA to obtain the Subordinate CA certificate.
Linux-based Offline CA
- Insert your USB drive containing the .req file into the offline Root CA server
- Find the path to your device (all devices in Linux are represented by files)
```
sudo sfdisk -l
```
  - -l: list all devices
- My device was /dev/sdb1
```
Disk /dev/sdb: 7.52 GiB, 8058306560 bytes, 15738880 sectors
Disk model: USB Disk
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 730CBDED-473E-4991-9AF8-A6910A72F498

Device     Start      End  Sectors  Size Type
/dev/sdb1   2048 15736831 15734784  7.5G Microsoft basic data
```
- Mount the USB drive on the /media directory
```
sudo mount /dev/sdb1 /media
```
- Generate the Sub-CA certificate using OpenSSL
```
sudo openssl ca -config /etc/ssl/root-ca/openssl.cnf -extensions v3_intermediate_ca -in /media/CA01.ad.example.edu_ad-CAS-CA.req -out /media/CA01.ad.example.edu_ad-CAS-CA.crt -days 3650 -notext
```
  - ca: a Certificate Authority operation (sign a request with the Root CA's key and record it in the CA database)
  - -config: the OpenSSL configuration file to use
  - -extensions: the certificate extensions section to use, as defined in the config file; v3_intermediate_ca should produce basicConstraints CA:TRUE with pathlen:0 and a keyUsage of keyCertSign and cRLSign, as the output below shows
  - -in: the location of the .req file from the Subordinate CA
  - -out: location and name of the output .crt certificate for the Sub-CA
  - -days: how long the certificate will be valid, 10 years in this case
  - -notext: do not include a text dump of the certificate in the output, so the file contains only the PEM block the Windows CA will import
- You will be asked for the password of the Root CA's private key, which you should have documented
```
Using configuration from /etc/ssl/root-ca/openssl.cnf
Enter pass phrase for /etc/ssl/root-ca/private/ca.key:
```
- You will be asked to verify the request and signature. If this looks correct, answer y to both questions. Below is my example:
```
Enter pass phrase for /etc/ssl/root-ca/private/ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            60:1c:cb:4e:95:f9:4b:2f:42:30:e6:fe:0a:bb:6a:2f
        Validity
            Not Before: Jul  5 18:00:58 2022 GMT
            Not After : Jul  2 18:00:58 2032 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = North Carolina
            localityName              = RTP
            organizationName          = MCNC
            organizationalUnitName    = CNE
            commonName                = MCNC Subordinate CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2A:69:D8:FB:5E:9E:2C:B4:B3:06:29:52:01:0B:5A:6E:E3:18:2C:55
            X509v3 Authority Key Identifier:
                46:E7:C6:7A:74:1E:10:56:94:CC:39:22:FD:87:3F:AD:E0:EF:8E:D5
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Jul  2 18:00:58 2032 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
- Before answering y, check that the Subject is the one you entered in the wizard, that Basic Constraints shows CA:TRUE with pathlen:0, and that Key Usage includes Certificate Sign and CRL Sign. Without CA:TRUE and those key usages the certificate will not validate as a CA certificate, and without pathlen:0 the subordinate would be able to issue further CAs of its own.
- Unmount the USB drive before removing it
1
sudo umount /media
- Shutdown the offline Root CA
Windows-based Offline CA
- Insert your USB drive into the offline Windows Root CA server
- On the offline Windows Root CA server, open the Certificate Authority MMC by going to Tools > Certificate Authority in Server Manager or by running
certsrv.msc
- In the Certificate Authority MMC, right-click your Root CA, then select All Tasks > Submit New request…
- Browse to your
.req
file and click Open - Double click on Pending Requests you should see your new request listed
- Right-click on the request and select All Tasks > Issue
- You should see the new certificate under Issued Certificates and note the Request ID for the next step
- Open PowerShell as Administrator and export the new Sub-CA certificate to your USB drive, using the Request ID noted above (2 in this example)
```
certreq -retrieve 2 "E:\CA01.ad.example.edu_ad-CAS-CA.crt"
```
  - -retrieve: retrieves the issued certificate whose Request ID follows (the number shown in the Issued Certificates container) and writes it to the given file
- Click OK on the Certificate Authority List pop-up
- Safely eject and remove the USB drive from the server
- Shutdown the offline Root CA
Install the new Sub-CA Certificate on the Enterprise Subordinate CA
- Insert the USB drive holding the new .crt file into the Windows Enterprise Subordinate CA server (not the Root CA, which stays offline)
- On the Windows Enterprise Subordinate CA server, open the Certificate Authority MMC by going to Tools > Certificate Authority in Server Manager or by running
certsrv.msc
- In the Certificate Authority MMC, right-click your Subordinate CA, then select All Tasks > Install CA Certificate…
- Change the File type dropdown to X.509 Certificate (*.cer,*.crt)
- Browse to your USB drive or location of the
.crt
file from the Root CA and select it - Click Open
- Right-click your Subordinate CA and select All Tasks > Start Service
- Certificate Services should now be running and a green check should appear on your Subordinate CA. If the service refuses to start, the usual cause is that the Root CA certificate is not in this server's local Root store (see the addstore step above), so the chain cannot be built.
Perform Post Installation Configuration Tasks on the Subordinate Issuing CA
- Open PowerShell as Administrator
- Configure the CRL and Delta CRL settings (a base CRL every week, a delta CRL every day)
```
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
```
- Define the CRL overlap, the extra time a published CRL stays valid past its next scheduled update so that clients are not left without a valid CRL if publication runs late. The registry value the CA service reads is CRLOverlapUnits; the name CRLOverlapPeriodUnits that appears in some guides creates a value the service ignores
```
certutil -setreg CA\CRLOverlapUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"
```
- Set the validity period of issued certificates to half the life of the Subordinate CA certificate, in this case 5 years (the default is 2 years). The CA never issues a certificate that outlives its own certificate; it truncates the end date instead, so issued lifetimes shrink once the CA certificate has less than this period left, which is why you renew the Sub-CA certificate at the halfway point
```
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"
```
- Restart the Certificate Authority service so the new settings take effect
```
Restart-Service certsvc
```
- Generate and publish the Certificate Revocation List
```
certutil -crl
```
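As an added example (not part of the original guide), the following PowerShell reads these settings back from the registry where certutil -setreg stores them, locates the CA certificate issued by the offline root (whether it came from the Linux or the Windows root above), and checks it for the properties the signing output showed (CA:TRUE, pathlen:0, a chain to the root) together with the period settings just configured. Run it on the Subordinate CA as Administrator. The function names and the "half the CA lifetime" rule are taken from this section, not from a Microsoft tool.

```powershell
# Added example (not from the original guide): read the issuing CA's settings back
# from the registry, find its own certificate, and check that what was configured
# fits the certificate the root just issued. Run on the Subordinate CA as Administrator.

function ConvertTo-Days {
    # Turn a certutil period (unit name + count) into days for comparison.
    param([string]$Period, [int]$Units)
    switch ($Period) {
        'Years'   { $Units * 365 }
        'Months'  { $Units * 30 }
        'Weeks'   { $Units * 7 }
        'Days'    { $Units }
        'Hours'   { $Units / 24 }
        'Minutes' { $Units / 1440 }
        default   { throw "Unknown period unit '$Period'" }
    }
}

function Test-IssuingCaConfig {
    $svc    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $svc).Active
    $cfg    = Get-ItemProperty -Path (Join-Path $svc $caName)
    $findings = @()

    # CACertHash (REG_MULTI_SZ) lists the CA's certificate thumbprints; the last is current.
    $thumb  = (@($cfg.CACertHash)[-1] -replace ' ', '').ToUpper()
    $caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $caCert) { throw "CA certificate $thumb not found in LocalMachine\My" }

    $bc = $caCert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { $findings += 'CA certificate lacks BasicConstraints CA:TRUE' }
    elseif (-not $bc.HasPathLengthConstraint -or $bc.PathLengthConstraint -ne 0) {
        $findings += 'CA certificate pathlen is not 0: this CA could issue further CAs'
    }

    # The chain must end at the root in the local Root store. Revocation is left out here
    # because it depends on reachable CDP/AIA URLs; certutil -verify -urlfetch covers that.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($caCert)) {
        $findings += "Chain does not build: $(($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')"
    }
    $rootSubject = if ($chain.ChainElements.Count) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else { $null }

    $caLifeDays  = ($caCert.NotAfter - $caCert.NotBefore).TotalDays
    $validDays   = ConvertTo-Days $cfg.ValidityPeriod   $cfg.ValidityPeriodUnits
    $crlDays     = ConvertTo-Days $cfg.CRLPeriod        $cfg.CRLPeriodUnits
    $deltaDays   = ConvertTo-Days $cfg.CRLDeltaPeriod   $cfg.CRLDeltaPeriodUnits
    $overlapDays = ConvertTo-Days $cfg.CRLOverlapPeriod $cfg.CRLOverlapUnits

    if ($validDays -gt $caLifeDays / 2) { $findings += "ValidityPeriod ($validDays d) exceeds half the CA certificate lifetime ($caLifeDays d)" }
    if ($overlapDays -ge $crlDays) { $findings += 'CRL overlap must be shorter than the CRL period' }
    if ($cfg.CRLDeltaPeriodUnits -gt 0 -and $deltaDays -ge $crlDays) { $findings += 'Delta CRL period must be shorter than the base CRL period' }
    if ($cfg.PSObject.Properties['CRLOverlapPeriodUnits'] -and -not $cfg.CRLOverlapUnits) {
        $findings += 'CRLOverlapPeriodUnits is set but the service reads CRLOverlapUnits (still 0)'
    }

    [pscustomobject]@{
        CAName             = $caName
        CertSubject        = $caCert.Subject
        CertNotAfter       = $caCert.NotAfter
        IssuedValidityDays = $validDays
        CrlPeriodDays      = $crlDays
        CrlOverlapDays     = $overlapDays
        ChainRoot          = $rootSubject
        Findings           = $findings
    }
}

Test-IssuingCaConfig | Format-List
```

An empty Findings list and a ChainRoot that names your offline root is the expected result. Pair it with certutil -verify -urlfetch against the CA certificate file once your CDP and AIA URLs are in place, since that is the check clients actually perform when they fetch the CRL.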
(Recommended) Publish the Domain Controller Certificate Template
- In the Certificate Authority MMC of the Subordinate CA, right click on Certificate Templates and select New > Certificate Template to Issue
- On the Enable Certificate Templates pop-up, select Domain Controller and click OK
- After the next Group Policy refresh (or gpupdate /force and certutil -pulse on a domain controller to trigger autoenrollment immediately), the domain controllers enroll themselves for a certificate from this template, which enables LDAPS (TCP 636). The Domain Controller template is the original V1 template; on current domains Microsoft's Kerberos Authentication template supersedes it and is the better choice, but either yields a certificate the DC will use for LDAPS.
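To confirm the result without waiting for an application to complain, here is an added PowerShell check (not from the original guide) that performs a TLS handshake against port 636 of a domain controller and reports the certificate it presents, including the template it was issued from and whether this machine validates the chain. The DC name dc01.ad.example.edu at the bottom is a placeholder, and the function name is my own.

```powershell
# Added example (not from the original guide): TLS handshake to LDAPS and report the
# certificate the domain controller presents. The DC name used at the bottom is a
# placeholder; substitute one of your own domain controllers.

function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Port = 636)

    # Record the server certificate and the validation result instead of letting a
    # failed validation abort the handshake; both are reported in the result object.
    $state = @{ Cert = $null; Errors = $null }
    $validator = {
        param($sender, $cert, $chain, $errors)
        if ($cert) { $state.Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert) }
        $state.Errors = $errors
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$validator

    $result = [ordered]@{ DomainController = $DomainController; Port = $Port; Connected = $false }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($DomainController, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($DomainController)
        $result.Connected = $true
        $result.Protocol  = $ssl.SslProtocol
        $ssl.Dispose()
    } catch {
        # Typical before the DC has enrolled: TCP connects but the TLS handshake fails.
        $result.Error = $_.Exception.Message
    } finally { $tcp.Close() }

    if ($state.Cert) {
        $c = $state.Cert
        $templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')   # V1 template name / V2+ template info
        $eku = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $result.Subject      = $c.Subject
        $result.Issuer       = $c.Issuer
        $result.NotAfter     = $c.NotAfter
        $result.Template     = ($c.Extensions | Where-Object { $_.Oid.Value -in $templateOids } |
                                ForEach-Object { $_.Format($false) }) -join '; '
        $result.ServerAuth   = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1')
        # None means this machine trusts the chain, the certificate is in date and the name matches.
        $result.PolicyErrors = $state.Errors
    }
    [pscustomobject]$result
}

Test-LdapsCertificate -DomainController 'dc01.ad.example.edu' | Format-List
```

A healthy result shows Connected True, an Issuer matching your Subordinate CA, ServerAuth True, a Template naming the Domain Controller (or Kerberos Authentication) template, and PolicyErrors of None. RemoteCertificateChainErrors means the machine running the check does not yet trust the root; RemoteCertificateNameMismatch means you connected by a name that is not in the certificate's Subject Alternative Name.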