Active Directory Certificate Services

This is my take on a simple yet powerful Active Directory Certificate Services (ADCS) implementation. The two PowerShell scripts provide an easy and documented process to install, configure and set up a complete two-tier PKI environment.

PKI Overview

Root/Offline CA Configuration:

| Item | Value (Can be modified) |
| --- | --- |
| Customer | Contoso |
| Operating system | 2012 / 2012R2 / 2016 |
| CA Type | Standalone Root |
| CA Name | Contoso-ROOT-CA |
| Validity Period | 10 years |
| CSP | RSA #Microsoft Software Key Storage Provider |
| Hash Algorithm | SHA256 |
| Key Length | 4096 |
| Database Location | C:\PKI\Database\CertDB |
| Database Log Location | C:\PKI\Database\CertLog |
| CRL Validity Period | 1 year (No delta) |
| CDP | Only HTTP - pki.contoso.com |
| CAPolicy.inf | Automatically generated |

Enterprise/Subordinate CA Configuration:

| Item | Value (Can be modified) |
| --- | --- |
| Customer | Contoso |
| Operating system | 2012 / 2012R2 / 2016 |
| CA Type | Enterprise Subordinate |
| CA Name | Contoso-Subordinate-CA |
| Validity Period | 5 years |
| CSP | RSA #Microsoft Software Key Storage Provider |
| Hash Algorithm | SHA256 |
| Key Length | 2048 |
| Database Location | C:\PKI\Database\CertDB |
| Database Log Location | C:\PKI\Database\CertLog |
| CRL Validity Period | 7 days (No delta) |
| CDP | Only HTTP - pki.contoso.com |
| CAPolicy.inf | Automatically generated |

Requirements

  • An Active Directory Domain Services (AD DS) domain
  • A Windows 2012/2012R2/2016 Server* (PowerShell 4.0) used for Root/Offline CA
  • A Windows 2012/2012R2/2016 Server* (PowerShell 4.0) used for Enterprise/Subordinate CA
  • Domain Administrator membership or similar privileges for installation.
  • Local Administrator privileges (PowerShell.exe Runas Administrator).

*Servers can be hosted in a virtual environment.

Installation

  1. Run "Install-ADCSOfflineCA.ps1" on the server dedicated to the Root/Offline CA role.

  [Screenshot: Install-ADCSOfflineCA.ps1 prompts]

  Script parameters:

  • Company: Used to populate the AIA/CRL and CA common names.
  • DomainURL: Used for CDP and AIA publishing.
  • ConfigNC: Used for publishing the Root CA in Active Directory.

  2. Confirm the installation when/if prompted. The installation of the Root/Offline CA role is now done.

  [Screenshot: Root CA installation finished]

  3. Run "Install-ADCSSubordinateCA.ps1" on the server dedicated to the Enterprise/Subordinate CA role.

  [Screenshot: Install-ADCSSubordinateCA.ps1 prompts]

  Script parameters:

  • SMTPServer: Mail server used to send the PKI maintenance/job reminder.
  • ToAddress: Recipient address for the PKI maintenance/job reminder.
  • FromAddress: Sender address for the PKI maintenance/job reminder.
  • City: Used to populate the ADCS Web Enrollment information template.
  • State: Used to populate the ADCS Web Enrollment information template.

  *Country is not available as a parameter as of now; the default is Sweden.
  *The ADCS Web Enrollment template can easily be modified in the $env:WinDir\System32\certsrv\certdat.inc file.

  4. Each of the following setup steps shows a prompt that walks you through a manual routine/process.

  4.1. Create an internal DNS zone and/or an A record pointing to the Enterprise/Subordinate CA server. It is highly recommended to also publish the $DomainURL externally so the CDP is reachable from the outside.

  [Screenshot: Create a DNS zone]

  4.2. Sign/issue the Enterprise/Subordinate CA certificate on the Root/Offline CA server. *It is recommended that the Root/Offline CA server has no network connection when running in production.

  [Screenshot: Issue Subordinate CA]

  Example submit request and sign/issue:

  [Screenshot: Example sign/issue]

  4.3. Publish a new CRL on the Root/Offline CA server.

  [Screenshot: Publish a new CRL]

  Example:

  [Screenshot: Example new CRL publish]

  4.4. Rename the Root/Offline CA certificate to match the AIA location.

  [Screenshot: Rename Root CA certificate]

  4.5. Copy the CRL and CRT files from the Root/Offline CA server to the Enterprise/Subordinate CA server.

  [Screenshot: Copy CRL and CRT files]

  Example:

  [Screenshot: Example copy]

  4.6. Unzip/move the copied CRL and CRT files (from step 4.5) to the correct paths on the Enterprise/Subordinate CA server.

  [Screenshot: Move CRL and CRT files]

  4.7. The script automatically tries to add the Root/Offline CA certificate to the Active Directory configuration naming context (ConfigNC).

  [Screenshot: Add Root CA to Active Directory]

  View in adsiedit.msc after step 7 (4.6):

  [Screenshot: AD ConfigNC]

  4.8. Install the Enterprise/Subordinate CA certificate.

  [Screenshot: Install Subordinate Certificate]

  Example:

  [Screenshot: Install CA certificate]

  4.9. The script automatically modifies the "certdat.inc" file to match the Company information.

  [Screenshot: Modify certdat.inc]

  4.10. Create a Group Policy for certificate auto-enrollment (optional, but recommended).

  [Screenshot: Create Group Policy]

Installation is now done.

  [Screenshot: Installation finished]

Verify the setup in pkiview.msc.

  [Screenshot: pkiview.msc]
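A post-installation check to run alongside pkiview.msc, added here as an example and not one of the repository's scripts: it fetches each CRL from the HTTP CDP, warns when one is unreachable or close to its NextUpdate (the failure mode the two-tier design is most exposed to, since the offline root republishes its CRL only once a year), and can mail the same reminder addresses Install-ADCSSubordinateCA.ps1 asks for. The CRL URL paths and the warning thresholds are assumptions built from the CDP host and CA names in the tables above.

```powershell
# Added example (not one of the repository's scripts): checks that each CRL published at
# the HTTP CDP is reachable and not close to expiry, and mails a reminder when it is not.
# URLs and thresholds are ASSUMPTIONS; change them to the paths the scripts publish to.
[CmdletBinding()]
param(
    [hashtable]$Crls = @{
        # Offline root CRL is valid 1 year: warn 30 days ahead (assumed threshold)
        'http://pki.contoso.com/CertEnroll/Contoso-ROOT-CA.crl'        = 30
        # Subordinate CRL is valid 7 days: warn 2 days ahead (assumed threshold)
        'http://pki.contoso.com/CertEnroll/Contoso-Subordinate-CA.crl' = 2
    },
    # Same mail settings Install-ADCSSubordinateCA.ps1 asks for; omit them to skip e-mail
    [string]$SMTPServer, [string]$ToAddress, [string]$FromAddress
)
function Get-CrlNextUpdate {
    param([string]$Url)
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        # certutil -dump prints "NextUpdate: <date>" in the current locale's date format,
        # which [datetime]::Parse reads back using the same culture.
        foreach ($line in (certutil -dump $tmp)) {
            if ($line -match '^\s*NextUpdate:\s*(.+)$') {
                return [datetime]::Parse($Matches[1].Trim())
            }
        }
        throw "No NextUpdate field found in $Url"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
$problems = foreach ($url in $Crls.Keys) {
    try {
        $next = Get-CrlNextUpdate -Url $url
        $daysLeft = ($next - (Get-Date)).TotalDays
        if ($daysLeft -lt 0) { "EXPIRED: $url (NextUpdate $next)" }
        elseif ($daysLeft -lt $Crls[$url]) { "EXPIRING: $url in {0:N1} days" -f $daysLeft }
        else { Write-Verbose ("OK: {0} valid for {1:N1} more days" -f $url, $daysLeft) }
    } catch { "UNREACHABLE: $url ($($_.Exception.Message))" }
}
if ($problems) {
    foreach ($p in $problems) { Write-Warning $p }
    if ($SMTPServer -and $ToAddress -and $FromAddress) {
        Send-MailMessage -SmtpServer $SMTPServer -To $ToAddress -From $FromAddress `
            -Subject 'PKI CRL check: action required' -Body ($problems -join "`n")
    }
    exit 1
}
```

Run it from the subordinate CA or any domain member (it needs only HTTP access to the CDP and certutil), and schedule it so a root CRL approaching its NextUpdate is noticed before the whole chain fails revocation checking.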


> For a more detailed installation check the [Wiki section.](https://github.com/PhilipHaglund/ADCS/wiki/Detailed-Installation-instructions)