Installing the Enterprise Subordinate CA - Part 2


To complete this installation, we will perform the following steps:

  1. Prepare the CAPolicy.inf for the Enterprise Subordinate CA
  2. Install the Enterprise Subordinate CA
  3. Configure the Enterprise Subordinate CA Authority Information Access and Certificate Distribution Point settings

IssuingCA - Hyper-V




Rename Administrator / Guest Account

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security options

Accounts: Rename Administrator/Guest Account

  1. Admin: IssuingCAAdmin

Interactive logon: Do not display last username:

  1. Clear last username at logon

Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

Configure all for Success and Failure

Computer configuration > Administrative Templates > Windows Components > AutoPlay Policies

Disable autoplay functions > All Drives

Right Mouse on Start Button > Run


And logon with altered Administrator Account Name.

Open Windows PowerShell

Type: notepad c:\Windows\CAPolicy.inf and press ENTER.

When prompted to create a new file, click Yes. Enter the following as the contents of the file:



Signature="$Windows NT$"




Notice="Legal Policy Statement"









Windows XP and Windows Server 2003 certificate clients do not support the Alternate Signature Algorithm. If you want these clients to be able to enroll for certificates, do not add the line AlternateSignatureAlgorithm=1 to the CAPolicy.inf.

Save the file as C:\Windows\CAPolicy.inf, and make sure to save it in the ANSI encoding format.

To install the Enterprise Subordinate CA Role:

  1. In Server Manager, click Manage, and then click Add Roles and Features.
  2. On the Before you begin screen, click Next.
  3. On the Select installation type screen, ensure the default selection of Role-based or feature-based installation is selected. Click Next.
  4. On the Select destination server screen, ensure that DC01 is selected and then click Next.
  5. On the Select server roles screen, select the Active Directory Certificate Services role.
  6. When prompted to install Remote Server Administration Tools click Add Features. Click Next.
  7. On the Select features screen, click Next.
  8. On the Active Directory Certificate Services screen, click Next.
  9. On the Select role services screen, the Certification Authority role is selected by default. Click Next.
  10. On the Confirm installation selections screen, verify the information and then click Install.
  11. Wait for the installation to complete. The installation progress screen is displayed while the binary files for the CA are installed.

The necessary files have now been installed for our Certificate Services Role.

Configuring Active Directory Certificates Services on the destination server.

Logon with CONTOSO\DomainAdmin

  1. When the binary file installation is complete, click the Configure Active Directory Certificate Services on the destination server link.
  2. On the Credentials screen, you should see that the CONTOSO\DomainAdmin (ISSUINGCA\ENTCAADMIN) is displayed in the Credentials box. Click Next.
  3. On the Role Services screen, select Certification Authority. This is the only available selection when only the binary files for the certification authority role are installed on the server. Click Next.
  4. On the Setup Type screen, ensure that Enterprise CA is selected and then click Next.
  5. On the CA Type screen, select Subordinate CA to install an Enterprise Subordinate CA. Click Next.
  6. On the Private Key screen, leave the default selection to Create a new private key selected. Click Next.
  7. On the Cryptography for CA screen, ensure that the cryptographic provider is RSA#Microsoft Software Key Storage Provider, the key length is set to 4096 and the hash algorithm is set to SHA256 / SHA512 then click Next.

Do not select the Allow administrator interaction when the private key is accessed by the CA checkbox. This setting is typically used with Hardware Security Modules (HSMs) and similar key protection devices that prompt for additional information when the private key is accessed.

  8. On the CA Name screen, in the Common name for this CA text box, type IssuingCA and then click Next.

Note that your distinguished name should be automatically expanded to cover your domain name as well.

  9. On the Certificate Request screen, notice that Save a certificate request to file on the target machine is selected. This is the correct option because we are using an offline parent CA (the root CA) in this configuration. Leave the default and click Next.
  10. On the CA Database screen, leave the default locations for the database and database log files. Click Next.
  11. On the Confirmation screen, click Configure.
  12. On the Results screen, you see that you must take the certificate request to the RootCA in order to complete the configuration. Click Close.
  13. Once you have copied your certificate request file onto your Root Certificate Authority, submit it to your CA.
  14. On RootCA, you must approve the request. You can do this using Server Manager or by using certutil from the command line.

To use Server Manager, click Tools, and then click Certification Authority. Expand the RootCA object and then click Pending Requests.

Right click the RootCA > All Tasks > Submit New Request > Locate the .req file on the A: drive.

Right-click the Request ID that corresponds with the one you saw when you submitted the request in the previous step. Click All Tasks and then click Issue.

Click Issued Certificates and see the issued certificate in the Details pane.

From the command prompt on RootCA, retrieve the issued certificate by running the command

certreq -retrieve <RequestId> A:\ISSUINGCA.crt

certreq -retrieve 2 A:\ISSUINGCA.crt

Save your retrieved certificate back onto your removable media and copy it over to your Enterprise Subordinate CA.

On MBSRV1, copy all the files from your removable media into the D:\CertEnroll CERTIFICATES folder. There should be three files there:

  1. The root certificate from your RootCA
  2. The certificate revocation list from your RootCA
  3. Your approved certificate for your Enterprise Subordinate CA


At this point you can shut down your RootCA, and protect it from access by anyone, until you need to regenerate your Enterprise Subordinate CA (in 10 years).

Configuring Certificate Revocation Lists and Authority Information Access

In a PowerShell session, we will configure the CDP and AIA settings for our Enterprise Subordinate CA.

Open a PowerShell window and enter the following commands:

$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};

$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};

certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%%4.crt\n2:\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"

certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:\n3:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

certutil -setreg CA\CRLPeriodUnits 3

certutil -setreg CA\CRLPeriod "Days"

certutil -setreg CA\CRLOverlapUnits 3

certutil -setreg CA\CRLOverlapPeriod "Days"

certutil -setreg CA\CRLDeltaPeriodUnits 0

certutil -setreg ca\ValidityPeriodUnits 10

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg CA\AuditFilter 127

Net stop certsvc

Net start certsvc

Certutil -CRL

Depending on your environment you need to consider the CRLPeriod. You can set it to hours or minutes, if you want fast and strict results upon revoking a certificate.
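
The CRLPublicationURLs value set above packs several publication points into one string, each entry prefixed with a numeric flag field. The PowerShell below is an added example, not from the original page: it decodes such a value and flags entries that are empty or that advertise a local path to clients. The function name ConvertFrom-CAPublicationUrl is hypothetical, the flag meanings are the standard AD CS CDP flag bits, and the sample string is the page's value with $env:windir written out as C:\Windows.

```powershell
# Added example (not from the original page): decode a CRLPublicationURLs value.
# Entries are "flags:URL", joined by the two characters \n, as passed to certutil -setreg.
$CdpFlagNames = @{
    1   = 'publish CRLs here'
    2   = 'include in CDP extension of issued certificates'
    4   = 'include in CRLs (delta CRL location)'
    8   = 'include in all CRLs (manual AD publication)'
    64  = 'publish delta CRLs here'
    128 = 'include in IDP extension of issued CRLs'
}

function ConvertFrom-CAPublicationUrl {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Value)

    foreach ($entry in ($Value -split '\\n')) {
        if ($entry -notmatch '^(\d+):(.*)$') {
            Write-Warning "Malformed entry: '$entry'"
            continue
        }
        $flags = [int]$Matches[1]
        $url   = $Matches[2]

        # Names of every flag bit that is set, lowest bit first
        $names = foreach ($bit in ($CdpFlagNames.Keys | Sort-Object)) {
            if ($flags -band $bit) { $CdpFlagNames[$bit] }
        }

        # Findings worth reviewing before the CA starts issuing certificates
        $finding = if (-not $url) {
            'empty URL: entry publishes or advertises nothing'
        } elseif (($flags -band 2) -and $url -match '^[a-z]:\\') {
            'local drive path advertised to clients in issued certificates'
        } else {
            'ok'
        }

        [pscustomobject]@{
            Flags   = $flags
            Meaning = $names -join '; '
            Url     = $url
            Finding = $finding
        }
    }
}

# Constructed sample: the page's CRLPublicationURLs string with $env:windir shown as C:\Windows
$sample = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:\n3:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
ConvertFrom-CAPublicationUrl -Value $sample | Format-List
```

On the sample, the "2:" entry is reported as an empty URL, while the "3:ldap:///" entry decodes to both publishing the CRL and including the location in issued certificates.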

Now install your approved Enterprise Subordinate CA certificate onto your Certificate Authority with the PowerShell commands below:

Double click a:\RootCA.crt and import to local machine > trusted root certificate store.

certutil -installcert a:\IssuingCA.crt

start-service certsvc

Importing the Certificates on Domain Controllers

Copy the Certificate to the Domain Controllers:

- Double click RootCA.crt and import to local machine > trusted root certificate store.

# Make Templates Available

On the IssuingCA Computer open the Certificate Authority

Right click on Certificate Templates and click Manage



Go to the Subject Name tab:

Build from this Active Directory information




Tab Compatibility

Server 2016

Windows 10 Server 2016

Tab Security:








Authenticated users




Tab Request Handling

Authorize additional service account to access the private key:

key permissions: Domain Admins

Renew with same key

Allow Private Key to be exported


Certificate Templates > Right Click > New > Certificate Template to issue


Head over to NPS_SRV1/NPS_SRV2


Certificates (local computer) > Personal Store > All Tasks > New > Request CERTIFICATES


Next, next, finish

Export certificate incl private key, set password

Copy to desktop


A configuration item that is typically performed on production CAs but is not part of this lab is to enable Audit Object Access and then to enable all auditing events by running the following command: certutil -setreg CA\AuditFilter 127. After doing so, ensure that you regularly archive the Security Event Log and follow the Auditing Security Events Best Practices.

Configure computer certificate autoenrollment

To enable computer certificate auto enrollment, you will need to run through 2 procedures:

Enable certificate autoenrollment through Group Policy

Configure a client and server authentication certificate template for autoenrollment

To enable certificate autoenrollment through Group Policy

On DC1, sign in as Administrator. In Server Manager, click Tools, and then click Group Policy Management.

In your group policy management console, edit your default domain policy

In your default domain policy, go over to Computer Configuration - Policies - Windows Settings - Security Settings - Public Key Policies - and open - Certificate Services Client - Certificate Enrollment Policy

Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates. Click OK.

Autoenrollment will not work unless we configure a client-server authentication certificate template for autoenrollment.

On DC01, in the Certification Authority console pane, right click Certificate Templates and select Manage.

In the details pane, right-click Workstation Authentication and then click Duplicate Template.

Click the General tab, in Template display name, type Client-Server Authentication.

Click the Extensions tab, ensure Application Policies is selected, and then click Edit.

Click Add then click Server Authentication. Click OK twice.

On the Properties of New Template dialog, click the Security tab.

In Group or user names, click Domain Computers (CORP\Domain Computers).

In the Autoenroll row, select the Allow checkbox. This will cause all domain computers to automatically enroll for certificates using this template. Now click ok to close the properties of the new template.


You would typically not assign a template both the Client Authentication and the Server Authentication enhanced key usage (EKU). Also, Server Authentication EKU are typically not configured for autoenrollment. This is done in this lab only for convenience and compatibility with other labs.


The computers also need Read permission for the template in order to enroll. However, this permission is already granted to the Authenticated Users group. All computer accounts in the domain are members of Authenticated Users, so they already have the permission to Read the template.

Before this template will do its work, you need to issue it.

Right-click Certificate Templates, click New, click Certificate Template to Issue.

In the Enable Certificate Templates dialog box, click Client-Server Authentication and then click OK. Close the Certification Authority console.




online responder: