
Get rid of those annoying self-signed certificates with Microsoft Certificate Services, Part 3

In Part 1 of the guide, we introduced Certificate Services and we discussed the design and the plan to deploy these services.

Requirements:

Install a server running Windows Server 2016 or 2019 for the Standalone Root CA. Give it its final name before installing the role (the computer name cannot be changed once Certificate Services is configured), configure a static IP address and do not join it to the domain. This server stays off-domain and is powered off (offline) once the setup is complete.

Installing Standalone Root CA:

Open Server Manager, click Add Roles and Features, choose the Role-based or feature-based installation type and select Active Directory Certificate Services under Server Roles.

Screenshots: Add Roles and Features Wizard

Setup the Root CA Certificate Services:

After the role is installed, start the post-deployment configuration wizard from the Server Manager notification flag by clicking the More link, then Configure Active Directory Certificate Services:

Screenshots: Server Manager, AD CS Configuration wizard

Configuring the Standalone Root CA: Certificate Revocation List (CRL) Distribution Point (CDP) and the Authority Information Access (AIA)

Open the Certification Authority management console, right-click the CA and open Properties. On the Extensions tab, select the CRL Distribution Point (CDP) extension, add the location where the CRL will be published (typically an HTTP URL, since an off-domain root cannot publish to Active Directory) and tick Include in the CDP extension of issued certificates. Then select Authority Information Access (AIA), add the matching location for the Root CA certificate and tick Include in the AIA extension of issued certificates. Leave Publish Delta CRLs to this location unticked on an offline root: it will never be online long enough to publish delta CRLs. The URLs entered here are written into every certificate this root issues, so they must resolve from the clients that will validate those certificates:

Screenshots: Certification Authority Management Console, CA Properties, Extensions tab (options shown: Include in the CDP extension of issued certificates; Publish Delta CRLs to this location)

Configuring the CRL Publication Interval for the Offline Root CA

Before publishing the CRL, define the CRL publication interval (in the console, right-click Revoked Certificates, Properties, CRL Publishing Parameters). The Root CA will be offline, so I will set the CRL publication interval to 1 year. This is an interval I found useful; however, feel free to adjust it to your environment. Whatever value you pick, the CRL's Next Update date is computed from it: if the root stays powered off past that date, every certificate chaining to it fails revocation checking until a fresh CRL is published and copied to the CDP location, so schedule the republish well before the CRL expires.

Publish CRL

Open an elevated command prompt, and then publish the CRL with the following command:

certutil -crl
Certification Authority Console

Copy the CRT and CRL files

In Windows Explorer, open C:\Windows\System32\CertSrv\CertEnroll. It contains the Root CA certificate (.crt) and the CRL you just published (.crl). Copy both to removable media so they can be placed at the CDP and AIA locations configured above:

Screenshots: Windows Explorer, CertEnroll folder

Export Certificates

Open the Certification Authority management console, open the CA's Properties and click View Certificate to display the Root CA certificate. On the Details tab, click Copy to File to start the Certificate Export Wizard and save the certificate:

Screenshots: Certification Authority Management Console, CA certificate, Certificate Export Wizard
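The console steps above (CDP and AIA extensions, CRL publication interval, publishing the CRL, copying and exporting the files) can also be done from an elevated PowerShell session on the Root CA with certutil. The script below is an added example and not part of the original post; the web server name pki.corp.example.com, the /pki/ path and the staging folder C:\PKI-Export are assumptions to replace with the names chosen in your design.

```powershell
# Added example (not from the original post): configure CDP/AIA, the CRL lifetime,
# publish the CRL and collect the Root CA certificate and CRL on the offline Standalone
# Root CA. Run in an elevated PowerShell session on the Root CA.

$PkiHost   = 'pki.corp.example.com'   # assumed: web server that will host the CRL and CA cert
$OutFolder = 'C:\PKI-Export'          # assumed: staging folder copied to removable media

# --- CDP (CRL Distribution Point) ---
# Prefix flags: 1 = publish CRLs to this location, 2 = include in the CDP extension of
# issued certificates. The delta-CRL flags (4 = include in CRLs, 64 = publish delta CRLs
# to this location) are left out on purpose: an offline root does not publish delta CRLs.
# The CA expands %3 (CA name), %8 (CRL suffix) and %9 (delta suffix) itself; certutil
# treats \n in the value as the separator between the multi-string entries.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\System32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://$PkiHost/pki/%3%8%9.crl"

# --- AIA (Authority Information Access) ---
# 1 = publish the CA certificate to this location, 2 = include in the AIA extension of
# issued certificates. %1 = server DNS name, %3 = CA name, %4 = certificate renewal suffix.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://$PkiHost/pki/%1_%3%4.crt"

# --- CRL publication interval (1 year, as in the post) ---
# Next Update is derived from CRLPeriod plus CRLOverlapPeriod. If the root is left
# powered off past that date, every certificate chaining to it fails revocation checking
# until a new CRL is published and copied to the CDP location.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLDeltaPeriodUnits 0        # disables delta CRLs
certutil -setreg CA\CRLOverlapPeriodUnits 12     # assumed grace period added to Next Update
certutil -setreg CA\CRLOverlapPeriod "Hours"

Restart-Service -Name certsvc                    # registry changes take effect on restart

# --- Publish the CRL (same as "certutil -crl" in the post) ---
certutil -crl

# --- Copy the CRT and CRL files and export the Root CA certificate ---
New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null
Copy-Item -Path "$env:windir\System32\CertSrv\CertEnroll\*.crt" -Destination $OutFolder
Copy-Item -Path "$env:windir\System32\CertSrv\CertEnroll\*.crl" -Destination $OutFolder
certutil -ca.cert "$OutFolder\RootCA.cer"        # equivalent of Copy to File in the console

# --- Check before carrying the files out of the room ---
certutil -getreg CA\CRLPublicationURLs           # confirm the flags and URLs set above
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem -Path $OutFolder -Filter *.crl |
    ForEach-Object { certutil -dump $_.FullName | Select-String 'ThisUpdate|NextUpdate' }
```

The final certutil -dump lines are the check worth keeping: the NextUpdate value printed for the CRL is the date by which the root must be powered on again, a new CRL published and the file copied to the CDP location. The same registry values can be read back later with certutil -getreg if you need to confirm what a root CA was configured with.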

Certified AWS, Azure & GCP Architect | HashiCorp Ambassador | Terraform SME | KopiCloud Founder | Entrepreneur & Innovator | Book Author | Husband & Dad of ✌
