Create and use intermediate certificate authority on Windows Server 2012

certificate-authoritywindows-server-2012

Background: Server OS is Windows Server 2012. GUI is installed as we come upto speed with powershell. Setup is staging, not production (yet).

We have our (internal, domain limited) Root CA installed. I would like to take the Root CA offline to secure storage but before that I'd like to setup an intermediate CA which can take over actual live, online (int-RA-net) functionality

How can I do the above? I assume a complete answer would cover

  • creating the intermediate CA certificate request
  • installing the intermediate CA certificate on domain controller (certification authority role already installed with Root CA online right now)
  • use the intermediate CA to generate a certificate (any use certificate, just for demonstration purposes)

Obviously this certification chain would be invalid on computers outside our domain (self trusted root – our root certificate is NOT from common 3rd parties). This last point is NOT a problem.

Best Answer

I recently went through the process of migrating from an Enterprise Online Root CA to a two tier PKI. Generally the process you will want to follow will contain these steps:

  1. Provision a server that will not be joined to your domain and Install Active Directory Certificate Services. Configure it as a standalone offline root certificate.
  2. Publish your Root CA to the forest.
  3. Provision a second server online and domain joined. Configure that as your intermediate Certificate Authority.
  4. Create a CSR from your intermediate CA and go through the process of issuing a cert from your offline root CA.
  5. Migrate the Certificate templates to the new Intermediate CA and remove the templates from your original PKI. (This will only start issuing new certs from your Intermediate CA NOT invalidating certs issued from your original CA.)
  6. From here you can decide to leave your old CA up until all certs expire or go through the process of forcing your network systems to re-enroll on the new PKI.

The Directory Services Team at Microsoft has a nice high level walkthrough for this.

For more in depth information, here is the walkthrough I followed.

Additionally, here is a Technet Guide and some planning information on the process.

Related Topic