Print content https://www.practice-labs.com/authenticated/vNext/vn-print-content.aspx

Identity with Windows Server 2016

Install and Configure Offline Root CA

Introduction
Exercise 1 - Deploy Stand-alone CA
Exercise 2 - Configure an Enterprise Subordinate CA
Summary

Introduction
The Install and Configure Offline Root CA module provides you with the
instruction and server hardware to develop your hands-on skills in the defined topics.
This module includes the following exercises:

Deploy Stand-alone CA
Configure an Enterprise Subordinate CA

Lab time: It will take approximately 1 hour to complete this lab.

Exam Objectives

The following exam objectives are covered in this lab:

Install stand-alone CAs
Configure Certificate Revocation List (CRL) distribution points and Authority Information Access (AIA)
Install and configure enterprise subordinate CA

Lab Diagram

During your session, you will have access to the following lab configuration.

1 of 74 24-01-2020, 15:29

Connecting to your Lab

In this module, you will be working on the following equipment to carry out the steps
defined in each exercise.

Important: When you start a module, PLABDC01 must be powered on first.

When PLABDC01’s activity indicator states “On,” you can then power on the other devices in the sequence indicated below. This will ensure that certain Windows services like Active Directory Services are successfully started and will avoid errors in domain security policy. Please note that some network services require Active Directory in order to function.

PLABDC01 (Windows Server 2016 - Domain Controller)
PLABDM01 (Windows Server 2016 - Domain Server)
PLABSA01 (Windows Server 2016 - Domain Server)

For further information and technical support, please see our Help and Support page.

Copyright Notice
This document and its content is copyright of Practice-IT - © Practice-IT 2017. All rights reserved.
Any redistribution or reproduction of part or all of the contents in any form is prohibited other than
the following:
1. You may print or download to a local hard disk extracts for your personal and non-commercial use
only.
2. You may copy the content to individual third parties for their personal use, but only if you
acknowledge the website as the source of the material. You may not, except with our express written
permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any
other website or other form of electronic retrieval system.

Exercise 1 - Deploy Stand-alone CA

A stand-alone root certification authority (CA) is another variant of certification authority server that can be installed in a network. Unlike an Enterprise Root CA, a stand-alone CA does not require the use of Active Directory Domain Services (AD DS) to create a certificate trust chain between a parent and subordinate CA.

Organizations that implement restrictive network security policies have the option of installing a stand-alone CA that can be configured as an offline trusted root CA by simply disconnecting it from the network or putting it in an isolated network segment. A stand-alone CA is the starting point of certificate issuance in an organization and therefore must be protected from unauthorized personnel.

In this exercise, you will install and configure a stand-alone CA on one of the servers in
the existing Active Directory domain called PRACTICELABS.COM.

Please refer to your course material or use your preferred search engine to research
this topic in more detail.

Task 1 - Add AD Certificate Services and Certificate Web Enrollment

In this task, you will add the Windows feature called Active Directory Certificate
Services and Certificate Web Enrollment using Windows PowerShell.

Step 1
Ensure that you have powered on the required devices indicated in the Introduction of
this lab.

Connect to PLABDM01.

On the Server Manager > Dashboard window, click on the Tools menu and select
Windows PowerShell.

Step 2
Windows PowerShell commands are not case sensitive.

In the Windows PowerShell window, to add the Active Directory Certificate Services feature, type the following command:

Add-WindowsFeature -Name ADCS-Cert-Authority,ADCS-Web-Enrollment -IncludeManagementTools

Press Enter.

Figure 1.1 Screenshot of PLABDM01: A command is entered in Windows PowerShell to install Active Directory Certificate Services.

Step 3
Please wait while installation is in progress. This will take a few minutes.

Step 4
Windows PowerShell confirms the successful installation of the Active Directory
Certificate Services.

Keep Windows PowerShell window open.

Figure 1.2 Screenshot of PLABDM01: The results of the Windows PowerShell command indicate a successful installation.

Task 2 - Install Stand-alone Root CA

In the earlier task, you simply added the AD Certificate Services role. This alone does not make the Certification Authority functional: it is not yet able to issue certificates to requesting computers or users.

The CA service must first be configured with its system settings, such as encryption strength or key length, the CA name and the validity period of issued certificates, before it can issue certificates to requesting users, computers or services.

To install a stand-alone CA server, perform the following steps:

Step 1
On the PLABDM01 server, the Windows PowerShell window is open.

Please note that you can install the Stand-alone CA with default system settings. In the
next command, you will configure the Stand-alone CA with specific system settings.

To install AD Certification Authority as a stand-alone CA with a key length of 4096 bits, using the common name PLABDM01-RootCA and a validity period of 10 years, type the following command:

Install-AdcsCertificationAuthority -CAType StandaloneRootCA -KeyLength 4096 -CACommonName PLABDM01-RootCA -ValidityPeriod Years -ValidityPeriodUnits 10

Press Enter.

On the next prompt, to accept the default settings, type:

Press Enter.

Figure 1.3 Screenshot of PLABDM01: Windows PowerShell displays the installation of Certificate Authority.

Step 2
The installation of AD Certification Authority is successfully confirmed with ErrorId
of “0.”

Figure 1.4 Screenshot of PLABDM01: The results of the Windows PowerShell command indicate a successful installation.

Step 3
In the next prompt, to configure AD Certificate Web Enrollment, type the following command:

Install-AdcsWebEnrollment

Press Enter.

On the next prompt, type:

Press Enter.

Figure 1.5 Screenshot of PLABDM01: The Windows PowerShell command indicates a screen prompt to confirm the installation.

Step 4
When the ErrorId indicates a value of “0”, minimize the Windows PowerShell window.

Figure 1.6 Screenshot of PLABDM01: Windows PowerShell displays a successful installation of Certificate Authority.

Step 5
To verify that AD CS is working, in the Server Manager > Dashboard window,
click on Tools menu and select Certification Authority.

Step 6
In the Certification Authority window, expand PLABDM01-RootCA node.

Notice that a number of folders related to certificate administration are displayed.

Keep Certification Authority window open.

Figure 1.7 Screenshot of PLABDM01: Windows PowerShell displays the successful installation of Certificate Authority.

Task 3 - Configure CRL and AIA

Active Directory Certificate Services (AD CS) keeps track of all certificates issued to users, computers or network services. If an issued certificate is compromised for any reason, the AD CS administrator has the authority to cancel or revoke the certificate to prevent unauthorized access to corporate assets.

When a certificate is cancelled, AD CS lists the cancelled/revoked certificates in a Certificate Revocation List or CRL.

A Certificate Revocation List (CRL) is a list of certificates that have been revoked or canceled due to security-related issues identified by the Certification Authority administrator. The client retrieves the CRL and caches it for a limited period of time. The CRL is used to look up revoked certificates and verify whether a certificate can still be used in a variety of network applications.

The Authority Information Access (AIA) extension consists of Uniform Resource Locators (URLs) added to a certificate. These URLs can be used by a network service or application to retrieve the certificate of the CA that issued the certificate. Once the issuing CA is verified, the AIA information is used to validate the certificate signature and build a path to the trusted root certificate.

To set up CRL and AIA, perform the following steps:

Step 1
On PLABDM01 server, the Certification Authority console window is open.

Right-click PLABDM01-RootCA and select Properties.

Figure 1.8 Screenshot of PLABDM01: The Certificate Authority console window is displayed.

Step 2
In the PLABDM01-RootCA Properties dialog box, click the Extensions tab.

Step 3
Under the Extensions tab, observe the Select extension drop-down list and verify that it is set to CRL Distribution Point (CDP).

Then click Add.

Figure 1.9 Screenshot of PLABDM01: The PRACTICELABS-PLABDM01-CA Properties dialog box is displayed.

Step 4
In the Add Location dialog box, click in the Location text box and type:

http://plabdm01.practicelabs.com/certdata/

Access the Variable drop-down list and verify that it is set to <CaName>.

Then click Insert.

Figure 1.10 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 5
The Location text box will now display:

http://plabdm01.practicelabs.com/certdata/<CaName>

Figure 1.11 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 6
In the Add Location dialog box, access the Variable drop-down list and change it to <DeltaCRLAllowed>.

Then click Insert.

Figure 1.12 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 7
The Location text box will now display:

http://plabdm01.practicelabs.com/certdata/<CaName><DeltaCRLAllowed>

Figure 1.13 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 8
Place the cursor or insertion point at the end of the Location string and type:

.crl

The Location text box will now display:

http://plabdm01.practicelabs.com/certdata/<CaName><DeltaCRLAllowed>.crl

Click OK.

Figure 1.14 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 9
You are directed back to PLABDM01-RootCA Properties dialog box.

With the new Location just added, enable the following check boxes:

Include in CRLs. Clients use this to find Delta CRL locations
Include in the CDP extension of issued certificates

Click Apply.

Figure 1.15 Screenshot of PLABDM01: The PLABDM01-RootCA dialog box is displayed.

Step 10
In the Certification Authority message box, click No as you will need to set the AIA
properties of the stand-alone CA.

Figure 1.16 Screenshot of PLABDM01: The Certification Authority message box is displayed.

Step 11
In the PLABDM01-RootCA Properties dialog box, ensure that you are in
Extensions tab.

Under the Extensions tab, go to the Select extension drop-down list and change it to Authority Information Access (AIA).

Then click Add.

Figure 1.17 Screenshot of PLABDM01: The PRACTICELABS-PLABDM01-CA Properties dialog box is displayed.

Step 12
In the Add Location dialog box, click in the Location text box and type:

http://plabdm01.practicelabs.com/certdata/

Verify that the Variable drop-down list is set to <ServerDNSName> and then click
Insert.

Figure 1.18 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 13
Still in the Add Location dialog box, in the Location text box, ensure that the cursor
is at the end of the string and type an underscore.

The Location field should now look like:

http://plabdm01.practicelabs.com/certdata/<ServerDNSName>_

Figure 1.19 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 14
Still in the Add Location dialog box, access the Variable drop-down list and select
<CaName> and click Insert.

Figure 1.20 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 15
The Location string now looks like:

http://plabdm01.practicelabs.com/certdata/<ServerDNSName>_<CaName>

Figure 1.21 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 16
In the Add Location dialog box, access the Variable drop-down list and set it to
<CertificateName> then click Insert.

Figure 1.22 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 17
The Location string now looks like:

http://plabdm01.practicelabs.com/certdata/<ServerDNSName>_<CaName><CertificateName>

Figure 1.23 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 18
In the Location text box, place the cursor or insertion point at the end of the
generated string.

Then type:

.crt

Click OK.

Figure 1.24 Screenshot of PLABDM01: The Add Location dialog box is displayed.

Step 19
In the PLABDM01-RootCA Properties dialog box, enable Include in the AIA
extension of issued certificates check box.

Click OK.

Figure 1.25 Screenshot of PLABDM01: The PRACTICELABS-PLABDM01-CA Properties dialog box is displayed.

Step 20
Click Yes in the Certification Authority message box.

Please wait while Certificate Services is restarting.

Step 21
Back in the Certification Authority console window, right-click Revoked Certificates
folder and point to All Tasks then select Publish.

Figure 1.26 Screenshot of PLABDM01: The Certification Authority console window is displayed.

Step 22
In the Publish CRL dialog box, the New CRL option is selected.

Click OK.

Minimize Certification Authority console window.

Figure 1.27 Screenshot of PLABDM01: The Publish CRL message box is displayed.

Keep the devices you have powered on in their current state and proceed to the
next exercise.

Exercise 2 - Configure an Enterprise Subordinate CA

For corporate networks with restrictive security policies, the separation of roles of the
root CA and issuing CA can be achieved by deploying subordinate CAs. The root CA is
typically taken offline and is not accessible from the external network.

Under the stand-alone root CA server, an enterprise subordinate CA server is usually configured. Initially, the enterprise subordinate CA generates a certificate request file (.req) which is later submitted to the stand-alone root CA for approval. Upon approval of the certificate request, the certificate is manually added to the subordinate CA.

The relationship between a stand-alone root CA and an enterprise subordinate CA, when successfully established, is considered a two-tier CA hierarchy. The stand-alone root CA grants the enterprise subordinate CA the authority to issue certificates to requesting clients within the internal network or the Internet.

Please refer to your course material or use your preferred search engine to research
this topic in more detail.

Task 1 - Install an Enterprise Subordinate CA

Most Windows features can be installed either using Server Manager or Windows
PowerShell.

In this task, you will install an enterprise subordinate CA using Windows PowerShell.

Step 1
Connect to PLABSA01.

When signed-on, Server Manager > Dashboard window opens.

Click Tools menu and select Windows PowerShell.

Figure 2.1 Screenshot of PLABSA01: Server Manager Dashboard window is displayed and Windows PowerShell is selected.

Step 2
A local user named PLABSA01\Administrator is logged on to PLABSA01.

You need to launch Windows PowerShell within the context of PRACTICELABS\administrator to be able to install Certification Authority on the target server.

In the Windows PowerShell window, type:

runas /user:practicelabs\administrator powershell.exe

Press Enter.

When asked for a password, type:

Passw0rd

Press Enter.

Figure 2.2 Screenshot of PLABSA01: A command is entered to launch Windows PowerShell as practicelabs\administrator.

Step 3
A new Windows PowerShell window opens. Notice the title bar indicates “(running as practicelabs\administrator).”

In the Windows PowerShell window, to add the Active Directory Certificate Services feature, type the following command:

Add-WindowsFeature -Name ADCS-Cert-Authority,ADCS-Web-Enrollment -IncludeManagementTools

Press Enter.

Figure 2.3 Screenshot of PLABSA01: A command is entered in Windows PowerShell to install Active Directory Certificate Services and other components.

Step 4
Please wait while installation of the feature is in progress.

This process will take a few minutes.

Step 5
Windows PowerShell will confirm a successful installation of the AD Certification
Authority.

Keep Windows PowerShell window open.

Figure 2.4 Screenshot of PLABSA01: Windows PowerShell confirms the successful installation of Active Directory Certificate Services and other components.

Step 6
On the next prompt, to install AD Certificate Services as an enterprise subordinate CA, type:

Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName PLABSA01-IssueCA

Press Enter.

On the next prompt, type:

Press Enter.

Figure 2.5 Screenshot of PLABSA01: Windows PowerShell prompts to continue with the installation of AD Certificate Services.

Step 7
Since PLABSA01 is trying to contact a machine that is not a member of the domain,
you will receive a warning that the Active Directory Certificate Services installation is
incomplete.

Please take note of the WARNING message that will be required in a later step to
complete the Active Directory Certificate Services setup.

Minimize the Administrator: powershell.exe (running as practicelabs\administrator) window.

Close the other PowerShell window, called Administrator: Windows PowerShell.

Figure 2.6 Screenshot of PLABSA01: Windows PowerShell indicates the installation of Active Directory Certificate Services is incomplete.

Task 2 - Process certificate request file

In the earlier task, the installation of the subordinate CA failed as it requires the
processing of a request file that must first be submitted to the root CA.

To process the generated certificate request file, perform the following steps:

Step 1
On PLABSA01, click File Explorer on the taskbar.

Step 2
In the File Explorer window, under This PC node click Local Disk C drive.

Observe the details pane at the right displaying the contents of C drive.

Right-click the request file called PLABSA01.PRACTICELABS.COM_PLABSA01-IssueCA.req and select Open with.

Figure 2.7 Screenshot of PLABSA01: In File Explorer window, the certificate request file is about to be opened with an application.

Step 3
In the message box that appears, click Try an app on this PC web link.

Step 4
In the “How do you want to open this file?” dialog box, click Notepad.

Select OK.

Figure 2.8 Screenshot of PLABSA01: In the How do you want to open this file
dialog box, Notepad application is selected.

Step 5
The request file opens.

To select all the contents of the requested file, press Ctrl+A.

Note: Similarly, you can click Edit menu and choose Select All.

Then press Ctrl+C.

Note: Similarly, you can click Edit menu and choose Copy.

If you are using the HTML5 client to connect to the lab, a small clipboard window will appear at the top right corner of the screen.

Click [x] to close the clipboard.

Minimize Notepad window and close File Explorer.

Figure 2.9 Screenshot of PLABSA01: The certificate request file is open and
the signature is selected.

Step 6
In the next few steps, you will use the contents of the request file to request a certificate from the stand-alone root CA.

In PLABSA01, click Internet Explorer on the taskbar.

Step 7
When Internet Explorer opens, the Setup Internet Explorer 11 message box appears. Select the Use recommended settings and compatibility settings option.

Click OK.

Step 8
The Tools and resources intranet web page opens.

Click in the address bar and type:

http://plabdm01/certsrv

Press Enter.

Figure 2.10 Screenshot of PLABSA01: The Internet Explorer window is open and an address to the certificate authority server is entered.

Step 9
In the Microsoft Active Directory Certificate Services - PLABDM01-RootCA,
Welcome page, click Request a certificate web link.

Figure 2.11 Screenshot of PLABSA01: The Microsoft Active Directory Certificate Services - PLABDM01-RootCA web page is displayed.

Step 10
In the Request a certificate page, click advanced certificate request web link.

Figure 2.12 Screenshot of PLABSA01: The Microsoft Active Directory Certificate Services - PLABDM01-RootCA page now displays the Request a Certificate page.

Step 11
In the Advanced Certificate Request page, click Submit a certificate request
by using a base 64-encoded CMC or PKCS #10 file, or submit a renewal
request by using a base-64-encoded PKCS #7 file web link.

Figure 2.13 Screenshot of PLABSA01: The Microsoft Active Directory Certificate Services - PLABDM01-RootCA page now displays the Advanced Certificate Request page.

Step 12
In the Submit a Certificate Request or Renewal Request page, click under the
Saved Request text box.

Press Ctrl+V to paste the block of text you copied earlier.

Note: Similarly, you can right-click on the empty text box and select Paste.

After pasting the block of text, click Submit.

Figure 2.14 Screenshot of PLABSA01: The Microsoft Active Directory Certificate Services - PLABDM01-RootCA page now displays the Submit a Certificate Renewal Request page.

Step 13
A Certificate Pending request is displayed.

However, you don’t have to wait for x number of days to get the certificate.

Close the Internet Explorer window.

Figure 2.15 Screenshot of PLABSA01: The Microsoft Active Directory Certificate Services - PLABDM01-RootCA page now displays the Certificate Pending page.

Task 3 - Approve and export the certificate

After processing the certificate request file in the previous task, you will now go to the
root CA to approve and export the issued certificate.

Step 1
Connect to PLABDM01.

In the Server Manager > Dashboard window, click Tools menu and select
Certification Authority.

Step 2
In the Certification Authority window, click Pending Requests folder.

In the details pane on the right, right-click the pending certificate and point to All
Tasks and select Issue.

Figure 2.16 Screenshot of PLABDM01: The Certification Authority console window is displayed.

Step 3
Now that the certificate has been issued, the next step is to export this issued
certificate to a file.

Click Issued Certificates folder.

Right-click the issued certificate and select Open.

Figure 2.17 Screenshot of PLABDM01: The Certification Authority console window is displayed.

Step 4
In the Certificate dialog box, select Details tab.

Step 5
In the Details tab, ensure that Show section indicates <All>.

Then click Copy to File…

Figure 2.18 Screenshot of PLABDM01: The Certification dialog box is displayed.

Step 6
In the Welcome to the Certificate Export Wizard page, click Next.

Step 7
In the Export File Format page, select Cryptographic Message Syntax
Standard - PKCS #7 Certificates (.P7B) option button.

Enable Include all certificates in the certification path if possible check box.

Click Next.

Figure 2.19 Screenshot of PLABDM01: The Certification Export Wizard, Export File Format page is displayed.

Step 8
In the File to Export page, in the provided text box, type:

C:\PLABSA01-CA

Click Next.

Figure 2.20 Screenshot of PLABDM01: The Certification Export Wizard, Export, File to Export page is displayed.

Step 9
In the Completing the Certificate Export Wizard page, click Finish.

Click OK when the export is successfully completed.

Similarly, click OK to close Certificate dialog box.

Minimize Certification Authority window.

Figure 2.21 Screenshot of PLABDM01: The Certification Export Wizard, Export, Completing the Certificate Export Wizard page is displayed.

Task 4 - Verify functionality of Enterprise Subordinate CA

To verify the functionality of the enterprise subordinate CA, perform the following
steps:

Step 1
Connect to PLABSA01.

Restore Server Manager > Dashboard window from taskbar if not yet open.

Click Tools menu and select Certificate Authority.

Step 2
In the Certification Authority console window, expand the PLABSA01-IssueCA node.

Then right-click PLABSA01-IssueCA and point to All Tasks and select Start
service.

Figure 2.22 Screenshot of PLABSA01: The Certification Export Wizard, Export, Completing the Certificate Export Wizard page is displayed.

Step 3
In the Microsoft Active Directory Certificate services message box, click Yes to
install this certificate.

Figure 2.23 Screenshot of PLABSA01: The Certification Export Wizard, Export, Completing the Certificate Export Wizard page is displayed.

Step 4
In the Select to complete the CA installation dialog box, click in the File name
text box.

Then type the following network path:

\\plabdm01\c$\PLABSA01-CA.p7b

Click Open.

Figure 2.24 Screenshot of PLABSA01: The Select file to complete CA installation dialog box is displayed.

Step 5
If the Microsoft Active Directory Services message box indicating the certificate
chain cannot be verified is displayed, click OK.

Figure 2.25 Screenshot of PLABSA01: The Microsoft Active Directory Certificate Services message box is displayed.

Step 6
Please wait while Certificate Services is being started on PLABSA01-IssueCA.

Notice that after a few seconds, the green tick/check mark appears which indicates
that PLABSA01-IssueCA is now functional.

Expand the PLABSA01-IssueCA node to view the subfolders.

Keep the Certification Authority console window open.


Figure 2.26 Screenshot of PLABSA01: The Certification Authority console window is displayed.

Task 5 - Export root CA certificate to a file

In this task, you will export the root CA certificate to a file. The exported certificate will
be used to publish the root CA certificate using GPO.

To export the root CA certificate to a file, perform the following steps:

Step 1
Connect to PLABDM01.

Restore Certification Authority window from the taskbar.

Step 2


Right-click PLABDM01-RootCA and select Properties.

Figure 2.27 Screenshot of PLABDM01: The Certification Authority console window is displayed.

Step 3
In the PLABDM01-RootCA Properties dialog box, click View Certificate.


Figure 2.28 Screenshot of PLABDM01: The PRACTICELABS-PLABDM01-CA Properties dialog box is displayed.

Step 4
In the Certificate dialog box, click the Details tab.

Step 5
Under the Details tab, click Copy to File.


Figure 2.29 Screenshot of PLABDM01: The Certificate dialog box is displayed.

Step 6
In the Welcome to the Certificate Export Wizard page, click Next.

Step 7
In the Export File Format page, the DER encoded binary X.509 (.CER) is
selected.

Click Next.


Figure 2.30 Screenshot of PLABDM01: The Export File Format page is displayed.

Step 8
In the File to Export page, in the File name text box, type:

C:\plabdm01-rootCA

Click Next.


Figure 2.31 Screenshot of PLABDM01: The Certificate Export Wizard, File to Export page is displayed.

Step 9
In the Completing the Certificate Export Wizard page, click Finish.

Click OK when prompted that the export was successful.

Click OK to close the Certificate dialog box.

Similarly, click OK in the PLABDM01-RootCA Properties dialog box.

Minimize Certification Authority console window.


Figure 2.32 Screenshot of PLABDM01: The Certificate Export Wizard, Completing the Certificate Export Wizard page is displayed.

Task 6 - Publish root CA certificate in Group Policy

To publish the root CA certificate in GPO, perform the following steps:

Step 1
Connect to PLABDC01.

In the Server Manager > Dashboard window, click the Tools menu and select Group
Policy Management.

Step 2
In the Group Policy Management console, expand Forest:
PRACTICELABS.COM > Domains > PRACTICELABS.COM.

Click Default Domain Policy.

Note: If the Group Policy Management Console message box appears, select the Do
not show the message again check box and click OK.

Right-click Default Domain Policy and select Edit.

Figure 2.33 Screenshot of PLABDC01: The Group Policy Management console is displayed.

Step 3
In the Group Policy Management Editor window, expand Computer
Configuration > Policies > Windows Settings > Security Settings > Public
Key Policies.


Click Trusted Root Certification Authorities.

Then right-click on Trusted Root Certification Authorities and select Import.

Figure 2.34 Screenshot of PLABDC01: The Group Policy Management Editor window is displayed.

Step 4
In the Welcome to the Certificate Import Wizard page, click Next.

Step 5
In the File to Import page, in the File name text box, type:


\\plabdm01\c$\plabdm01-rootCA.cer

Click Next.

Figure 2.35 Screenshot of PLABDC01: The Certificate Import Wizard, File to Import page is displayed.

Step 6
In the Certificate Store page, the location of the store is automatically filled in for
you.

Click Next.


Figure 2.36 Screenshot of PLABDC01: The Certificate Import Wizard, Certificate Store page is displayed.

Step 7
In the Completing the Certificate Import Wizard page, click Finish.


Figure 2.37 Screenshot of PLABDC01: The Certificate Import Wizard, Completing the Certificate Import Wizard page is displayed.

Step 8
You will be directed back to the Group Policy Management Editor window.

Note: There will be a momentary pause as the certificate is being imported.

Click OK when notified that the certificate import was successful.


Figure 2.38 Screenshot of PLABDC01: The Group Policy Management Editor window is displayed indicating the successful import of a certificate.

Step 9
The PLABDM01-rootCA certificate is now in the Trusted Root Certification
Authorities folder.

Close the Group Policy Management Editor and the Group Policy
Management console.


Figure 2.39 Screenshot of PLABDC01: The Group Policy Management Editor window is displayed with the new certificate.
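Added PowerShell check (not part of the Practice Labs module) for the end state of Tasks 4 and 6, run from any domain-joined machine after gpupdate /force: it confirms that the root CA certificate published through Default Domain Policy sits in the machine's Trusted Root store and that the PLABSA01-IssueCA certificate chains up to it. The CA names and the p7b path come from the lab; the script assumes that file is still at that UNC path.

```powershell
# Added verification script (not part of the Practice Labs module). Run on a
# domain-joined machine after 'gpupdate /force' to confirm the root CA published
# via GPO in Task 6 is trusted and that PLABSA01-IssueCA (Task 4) chains to it.
# Assumption: the PKCS#7 file exported in Task 4 is still at the UNC path below.
param(
    [string]$RootCaName    = 'PLABDM01-RootCA',
    [string]$IssuingCaFile = '\\plabdm01\c$\PLABSA01-CA.p7b'
)

# Build the chain for a certificate under a given revocation mode and summarise it.
function Test-CaChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $builds = $chain.Build($Certificate)
    $top = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else { '(no chain elements)' }
    [pscustomobject]@{
        RevocationMode = $RevocationMode
        Builds         = $builds
        ChainLength    = $chain.ChainElements.Count
        TopOfChain     = $top
        Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# 1. The GPO import should have placed the root CA certificate in the machine's
#    Trusted Root store; if it is missing, the policy has not applied yet.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match "CN=$RootCaName" } | Select-Object -First 1
if (-not $root) {
    Write-Warning "$RootCaName not found in Cert:\LocalMachine\Root; check 'gpresult /r' and retry."
    return
}
"Root CA trusted: $($root.Subject) [thumbprint $($root.Thumbprint)]"

# 2. Load the issuing CA certificate from the PKCS#7 bundle exported in Task 4.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($IssuingCaFile)
$issuing = $bundle | Where-Object { $_.Subject -match 'CN=PLABSA01-IssueCA' } | Select-Object -First 1
if (-not $issuing) { throw "No PLABSA01-IssueCA certificate found in $IssuingCaFile" }

# 3. NoCheck answers "is the root trusted?"; Online additionally needs the offline
#    root's CRL to be reachable at its CDP (the Task 4 "chain cannot be verified" case).
Test-CaChain -Certificate $issuing -RevocationMode NoCheck
Test-CaChain -Certificate $issuing -RevocationMode Online
```

If the NoCheck chain builds but the Online one reports RevocationStatusUnknown or OfflineRevocation, trust is in place and the remaining problem is that the offline root's CRL is not reachable at its CDP, the same condition behind the chain-verification message in Task 4.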

Result - You have completed the essential tasks to install an offline root CA and an
enterprise subordinate CA.

Shut down all virtual machines used in this lab by using the power functions
located in the Tools bar before proceeding to the next module. Alternatively, you
can log out of the lab platform.

Summary
In this module, you covered the following topics:

Deploy Stand-alone CA


Configure an Enterprise Subordinate CA
