In this post, I will show you how to install a Subordinate CA where an Enterprise ROOT-CA is already available in the domain. Installing a Subordinate CA under a ROOT-CA is called a 2-Tier PKI infrastructure. Many organizations use the 2-tier method to avoid unexpected downtime caused by server failures, threats and vulnerabilities.
The ROOT-CA, or Offline CA, is kept off the production network in an isolated network to avoid misuse of the Certificate Services.
The Subordinate CA, or issuing CA, is used to issue certificates to computers, users and websites.
This post covers how to install the Subordinate CA. Please refer to the article to learn how to install the ROOT-CA.
Install the Certificate Services role from Server Manager and Click on Configure Active Directory Certificate Services on the destination server
Select the Enterprise account of the domain that is allowed to install the Certificate Services and Click on Next
Select Certificate Authority and Click on Next
Select Enterprise CA and Click on Next
Select Subordinate CA and Click on Next
Select Create a new private key and Click on Next
Click on Next after selecting the Cryptographic Options
Give the Name for the CA and Click on Next
The majority of CA administrators keep the ROOT-CA servers offline or in an isolated network, hence generate the request file and save it on the local system
Select the Database Location and Log Location paths and Click on Next
Click on Configure
Now the CA is ready to configure. We need to take that request file to the ROOT-CA server and get the certificate. Click on Close.
Copy the request file from the saved path to the ROOT-CA server manually.
Log in to the ROOT-CA --> Right click on ROOT-CA --> All Tasks --> Submit new request
Select the Request file and click on Open
Once the request is submitted, you will be prompted to save the certificate. Save it in the shared path so it can be taken to the Subordinate CA server.
Now, Click on Certificate Authority on the Subordinate CA server
Click on Install CA Certificate
Select the Certificate from the Shared path and click on Open
Click on Start Service
Click on Properties once the service has started successfully.
You can see that the certificate is installed and the Subordinate CA is ready to issue certificates.
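
The same procedure scripted in PowerShell, with a check that the returned certificate really is a CA certificate for this server before it is installed. This is an added example, not part of the original walkthrough. The CA name, the `C:\CAExchange` folder, the `ROOTSRV\ROOT-CA` config string and the key length and hash values are assumed placeholders, and it assumes the root CA issues the request immediately rather than leaving it pending.

```powershell
# Hypothetical names and paths: replace with your own values.
$CaName   = 'Example-Issuing-CA'
$Exchange = 'C:\CAExchange'                      # folder carried to and from the root CA
$ReqFile  = Join-Path $Exchange 'subca.req'
$CertFile = Join-Path $Exchange 'subca.cer'

# --- On the Subordinate CA server: install the role and generate the request ---
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCa `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile $ReqFile `
    -Force

# Review the request (subject, key size, extensions) before it leaves the server.
certutil -dump $ReqFile

# --- On the ROOT-CA server: submit the copied request and save the certificate ---
certreq -submit -config 'ROOTSRV\ROOT-CA' $ReqFile $CertFile

# --- Back on the Subordinate CA server: validate, install, start ---
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile

# The certificate must carry Basic Constraints with CA=TRUE.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Returned certificate is not a CA certificate: $($cert.Subject)"
}

# The subject must be the CA name that was requested.
if ($cert.Subject -notmatch "CN=$([regex]::Escape($CaName))") {
    throw "Unexpected subject '$($cert.Subject)', expected CN=$CaName"
}

certutil -installcert $CertFile
Start-Service -Name CertSvc
Get-Service -Name CertSvc                        # Status should be Running
```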