SCCM Training–Part 3

Followed this guide and built an Azure Dev Test Lab – https://www.verboon.info/2017/02/deploying-configmgr-current-branch-in-azure-dev-test-lab/

Another great link for lab environments: https://technet.microsoft.com/en-us/windows/mt604890.aspx

Good link from Brian Mason on OCSP! Do it!!

https://arstechnica.com/information-technology/2017/07/https-certificate-revocation-is-broken-and-its-time-for-some-new-tools/

Save this link for the rest of your life!!! Perfect step by step on setting up a two-tier PKI environment and OCSP.

I would provide more notes, but honestly the link has it all.

https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

The one thing I would change is the CAPolicy.inf files the guide references.

The Offline RootCA's CAPolicy.inf should look like this:

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
AlternateSignatureAlgorithm=0

The other settings they have in the guide are meant more for an internet-facing PKI, which you are not building.

I would install the Offline RootCA as follows:

On the offline root machine install ADCS – Certificate Authority

Standalone CA

Root CA

Configure new Private Key

RSA#Microsoft Software Key Storage Provider

SHA2

Key length 4096

Name of CA: azEmptyGardenRootCA

Validity period: 20 Years

Database location: default

RootCA Post Installation

Certutil -setreg CA\DSConfigDN "CN=Configuration,DC=azEmptyGarden,DC=BTLS"

Certutil -setreg CA\CRLPeriodUnits 6

Certutil -setreg CA\CRLPeriod "Months"

Certutil -setreg CA\CRLDeltaPeriodUnits 0

Certutil -setreg CA\CRLOverlapPeriodUnits 12

Certutil -setreg CA\CRLOverlapPeriod "Hours"

Certutil -setreg CA\ValidityPeriodUnits 20

Certutil -setreg CA\ValidityPeriod "Years"

NOTE: The CRLPeriod of 6 months means the Offline RootCA needs to be booted up at least once every six months to publish a new CRL and copy it to the SubordinateCA. If the root CRL is allowed to expire, revocation checking against the whole chain fails.
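The Offline RootCA steps above (role install, the wizard choices, and the post-installation certutil settings) as one PowerShell script, with a read-back check at the end so you confirm what the CA actually uses instead of trusting the wizard. This is an added example, not code from the original post or the TechNet guide. It assumes it runs in an elevated PowerShell on the offline root before the CA role is configured, and it picks SHA256 as the SHA-2 hash (the post says only "SHA2"); the CA name and DSConfigDN are the post's own values.

```powershell
# Added example (not from the original post or the TechNet guide): the Offline
# RootCA build above as one script. Run in an elevated PowerShell on the offline
# root before the CA role is configured. Assumption: SHA256 as the SHA-2 hash.
$ErrorActionPreference = 'Stop'
$CaName     = 'azEmptyGardenRootCA'                          # from the post
$DsConfigDN = 'CN=Configuration,DC=azEmptyGarden,DC=BTLS'    # from the post

# 1. CAPolicy.inf is read from %windir% when the CA is configured (and again at
#    renewal), so it must be in place before Install-AdcsCertificationAuthority.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
AlternateSignatureAlgorithm=0
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding Ascii

# 2. Role and configuration, mirroring the wizard choices above:
#    Standalone, Root, new RSA 4096 key in the software KSP, 20-year validity.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType             StandaloneRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength          4096 `
    -HashAlgorithmName  SHA256 `
    -CACommonName       $CaName `
    -ValidityPeriod     Years -ValidityPeriodUnits 20 `
    -Force

# 3. Post-installation settings (the certutil -setreg list above). They live under
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name> and
#    only take effect once CertSvc restarts.
$settings = [ordered]@{
    'CA\DSConfigDN'            = $DsConfigDN
    'CA\CRLPeriodUnits'        = 6
    'CA\CRLPeriod'             = 'Months'
    'CA\CRLDeltaPeriodUnits'   = 0        # no delta CRLs from an offline root
    'CA\CRLOverlapPeriodUnits' = 12
    'CA\CRLOverlapPeriod'      = 'Hours'
    'CA\ValidityPeriodUnits'   = 20       # max lifetime of certs this CA issues
    'CA\ValidityPeriod'        = 'Years'
}
foreach ($name in $settings.Keys) {
    & certutil.exe -setreg $name $settings[$name] | Out-Null
}
Restart-Service CertSvc
& certutil.exe -crl | Out-Null           # publish a CRL under the new period

# 4. Read back what the CA will actually use.
$cfg  = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CaName*" } | Select-Object -First 1
[pscustomobject]@{
    KeySize        = $cert.PublicKey.Key.KeySize                                           # expect 4096
    SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName                                 # expect sha256RSA
    CertLifeYears  = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25)  # expect 20
    CRLPeriod      = "$($cfg.CRLPeriodUnits) $($cfg.CRLPeriod)"                            # expect "6 Months"
    CRLOverlap     = "$($cfg.CRLOverlapPeriodUnits) $($cfg.CRLOverlapPeriod)"              # expect "12 Hours"
    IssuedValidity = "$($cfg.ValidityPeriodUnits) $($cfg.ValidityPeriod)"                  # expect "20 Years"
    DSConfigDN     = $cfg.DSConfigDN
}
```

The final object is the thing to keep from the build: if KeySize, SignatureAlg or CRLPeriod do not match the values above, the wizard or CAPolicy.inf was not applied the way you intended, and it is far cheaper to redo the root now than after the Subordinate CA has been issued from it.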

Subordinate CA – CAPolicy.inf file

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0

Subordinate CA install

Install ADCS – This will be the Subordinate CA

Certification Authority only

Configure the Certification Authority

Enterprise CA

Subordinate CA

Create a new private key

Key length: 4096

Name of CA: azEmptyGardenIssuingCA
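The NOTE in the RootCA section makes the root CRL's expiry an operational risk on the Subordinate CA: once the published CRL passes its NextUpdate, revocation checks against the chain fail. The following added example (not from the original post) reads ThisUpdate and NextUpdate directly out of the DER-encoded root CRL that has been copied to the Subordinate CA and warns when it is time to boot the offline root again. The CRL path (the default CertEnroll folder) and the 14-day lead time are assumptions; the DER walk follows the RFC 5280 CertificateList layout.

```powershell
# Added example, not from the original post: warn before the offline root's CRL
# reaches NextUpdate. Run it (for instance as a scheduled task) on the Subordinate
# CA, where the root CRL is copied to. Path and lead time are assumptions.
param(
    [string]$CrlPath = "$env:windir\System32\CertSrv\CertEnroll\azEmptyGardenRootCA.crl",
    [int]$WarnDays   = 14
)

# Read one DER TLV (tag, length, value) starting at $Offset. Handles short- and
# long-form lengths, which is all a CRL needs.
function Read-DerTlv {
    param([byte[]]$Bytes, [int]$Offset)
    $tag = [int]$Bytes[$Offset]
    $len = [int]$Bytes[$Offset + 1]
    $hdr = 2
    if ($len -band 0x80) {                       # long form: low 7 bits = number of length bytes
        $n   = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len * 256) + $Bytes[$Offset + 2 + $i] }
        $hdr = 2 + $n
    }
    [pscustomobject]@{ Tag = $tag; ContentOffset = $Offset + $hdr; Length = $len; End = $Offset + $hdr + $len }
}

# Decode an X.509 Time: UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime
# (tag 0x18, YYYYMMDDHHMMSSZ). Both are UTC.
function Convert-DerTime {
    param([byte[]]$Bytes, $Tlv)
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes, $Tlv.ContentOffset, $Tlv.Length)
    $fmt  = switch ($Tlv.Tag) {
        0x17    { "yyMMddHHmmss'Z'" }
        0x18    { "yyyyMMddHHmmss'Z'" }
        default { throw ("Expected a Time tag, got 0x{0:X2}" -f $Tlv.Tag) }
    }
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor `
              [System.Globalization.DateTimeStyles]::AdjustToUniversal
    [datetime]::ParseExact($text, $fmt, [cultureinfo]::InvariantCulture, $styles)
}

# Walk CertificateList -> tbsCertList -> [version] signature issuer thisUpdate nextUpdate.
function Get-CrlUpdateTimes {
    param([string]$Path)
    $b    = [System.IO.File]::ReadAllBytes($Path)
    $list = Read-DerTlv $b 0                       # CertificateList SEQUENCE
    $tbs  = Read-DerTlv $b $list.ContentOffset     # tbsCertList SEQUENCE
    $t    = Read-DerTlv $b $tbs.ContentOffset
    if ($t.Tag -eq 0x02) { $t = Read-DerTlv $b $t.End }   # optional version INTEGER -> signature
    $t       = Read-DerTlv $b $t.End               # skip signature AlgorithmIdentifier -> issuer
    $thisUpd = Read-DerTlv $b $t.End               # thisUpdate
    $nextUpd = Read-DerTlv $b $thisUpd.End         # nextUpdate (optional in RFC 5280, always set by AD CS)
    if ($nextUpd.Tag -ne 0x17 -and $nextUpd.Tag -ne 0x18) { throw "CRL has no NextUpdate field" }
    [pscustomobject]@{
        ThisUpdate = Convert-DerTime $b $thisUpd
        NextUpdate = Convert-DerTime $b $nextUpd
    }
}

$times     = Get-CrlUpdateTimes -Path $CrlPath
$remaining = $times.NextUpdate - [datetime]::UtcNow
"{0}: ThisUpdate={1:u} NextUpdate={2:u} ({3:N1} days left)" -f (Split-Path $CrlPath -Leaf),
    $times.ThisUpdate, $times.NextUpdate, $remaining.TotalDays

if ($remaining.TotalDays -lt $WarnDays) {
    Write-Warning "Root CRL reaches NextUpdate in under $WarnDays days: boot the offline root, run 'certutil -crl', and copy the new .crl to the Subordinate CA."
    exit 1
}
```

Parsing the DER directly avoids the locale-dependent date strings that certutil -dump prints, so the same script behaves identically on any server. The non-zero exit code is what a scheduled task or monitoring agent should alert on.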
