Followed this guide and built an Azure Dev Test Lab – https://www.verboon.info/2017/02/deploying-configmgr-current-branch-in-azure-dev-test-lab/
Another great link for lab environments: https://technet.microsoft.com/en-us/windows/mt604890.aspx
Good link from Brian Mason on OCSP! Do it!!
Save this link for the rest of your life!!! Perfect step-by-step on setting up a two-tier PKI environment and OCSP.
I would provide more notes, but honestly the link has it all.
The one thing I would change is the CAPolicy.inf files the guide references.
The Offline RootCA CAPolicy.inf should look like this (the [Version] section header is required, and the quotes must be plain ASCII quotes):
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
AlternateSignatureAlgorithm=0
The other settings the guide includes are meant for an internet-facing PKI, which you are not building here.
I would install the Offline RootCA as follows:
On the offline root machine install ADCS – Certificate Authority
Standalone CA
Root CA
Configure new Private Key
Cryptographic provider: RSA#Microsoft Software Key Storage Provider
Hash algorithm: SHA2
Key length: 4096
Name of CA: azEmptyGardenRootCA
Validity period- 20 Years
Database location- default
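The wizard steps above as an unattended script, added here as an example and not taken from the original post or the linked guide. It assumes you are a local administrator on the offline root, that SHA256 is the "SHA2" choice, and that the CAPolicy.inf is the one given above; the important caveat it encodes is that CAPolicy.inf must already be in %SystemRoot% when the CA is configured, because the installer reads it once and never again.

```powershell
# Added example (not from the original post): unattended equivalent of the
# offline root CA wizard steps. Run elevated on the offline root machine.

# CAPolicy.inf has to exist in %SystemRoot% *before* ADCS is configured;
# dropping it in afterwards has no effect on the CA certificate.
$policy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
AlternateSignatureAlgorithm=0
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $policy -Encoding ASCII

# Install the role binaries, then configure a standalone root CA.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Assumption: SHA256 is what the post means by "SHA2".
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'azEmptyGardenRootCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 20 `
    -Force

# Check: the new CA certificate should carry a 4096-bit key and expire
# roughly 20 years from now. If NotAfter is only ~5 years out, CAPolicy.inf
# was not picked up and the CA has to be removed and configured again.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -like 'CN=azEmptyGardenRootCA*'
$caCert | Format-List Subject, NotBefore, NotAfter,
    @{ Name = 'KeySize'; Expression = { $_.PublicKey.Key.KeySize } }
```

The validity check at the end is the one worth keeping: a root whose certificate was issued with the default lifetime instead of the 20 years from CAPolicy.inf is the most common reason the whole hierarchy has to be rebuilt later.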
RootCA Post Installation
Certutil -setreg CA\DSConfigDN "CN=Configuration,DC=azEmptyGarden,DC=BTLS"
Certutil -setreg CA\CRLPeriodUnits 6
Certutil -setreg CA\CRLPeriod "Months"
Certutil -setreg CA\CRLDeltaPeriodUnits 0
Certutil -setreg CA\CRLOverlapPeriodUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"
Certutil -setreg CA\ValidityPeriodUnits 20
Certutil -setreg CA\ValidityPeriod "Years"
NOTE: The CRLPeriod of 6 months means that the Offline RootCA needs to be booted up once every six months to generate a new CRL and copy it to the SubordinateCA before the current one expires.
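The post-install tuning above as one script, added here as an example rather than copied from the post. It adds the two steps that are easy to miss after certutil -setreg: restarting CertSvc so the new values are actually used, and publishing a CRL so there is something with the 6-month lifetime to carry over to the subordinate. The DSConfigDN value is the one from the post; everything else is a straightforward restatement of the commands.

```powershell
# Added example (not from the original post): apply the root CA registry
# settings, restart the service, publish a CRL and verify the result.

# Ordered so the script reads like the original command list; certutil
# does not care about the order.
$caSettings = [ordered]@{
    # Lets the CA expand ldap:/// CDP/AIA paths even though the root itself
    # is not domain joined.
    'CA\DSConfigDN'            = 'CN=Configuration,DC=azEmptyGarden,DC=BTLS'
    'CA\CRLPeriodUnits'        = 6
    'CA\CRLPeriod'             = 'Months'
    'CA\CRLDeltaPeriodUnits'   = 0        # no delta CRLs from an offline root
    'CA\CRLOverlapPeriodUnits' = 12
    'CA\CRLOverlapPeriod'      = 'Hours'
    'CA\ValidityPeriodUnits'   = 20
    'CA\ValidityPeriod'        = 'Years'
}

foreach ($entry in $caSettings.GetEnumerator()) {
    certutil -setreg $entry.Key $entry.Value | Out-Null
}

# -setreg writes the registry only; CertSvc reads it at start-up.
Restart-Service certsvc

# Publish a CRL under the new period so the copy taken to the sub CA is
# the 6-month one, not the default-lifetime CRL from the install.
certutil -crl

# Check: the values are in place and the published CRL reflects them.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
    ForEach-Object {
        # NextUpdate should be ThisUpdate + 6 months + the 12-hour overlap.
        certutil -dump $_.FullName | Select-String 'ThisUpdate|NextUpdate'
    }
```

The ThisUpdate/NextUpdate pair printed at the end is what tells you the root has to come back up: the subordinate, and every client doing revocation checks, will fail the chain once NextUpdate passes without a fresh CRL having been copied over.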
Subordinate CA – CAPolicy.inf file
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
Subordinate CA install
Install ADCS – This will be the Subordinate CA
Certification Authority only
Configure the Certification Authority
Enterprise CA
Subordinate CA
Create a new private key
Key length: 4096
Name of CA: azEmptyGardenIssuingCA
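The subordinate CA steps above as a script, plus the hand-off to the offline root that the wizard leaves to you. This is an added example, not the post's or the linked guide's own code. It assumes a domain-joined machine run as an enterprise admin, a working directory of C:\PKI, a root host name of ROOTHOST, and SHA256 for the hash; the request/approve/retrieve sequence on the root and the certutil -dspublish publication of the root certificate and CRL are the standard two-tier procedure, stated here as an assumption about your lab rather than something the post spells out.

```powershell
# Added example (not from the original post): unattended subordinate CA
# setup and the round trip through the offline root. Paths and host names
# are assumptions for this lab.

New-Item -ItemType Directory -Path 'C:\PKI' -Force | Out-Null

# 1. CAPolicy.inf for the issuing CA. LoadDefaultTemplates=0 keeps the CA
#    from auto-issuing anything until templates are deliberately chosen.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
'@ | Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Encoding ASCII

# 2. Install the role and configure an enterprise subordinate. With no
#    online parent the cmdlet writes a request file instead of a cert.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName 'azEmptyGardenIssuingCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\PKI\azEmptyGardenIssuingCA.req' `
    -Force

# 3. Carry the .req to the offline root on removable media and run there
#    (a standalone root holds every request as pending until approved):
#      certreq -submit -config "ROOTHOST\azEmptyGardenRootCA" C:\PKI\azEmptyGardenIssuingCA.req
#      certutil -resubmit <RequestId>
#      certreq -retrieve <RequestId> C:\PKI\azEmptyGardenIssuingCA.crt
#    Bring back the issued .crt together with the root's .crt and .crl.

# 4. Back on the subordinate: publish the root certificate and CRL into AD
#    so domain members trust the chain, then install the signed cert.
certutil -dspublish -f 'C:\PKI\azEmptyGardenRootCA.crt' RootCA
certutil -dspublish -f 'C:\PKI\azEmptyGardenRootCA.crl'
certutil -installcert 'C:\PKI\azEmptyGardenIssuingCA.crt'
Start-Service certsvc

# Check: the issuing CA certificate must chain to the root and pass
# revocation checking against the published CRL.
certutil -verify -urlfetch 'C:\PKI\azEmptyGardenIssuingCA.crt'
```

If the final certutil -verify reports a revocation failure, the root CRL either was not published or its CDP path differs from what the root certificate advertises; fix that before issuing anything from azEmptyGardenIssuingCA, because every leaf certificate will inherit the same broken chain.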