Best Step Guide On Simple 2-Tier PKI?


  • I want to set up 2 Hyper-V servers that will both be running Server 2016, as a 2-tier PKI for a small environment. I will not use an offline laptop because we can't afford the cost of a Server 2016 license. If we do everything using Hyper-V guests running on Server 2016 Datacenter, there will be no additional licensing costs. We will use BitLocker with a PIN to keep the offline root from accidentally being started without the PIN and to keep the VM files from being read or written to while offline.

    It is a simple environment where there will be a single issuing Enterprise CA that will issue web certificates for our intranet, user certificates for Wi-Fi authentication, computer certificates for SCCM authentication, and user and computer certificates for VPN authentication.

    I have searched online for step-by-step guides and there are so many bad ones. Some have instructions that conflict with each other, some are too old, some are too difficult to follow. There was one more recent one that was looking good, but the guy stopped working on it 2/3 of the way through a 7-step blog and never finished it. There is a YouTube video where the guy made so many errors that it was impossible to follow along, there are a bunch of YouTube videos where they use Notepad instead of talking, and the most annoying ones are where they make the title and description in English to trick people into clicking, but when I start playing the video, the person is talking in some other language.

    There are also the useless ones where they just follow the wizard, publish to LDAP and install everything on a domain controller.

    Where are the best step-by-step instructions that are easy to follow and use correct best practices?

    Sunday, 10 June 2018 17:46
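A condensed version of the offline-root step described in the question, added here as an example (it is not from the thread or from the articles mentioned below); the CA name, the HTTP publishing URL and the validity periods are assumed placeholders, and the issuing CA's own enrolment and CRL publishing are left out.

```powershell
# Added example, not from the thread. Run on the standalone (workgroup) root VM
# as a local administrator; every name and URL below is an assumed placeholder.

# 1. CAPolicy.inf must be in %WINDIR% BEFORE the role is configured: it fixes the
#    root's renewal parameters and keeps the default templates from loading.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=52
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# 2. Install the role as a *standalone* root: the root is offline and never
#    domain-joined, so it must not be an enterprise CA.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "Contoso Root CA" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# 3. CDP/AIA over HTTP only (no LDAP: the root is not in the domain, and clients
#    should not depend on AD to check revocation). Flag 1 = publish to this path,
#    flag 2 = put this URL into the extension of certificates the root issues.
$http = "http://pki.contoso.example/pki"   # placeholder web server
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$http/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$http/%1_%3%4.crt"

# 4. Lifetime of certificates the root issues (the issuing CA's cert) and a long
#    CRL period so the root VM only needs to be booted about once a year.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\AuditFilter 127        # log all CA operations
Restart-Service certsvc
certutil -crl   # publish the first CRL; copy it and the root .crt to the HTTP server
```

After this, shut the VM down and leave it BitLocker-locked; it is booted again only to sign the issuing CA's request and to re-issue the CRL before the 52-week period expires.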

All replies

  • Well, the question is very good and I don't have a good answer. I agree that most similar articles I have come across are simply bad. Most of them are copy-paste versions of some outdated Microsoft articles. Authored articles are even worse.

    Recently I wrote a series of articles that discuss, describe and show the exact steps to implement a 2-tier PKI in a Windows environment that complies with all best practices. The only problem is that I wrote them in Russian. I have plans to publish them in English, but I don't even have estimated dates for when I can get to this. If you can use online translation tools, these may help you:

    Part 1: -- this part describes general questions on private PKIs, tasks and hierarchies.

    Part 2: -- this part discusses proper planning of a PKI at length, with important notes, possible pitfalls and so on. During the write-up I created a set of installation tables.

    Part 3: -- this part guides you through the exact steps of PKI installation and configuration. The last section discusses some operational hints and recommendations to keep the PKI conformant with best practices.

    This is the best I can offer you at this moment. Maybe I can find time to translate them into English, but not very soon.

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog:
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    Sunday, 10 June 2018 19:36