Quick Steps - How to implement your own Windows PKI

BembiCEO
General Aspects

Certificates are used more and more in Windows environments. As newer Windows versions encrypt traffic between servers by default, and more and more server applications like Exchange and Lync need their own certificate, it is not the worst idea to have your own PKI (Public Key Infrastructure).

A PKI consists of at least one, usually two, or in larger environments three levels.
Which structure is the best for you depends on the size of your organisation and how many locations you have.

The idea is to have a Root CA (certificate authority) chain: at the top, one single Root CA server provides several Intermediate CA servers with CA certificates. Each Intermediate CA in turn provides CA certificates for Sub Intermediate CAs.
Only the last CA in this chain issues certificates for users and computers.

While three tier PKIs are mostly for large companies with a lot of different locations, where local CAs are hosted on each location, smaller companies can work with a two tier environment.

Not the safest construction, but also usable for companies with only one location, is a single Root CA which issues the end certificates directly.

Each CA instance needs its own certificate, which is used to sign issued certificates.
Some common lifetimes and key sizes for certificate authority certificates are:
20 years 4096 bit for root CAs
10 years 4096 bit for intermediate CAs
5 years 2048 bit for sub intermediate CAs

Note: Windows includes a lot of default templates for all kinds of purposes, but the default templates cannot be changed. You can create your own templates on a Windows Enterprise server where the PKI management tools are installed.

To create a new 20 years Root CA template, create a copy of the default Root CA template and change the lifetime to 20 years.

Put the default Root CA template under the "Superseded Templates" tab of the new template.

To create a new 10 years intermediate CA template, create a copy of the default Intermediate CA template and change the lifetime to 10 years.
Leave the "Superseded Templates" tab empty here, as we still need the 5 years template too.

The steps for the Root CA are:
Take a Windows Server (Standard edition, not a DC) and install the CA role.
A root CA only creates certificates for one or more intermediate CAs.
That means no additional services are needed, only the pure CA installation.

Select Enterprise Root CA during install and supply the parameters for creating the root certificate.

To provide 20 years lifetime, you need the custom template above, otherwise it will be 5 years.

You may also have to change a registry value, otherwise the CA will not issue certificates longer than 2 years.
Have a look at HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<YourCaName>\
ValidityPeriod: default "Years"
ValidityPeriodUnits: default 2 - should be 10 here
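The Root CA steps above, as an added example done with the ADCS PowerShell cmdlets and certutil instead of the GUI wizard (this is not code from the original article). It assumes an elevated PowerShell on a domain-joined server that will become the root CA; $CaName is a placeholder.

```powershell
# Added example: unattended equivalent of the Root CA steps in this article.
# Assumptions: run elevated on the future root CA; $CaName is a placeholder.
$CaName = "CONTOSO-ROOT-CA"      # placeholder: your root CA common name

# 1. CA role only. A root CA needs no web enrollment, NDES or other services.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Create the root CA. KeyLength and ValidityPeriod set the root certificate
#    itself (20 years, 4096 bit as recommended above), so the custom 20-year
#    template is not needed when the root is created this way.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 20 `
    -Force

# 3. The registry values mentioned above limit the lifetime of the certificates
#    this CA *issues* (the 10-year intermediate CA certificates). The default of
#    2 years would silently shorten them. certutil writes the values under
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 10
Restart-Service certsvc          # the values are only read at service start

# 4. Check the effective values before requesting the first subordinate CA cert.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
```

The same certutil -setreg lines apply on the intermediate CA, with ValidityPeriodUnits set to 5 there.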

The steps for the intermediate CA are:
Take a Windows Server (Standard edition, not a DC).
To create a 10 years intermediate certificate, you need the 10 years intermediate CA custom template from above.

Go to the Certificates (Computer) MMC snap-in and request a custom certificate, save the request to a file, and import the request in the Certification Authority snap-in of the Root CA server.
The certificate is created there.
Then export the issued certificate and copy it back to the intermediate CA server.

You may also have to change a registry value, otherwise the CA will not issue certificates longer than 2 years.
Have a look at HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<YourCaName>\
ValidityPeriod: default "Years"
ValidityPeriodUnits: default 2 - should be 5 here

Install the CA role.
This intermediate CA only creates certificates for sub intermediate CAs.
That means no additional services are needed, only the pure CA installation.

Select Intermediate CA during install and supply the certificate you created on the Root CA.

The steps for the sub intermediate CA are:
Take a Windows Server (Enterprise edition, not a DC).
To create a 5 years intermediate certificate, you need the default intermediate CA template.

Go to the Certificates (Computer) MMC snap-in and request a custom certificate, save the request to a file, and import the request in the Certification Authority snap-in of the Intermediate CA server.
The certificate is created there.
Then export the issued certificate and copy it back to the sub intermediate CA server.

Install the CA role.
This sub intermediate CA creates the certificates for users and computers.
That means you can install additional services here, e.g. a web enrollment interface, certificate enrollment for devices and more.

Select Intermediate CA during install and supply the certificate you created on the intermediate CA.
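The request / issue / install round trip used for both the intermediate CA and the sub intermediate CA above, as an added example scripted with the ADCS cmdlets, certreq and certutil rather than the MMC snap-ins (not code from the original article). $SubCaName, $ParentConfig, $Template and $KeyLength are placeholders; the request and certificate files are copied between the two servers by whatever means you use.

```powershell
# Added example: scripted subordinate CA setup. Placeholders below.
$SubCaName    = "CONTOSO-ISSUING-CA"                    # this CA's common name
$ParentConfig = "rootca.contoso.local\CONTOSO-ROOT-CA"  # <ParentHost>\<ParentCAName>
$Template     = "SubCA10Years"   # custom 10-year template for the intermediate CA,
                                 # or the default subordinate CA template (5 years)
$KeyLength    = 4096             # 4096 for the intermediate, 2048 for the sub intermediate
$Req = "C:\Temp\$SubCaName.req"
$Cer = "C:\Temp\$SubCaName.cer"

# --- on the new subordinate CA ------------------------------------------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# Installs the role but only writes a request file; certsvc stays stopped
# until the certificate signed by the parent CA is installed.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName $SubCaName `
    -KeyLength $KeyLength `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile $Req `
    -Force

# --- on the parent CA (after copying $Req there) -------------------------
# The template attribute decides the lifetime of the issued CA certificate.
certreq -submit -config $ParentConfig -attrib "CertificateTemplate:$Template" $Req $Cer
# If the parent CA holds requests for manual approval, issue it by request ID:
#   certutil -resubmit <RequestId>

# --- back on the subordinate CA (after copying $Cer back) ----------------
# Domain members must trust the root for the chain to validate; if the root
# certificate is not yet in AD:  certutil -dspublish -f <root.cer> RootCA
certutil -installcert $Cer
Start-Service certsvc

# Check that the lifetime matches the template (10 or 5 years, not 2).
certutil -dump $Cer | Select-String "NotBefore|NotAfter|Issuer"
```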

Now you have a working PKI Infrastructure.

The next steps are:
As root and intermediate CAs only create certificates for the CA below them in the chain, the root and intermediate CAs can be switched off. They are only needed when the certificate of the next level in the hierarchy has to be renewed, so every 5 or 10 years.
So you work only with the Sub Intermediate CA, which issues the client certificates.

If you only need a two tier PKI infrastructure, just skip the Intermediate CA in the middle.
If you want to have only a one tier PKI infrastructure, you can install a Root CA on a single machine and install all services there.