Implementing Root CA, PCA and Issuing CA on the same VM


We are implementing a new PKI in our environment.  It will be a 3-tier Hierachy.  In Phase I we will be standing up the Root CA (stand-alone – offline), PCA (Stand-alone – offline) and one issuing CA.  We have chosen to install the Enterprise Edition of Windows Server 2008 R2 on all 3 servers.  
The above is going to be done in the near future, but at this time I am having this problem with my test server:
I am brand new to PKI.  I have a VM Server which I have been given to experiment with (install/un-install) Certificate Services on.  This test Server has Windows Server 2008 R2 on it.
To start out, I installed Certificate Services Role on the test VM server, but I didn’t know about the CAPolicy.inf file at the time.  Now I am trying to un-install Certificate Services (I don’t have any Certificates to revoke or anything).  
I stopped the Cert Service, then tried to delete the private key of the Root CA by doing:
Certutil –delkey
Then I tried to list the Keys by:
Certutil –keys
It says the command completed successfully, but doesn’t show any keys.  
Does that mean no keys were created during the Install of CS..??
I tired the Certutil –delkey
And it says “Administrator permissions are needed to use the selected options.  Use an administrator command prompt to complete these tasks.  CertUtil:  The requested operation requires elevation.”
I am an administrator on the box.  
The next step I was going to do after –delkey was to un-install CS from Add or Remove Programs and then delete the CA database.

How do I proceed to cleanly un-install the Root CA and start all-over again ??    

Once I get this going,  I am supposed to use the same server to install the Root CA, PCA and the Issueing CA all-in-one.  I don’t know how to do that.  Can you please help me.  Can someone please send me some guidance on how to do this ??

Thank you.  msyed1
Who is Participating?
ParanormasticConnect With a Mentor Cryptographic EngineerCommented:
They would each need to be installed within a different virtual machine on the same physical box.  You cannot install certificate services more than one time on the same virtual machine / OS instance.  You need 3 VM instances - one for each of the 3 VM tiers.  If you are doing an Enterprise CA for the issuing CA then you need a DC available as well - if you don't have that then you could install that into a 4th VM.  OS licenses shouldn't be an issue for testing presuming your company has an MSDN subscription.

If you have a base snapshot saved prior to installing the root, revert to that and copy it to make a new VM for the 2nd & again for the 3rd tier.  If not, then try uninstalling the root and create a snapshot there and run sysprep against it (so the machine SIDs are different to avoid issues with each one being a duplicate), then you can restore that sysprepped snapshot and you should be all set to install each tier in a different VM, all on the same physical machine.
ParanormasticCryptographic EngineerCommented:
Just because you are an administrator doesn't mean you are running with admin rights.  This is a new protection in Vista/2008 and newer (you might not see it sometimes in the client OS if it was turned off by GPO).  Anyways, I would recommend locating the command prompt application on the start menu under all programs - applications (if memory serves) and then right-click - pin to start menu.  Then when you open the start menu you can right-click the shortcut and select 'run as administrator'.  

Was that a typo: certutil -key not certutil -keys

You can also open up the Certificates MMC (local computer) and look in the Personal store for confirmation.  Normally a key is generated as part of the CA installation unless you did so previously from a different CA instance, or if you're using an HSM or smartcard then the private key would reside in the HSM or card.

Its normally not a big deal if you have an extra key laying around that you don't need - its a big deal if you can't find the one you want.

I would say probably the easiest thing to do here would be to familiarize yourself a little bit with the capabilities of VM.  After installing the OS you should create a base snapshot, then install whatever standard software (e.g. antivirus) that are required by your company and run sysprep - when it shuts down use that to make a corporate base snapshot.  See here for basic instructions on sysprep for 2008 r2 - if you need more info on sysprep let me know:

You can then load that snapshot 3 times to create 3 new VMs - one for each CA tier.

When you install the CA you can only load one CA per OS instance / VM.  You can certainly run all three VM at the same time - unless you have a restriction against doing so in your CP or CPS then you could use the VM network to allow shared folders from the root and policy servers to be accessed by the policy and subordinate servers.  Make sure the VM network is not configured to route to the real LAN.  If your policy restricts this (or if you don't want to deal with the 2008 firewall settings...) then do it the normal way by using a flash drive or some other similar method to transport data between VM instances for the purpose of moving the CA cert request to the superior CA and the issued cert back down to the CA you just installed.  Afterwards it is best to shut down that network connection as a security precaution and only bring it back up to transfer the CRL whenever that gets published.  Since you are running a 3 tier PKI I would recommend using a flash drive and not enabling the VM network since this indicates a little bit more professional installation.

For better security, you could move the VM images for the Root & Policy CAs onto a removable hard drive that you can lock up in a safe when not in use.  This best simulates an offline server and offers the most protection should an attack ever occur.  The issuing subordinate would normally remain online so it could remain on the normal hard drive for the system (some sort of RAID is recommended - RAID 1 or 1+0 is generally preferred for CA servers, not RAID 5).
msyed1Author Commented:

Sorry for the delay in replying.  I may not have explained it accurately, but what I need to do, is build a one-tier CA (for testing).  I have only one machine which is a VM and I don't know how to make that one machine be the Root CA, Policy CA and the Issueing CA all in one.  So far, I just have the Root CA installed on the VM box.  How do I proceed to make this same machine be the 2nd tier CA and the 3rd tier (Issueing) CA ??   msyed1
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.