Implementing Root CA, PCA and Issuing CA on the same VM

Posted on 2010-08-24
Medium Priority
Last Modified: 2013-12-04

We are implementing a new PKI in our environment.  It will be a 3-tier Hierarchy.  In Phase I we will be standing up the Root CA (stand-alone – offline), PCA (Stand-alone – offline) and one issuing CA.  We have chosen to install the Enterprise Edition of Windows Server 2008 R2 on all 3 servers.  
The above is going to be done in the near future, but at this time I am having this problem with my test server:
I am brand new to PKI.  I have a VM Server which I have been given to experiment with (install/un-install) Certificate Services on.  This test Server has Windows Server 2008 R2 on it.
To start out, I installed Certificate Services Role on the test VM server, but I didn’t know about the CAPolicy.inf file at the time.  Now I am trying to un-install Certificate Services (I don’t have any Certificates to revoke or anything).  
I stopped the Cert Service, then tried to delete the private key of the Root CA by doing:
Certutil -delkey
Then I tried to list the Keys by:
Certutil -keys
It says the command completed successfully, but doesn’t show any keys.  
Does that mean no keys were created during the Install of CS..??
I tried the Certutil -delkey
And it says “Administrator permissions are needed to use the selected options.  Use an administrator command prompt to complete these tasks.  CertUtil:  The requested operation requires elevation.”
I am an administrator on the box.  
The next step I was going to do after -delkey was to un-install CS from Add or Remove Programs and then delete the CA database.

How do I proceed to cleanly un-install the Root CA and start all-over again ??    

Once I get this going,  I am supposed to use the same server to install the Root CA, PCA and the Issuing CA all-in-one.  I don’t know how to do that.  Can you please help me.  Can someone please send me some guidance on how to do this ??

Thank you.  msyed1
Question by:msyed1
LVL 31

Expert Comment

ID: 33515922
Just because you are an administrator doesn't mean you are running with admin rights.  This is a new protection in Vista/2008 and newer (you might not see it sometimes in the client OS if it was turned off by GPO).  Anyways, I would recommend locating the command prompt application on the start menu under all programs - applications (if memory serves) and then right-click - pin to start menu.  Then when you open the start menu you can right-click the shortcut and select 'run as administrator'.  

Was that a typo: certutil -key not certutil -keys

You can also open up the Certificates MMC (local computer) and look in the Personal store for confirmation.  Normally a key is generated as part of the CA installation unless you did so previously from a different CA instance, or if you're using an HSM or smartcard then the private key would reside in the HSM or card.

It's normally not a big deal if you have an extra key laying around that you don't need - it's a big deal if you can't find the one you want.

I would say probably the easiest thing to do here would be to familiarize yourself a little bit with the capabilities of VM.  After installing the OS you should create a base snapshot, then install whatever standard software (e.g. antivirus) that is required by your company and run sysprep - when it shuts down use that to make a corporate base snapshot.  See here for basic instructions on sysprep for 2008 r2 - if you need more info on sysprep let me know:

You can then load that snapshot 3 times to create 3 new VMs - one for each CA tier.

When you install the CA you can only load one CA per OS instance / VM.  You can certainly run all three VM at the same time - unless you have a restriction against doing so in your CP or CPS then you could use the VM network to allow shared folders from the root and policy servers to be accessed by the policy and subordinate servers.  Make sure the VM network is not configured to route to the real LAN.  If your policy restricts this (or if you don't want to deal with the 2008 firewall settings...) then do it the normal way by using a flash drive or some other similar method to transport data between VM instances for the purpose of moving the CA cert request to the superior CA and the issued cert back down to the CA you just installed.  Afterwards it is best to shut down that network connection as a security precaution and only bring it back up to transfer the CRL whenever that gets published.  Since you are running a 3 tier PKI I would recommend using a flash drive and not enabling the VM network since this indicates a little bit more professional installation.

For better security, you could move the VM images for the Root & Policy CAs onto a removable hard drive that you can lock up in a safe when not in use.  This best simulates an offline server and offers the most protection should an attack ever occur.  The issuing subordinate would normally remain online so it could remain on the normal hard drive for the system (some sort of RAID is recommended - RAID 1 or 1+0 is generally preferred for CA servers, not RAID 5).
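As an added example (not part of this thread or of any Microsoft tooling), a short PowerShell diagnostic covering the three checks the comment above points at: whether the prompt is really elevated, whether the AD CS role is still installed, and which certificates and key containers actually exist on the box before any `certutil -delkey` is attempted. It assumes Windows Server 2008 R2 with its built-in ServerManager module and the default software key store (no HSM or smartcard); it deletes nothing.

```powershell
# Constructed diagnostic for a test CA VM. Run from an elevated PowerShell.

# 1. Confirm the session is elevated. The "requires elevation" error in the
#    question is UAC at work: being in Administrators is not enough on
#    2008 R2 unless the prompt was started with "Run as administrator".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    Write-Warning "Not elevated. Right-click PowerShell, choose 'Run as administrator', and rerun."
    return
}

# 2. Is the Certification Authority role service still installed?
#    (ServerManager module is present on Windows Server 2008 R2.)
Import-Module ServerManager
$adcs = Get-WindowsFeature ADCS-Cert-Authority
"AD CS Certification Authority installed: $($adcs.Installed)"

# 3. Certificates that have a private key in the Local Computer Personal
#    store, the same view the expert suggests checking in the Certificates
#    MMC. A freshly installed CA normally has its own cert and key here.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize

# 4. Machine key containers known to the software CSPs. The container name
#    printed here is what certutil -delkey expects as its argument; listing
#    machine keys is itself one of the operations that needs elevation.
certutil -key
```

Only after step 4 shows the CA's container name, and after the role has been removed and the CA database backed up or discarded deliberately, would a `certutil -delkey <containername>` make sense; deleting keys first, as the question describes, just removes evidence of what was there.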

Author Comment

ID: 33577351

Sorry for the delay in replying.  I may not have explained it accurately, but what I need to do, is build a one-tier CA (for testing).  I have only one machine which is a VM and I don't know how to make that one machine be the Root CA, Policy CA and the Issuing CA all in one.  So far, I just have the Root CA installed on the VM box.  How do I proceed to make this same machine be the 2nd tier CA and the 3rd tier (Issuing) CA ??   msyed1
LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 33641568
They would each need to be installed within a different virtual machine on the same physical box.  You cannot install certificate services more than one time on the same virtual machine / OS instance.  You need 3 VM instances - one for each of the 3 VM tiers.  If you are doing an Enterprise CA for the issuing CA then you need a DC available as well - if you don't have that then you could install that into a 4th VM.  OS licenses shouldn't be an issue for testing presuming your company has an MSDN subscription.

If you have a base snapshot saved prior to installing the root, revert to that and copy it to make a new VM for the 2nd & again for the 3rd tier.  If not, then try uninstalling the root and create a snapshot there and run sysprep against it (so the machine SIDs are different to avoid issues with each one being a duplicate), then you can restore that sysprepped snapshot and you should be all set to install each tier in a different VM, all on the same physical machine.
