How about Global Thermonuclear War, or rather, setting up a two-level CA hierarchy? This is a great configuration for labbing and for medium to largish enterprises. As I discussed at the end of part one of this series, you would never want to deploy an enterprise root in a real network, so why not model best practices in our lab?

Ok, let’s get started.

NOTE: Before we configure anything, it’s important to do some planning and sort out all the naming conventions. If you want to follow along with the videos, check out the attached Setup Text Block File and Diagram, which you can edit to customize for your lab. I also included links to some resources in the doc. I found Timothy Gruber’s guide on setting up Windows 2016 PKI enormously helpful.

There’s a lot of work to be done, so I’ll break it up into 15-20 minute chunks.

In this video we set up the offline root.
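A scripted version of the offline root build that the video walks through, added here as an example; it is not taken from the post or its Setup Text Block File. The CA name, key size, validity periods and the HTTP host used for CRL/AIA publication are assumed lab values, and the script is meant for a standalone, non-domain-joined server.

```powershell
# Added example (not the post's own text): build a standalone offline root CA.
# Assumptions: run as local Administrator on a workgroup Windows Server;
# 'LAB-ROOT-CA' and 'pki.lab.example' are placeholder lab values.
$caName  = 'LAB-ROOT-CA'        # assumed root CA common name
$pkiHost = 'pki.lab.example'    # assumed web host that will serve CRL/AIA files

# 1. CAPolicy.inf must be in %windir% BEFORE the role is configured.
#    Writing it line by line gives CRLF endings on Windows, so the file does not
#    collapse into one long line the way a pasted Word document can.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=52
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
AlternateSignatureAlgorithm=0
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value ($caPolicy -split "`r?`n") -Encoding ASCII

# 2. Install the role as a STANDALONE root (never an enterprise root): no AD DS
#    dependency, so the box can stay powered off between yearly CRL refreshes.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName $caName `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# 3. Point CDP/AIA at HTTP locations the subordinate CA and clients can reach
#    while the root is offline (flag 1 = publish here, 2 = include in issued certs),
#    limit issued (sub-CA) certificates to 10 years, then publish the first CRL.
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://$pkiHost/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://$pkiHost/pki/%1_%3%4.crt"
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc
certutil -crl
```

After this, copy the root certificate and CRL from CertEnroll to the web host and the subordinate CA before taking the root offline; the subordinate cannot verify its own chain until both are reachable at the published URLs.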




  1. At 6:58 in this video, you simply copy and paste the text from Notepad++ to notepad in Windows Server.
    The Setup Text Block File download is formatted as a Word document, and it changed the way text was copied and pasted. Instead of pasting everything nicely, line by line like in the video, everything was pasted into one long line of text.

    I found an article called “Using Notepad++ to change end of line characters (CRLF to LF)”.
    My goal was to change the end of line characters from CR to CRLF and it worked fine.

    It may have been easier to just hit enter at the end of each line in the text rather than finding the article mentioned.

    Thanks for making this PKI article series, I intend to make it to the end!

    My goal is to have a certificate server that I can use to enroll two routers with digital certificates and set up a site-to-site VPN with PKI peer authentication.

