Greetings Fellow Geeks!
In this post, we’re going to set up our enterprise issuing CA for RSA based certificates.
The workflow is pretty straightforward. The steps are:
- publish root Cert to AD
- add root cert and crl to local store
- install services
- configure CDP and AIA extensions
- run scripts
- copy enterprise cert to web server and rename
- publish CRL and Delta CRL
Here are text snippets to help out if you would like to follow long and build your own issuing CA while watching the video:
The video came out a little bit long due to some troubleshooting at the end, but I think it showed a couple of helpful things about checking the details of your certificates and fixing mistakes. Let me know if you think this is too long and I’ll make a shorter version.
2 thoughts on “PKI for Network Engineers (4/?): RSA Enterprise CA setup”
Thanks for making these videos Steven! I am glad to follow along with the configurations. Working through these videos has been my first time configuring certificate authorities.
Regarding 6:54 mins in the video. I challenged myself to remove the Root CA OCSP Location #1 Error in my home lab replica of this configuration. I had a hunch that It did not require creating a new Root Certificate, so I had to follow it.
On the, offline “Densemode Root RSA Certification Authority,” I opened the CA properties and removed the unwanted “pki.densemode.com/ocsp” AIA field from the extensions tab previously configured.
I issued a new certificate to the enterprise issuing CA, “Densemode-RSA-ECA.”
This time the offline root CA did not include the pki.densemode.com/oscp AIA field in the new Densemode-RSA-ECA certificate.
I installed the new certificate for Densemode-RSA-ECA.
I unchecked the box, “include in the AIA extension of issued certificates,” for the pki.densemode.com/oscp AIA extension on the enterprise issuing CA, RSA-ECA.
During those steps, I restarted the AD Certificate services and refreshed the Revocation Configuration in the OCSP manager. The OSCP manager received the updated extensions configuration from the enterprise issuing CA, Densemode-RSA-ECA.
I also updated the certificate in the PKI folder to the new one like you said in the video.
Afterwards I closed and opened pkiview.msc, surprisingly to me, I got all the errors to go away. It totally felt like I did everything wrong along the way.
I did make snapshots of my VMs first before I tried all that, feeling like this was about to nuke my lab. A few days ago I messed up the lab and had to remake the VMs in the previous videos.
I totally meant to post this to the video, PKI for Network Engineers (5/?): Online Responder.