PKI for Network Engineers (4/?): RSA Enterprise CA setup

Greetings Fellow Geeks!

In this post, we’re going to set up our enterprise issuing CA for RSA based certificates.

The workflow is pretty straightforward.  The steps are:

  1. publish root Cert to AD
  2. add root cert and crl to local store
  3. install services
  4. configure CDP and AIA extensions
  5. run scripts
  6. copy enterprise cert to web server and rename
  7. publish CRL and Delta CRL

Here are text snippets to help out if you would like to follow long and build your own issuing CA while watching the video:


The video came out a little bit long due to some troubleshooting at the end, but I think it showed a couple of helpful things about checking the details of your certificates and fixing mistakes.  Let me know if you think this is too long and I’ll make a shorter version.


2 thoughts on “PKI for Network Engineers (4/?): RSA Enterprise CA setup

  1. Thanks for making these videos Steven! I am glad to follow along with the configurations. Working through these videos has been my first time configuring certificate authorities.

    Regarding 6:54 mins in the video. I challenged myself to remove the Root CA OCSP Location #1 Error in my home lab replica of this configuration. I had a hunch that It did not require creating a new Root Certificate, so I had to follow it.

    On the, offline “Densemode Root RSA Certification Authority,” I opened the CA properties and removed the unwanted “” AIA field from the extensions tab previously configured.

    I issued a new certificate to the enterprise issuing CA, “Densemode-RSA-ECA.”
    This time the offline root CA did not include the AIA field in the new Densemode-RSA-ECA certificate.
    I installed the new certificate for Densemode-RSA-ECA.

    I unchecked the box, “include in the AIA extension of issued certificates,” for the AIA extension on the enterprise issuing CA, RSA-ECA.

    During those steps, I restarted the AD Certificate services and refreshed the Revocation Configuration in the OCSP manager. The OSCP manager received the updated extensions configuration from the enterprise issuing CA, Densemode-RSA-ECA.

    I also updated the certificate in the PKI folder to the new one like you said in the video.

    Afterwards I closed and opened pkiview.msc, surprisingly to me, I got all the errors to go away. It totally felt like I did everything wrong along the way.

    I did make snapshots of my VMs first before I tried all that, feeling like this was about to nuke my lab. A few days ago I messed up the lab and had to remake the VMs in the previous videos.

Leave a Reply