Microsoft PKI Planning and Deploying Certificate Services Part 3

KB ID 0001312


Following on from Part Two, now we have an offline Root CA, and a CRL server, our next step is defined by our PKI design, are we three tier, or two tier? (Look in Part One for a definition).


As previously mentioned, Microsoft just treats Intermediate CAs and Issuing CA’s as the same thing (SubCAs). So the next step is identical for either. But I would suggest one difference, If I was deploying an Intermediate CA, I would have “LoadDefaultTemplates=0” in the CAPolicy.inf file, and for an Issuing server I would not, (that’s just my personal preference).

I’m going to continue this piece for a two tier PKI deployment. And my next SubCA will be an Issuing CA.

Create your SubCA CAPolicy.inf file and save it to C:\Windows

Signature="$Windows NT$"
Notice="Legal Policy Statement"

CAPolicy File SubCA

Launch Server Manager > Manage > Add Roles and Features.

2012 Add Role

Role Based > Next > Select the Local Server >Next > Active Directory Certificate Services > Add Features > Next.

2012 Add Certificate Services

No additional Features are Needed > Next > Next > Select Certification Authority > Optional*: Select Certificate Authority Web Enrolment > Next.

*Note: This gives you the nice registration website for certificates.


Next > Install > Close.

Add Role

Configure Active Directory Certificate Services.

Configure Role Services

Next > Select ‘Certification Authority’ and ‘ Certificate Authority Web Enrolment’, if you selected it above > Next > Enterprise CA > Next.

Enterprise CA

Subordinate CA > Next > Create New Private Key > Next > Change the Hash algorithm to SHA256 > Next.

CA Sha 256

Give the CA a sensible Name > Next > Select ‘Save certificate request to a file on the target machine’ > Next.

Sub CA Certificate

Next > Next > Install > Close.

Note: The warning is fine, we haven’t installed the certificate yet, that’s our next step

CA Offline REquest

Copy your certificate request file, (ending .req) and put it on your floppy drive. 

Note: I’m aware we are in the 21st century! I’m using virtual floppy drives.

CA Request submit

Present the floppy drive to your offline Root CA and execute the following command;

certreq -submit “A:\filename.req

When prompted with the CA name > OK > Take a note of the RequestID you need this in a moment. (Leave the command window open!)

Submit CA rEquest

Open the Certificate Services Management Console > Server-name > Pending Requests > Locate your request > Issue the certificate.

Issue SubCa Certificate

Back at command line issue the following command;

certreq -retrieve {RequestID}A:\SubCA.crt

When prompted with the CA name > OK.

Retrive SubCA Certificate

Check the certificate has appeared on your floppy drive, and present that back to your SubCA server > Open the Certificate Services Management console > Server-name > All Tasks > Install CA Certificate > Locate the cert  > Open.

Install SubCA Cert

Start the Service (If it errors at this point you may have a problem with your CRL server see the following link for a temporary workaround until you can fix the CRL).

Certificate Services – Disable CRL Checking

Troubleshooting: Open an MMC Snap-in and Add the Enterprise PKI snap-in to point you towards problems.

Start Certificate Services

At this point I like to copy the Sub CA Cert to C:\Windows\Sytem32\Certsrv\CertEnroll. You should see the CRL for the SubCA already there (and maybe a delta CRL like the image below).

Publish SubCA and CRL

Now we are going to publish those into AD, open an administrative command window and issue the following commands;

cd  C:\Windows\Sytem32\Certsrv\CertEnroll
certutil -dspublish -f SubCA.crt SubCA
certutil –addstore –f root SubCA.crt
certutil –addstore –f root SubCA.crl
certutil -dspublish  SubCA.crl


Publish SubCA and CRL

Restart Certificate Services;

net stop certsvc
net start certsvc


Back in Certificate Services > Properties > Extension > Remove the http and file entries. NOT the ldap or the one that’s pointing to C:\Windows.

Sun CA Remove CRL

With CRL Distribution Point showing > Add > Type in http://pki.{your-domain}/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl 

Note: You can add the variables in to avoid typing them, DON’T FORGET to put .crl on the end!


Add http CRL Location

With your new URL selected, tick;

  • Include in CRLs. Clients use this to find DeltaCRL locations.
  • Include in the CDP extension of issued certificates.

Apply > OK > Services will Restart.

Publish CRL Windows Server

Once Again, click Add, this time type in the UNC path to your hidden PKI share on your CRL Server, e.g.


Note: You can add the variables in to avoid typing them, DON’T FORGET to put .crl on the end!


CRL UNC Path Windows 2016

With your UNC path selected, tick;

  • Publish CRLs to this location.
  • Publish Delta CRLs to this location.

Apply  > OK > Services will restart.

UNC Path for Windows CRL

That’s your PKI environment stood up and ready to go, you may also want to setup OCSP, see the following article;

Microsoft Certificate Services Configuring OCSP

You can now issue certificates, some of the things you might want to consider setting up are;

Windows Server 2012 – Enable LDAPS

Deploying Certificates via ‘Auto Enrollment’

Windows Server 2012 – Secure RDP Access with Certificates

Install and Configure Certificate Enrolment Policy Web Service

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On


  1. A wonderful articular! Was nice to see something that was descriptive and walked people though the process. This helped a greatly in my deployment!

    I think the only thing I would add to the articular was that in the SubCA needs to be joined to the domain, and when you log in, a domain account needs to be used with Enterprise Admin rights. I created a dedicated a PKI “service account” with a complex password for the subCA to use. Not sure that was needed but did not want to use the admin account and have something mess up because of a PW change.

    Thanks again!

    Post a Reply
    • Hi Rick, Thanks for the feedback.


      Post a Reply
  2. Hi Pete, thanks for the guide. At the end of this i’m trying to follow your guide to setup OCSP but I’m getting confused regarding the address for it. I’m trying to run the responder from the same server you setup as a CRL server in this guide.
    All the instructions for OCSP suggest putting however at no point does any guide suggest creating the /ocsp directory. Another guide makes it seem like this is automatically created, but that wasn’t the case for me.
    Based off this guide should i actually be pointing it at /pki? or have i just missed a step?

    Post a Reply
    • The directory will get created for you, (if you try and browse to it you might get an error though that’s fine), you would add the OCSP URL as an Extension (like a CRL entry) but you add it as a AIA.


      Post a Reply
  3. Hello again,
    Your article helped me a lot.
    I don’t know if I miss, but PKIView was showing an error in the CDP Container tab, because the Sub-CA CRL file was not in the PKI folder on the web server. I copied it there and everything is ok.
    Thanx again.

    Post a Reply
  4. Thank you Pete, it is a great write.

    I was following it and doing the configs to setup a 2019 issuing server, but publishing the SubCA cert in AD is failing. The other three commands are successful tho. I could not find anything helpful on MS forums as fix. Thanks for the help, below is the command and error messages:

    certutil -dspublish -f SubCA.crt SubCA
    CertUtil: -dsPublish command FAILED: 0x8007003a (WIN32: 58 ERROR_BAD_NET_RESP)
    CertUtil: The specified server cannot perform the requested operation

    Post a Reply
  5. Thank you Pete for the write up, I have followed several of your articles in the past and they have helped me immensely. I know that this is an older article but I was wondering if you just left the AIA fields on the sub server with defaults or if those should be populated with similar values to the pub?

    Thanks again!

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *