SUBnet192/PKI

PKI

Microsoft PKI 2-Tier infrastructure build

In the past year I have been working on ransomware recovery and post-incident infrastructure improvements. One thing that is always missing at each customer location is a PKI infrastructure, needed to implement LDAPS amongst other things.

Last year I attempted to do so with a DSC script but I didn't like the end result, so I rebuilt it from scratch over the past 2 weeks.

Steps:

  • Obtain your own OID at https://pen.iana.org/pen/PenApplication.page
  • Create a DNS CNAME named "pki" (or another name of your choice) for your Enterprise Subordinate CA.
  • The scripts are designed to be deployed on Server Core servers (tested on Windows Server 2019 Core).
  • Deploy 2 Server Core instances:
      • One for the Root CA
      • One for the Enterprise Subordinate CA
  • Set up the IP information on both servers. (The Root CA is not supposed to be network attached. While there is a small risk, I would say that having it connected for the duration of the build and then shut down after the Subordinate CA certificate is issued isn't a major concern.)
  • On the Root CA server (not domain joined), run Build-RootCA.ps1.
  • On the Subordinate CA server (domain joined, and logged in using a domain account), run Build-SubCA.ps1.
  • The Root CA certificate is valid for 10 years.
  • The Subordinate Enterprise CA certificate is valid for 5 years.
  • Issued certificates are valid for 1 year.
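
Once both scripts have finished, the result should be a 2-tier chain (issued certificate, Subordinate CA, Root CA) that domain members trust and that the domain controllers use for LDAPS. The following post-build check is an added example, not one of the repository's scripts. It assumes it is run from a domain-joined machine after Build-SubCA.ps1 completed and the DCs have auto-enrolled, that LDAPS on TCP 636 is answered by the PDC emulator, and that the lifetimes are the ones stated above (1 / 5 / 10 years); the variable and label names are the example's own.

```powershell
# Added post-build verification (not part of SUBnet192/PKI). Assumptions: run on a
# domain-joined machine; the PDC emulator answers LDAPS on 636 with a certificate
# issued by the Subordinate CA; lifetimes are the README's 1 / 5 / 10 years.
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.DirectoryServices
$expectedYears = @{ Leaf = 1; SubCA = 5; RootCA = 10 }   # lifetimes stated in the README

function Get-LifetimeYears([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
}

# 1. Open an LDAPS connection to the PDC emulator and capture the certificate it presents.
#    The callback accepts any certificate here only so the chain can be examined explicitly in step 2.
$dc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$tcp = New-Object System.Net.Sockets.TcpClient($dc, 636)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($dc)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 2. Build the chain with the machine's own trust store and online revocation checking,
#    so a Root CA missing from Trusted Root CAs or an unreachable CRL fails loudly here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    throw "LDAPS certificate from $dc does not chain to a trusted CA"
}

# 3. A 2-tier PKI must yield exactly three elements; report each with its lifetime.
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
if ($elements.Count -ne 3) { throw "Expected leaf, SubCA and RootCA; got $($elements.Count) chain elements" }
$labels = 'Leaf', 'SubCA', 'RootCA'
$report = for ($i = 0; $i -lt 3; $i++) {
    $c = $elements[$i]; $years = Get-LifetimeYears $c
    [pscustomobject]@{
        Role       = $labels[$i]
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        NotAfter   = $c.NotAfter
        Years      = $years
        AsExpected = [math]::Abs($years - $expectedYears[$labels[$i]]) -le 0.1
    }
}
$report | Format-Table -AutoSize

# 4. The CRL Distribution Points on the issued certificate should point at the "pki" CNAME
#    over HTTP and be downloadable (ldap:// entries are ignored by the regex).
$cdp = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$crlUrls = [regex]::Matches($cdp.Format($true), 'URL=(http\S+)') | ForEach-Object { $_.Groups[1].Value }
foreach ($url in $crlUrls) {
    $r = Invoke-WebRequest -UseBasicParsing -Uri $url
    "CRL {0} -> HTTP {1}, {2} bytes" -f $url, $r.StatusCode, $r.Content.Length
}
```

Run it from an elevated PowerShell on any domain member (not from a remote session, per the note below). A chain build failure in step 2 is the usual sign that Build-SubCA.ps1 was run before the Root CA certificate and CRL were published, and a wrong `Years` value in step 3 usually means a template other than the intended one was used for the DC certificate.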

There are some prompts during the installation, so it's not fully unattended, but all prompts are made at the beginning of the script.

End result is a working PKI infrastructure in 15 mins max (if you're starting from Windows virtual templates).

NOTE: These scripts must be run LOCALLY on the servers, not through remote PowerShell.

Video of the Root CA installation
