Learn how to set up a secure two-tier PKI lab using Microsoft’s Active Directory Certificate Services. This guide covers deploying an offline Root CA and an online Issuing CA, best practices for securing keys, managing CRLs, and leveraging HSMs to protect your PKI infrastructure.

Step-by-Step Guide to Setting Up a 2-Tier PKI Lab
Public Key Infrastructure (PKI) forms the backbone of secure digital identity management. It enables encryption, digital signatures, and certificate-based authentication. However, setting up and managing PKI isn’t something most IT pros do regularly. Given the complexity, revisiting the topic through hands-on labs is the best way to stay sharp.
That’s why Rahul Jangda created a straightforward cheatsheet for deploying a secure two-tier PKI lab using Active Directory Certificate Services (AD CS) on Windows Server. This blog post breaks down his approach to building an offline Root Certification Authority (Root CA) and an online Issuing Certification Authority (Issuing CA).
What’s New: Two-Tier PKI Architecture Explained
The two-tier PKI setup consists of an offline Root CA and an online Issuing CA. The Root CA acts as the trust anchor and stays offline to protect its private key. Meanwhile, the Issuing CA operates online to issue certificates to users, computers, and services within the organization.
“The Root CA’s private key must be rigorously protected because if the root is compromised, all certificates in the hierarchy are compromised,” Rahul emphasizes. The Root CA is typically a standalone (workgroup) server whose network adapter stays disabled once it is built, while the Issuing CA is an enterprise CA: domain-joined and integrated with Active Directory so that certificate templates, autoenrollment and CRL publication can be automated.
Major Updates: Deploying the Offline Root CA
Setting up the offline Root CA involves several critical steps:
- Provision a dedicated server with Windows Server 2022 in a workgroup; it must never be domain-joined.
- Assign a static IP, install all security updates, and only then disconnect it from the network (the server stays off the network for the rest of its life, apart from brief powered-on sessions to sign CRLs or a subordinate CA certificate).
- Install the AD CS role and configure it as a standalone Root CA with an RSA key of at least 2048 bits (4096 bits is the usual choice for a root that will live for a decade) and SHA-256 or a stronger hash algorithm.
- Set a long validity period (e.g., 10 years) to minimize renewal frequency. The root’s validity also caps everything beneath it: AD CS truncates any certificate a CA issues to the CA’s own remaining lifetime, so the root must outlive the Issuing CA certificate it signs, and the Issuing CA must outlive the end-entity certificates it issues.
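The steps above as one unattended build script, written as an added example for this post rather than taken from Rahul’s cheat sheet. It runs in an elevated PowerShell session on the workgroup server while it is still online for updates, and it goes a little beyond the list by also fixing the CRL and CDP/AIA settings that an offline root needs before its first CRL is cut. The CA name (Lab-Root-CA), the DN suffix, the HTTP host pki.lab.example and the key storage provider are all assumptions you would replace with your own.

```powershell
# Added example, not the cheat sheet's own script. Assumptions: CA name Lab-Root-CA,
# HTTP CDP/AIA location http://pki.lab.example/pki hosted on the online side,
# Microsoft software KSP (swap in the HSM vendor's KSP name from `certutil -csplist`).

# 1. CAPolicy.inf must sit in %windir% BEFORE the role is configured. It fixes the renewal
#    key size and validity, disables delta CRLs (an offline root publishes base CRLs only)
#    and stops the default templates from being loaded. Single-quoted here-string so that
#    "$Windows NT$" is not expanded by PowerShell.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding Ascii

# 2. Install the role and configure a standalone root. The provider is chosen here and
#    cannot be switched later without migrating the key, so list providers first.
certutil -csplist
$ksp = 'RSA#Microsoft Software Key Storage Provider'   # assumption; use the HSM KSP if you have one
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Lab-Root-CA' `
    -CADistinguishedNameSuffix 'O=Lab,C=US' `
    -CryptoProviderName $ksp `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 3. CDP/AIA. Clients can never reach the root, so the only distribution point in the
#    certificates it signs is an HTTP URL served from the online side. Flag 1 = write the
#    file to the local CertEnroll folder, 2 = put the URL in issued certificates.
#    No LDAP URL: a workgroup root cannot write to Active Directory by itself.
#    %1 = server DNS name, %3 = CA name, %4 = key index suffix, %8/%9 = CRL name suffixes.
$httpBase = 'http://pki.lab.example/pki'   # assumption
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$httpBase/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$httpBase/%1_%3%4.crt"

# 4. Overlap gives you two weeks to publish a new CRL before the old one lapses; audit
#    filter 127 logs every CA operation (needs "Audit object access" enabled locally).
certutil -setreg CA\CRLOverlapPeriodUnits 2
certutil -setreg CA\CRLOverlapPeriod 'Weeks'
certutil -setreg CA\AuditFilter 127

# 5. Restart, verify what was stored, cut the first CRL. The .crt and .crl that appear in
#    CertEnroll are the two files you carry to the online side; then disable the NIC.
Restart-Service -Name CertSvc
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
certutil -crl
Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll"
```

Run the script once and keep it with the lab notes: the CAPolicy.inf values and the registry URLs are exactly what you will need to reproduce if the root is ever rebuilt from a backed-up key.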
“Deploy a standalone offline root CA and an online enterprise subordinate CA” is the recommended best practice Rahul follows, mirroring real-world enterprise setups.
Why Use a Hardware Security Module (HSM)?
Integrating an HSM to secure the Root CA’s private key is optional but highly recommended. An HSM keeps the key in tamper-resistant hardware, so even an attacker with administrator rights on the CA server cannot export it. If one is available, install the vendor’s client software, initialize the device, and select the HSM’s key storage provider (KSP) instead of the Microsoft software provider during CA setup. Decide this before installation: the provider is bound to the CA key when the key is generated, and switching later means migrating or re-creating the key rather than changing a setting.
Rahul points out, “For a root CA, you might employ M of N key splits—requiring multiple key custodians to collaborate to activate the HSM or key.” This adds an extra layer of security during key ceremonies.
What You Need to Know
Remember, the offline Root CA signs only the subordinate CA’s certificate and its own CRL. The online Issuing CA handles day-to-day certificate issuance and publishes its CRLs automatically. Keeping the Root CA offline drastically reduces the attack surface and protects your entire PKI hierarchy, but it also means two things are now manual: the root’s CRL and certificate must be copied to a CDP/AIA location that stays reachable (an HTTP path on the Issuing CA or a web server, plus Active Directory for domain members), and the root CRL must be re-signed before it expires, because an expired root CRL makes revocation checking fail for the Issuing CA certificate and clients will then reject every certificate in the chain. Give the root CRL a long validity (six months to a year), and put its NextUpdate date in a calendar.
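The online side of that CRL story, as an added example that is not part of the original post or cheat sheet. It runs in an elevated PowerShell session on the domain-joined Issuing CA after the root’s .crt and .crl have been copied there; the transfer folder, the IIS folder behind http://pki.lab.example/pki, the file names (which follow the %1_%3%4 pattern from the root’s AIA setting) and the CRL periods are assumptions. The last part is a small check that reads the root CRL’s NextUpdate and warns when it is time to power the root on again.

```powershell
# Added example, not the cheat sheet's own script. Assumptions: root artifacts in
# C:\Transfer, IIS serving C:\inetpub\wwwroot\pki as http://pki.lab.example/pki,
# root CA named Lab-Root-CA on a server called ROOT01, Issuing CA cert in CertEnroll.
$transfer = 'C:\Transfer'
$rootCert = Join-Path $transfer 'ROOT01_Lab-Root-CA.crt'
$rootCrl  = Join-Path $transfer 'Lab-Root-CA.crl'
$webRoot  = 'C:\inetpub\wwwroot\pki'

# 1. Publish the root certificate and CRL into Active Directory (domain members then
#    trust the root through Group Policy) and copy both to the HTTP CDP/AIA location
#    so that non-domain clients can build and check the chain.
certutil -dspublish -f $rootCert RootCA
certutil -dspublish -f $rootCrl
Copy-Item -Path $rootCert, $rootCrl -Destination $webRoot -Force

# 2. The Issuing CA issues every day, so it gets a short base CRL plus daily deltas,
#    published by the CA service itself. HTTP flag 6 = 2 (in CDP) + 4 (in freshest-CRL);
#    LDAP flag 79 = 1 + 2 + 4 + 8 + 64 (publish, CDP, freshest, CRL CDP, IDP).
#    AIA: 1 = publish, 2 = in AIA extension, 3 = both (LDAP).
$httpBase = 'http://pki.lab.example/pki'   # assumption
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:$httpBase/%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$httpBase/%1_%3%4.crt\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod 'Hours'
Restart-Service -Name CertSvc
certutil -crl

# 3. Prove the chain works end to end: -urlfetch makes certutil download the root CRL
#    and certificate from the URLs embedded in the Issuing CA certificate, which is
#    exactly what a client will do. Any "Revocation check failed" here means a broken CDP.
$issuingCert = Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll\*.crt" | Select-Object -First 1
certutil -verify -urlfetch $issuingCert.FullName

# 4. The root CRL is the one thing nobody refreshes automatically. Parse its NextUpdate
#    from `certutil -dump` (the date string follows the system locale, hence [datetime]::Parse)
#    and warn while there is still overlap time left to power the root on and run certutil -crl.
function Get-CrlNextUpdate {
    param([Parameter(Mandatory)][string]$Path)
    $line = certutil -dump $Path | Where-Object { $_ -match '^\s*NextUpdate:\s*(.+)$' } | Select-Object -First 1
    if (-not $line) { throw "No NextUpdate line found in $Path" }
    [datetime]::Parse(($line -replace '^\s*NextUpdate:\s*', '').Trim())
}
$next = Get-CrlNextUpdate -Path $rootCrl
$daysLeft = [int]($next - (Get-Date)).TotalDays
if ($daysLeft -lt 30) {
    Write-Warning "Root CRL expires on $next ($daysLeft days): power on Lab-Root-CA, run certutil -crl, and republish."
} else {
    "Root CRL valid until $next ($daysLeft days left)."
}
```

Schedule step 4 as a daily task on the Issuing CA; the 30-day threshold assumes the two-week overlap period configured on the root, so adjust it if you chose different values.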
By following this step-by-step approach, IT pros can confidently build and maintain a secure PKI lab environment. It’s a practical way to deepen your understanding of certificate services and PKI best practices.
From the New blog articles in Microsoft Community Hub