Overview
In this post, we’ll look at how to set up an offline standalone root CA in Windows Server 2012 R2. This is the most secure way to set up your CA because it means you can set up subordinate issuing CAs and power off the root CA when not required to issue subordinate CA certificates.
Having a powered-off server means it cannot be compromised over the network (unless someone has physical access to it, or you decide to store the CA private key on an unencrypted USB key and give it to a friend to get some movies, but that's beside the point!).
How to install an offline standalone root CA
Before we start, make sure you have a clean build of Windows Server 2012 R2 without any other roles installed. Make sure your server is not joined to a domain. The server in this example is called LITCA01 (our root CA in the Litware organization).
- Install AD CS role and select Certificate Authority role service:
- Either use PowerShell:
Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority
- Or use the GUI:
- Select Active Directory Certificate Services
- Click next
- Click next
- Select Certificate Authority
- Click next
- Configure CA and select standalone CA:
- After installation, the wizard prompts you to configure the CA. If you used PowerShell then you can continue CA configuration by opening up Server Manager.
- Click through the wizard accepting the defaults and, when prompted for a CA type, select root CA:
- Create certificate or use an existing one (if you have one already). In our case, we don’t already have one so we create a new one.
- Accept defaults and complete the wizard. You now have a standalone Certificate Authority.
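The same procedure done entirely from PowerShell, as an added example that is not the post's own code. It wraps the install and the CA configuration in a pre-flight check that the host really is a workgroup machine, then verifies the result with certutil. The CA common name "Litware Root CA", the 4096-bit key, SHA-256 and the 20-year validity are assumed values; the wizard defaults in the post would differ.

```powershell
# Added example (not from the original post): build a standalone root CA
# on a clean, workgroup Windows Server 2012 R2 host from PowerShell.
# Assumed values: CA name "Litware Root CA", 4096-bit RSA key, SHA-256,
# 20-year validity. Adjust them to your own certificate policy.

# 1. Refuse to continue if the machine is domain-joined. An offline root
#    CA that is a domain member inherits the domain's whole trust surface.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "Host $($cs.Name) is joined to $($cs.Domain); an offline root CA must be a workgroup machine."
}

# 2. Warn about any extra roles already installed. FileAndStorage-Services
#    is present on every default install, so it is excluded from the warning.
$extraRoles = Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and
                   $_.Name -notin @('AD-Certificate', 'FileAndStorage-Services') }
if ($extraRoles) {
    Write-Warning "Other roles are installed on this host: $($extraRoles.Name -join ', ')"
}

# 3. Install the AD CS role and the Certification Authority role service
#    (the same feature names the post uses) plus the management tools.
Install-WindowsFeature -Name AD-Certificate, ADCS-Cert-Authority -IncludeManagementTools

# 4. Configure it as a standalone root CA with a newly generated key pair.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Litware Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 20 `
    -Force

# 5. Verify: the CertSvc service is running and certutil reports the CA
#    type as a stand-alone root CA.
Get-Service -Name CertSvc
certutil -cainfo type
```

Run it in an elevated PowerShell session on the freshly built server. The domain check at the top is the one worth keeping even if you prefer the GUI for the rest: a root CA that is accidentally domain-joined is the kind of mistake you only find after the root certificate has already been distributed.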
Conclusion
Your standalone root CA is now set up. So, that's great! But how do you make sure things will work when it's offline? How do you get a certificate from an offline CA? How will domain-joined clients autoenroll certificates? For that we'll need a subordinate CA, but first we need to configure the root CA and prepare it for a subordinate CA. We'll go through this in part 2.