
Issuing CA Setup

| Setting  | Value                 |
|----------|-----------------------|
| VM ID    | 311                   |
| Hostname | srv-ica-zrh-01        |
| IP       | 10.30.30.21           |
| OS       | Windows Server 2025   |
| Domain   | corp.microsoftlab.ch  |
Prerequisites (all must be in place before starting, because the Issuing CA certificate cannot be installed until the Root CA chain and CRL are reachable):

  1. Root CA installed and configured
  2. Root CA certificate and CRL published to the PKI repositories
  3. PKI web repositories operational
  4. DNS record pki.microsoftlab.ch resolving
Configure networking and join the domain (the server restarts at the end):

```powershell
# Static address on the lab subnet
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 10.30.30.21 -PrefixLength 24 -DefaultGateway 10.30.30.1
# Point DNS at the domain controller so the domain join can locate corp.microsoftlab.ch
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.30.30.15
# Rename and join in one step; -Restart reboots the machine to complete the join
Add-Computer -DomainName "corp.microsoftlab.ch" -NewName "srv-ica-zrh-01" -Credential (Get-Credential "CORP\Administrator") -Restart
```

Create C:\Windows\CAPolicy.inf BEFORE installing AD CS. The file is read only when the CA is installed or its certificate is renewed; changes made afterwards have no effect until the next renewal.

```ini
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
; Placeholder policy OID; use an OID from an arc your organisation controls
OID=1.2.3.4.5.6.7.8.9.10
Notice="MicrosoftLab Issuing CA - Internal Use Only"

[Certsrv_Server]
; Key size and lifetime used when the CA certificate is renewed
RenewalKeyLength=3072
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
; Base CRL every 7 days, delta CRL daily
CRLPeriod=Days
CRLPeriodUnits=7
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=1
; Do not auto-publish the default certificate templates; add only the ones this CA should issue
LoadDefaultTemplates=0

; Note: these two sections only shape a CA's own self-signed certificate. The CDP and AIA
; placed in this subordinate CA's certificate are set by the Root CA that signs it, so the
; URLs below are kept for consistency with the repository layout rather than for effect.
[CRLDistributionPoint]
URL=http://pki.microsoftlab.ch/crl/%3%8%9.crl

[AuthorityInformationAccess]
URL=http://pki.microsoftlab.ch/aia/%3%4.crt
```
Install the role and configure the Issuing CA. Because the CA type is EnterpriseSubordinateCA, this step produces a certificate request rather than a working CA:

```powershell
# Install the role together with the management tools (certsrv.msc, certutil, ADCSAdministration module)
Install-WindowsFeature AD-Certificate -IncludeManagementTools

# Configure the Issuing CA; this generates the key pair and writes a .req file
# (by default into C:\; pass -OutputCertRequestFile to choose the path)
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName "MicrosoftLab Issuing CA 01" `
    -KeyLength 3072 `
    -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -Force
```

Note: This creates a certificate request file only. The CA service will NOT start until the certificate has been signed by the Root CA and installed.

Sign the request on the Root CA and install the result:

  1. Start the Root CA VM (srv-rca-zrh-01)
  2. Copy the request file to the Root CA
  3. Submit and issue the request in the Certification Authority console (certsrv.msc):
     - Right-click the CA → All Tasks → Submit new request
     - Select the request file
     - Pending Requests → right-click the request → Issue
     - Issued Certificates → export the certificate as .cer
  4. Copy the signed certificate back to the Issuing CA
  5. Shut down the Root CA
  6. Install the signed certificate on the Issuing CA and start the service:

```powershell
# certutil builds the chain to the Root CA and checks revocation before accepting the
# certificate, which is why the Root CA certificate and CRL (prerequisites 2-4) must
# already be published and reachable
certutil -installcert "C:\path\to\signed.cer"
Start-Service CertSvc
```
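Once CertSvc is running, the script below (an added example, not part of the original page) verifies that the settings from CAPolicy.inf and the install command actually took effect. It assumes it runs elevated on srv-ica-zrh-01 and uses the standard AD CS config string and registry path derived from the CA common name; those derivations are assumptions, not values from the page.

```powershell
# Added post-setup checks for the Issuing CA built on this page (not part of the original
# walkthrough). Assumes: run elevated on srv-ica-zrh-01 after 'Start-Service CertSvc';
# config string and registry path follow the usual AD CS layout for the CA common name.
Import-Module ADCSAdministration
$CaName   = "MicrosoftLab Issuing CA 01"
$CaConfig = "srv-ica-zrh-01.corp.microsoftlab.ch\$CaName"
$RegPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$CerFile  = Join-Path $env:TEMP "ica01.cer"
$Results  = @()

function Invoke-Check([string]$Name, [scriptblock]$Check) {
    # Each check returns $true/$false; an exception counts as a failure.
    try { $ok = [bool](& $Check) } catch { $ok = $false }
    $script:Results += [pscustomobject]@{ Check = $Name; Pass = $ok }
}

# Service up and answering on the CA admin interface
Invoke-Check "CertSvc running"  { (Get-Service CertSvc).Status -eq 'Running' }
Invoke-Check "CA answers -ping" { certutil -config $CaConfig -ping *> $null; $LASTEXITCODE -eq 0 }
Invoke-Check "Type is Enterprise Subordinate" { (certutil -cainfo type) -match 'Enterprise Subordinate CA' }

# CAPolicy.inf values are copied into the CA's registry hive at install time
$Reg = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
Invoke-Check "CRLPeriod = Days"        { $Reg.CRLPeriod -eq 'Days' }
Invoke-Check "CRLPeriodUnits = 7"      { $Reg.CRLPeriodUnits -eq 7 }
Invoke-Check "CRLDeltaPeriodUnits = 1" { $Reg.CRLDeltaPeriodUnits -eq 1 }
# LoadDefaultTemplates=0 means no templates are published yet
Invoke-Check "No default templates"    { @(Get-CATemplate).Count -eq 0 }

# The installed CA certificate must chain to the Root CA; -urlfetch also retrieves the
# CDP/AIA URLs stamped into it by the Root CA, so $VerifyOut shows whether the Root CA
# CRL and certificate on pki.microsoftlab.ch are reachable from this host
certutil -config $CaConfig -ca.cert $CerFile *> $null
$VerifyOut = certutil -verify -urlfetch $CerFile
Invoke-Check "CA cert chains to root"  { $LASTEXITCODE -eq 0 }

$Results | Format-Table -AutoSize
if ($Results.Pass -contains $false) { $VerifyOut; exit 1 }
```

A failed "CA cert chains to root" check usually means the Root CA certificate or CRL is not published where the CDP/AIA URLs point; the saved certutil output names the URL that could not be retrieved.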

Note: Issuing CA setup is in progress. Certificate signing step pending.