Root CA Setup

VM Information

Setting	Value
VM ID	310
Hostname	srv-rca-zrh-01
IP	10.30.30.20
OS	Windows Server 2025
Domain	WORKGROUP (not domain-joined!)
Start at boot	NO

Network Configuration

New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 10.30.30.20 -PrefixLength 24 -DefaultGateway 10.30.30.1
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.30.30.15
Rename-Computer -NewName "srv-rca-zrh-01" -Restart

CAPolicy.inf

Create C:\Windows\CAPolicy.inf BEFORE installing AD CS:

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=52
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

[CRLDistributionPoint]
URL=http://pki.microsoftlab.ch/crl/%3.crl

[AuthorityInformationAccess]
URL=http://pki.microsoftlab.ch/aia/%3.crt

CAPolicy.inf Variables

Variable	Description	Result
%3	CA Name	MicrosoftLab Root CA 01

Resulting URLs

CRL: http://pki.microsoftlab.ch/crl/MicrosoftLab Root CA 01.crl
AIA: http://pki.microsoftlab.ch/aia/MicrosoftLab Root CA 01.crt

AD CS Installation

# Install role
Install-WindowsFeature AD-Certificate -IncludeManagementTools

# Configure Root CA
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "MicrosoftLab Root CA 01" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 20 `
    -Force

Export Root Certificate and CRL

# Create export folder
New-Item -Path "C:\RootCA-Export" -ItemType Directory -Force

# Copy files
Copy-Item "C:\Windows\System32\CertSrv\CertEnroll\*.crt" "C:\RootCA-Export\"
Copy-Item "C:\Windows\System32\CertSrv\CertEnroll\*.crl" "C:\RootCA-Export\"

# Verify
Get-ChildItem "C:\RootCA-Export"

Shutdown Root CA

After exporting certificate and CRL:

Stop-Computer -Force

Important: Root CA should remain offline. Only start for CRL renewal (annually).