PKI Infrastructure

Last updated: January 14, 2026

📚 Reference: This guide aligns with Active Directory Certificate Services Overview

My PKI Wake-Up Call

I learned the importance of proper PKI architecture the hard way. In an early project, I deployed a single Certificate Authority without proper planning. When that CA failed six months later and I couldn't restore it properly, I had to rebuild the entire PKI infrastructure – revoking and reissuing hundreds of certificates to servers, users, and devices.

That painful experience taught me that PKI isn't just "install a CA and issue certificates." It's a critical security infrastructure that requires careful design, proper hierarchy, and disaster recovery planning. This article shares what I've learned deploying PKI in production environments.

What is Public Key Infrastructure (PKI)?

PKI is the framework for creating, distributing, using, storing, and revoking digital certificates. In every enterprise environment I manage, PKI provides:

SSL/TLS certificates for secure web traffic (HTTPS)
Code signing certificates to verify software authenticity
Email encryption (S/MIME) for secure communications
User authentication via smart cards and certificates
Computer authentication for network access (802.1X, IPSec)
Document signing for non-repudiation

Why PKI Matters in Enterprise

From my experience, properly implemented PKI:

Enables secure communications: HTTPS, LDAPS, RDP over SSL
Supports strong authentication: Smart card logon, certificate-based VPN
Facilitates trust: Internal apps trust internal CA
Reduces costs: No need to purchase public certificates for internal resources
Enables compliance: Many standards require PKI (HIPAA, PCI-DSS)

PKI Architecture and Hierarchy

The Two-Tier CA Model (My Standard)

Root CA (Offline)

The root of trust for your entire PKI. In my deployments:

Characteristics:

Offline (turned off, locked in server room)
Not domain-joined (standalone server)
Long validity (15-20 years)
Only used to issue subordinate CA certificates
Powered on only for CA certificate renewal

Why offline?

If compromised, entire PKI is invalid
Reduces attack surface to near zero
Industry best practice

Subordinate/Issuing CA (Online)

Issues certificates to end entities (users, computers, servers). In my projects:

Characteristics:

Online (always running)
Domain-joined (enterprise CA)
Medium validity (5-10 years)
Integrated with Active Directory
Auto-enrollment capable

How many issuing CAs?

Small environment: 1 issuing CA
Medium environment: 2 issuing CAs (redundancy)
Large environment: Multiple issuing CAs (by function or location)

PKI Certificate Flow

Planning PKI Deployment

Server Specifications

Root CA Server (Offline)

Hardware:
- 2 vCPU (or physical server)
- 4 GB RAM
- 100 GB disk (OS) + 50 GB data disk
- No network adapter after initial setup

Software:
- Windows Server 2022 Standard
- Standalone CA role
- NOT domain-joined

Issuing CA Server (Online)

Hardware:
- 4 vCPU
- 8 GB RAM
- 100 GB OS disk + 200 GB data disk (for database)
- Redundant network connections

Software:
- Windows Server 2022 Standard/Enterprise
- Enterprise CA role
- Domain-joined
- SQL Server (optional, for large deployments)

Certificate Validity Periods

From my experience, these validity periods work well:

Root CA Certificate:        20 years
Subordinate CA Certificate: 10 years
Server Certificates:        2 years
User Certificates:          1 year
Computer Certificates:      1 year
Code Signing:               2 years

CAPolicy.inf Configuration

This file controls CA certificate properties and must be created before installing the CA role.

Root CA CAPolicy.inf

# C:\Windows\CAPolicy.inf on Root CA
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=AllIssuancePolicy
Critical=False

[AllIssuancePolicy]
OID=2.5.29.32.0

[BasicConstraintsExtension]
PathLength=1
Critical=True

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=10
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1

Issuing CA CAPolicy.inf

# C:\Windows\CAPolicy.inf on Issuing CA
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=AllIssuancePolicy
Critical=False

[AllIssuancePolicy]
OID=2.5.29.32.0

[BasicConstraintsExtension]
PathLength=0
Critical=True

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Weeks
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=1
LoadDefaultTemplates=1
AlternateSignatureAlgorithm=1

[CRLDistributionPoint]
[AuthorityInformationAccess]

Installing Root CA (Offline)

Step 1: Prepare Server

# On standalone (non-domain) server
# Rename computer
Rename-Computer -NewName "ROOTCA01" -Restart

# Set static IP temporarily for initial setup
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 10.1.10.100 -PrefixLength 24

# Install CA role
Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools

Step 2: Create CAPolicy.inf

# Create CAPolicy.inf with content shown above
$capolicy = @"
[Version]
Signature="`$Windows NT`$"

[PolicyStatementExtension]
Policies=AllIssuancePolicy
Critical=False

[AllIssuancePolicy]
OID=2.5.29.32.0

[BasicConstraintsExtension]
PathLength=1
Critical=True

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=10
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
"@

$capolicy | Out-File C:\Windows\CAPolicy.inf -Encoding ASCII

Step 3: Install Root CA Role

# Install Standalone Root CA
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "Company Root CA" `
    -CADistinguishedNameSuffix "O=Company Corporation,C=US" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 20 `
    -Force

# Configure CRL and AIA paths
$crlPath = "C:\CertData\CRL"
$aiaPath = "C:\CertData\AIA"
New-Item -Path $crlPath, $aiaPath -ItemType Directory -Force

# Configure CRL Distribution Points
certutil -setreg CA\CRLPublicationURLs "1:$crlPath\%3%8%9.crl\n10:http://pki.company.com/crl/%3%8%9.crl"

# Configure Authority Information Access
certutil -setreg CA\CACertPublicationURLs "1:$aiaPath\%1_%3%4.crt\n2:http://pki.company.com/aia/%1_%3%4.crt"

# Restart CA service
Restart-Service CertSvc

# Publish CRL
certutil -CRL

Step 4: Export Root CA Certificate and CRL

# Export Root CA certificate
$rootCert = Get-ChildItem -Path Cert:\LocalMachine\My | 
    Where-Object {$_.Subject -like "*Company Root CA*"}

Export-Certificate -Cert $rootCert -FilePath "C:\CertData\CompanyRootCA.cer"

# Copy to USB drive for distribution
Copy-Item "C:\CertData\CompanyRootCA.cer" -Destination "E:\PKI\"
Copy-Item "C:\CertData\CRL\*.crl" -Destination "E:\PKI\"

Step 5: Secure and Power Off Root CA

# Disable network adapter
Disable-NetAdapter -Name "Ethernet" -Confirm:$false

# Power off
Stop-Computer

Installing Issuing CA (Online)

Step 1: Publish Root CA Certificate to AD

# On a domain controller, run as Domain Admin
# Copy Root CA certificate from USB to DC

certutil -dspublish -f "C:\Temp\CompanyRootCA.cer" RootCA

# Verify publication
certutil -viewstore -enterprise Root

Step 2: Prepare Issuing CA Server

# Join domain
Add-Computer -DomainName "company.com" -Restart

# After reboot, create CAPolicy.inf (content shown earlier)
$capolicy = @"
[Version]
Signature="`$Windows NT`$"

[BasicConstraintsExtension]
PathLength=0
Critical=True

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Weeks
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=1
LoadDefaultTemplates=1
AlternateSignatureAlgorithm=1
"@

$capolicy | Out-File C:\Windows\CAPolicy.inf -Encoding ASCII

# Install CA role
Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools

Step 3: Request Subordinate CA Certificate from Root CA

# Create certificate request on Issuing CA
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName "Company Issuing CA 01" `
    -CADistinguishedNameSuffix "O=Company Corporation,C=US" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "C:\SUBCA01.req"

# Copy request file to USB
Copy-Item "C:\SUBCA01.req" -Destination "E:\PKI\"

Step 4: Issue Certificate from Root CA

# On Root CA (power on temporarily)
# Copy request file from USB

# Submit request to Root CA
certreq -submit "C:\Temp\SUBCA01.req" "C:\Temp\SUBCA01.cer"

# Or use CA MMC console:
# - Certification Authority > Submit new request
# - Select SUBCA01.req
# - Pending Requests > right-click > All Tasks > Issue

# Export issued certificate
# Copy to USB
Copy-Item "C:\Temp\SUBCA01.cer" -Destination "E:\PKI\"

# Power off Root CA
Stop-Computer

Step 5: Install Issued Certificate on Issuing CA

# On Issuing CA
# Copy certificate from USB

# Install the certificate
Install-AdcsCertificationAuthority -CertFile "C:\Temp\SUBCA01.cer"

# Verify installation
Get-Service CertSvc
certutil -cainfo

Step 6: Configure CRL and AIA

# Create CRL and AIA paths
$crlPath = "C:\CertData\CRL"
$aiaPath = "C:\CertData\AIA"
New-Item -Path $crlPath, $aiaPath -ItemType Directory -Force

# Create share for CRL distribution
New-SmbShare -Name "CertData" -Path "C:\CertData" -FullAccess "Everyone"

# Configure IIS for HTTP distribution (install IIS first)
Install-WindowsFeature Web-Server, Web-Mgmt-Tools

# Create virtual directories
New-WebVirtualDirectory -Site "Default Web Site" -Name "crl" -PhysicalPath $crlPath
New-WebVirtualDirectory -Site "Default Web Site" -Name "aia" -PhysicalPath $aiaPath

# Enable directory browsing and double escaping
Set-WebConfigurationProperty -Filter "system.webServer/directoryBrowse" `
    -PSPath "IIS:\Sites\Default Web Site\crl" -Name "enabled" -Value $true

Set-WebConfigurationProperty -Filter "system.webServer/security/requestFiltering" `
    -PSPath "IIS:\Sites\Default Web Site\crl" -Name "allowDoubleEscaping" -Value $true

# Same for AIA
Set-WebConfigurationProperty -Filter "system.webServer/directoryBrowse" `
    -PSPath "IIS:\Sites\Default Web Site\aia" -Name "enabled" -Value $true

Set-WebConfigurationProperty -Filter "system.webServer/security/requestFiltering" `
    -PSPath "IIS:\Sites\Default Web Site\aia" -Name "allowDoubleEscaping" -Value $true

# Configure CRL URLs
certutil -setreg CA\CRLPublicationURLs "65:$crlPath\%3%8%9.crl\n79:http://pki.company.com/crl/%3%8%9.crl\n6:file://$crlPath\%3%8%9.crl"

# Configure AIA URLs
certutil -setreg CA\CACertPublicationURLs "1:$aiaPath\%1_%3%4.crt\n2:http://pki.company.com/aia/%1_%3%4.crt"

# Apply settings and restart
Restart-Service CertSvc

# Publish CRL
certutil -CRL

# Verify CRL paths in issued certificates
certutil -url "C:\Temp\SUBCA01.cer"

Certificate Templates

Templates define the properties and usage of certificates. In my deployments, I customize templates for specific needs.

Viewing Default Templates

# List all templates
Get-CATemplate

# View specific template
Get-CATemplate -DisplayName "Web Server"

Duplicating and Customizing Templates

I always duplicate default templates rather than modifying them:

# Open Certificate Templates console
certtmpl.msc

# Or use PowerShell
# Duplicate Web Server template
$template = Get-CATemplate -DisplayName "Web Server"

Common customizations I make:

1. Web Server Template with 2-year validity

1. Open certtmpl.msc
2. Right-click "Web Server" > Duplicate
3. General tab:
   - Template name: "Company Web Server"
   - Validity: 2 years
   - Renewal: 6 weeks
4. Request Handling tab:
   - Allow private key to be exported: YES (for backup)
5. Security tab:
   - Add "Web Servers" group
   - Grant: Read, Enroll, Autoenroll
6. Subject Name tab:
   - Supply in the request (for SAN certificates)

2. User Authentication Certificate

1. Duplicate "User" template
2. Template name: "Company User Certificate"
3. Validity: 1 year
4. Enable auto-enrollment
5. Security: Grant Domain Users > Read, Enroll, Autoenroll

3. Computer Certificate with Auto-Enrollment

1. Duplicate "Computer" template
2. Template name: "Company Computer Certificate"
3. Security: Grant Domain Computers > Read, Enroll, Autoenroll
4. Enable auto-enrollment in GPO

Publishing Templates to CA

# Open Certification Authority console
certsrv.msc

# Right-click "Certificate Templates" > New > Certificate Template to Issue
# Select your custom templates

# Or via PowerShell
# Add template to CA
certutil -SetCATemplates +CompanyWebServer
certutil -SetCATemplates +CompanyUserCertificate
certutil -SetCATemplates +CompanyComputerCertificate

Auto-Enrollment Configuration

Auto-enrollment reduces administrative overhead significantly.

GPO Configuration for Certificate Auto-Enrollment

# Create GPO for certificate auto-enrollment
$gpoName = "Certificate Auto-Enrollment"
New-GPO -Name $gpoName

# Link to domain
New-GPLink -Name $gpoName -Target "DC=company,DC=com"

# Configure Computer Certificate Auto-Enrollment
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollment" `
    -ValueName "AEPolicy" -Type DWord -Value 7

# Value 7 = Enabled, Renew expired certificates, update pending certificates, remove revoked certificates

# Configure User Certificate Auto-Enrollment
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment" `
    -ValueName "AEPolicy" -Type DWord -Value 7

# Force GPO update on client
gpupdate /force

# Verify on client
certutil -pulse

Manual Certificate Enrollment

# Request certificate manually
certreq -new request.inf request.req

# Sample request.inf for web server
$requestInf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=webapp.company.com"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=webapp.company.com&"
_continue_ = "dns=webapp.company.local&"
_continue_ = "dns=webapp"
"@

$requestInf | Out-File C:\Temp\request.inf -Encoding ASCII

# Create request
certreq -new C:\Temp\request.inf C:\Temp\request.req

# Submit to CA
certreq -submit -config "SUBCA01.company.com\Company Issuing CA 01" C:\Temp\request.req C:\Temp\cert.cer

# Install certificate
certreq -accept C:\Temp\cert.cer

Certificate Revocation

Revoking Certificates

# Revoke certificate by serial number
certutil -revoke <SerialNumber> <ReasonCode>

# Reason codes:
# 0 = Unspecified
# 1 = Key Compromise
# 2 = CA Compromise
# 3 = Change of Affiliation
# 4 = Superseded
# 5 = Cessation of Operation
# 6 = Certificate Hold

# Example: Revoke due to key compromise
certutil -revoke 1A2B3C4D5E6F 1

# Publish new CRL immediately
certutil -CRL

CRL Management

# View current CRL
certutil -getcrl C:\CertData\CRL\*.crl

# Configure CRL publication schedule
certutil -setreg CA\CRLPeriod Weeks
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod Days
certutil -setreg CA\CRLDeltaPeriodUnits 1

# Restart and publish
Restart-Service CertSvc
certutil -CRL

Online Responder (OCSP)

For real-time revocation checking:

# Install OCSP role
Install-WindowsFeature -Name ADCS-Online-Cert -IncludeManagementTools

# Configure OCSP
Install-AdcsOnlineResponder

# Create revocation configuration
# This is typically done via GUI (certsrv.msc > Online Responder Management)

Smart Card Authentication

Configure Smart Card Logon Template

# Open Certificate Templates console
certtmpl.msc

# Duplicate "Smartcard Logon" template
# Set validity to 1 year
# Enable auto-enrollment for smart card users
# Publish template to CA

# Enroll smart card
# Insert smart card
certutil -scinfo

# Request certificate to smart card
certreq -new -user -smartcard smartcard.inf smartcard.req

Enable Smart Card Logon in AD

# Configure user for smart card required logon
Set-ADUser -Identity jsmith -SmartcardLogonRequired $true

# Create GPO for smart card settings
$gpoName = "Smart Card Policy"
New-GPO -Name $gpoName
New-GPLink -Name $gpoName -Target "OU=Users,DC=company,DC=com"

# Configure smart card removal policy
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" `
    -ValueName "ScRemoveOption" -Type String -Value "2"
# 0 = No action, 1 = Lock workstation, 2 = Force logoff

Monitoring and Maintenance

Health Checks

# CA service status
Get-Service CertSvc | Select-Object Name, Status, StartType

# Certificate expiration check
Get-ChildItem Cert:\LocalMachine\My | 
    Where-Object {$_.NotAfter -lt (Get-Date).AddDays(60)} | 
    Select-Object Subject, NotAfter, Thumbprint

# CA certificate validity
certutil -cainfo cert

# Database integrity
certutil -verify

# CRL validity
certutil -URL http://pki.company.com/crl/CompanyIssuingCA01.crl

Backup CA

# Backup CA database and private key
$backupPath = "D:\CABackup\$(Get-Date -Format 'yyyy-MM-dd')"
New-Item -Path $backupPath -ItemType Directory -Force

# Backup using certutil
certutil -backup $backupPath

# Backup includes:
# - CA database
# - CA private key (encrypted)
# - CA certificate

# Protect backup
$acl = Get-Acl $backupPath
$acl.SetAccessRuleProtection($true,$false)
Set-Acl $backupPath $acl

Restore CA

# Stop CA service
Stop-Service CertSvc

# Restore CA database
certutil -restore "D:\CABackup\2026-01-14"

# Restart CA service
Start-Service CertSvc

# Verify
certutil -cainfo

Certificate Database Maintenance

# View database information
certutil -catemplates
certutil -cainfo

# Defragment database (offline)
Stop-Service CertSvc
esentutl /d "C:\Windows\System32\CertLog\company.edb"
Start-Service CertSvc

# Archive revoked certificates
certutil -deleterow <CutoffDate> CA

# Example: Archive certificates older than 1 year
certutil -deleterow 01/14/2025 CA

Security Best Practices

1. Protect CA Private Key

# Use Hardware Security Module (HSM) for Root CA in production
# Or ensure strong ACLs on key storage

$keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"
$acl = Get-Acl $keyPath
# Remove unnecessary accounts
Set-Acl $keyPath $acl

2. Restrict CA Administration

# Create dedicated CA admin group
New-ADGroup -Name "CA-Administrators" -GroupScope Global

# Grant minimal permissions
# CA Management: CA-Administrators group only
# Certificate Templates: Template-Administrators group
# Revocation: Certificate-Managers group

3. Enable Auditing

# Enable CA auditing
certutil -setreg CA\AuditFilter 127

# Audit categories:
# 1 = Backup and restore
# 2 = Certificate requests
# 4 = Certificate revocation
# 8 = CA property changes
# 16 = CA state changes
# 32 = Security events
# 64 = Key archival

# All events = 127 (sum of all values)

Restart-Service CertSvc

# View audit events
Get-WinEvent -LogName Security | 
    Where-Object {$_.ProviderName -eq "Microsoft-Windows-Security-Auditing"} | 
    Select-Object TimeCreated, Id, Message

4. Implement Key Archival (for recovery)

# Configure Key Recovery Agent certificate
# Only for user certificates, not recommended for server certs

# Create KRA template (GUI required)
# Assign KRA to CA
certutil -setreg CA\KRACertUsedCount 1
certutil -setreg CA\KRACert 0 <KRA_Certificate_Thumbprint>

Restart-Service CertSvc

Real-World Scenarios

Scenario 1: Issue SSL Certificate for ADFS

# Create certificate request for ADFS
$requestInf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=adfs.company.com,O=Company Corporation,C=US"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=adfs.company.com&"
_continue_ = "dns=enterpriseregistration.company.com&"
_continue_ = "dns=certauth.adfs.company.com"
"@

$requestInf | Out-File C:\Temp\adfs.inf -Encoding ASCII

certreq -new C:\Temp\adfs.inf C:\Temp\adfs.req
certreq -submit -config "SUBCA01\Company Issuing CA 01" C:\Temp\adfs.req C:\Temp\adfs.cer
certreq -accept C:\Temp\adfs.cer

Scenario 2: Configure 802.1X with Computer Certificates

# Ensure Computer template is published
# Enable auto-enrollment via GPO (shown earlier)

# Force certificate enrollment on clients
gpupdate /force
certutil -pulse

# Configure Network Policy Server (NPS) for 802.1X
# Install NPS role
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Register NPS in AD
netsh nps add registeredserver

# Configure network policy (GUI or netsh)
# Require computer certificates for authentication

Scenario 3: Email Encryption (S/MIME)

# Create Email certificate template (duplicate User template)
# Enable Key Archival
# Publish template

# Users auto-enroll for email certificates
# Configure Outlook to use S/MIME
# Send encrypted/signed emails

Troubleshooting Common Issues

Issue: Certificate Auto-Enrollment Not Working

# Check GPO application
gpresult /r

# Test auto-enrollment
certutil -pulse

# Check application event log
Get-WinEvent -LogName Application | 
    Where-Object {$_.ProviderName -like "*Certificate*"} | 
    Select-Object TimeCreated, Message

# Verify template permissions
# User/Computer must have Read and Enroll permissions

Issue: CRL Not Accessible

# Test CRL URL
certutil -URL http://pki.company.com/crl/CompanyIssuingCA01.crl

# Verify IIS configuration
Get-Website | Where-Object {$_.Name -eq "Default Web Site"}

# Check CRL file exists
Test-Path "C:\CertData\CRL\*.crl"

# Republish CRL
certutil -CRL

Issue: Certificate Validation Fails

# Test certificate chain
certutil -verify -urlfetch cert.cer

# Check root certificate is trusted
certutil -viewstore -enterprise Root

# Verify AIA and CRL URLs in certificate
certutil -url cert.cer

Conclusion

PKI is the foundation of enterprise security. From my experience deploying PKI across organizations of all sizes, success depends on:

Proper architecture: Offline root CA, online issuing CAs
Careful planning: Certificate lifetimes, template design, CRL distribution
Security first: Protect CA private keys, restrict access, enable auditing
Automation: Auto-enrollment reduces errors and administrative overhead
Maintenance: Regular backups, CRL publication, certificate monitoring

In the next article, we'll explore IIS and Web Application Proxy deployments, where we'll use the certificates issued by this PKI infrastructure.

hashtagMy PKI Wake-Up Call

hashtagWhat is Public Key Infrastructure (PKI)?

hashtagWhy PKI Matters in Enterprise

hashtagPKI Architecture and Hierarchy

hashtagThe Two-Tier CA Model (My Standard)

hashtagRoot CA (Offline)

hashtagSubordinate/Issuing CA (Online)

hashtagPKI Certificate Flow

hashtagPlanning PKI Deployment

hashtagServer Specifications

hashtagCertificate Validity Periods

hashtagCAPolicy.inf Configuration

hashtagInstalling Root CA (Offline)

hashtagStep 1: Prepare Server

hashtagStep 2: Create CAPolicy.inf

hashtagStep 3: Install Root CA Role

hashtagStep 4: Export Root CA Certificate and CRL

hashtagStep 5: Secure and Power Off Root CA

hashtagInstalling Issuing CA (Online)

hashtagStep 1: Publish Root CA Certificate to AD

hashtagStep 2: Prepare Issuing CA Server

hashtagStep 3: Request Subordinate CA Certificate from Root CA

hashtagStep 4: Issue Certificate from Root CA

hashtagStep 5: Install Issued Certificate on Issuing CA

hashtagStep 6: Configure CRL and AIA

hashtagCertificate Templates

hashtagViewing Default Templates

hashtagDuplicating and Customizing Templates

hashtagPublishing Templates to CA

hashtagAuto-Enrollment Configuration

hashtagGPO Configuration for Certificate Auto-Enrollment

hashtagManual Certificate Enrollment

hashtagCertificate Revocation

hashtagRevoking Certificates

hashtagCRL Management

hashtagOnline Responder (OCSP)

hashtagSmart Card Authentication

hashtagConfigure Smart Card Logon Template

hashtagEnable Smart Card Logon in AD

hashtagMonitoring and Maintenance

hashtagHealth Checks

hashtagBackup CA

hashtagRestore CA

hashtagCertificate Database Maintenance

hashtagSecurity Best Practices

hashtag1. Protect CA Private Key

hashtag2. Restrict CA Administration

hashtag3. Enable Auditing

hashtag4. Implement Key Archival (for recovery)

hashtagReal-World Scenarios

hashtagScenario 1: Issue SSL Certificate for ADFS

hashtagScenario 2: Configure 802.1X with Computer Certificates

hashtagScenario 3: Email Encryption (S/MIME)

hashtagTroubleshooting Common Issues

hashtagIssue: Certificate Auto-Enrollment Not Working

hashtagIssue: CRL Not Accessible

hashtagIssue: Certificate Validation Fails

hashtagConclusion

hashtagFurther Reading