This is the third part (Part 1, Part 2) of the how-to guide on installing and configuring an offline Root Certificate Authority on a Windows Server 2008 R2 Core edition.

Within this part we are going to install and configure Active Directory Certificate Services (ADCS) on the Root CA. We are also going to back up the root certificate with its private key to external storage and encrypt that drive with BitLocker To Go.

Prerequisites

The following must be available before using this guide:

  • Part 1 and Part 2 of the installation guide must be completed;
  • Root access to the Root CA server (ILO, VMware, vSphere console);
  • SetupCA.vbs must be downloaded (click here) and stored on the Root CA (C:\Temp);
  • One or two USB drives (dedicated for the backup of the root certificate and private key).

Installation steps

1. Open the Root CA and run the following command to install Certificate Services: start /w ocsetup.exe CertificateServices /norestart /quiet

2. Check if the installation succeeded by running the following command: Dism /online /get-features /Format:Table

3. Configure Active Directory Certificate Services by running the following command: Cscript /nologo C:\Temp\SetupCA.vbs /is /sn <RootCA netbios name> /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256

Note: Change <RootCA netbios name> to the NetBIOS name of your Root CA server (in my case RootCA).

4. After the completion of step 3 type the following command to check if the configuration succeeded: type _SetupCA.log

5. Now we are going to stop the Certificate Services service by running the following command: net stop CertSvc

6. Now we are going to change the validity period of the root certificate to 10 years by running the following command: Reg Add HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\RootCA /V ValidityPeriodUnits /t REG_DWORD /d 10 /f

Note: Change Configuration\RootCA to Configuration\<NetBIOS name of your server>.

7. Now start the Certificate Services service by running the following command: net start CertSvc

8. Now insert a formatted USB drive into the computer (if using VMware, allow USB drives to connect directly to the Root CA).

9. Now run the following command to back up the certificate and private key: certutil -backupKey <drive letter of the USB drive>

10. You will need to provide a password for the P12 backup file. The password must be stored in a safe location and managed by a security officer.

11. Now we are going to encrypt the drive with BitLocker To Go by running the following command: Manage-bde -on <drive letter of the USB drive> -pw (the -pw switch takes no argument; manage-bde prompts for the password, so enter a very complex password when asked)

12. When all intermediate or issuing CAs are deployed, this server must be shut down.

  • Virtual server: Save the virtual hard drive of the VM to two USB drives (one for backup) and delete the server from the physical host. The USB drives must be stored in separate secured locations (vault).
  • Physical server: Store the hard drives in separate secured locations (vault).
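Before the server is shut down in step 12, it is worth confirming that steps 6 to 11 actually took effect. The script below is an added example and is not part of the original guide or of SetupCA.vbs; it assumes PowerShell is installed on the Core server, that the CA name is RootCA (step 3), that the backup USB drive is E: (steps 9 to 11), and that manage-bde prints English status text.

```powershell
# Added verification script, not from the original guide. Assumes PowerShell is
# installed on the Core server, CA name 'RootCA' (step 3), backup USB drive E:.
param([string]$CaName = 'RootCA', [string]$UsbDrive = 'E:')
$issues = @()

# Step 6: ValidityPeriodUnits must be 10; ValidityPeriod names the unit
# (the guide leaves it at the default 'Years').
$cfgKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
if (-not (Test-Path $cfgKey)) {
    $issues += "CA configuration key not found: $cfgKey (check the CA name)"
} else {
    $cfg = Get-ItemProperty -Path $cfgKey
    if ($cfg.ValidityPeriodUnits -ne 10) {
        $issues += "ValidityPeriodUnits is '$($cfg.ValidityPeriodUnits)', expected 10"
    }
    if ($cfg.ValidityPeriod -ne 'Years') {
        $issues += "ValidityPeriod is '$($cfg.ValidityPeriod)', expected 'Years'"
    }
}

# Step 7: the service must be running again after the registry change.
$svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
if (-not $svc) { $issues += 'CertSvc service is not installed' }
elseif ($svc.Status -ne 'Running') { $issues += "CertSvc is $($svc.Status), expected Running" }

# Step 9: certutil -backupKey writes <CaName>.p12 into the backup directory.
$p12 = Join-Path "$UsbDrive\" "$CaName.p12"
if (-not (Test-Path $p12)) { $issues += "Key backup not found: $p12" }
elseif ((Get-Item $p12).Length -eq 0) { $issues += "Key backup is empty: $p12" }

# Step 11: manage-bde -on encrypts in the background; do not remove the drive
# until it is fully encrypted with protection on. Get-BitLockerVolume does not
# exist on 2008 R2, so parse the (English) manage-bde -status text instead.
$status = & manage-bde.exe -status $UsbDrive 2>&1 | Out-String
if ($status -notmatch 'Percentage Encrypted:\s+100') { $issues += "$UsbDrive is not fully encrypted yet" }
if ($status -notmatch 'Protection Status:\s+Protection On') { $issues += "$UsbDrive BitLocker protection is not on" }

if ($issues.Count -eq 0) { 'All checks passed.'; exit 0 }
$issues | ForEach-Object { "FAIL: $_" }
exit 1
```

Run it from an elevated PowerShell prompt on the Root CA; a non-zero exit code means at least one of the steps needs to be revisited before the drive is removed and the server is shut down.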

In total we have the following security measures:

  • Password of the administrator account is complex.
  • Drive of the Root CA is encrypted with Bitlocker.
  • Startup disk of the Root CA is stored in a secure location and managed by a security officer.
  • Backup of the private key of the root certificate is stored on an encrypted, password-protected USB disk and managed by a security officer.
  • The Root CA is shut down and all disks are stored in separate secured locations.

To provide an extra level of security (and redundancy), divide all passwords and physical drives between two security officers. When the Root CA must be started, both security officers are needed to start the server.