Deploying a Two-Tier Standalone Certification Authority Infrastructure
This type of CA infrastructure is appropriate for both Active Directory domain-based and non-domain-based
environments. With it we can issue certificates to any device or user, e.g. Cisco ASA firewalls, routers,
switches, computers, web servers, domain controllers, etc. Because both CAs are standalone rather than
enterprise CAs, no Active Directory is required and certificate requests are approved manually.
Following are the steps for configuring a Root CA and a Subordinate CA. We will call the Root CA RootCA
and the Subordinate CA SubCA.
Configuring RootCA
(Steps 1 to 11 of the RootCA configuration are not captured in the text of this document.)
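The RootCA side of the procedure, as an added PowerShell example that is not part of the original document. It installs a standalone root CA named RootCA and then clears the revocation check points (CRL Distribution Point and Authority Information Access) exactly as the text describes, so that the SubCA certificate issued by this root carries no CDP or AIA URL. The key length, hash algorithm, validity and CRL periods are assumed values, not settings given in the original.

```powershell
# Added example (not from the original document): build RootCA as a standalone
# root CA. Assumed (not in the original): key length, hash, validity and CRL periods.
# Run in an elevated PowerShell session on the RootCA server.

# 1. Install the AD CS role. A standalone CA does not need domain membership.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Create the standalone root CA. "RootCA" is the name used in the document.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "RootCA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 3. Clear the revocation check points. Flag 1 = publish to this location only;
#    without flag 2 no CDP/AIA URL is written into certificates this root issues
#    (i.e. the SubCA certificate), which is what keeps the SubCA service starting.
#    The local CertEnroll folder still receives the CRL and CA cert for copying out.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt"

# 4. Long base CRL and no delta CRL: a root that only signs the SubCA cert
#    rarely needs a new CRL. (Assumed values; set them to match your policy.)
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# 5. Lifetime of certificates this root issues, i.e. the SubCA certificate (assumed 5 years).
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

# 6. Apply the registry changes and publish the first CRL.
Restart-Service certsvc
certutil -crl

# 7. Check: the URL settings took effect, and the root certificate plus CRL
#    in CertEnroll are the files to copy to the SubCA.
certutil -getreg CA\CRLPublicationURLs
Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll"
```

The trade-off this reflects is worth stating: because the SubCA certificate carries no CDP or AIA, relying parties cannot check whether the SubCA itself has been revoked, only whether certificates the SubCA issues have been. That is acceptable for a root kept offline and used only to sign the SubCA; it is not acceptable for a root that is online and issuing end-entity certificates.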
Configuring SubCA
The following steps must be followed to configure the SubCA successfully. In the RootCA configuration we
cleared the revocation check points (the CRL Distribution Point and Authority Information Access extensions)
because those resources are normally not configured by default. If they are left in place they are written
into the SubCA certificate as extensions; the SubCA then cannot reach them, the revocation check of its own
certificate fails, and the Certificate Services service will not start at all. We could do the same on the
SubCA, but we should at least leave the check point at C:\Windows\System32\CertSrv so that there is at least
one location to refer to for revoked certificates. If we configure a Cisco ASA to use our CAs for SSL VPN
with certificate authentication, we will also have to install IIS on the SubCA and point a virtual
directory at that location, so the ASA can download the CRL over HTTP.
1. Copy the RootCA certificate to the Trusted Root Certification Authorities store
2. Make sure the date and time are correct
3. Select Standalone
(Steps 4 to 25 of the SubCA configuration are not captured in the text of this document.)
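The SubCA side of the procedure (steps 1 to 3 above plus the check point and IIS settings the text describes), as an added PowerShell example that is not part of the original document. It trusts the RootCA certificate, installs a standalone subordinate CA named SubCA, keeps the CRL check point in C:\Windows\System32\CertSrv\CertEnroll, adds an HTTP URL served by an IIS virtual directory over that folder for the Cisco ASA, and finishes with a revocation check. The hostname subca.example.com, the C:\Temp paths, the key and hash choices and the CRL periods are assumptions, not values from the original.

```powershell
# Added example (not from the original document): build SubCA as a standalone
# subordinate CA. Assumed (not in the original): subca.example.com, C:\Temp paths,
# key/hash choices, CRL periods, and that RootCA.crt / RootCA.crl were copied here.
# Run in an elevated PowerShell session on the SubCA server.

# Step 2 of the document: a wrong clock makes every certificate look not-yet-valid
# or expired, so verify it before anything else.
Get-Date
w32tm /query /status

# Step 1: trust the root. Put its certificate and its CRL in the machine Root store.
Import-Certificate -FilePath "C:\Temp\RootCA.crt" -CertStoreLocation Cert:\LocalMachine\Root
certutil -addstore -f Root "C:\Temp\RootCA.crl"

# Step 3: standalone subordinate CA. This writes a request that RootCA must sign;
# the CA service stays stopped until the signed certificate is installed.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType StandaloneSubordinateCA `
    -CACommonName "SubCA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "C:\Temp\SubCA.req" `
    -Force

# On RootCA (a standalone CA holds requests as pending until an admin issues them):
#   certreq -submit C:\Temp\SubCA.req          -> note the RequestId it prints
#   certutil -resubmit <RequestId>             -> issue the pending request
#   certreq -retrieve <RequestId> C:\Temp\SubCA.cer
# Copy SubCA.cer back to this server, then install it:
certutil -installcert "C:\Temp\SubCA.cer"

# Keep the check point in CertSrv\CertEnroll (flag 1 = publish there) and add the
# HTTP URL the ASA will fetch (flag 2 = include in issued certificates). certutil
# expects a literal "\n" between entries; PowerShell leaves "\n" alone in strings.
$cdp = "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl" +
       "\n2:http://subca.example.com/CertEnroll/%3%8%9.crl"
$aia = "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt" +
       "\n2:http://subca.example.com/CertEnroll/%1_%3%4.crt"
certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0   # no delta CRLs; many VPN appliances ignore them anyway

# IIS virtual directory over the CertEnroll folder, as the document requires for the ASA.
Install-WindowsFeature Web-Server -IncludeManagementTools
Import-Module WebAdministration
New-WebVirtualDirectory -Site "Default Web Site" -Name "CertEnroll" `
    -PhysicalPath "$env:windir\System32\CertSrv\CertEnroll"
# Delta CRL file names contain "+", which IIS request filtering rejects unless
# double escaping is allowed; harmless here since deltas are off, needed if you turn them on.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/security/requestFiltering" -Name allowDoubleEscaping -Value $true

# Start the CA with the new settings and publish the first CRL into CertEnroll.
Start-Service certsvc
certutil -crl

# Checks: the CRL is reachable over plain HTTP (the ASA will not follow HTTPS for a CRL
# without its own trust setup), and the SubCA chain verifies with URL fetching enabled.
Invoke-WebRequest "http://subca.example.com/CertEnroll/SubCA.crl" -OutFile "C:\Temp\test.crl"
certutil -dump "C:\Temp\test.crl"
certutil -verify -urlfetch "C:\Temp\SubCA.cer"
```

The last `certutil -verify -urlfetch` line is the check to keep: it walks the chain the way a relying party does and reports which CDP or AIA URL it could not reach, which is the failure the text warns about. The virtual directory must be reachable from the ASA on port 80 at the exact URL written into the certificates; changing the hostname later means reissuing every certificate that embeds the old one.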