Install Root CA and Sub-Ordinate CA for Non-trusted Domains | ConfigMgr | SCCM

This is a step-by-step guide to installing a Root CA and a Sub-Ordinate CA (Certificate Server). The installation uses an offline method for non-trusted domains.

It covers installing the CA servers for SCCM PKI/Internet clients, creating certificate templates, and configuring a GPO for certificate auto-enrollment.

Related Post – Learn The Basic Concepts of PKI – Intune PKI Made Easy With Joy Part-1

Root CA Installation

Prerequisites

To install the Certificate Authority role, the server should be a member server of the ROOT domain.

Pre-Configuration

Only a Domain Admin can install the CA server; your account needs to be added to the Domain Admins group before starting the CA installation.

Installation of Root CA

Go to the CA server and install the “Active Directory Certificate Services” role to install the ROOT CA.

Select “Certificate Authority” and click Next.

If the server is a member of the domain, you can install an Enterprise CA; otherwise you can install a Standalone CA.

Select “Root CA” and click Next to continue.

Select “Create a new private key” and click Next.

Enter the ROOT CA name as you prefer, and click Next.

After the installation completes, finish the post-configuration by opening the “Certificate Authority” console.

Validation

Open the “Certificate Authority” console and validate that the new ROOT CA is listed there.

Sub-Ordinate CA Installation

To install a Sub-Ordinate CA in a non-trusted domain, we have to follow some manual export, import and certificate generation steps.

Note! – A Sub-Ordinate CA in a non-trusted domain will not auto-enroll its new Sub-Ordinate CA certificate. You need to create a new request file from the Sub-Ordinate CA, generate the new certificate on the ROOT CA, then import it and start the services on the Sub-Ordinate CA.

Prerequisites

TCP ports 80 and 443 should be allowed between the ROOT CA and Sub-Ordinate CA servers.

Copy the 2 files below from the ROOT CA to the Sub-Ordinate CA server (where you want to install the Sub-Ordinate CA). They are located in this folder on the ROOT CA:

C:\Windows\System32\certsrv\CertEnroll

  • .crt (Security Certificate file)
  • .crl (Certificate Revocation file)
Pre-Configuration

Connect to the Sub-Ordinate CA (non-trusted domain server), open PowerShell or CMD as Administrator and go to the certificate folder (where you copied the certificates from the ROOT CA).

Then execute the commands below.

certutil -dspublish -f "CRTfilename.crt" RootCA

Note! – This command places the root CA public certificate into the Configuration container of Active Directory. Doing so allows domain client computers to automatically trust the root CA certificate, and there is no additional need to distribute that certificate through Group Policy.

certutil -addstore -f root "CRTfilename.crt"
certutil -addstore -f root "CRLfilename.crl"

Note! – These 2 commands place the root CA certificate and CRL into the local store of the SUBCA. This gives the SUBCA immediate trust of the root CA public certificate and knowledge of the root CA CRL. The SUBCA could obtain the certificate from Group Policy and the CRL from the CDP location, but publishing these two items to the local store on the SUBCA speeds up the configuration of the SUBCA as a subordinate CA.

Validation

Using the mmc command, open the “Certificate snap-in” dialog box, select “Computer account”, and then click Next. In the “Select Computer” dialog box, ensure that “Local computer: (the computer this console is running on)” is selected, and then click Finish. In the console, expand “Trusted Root Certification Authorities”, expand “Certificate Revocation List” and verify the ROOT CA CRL is present; also expand “Certificates” and validate that the ROOT CA certificate is present.
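The import and validation above can also be done from PowerShell on the Sub-Ordinate CA. This is an added example, not part of the original post: it pins the copied .crt to a thumbprint read directly on the ROOT CA before trusting it (the file crossed a non-trusted boundary), imports the certificate and CRL, and confirms both landed in the local machine store. The folder C:\RootCA, the file names and the thumbprint value are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumptions: the ROOT CA files were
# copied to C:\RootCA, and $ExpectedThumbprint is a placeholder for the thumbprint
# read out-of-band on the ROOT CA itself (Certification Authority console, CA properties).
param(
    [string]$CertFile = 'C:\RootCA\CRTfilename.crt',
    [string]$CrlFile  = 'C:\RootCA\CRLfilename.crl',
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'  # placeholder
)

# 1. Pin the copied certificate to the thumbprint obtained out-of-band: the file came
#    across a non-trusted boundary, so its file name alone proves nothing.
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
if ($rootCert.Thumbprint -ne $ExpectedThumbprint) {   # -ne is case-insensitive in PowerShell
    throw "Thumbprint mismatch: file has $($rootCert.Thumbprint), expected $ExpectedThumbprint"
}
if ($rootCert.Subject -ne $rootCert.Issuer) {
    throw "$CertFile is not self-signed, so it is not a root CA certificate"
}

# 2. Same effect as the two certutil -addstore commands in the post: the PKI module
#    imports the certificate; certutil is kept for the CRL (no native CRL cmdlet exists).
Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
certutil -addstore -f Root $CrlFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed for $CrlFile" }

# 3. Validate: the root must now be in the local machine's Trusted Root store ...
$inStore = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }
if (-not $inStore) { throw 'ROOT CA certificate not found in Trusted Root Certification Authorities' }

# ... and the CRL's issuer and validity window are shown so the operator can confirm it
#     belongs to that root and has not expired (certutil -dump prints these fields).
$crlInfo = certutil -dump $CrlFile | Select-String -Pattern 'CN=|ThisUpdate|NextUpdate'
"Imported $($rootCert.Subject) ($($rootCert.Thumbprint)); CRL details:"
$crlInfo | ForEach-Object { "  $($_.Line.Trim())" }
```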

Install Sub-Ordinate CA

Click Add Roles and Features and select “Active Directory Certificate Services”.

Select “Certificate Authority”.

Click “Install” to continue the CA role installation.

The CA role installation is in progress.

Once the installation completes, close the window and open “Active Directory Certificate Services” to configure the CA on the server.

Select “Certificate Authority” and click Next.

Select “Enterprise CA” and click Next.

Select “Sub-Ordinate CA” and click Next.

Select “Create a new private key” and click Next.

Select the cryptographic provider and the algorithm options for signing certificates as per your organization's requirements.

Provide your CA name; it will appear as the issuer on the certificates this CA issues.

Save the request file from the Sub-Ordinate CA; with this request file we need to generate the new Sub-Ordinate CA certificate on the ROOT CA server.

Click “Configure” to complete the Sub-Ordinate CA installation.

The Certificate Server is configured successfully, with some warnings, because the Sub-Ordinate CA cannot communicate with the ROOT CA from the non-trusted domain.

We need to execute some manual steps to generate the new Sub-Ordinate CA certificate, start the services and enroll certificates to non-trusted domain clients.

Connect to the “ROOTCA” and copy the certificate request file from the Sub-Ordinate CA to the ROOTCA server.

Open PowerShell with Run as Administrator and execute the command below to create the Sub-Ordinate CA certificate.

certreq -submit requestfile.req
It will pop up a list of your ROOT CA servers; select the correct ROOT CA and click OK to generate the certificate.

Save the certificate file.

Run the command below (with the request ID from the previous step) to save the CRT file for the Sub-Ordinate CA:

certreq -retrieve RequestId c:\filename.crt
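The submit and retrieve steps above can be run without the CA picker dialog by naming the CA explicitly, and the issued file should be checked before it is carried into the non-trusted domain. This is an added example, not part of the original post: the CA config string "ROOTCA\Contoso Root CA" and the C:\Temp paths are placeholders, and the check confirms the issued certificate is really a CA certificate that chains to this ROOT CA.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post), run on the ROOT CA. Assumptions: the
# config string is "<CA host name>\<CA common name>" and the paths are placeholders.
param(
    [string]$Config  = 'ROOTCA\Contoso Root CA',
    [string]$Request = 'C:\Temp\requestfile.req',
    [string]$CertOut = 'C:\Temp\SubCA.crt',
    [string]$RootOut = 'C:\Temp\RootCA.crt'
)

# -config names the CA explicitly, so the CA picker dialog from the post does not appear.
$submit = certreq -submit -config $Config $Request $CertOut 2>&1 | Out-String
if ($submit -match 'RequestId:\s*(\d+)') { $requestId = [int]$Matches[1] }
else { throw "Submission failed:`n$submit" }

# A request left "pending" must be issued by a CA manager first; then retrieve the file.
if ($submit -match 'pending') {
    certutil -config $Config -resubmit $requestId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not issue request $requestId" }
    certreq -retrieve -config $Config $requestId $CertOut | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not retrieve request $requestId" }
}

# Export the ROOT CA's own certificate to compare the issuer against.
certutil -config $Config -ca.cert $RootOut | Out-Null
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootOut
$sub  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertOut

# The issued certificate must carry Basic Constraints CA=TRUE, or the Sub-Ordinate CA
# will not be able to sign anything with it.
$bc = $sub.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw "$CertOut is not a CA certificate" }

# It must chain to this ROOT CA. Revocation is skipped here only because the certificate
# is brand new and the Sub-Ordinate CA has not published a CRL yet.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($sub)) { throw "Chain build failed: $($chain.ChainStatus.Status -join ', ')" }
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) { throw "$CertOut does not chain to $($root.Subject)" }

"Request $requestId issued: $($sub.Subject), valid until $($sub.NotAfter), chains to $($root.Subject)"
```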
Connect to the Sub-Ordinate CA server and copy the Sub-Ordinate CA .crl and .crt files from the ROOT CA.

Open the “Certificate Authority” console on the Sub-Ordinate CA.

Right-click the server name – All Tasks – Install CA Certificate.

Browse and select the CRT file that was generated on the ROOT CA.

Once the certificate is installed, you can start the service.

Once the service has started, you will see a GREEN symbol on the CA server, indicating that the CA service is running.

Configure Certificate Templates

Create the “ConfigMgr Client Certificate” template

Right-click Certificate Templates and click Manage to open the Certificate Templates console.

To create the SCCM client authentication certificate, right-click “Workstation Authentication” and click Duplicate Template.

Give the template the name “ConfigMgr Client Certificate”.

Grant Allow permissions for “Read, Enroll and Autoenroll” to Domain Computers.

Click OK to save the “ConfigMgr Client Certificate” template.

To create the web server authentication certificate, right-click the “Web Server” template and click Duplicate Template.

Give the web server template the name “ConfigMgr Web Server Certificate”.

Go to the “Request Handling” tab and select “Allow private key to be exported”.

Go to the “Subject Name” tab and select “Supply in the request”.

Go to the “Security” tab and grant Allow permission only to our SCCM server, as this certificate is required for the SCCM DP server only.

Close the Certificate Templates window.

To add the newly created templates to the Certificate Templates page, run the commands below.

certutil -SetCAtemplates +ConfigMgrClientCertificate
certutil -SetCAtemplates +ConfigMgrWebServerCertificate
Once the templates are added to the Certificate Templates page, they are available for enrollment by client machines.

Configure Group Policy for Auto-Enrollment of Certificates

On the domain controller, launch “Group Policy Management”. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here. In the “New GPO” dialog box, enter a name for the new Group Policy, such as “Autoenroll Certificates”, and click “OK”.

In the results pane, on the “Linked Group Policy Objects” tab, right-click the new Group Policy, and then click Edit. In the “Group Policy Management Editor”, expand Policies under “Computer Configuration”, and then navigate to Windows Settings > Security Settings > Public Key Policies. Right-click the object type named “Certificate Services Client – Auto-Enrollment”, and then click “Properties”.

From the “Configuration Model” drop-down list, select “Enabled”, select “Renew expired certificates, update pending certificates, and remove revoked certificates”, select “Update certificates that use certificate templates”, and then click “OK”. Close the GPMC.

Verifying Certificate Installation on Computers

In the above steps we configured auto-enrollment of the workstation authentication template using Group Policy. This procedure installs the client certificate on computers and verifies the installation. Restart the workstation computer, and wait a few minutes before logging on.

  • Using the mmc command, open the “Certificate snap-in” dialog box.
  • Select “Computer account”, and then click Next.
  • In the “Select Computer” dialog box, ensure that “Local computer: (the computer this console is running on)” is selected, and then click Finish.
  • In the console, expand “Certificates (Local Computer)”, expand “Personal”, and then click “Certificates”.
  • In the results pane, confirm that a certificate is displayed that has “Client Authentication” in the “Intended Purpose” column, and “SCCM Client Certificate” in the “Certificate Template” column.
  • Close the console.
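The same verification can be scripted on the workstation, which is useful when checking many clients. This is an added example, not part of the original post: it looks in the local machine Personal store for a certificate issued from the template created earlier, with the Client Authentication EKU and a private key, and triggers a policy refresh plus autoenrollment if none is present yet. The template name is assumed to be the one used in this post; the OIDs are the standard Microsoft template-information and EKU identifiers.

```powershell
# Added example (not from the original post). Assumption: the template display name
# matches the one created earlier in this post.
param([string]$TemplateName = 'ConfigMgr Client Certificate')

$clientAuthOid = '1.3.6.1.5.5.7.3.2'                                # Client Authentication EKU
$templateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'     # v2 and v1 template info

function Get-TemplateName([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    if (-not $ext) { return $null }
    # v2 renders as "Template=<name>(<oid>), Major Version Number=..."; v1 is just the name.
    $text = $ext.Format($false)
    if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
    return $text.Trim()
}

function Find-AutoEnrolledClientCert([string]$Template) {
    foreach ($cert in Get-ChildItem 'Cert:\LocalMachine\My') {
        if ((Get-TemplateName $cert) -ne $Template) { continue }
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        # A usable SCCM client certificate needs the EKU, its private key, and must not be expired.
        if ($hasClientAuth -and $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date)) { return $cert }
    }
    return $null
}

$cert = Find-AutoEnrolledClientCert -Template $TemplateName
if ($cert) {
    "OK: $($cert.Subject) from template '$TemplateName', thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
} else {
    # Nothing enrolled yet: refresh computer policy and trigger autoenrollment now
    # instead of waiting for the next scheduled autoenrollment cycle.
    Write-Warning "No valid '$TemplateName' certificate with a private key found; triggering autoenrollment"
    gpupdate /target:computer /force | Out-Null
    certutil -pulse | Out-Null
}
```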