To finish this series, in this article we will configure the DNS records and the website that will host the AIA and CDP locations. In the end, we will have a fully operational Two Tier PKI Hierarchy in Windows Server 2016.
You can retrieve the other articles of this series following these links:
- Installing a Two Tier PKI Hierarchy in Windows Server 2016 – Part 1
- Installing a Two Tier PKI Hierarchy in Windows Server 2016 – Part 2
You can obviously adapt these steps to your environment and your needs, as long as your configuration matches the AIA and CDP path options you set on the CAs.
As explained at the beginning of this article, in this deployment we will use our subordinate CA to host the website serving AIA and CDP requests. First, create the DNS alias as an A record in our DNS zone, pointing to our subordinate CA (AUTH01.lab.local).
Then create the associated website and the physical folder path.
You will need to grant Modify rights on your website root folder, its subfolders and its files to the Cert Publishers AD group, so that the CAs can publish their CRLs there.
Once the configuration is done, simply copy your CRL file to the CDP folder and the root CA certificate to the AIA folder. Then you can start the certsvc service on the subordinate CA and check the configuration as below.
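The whole procedure above (DNS alias, website and folders, Cert Publishers permissions, copying the CRL and root certificate, starting the service and checking the result) scripted in PowerShell, as an added example that is not part of the original article. It assumes the alias name pki.lab.local, the site root C:\inetpub\pki with CDP and AIA subfolders, the domain NetBIOS name LAB, a DC named DC01 hosting the zone, and that the root CA certificate has already been copied to C:\Temp; adjust these to the values you used in your own AIA and CDP paths.

```powershell
# Assumed values (not from the article): change them to match your AIA/CDP paths.
$ZoneName   = "lab.local"
$AliasName  = "pki"                      # becomes pki.lab.local
$DnsServer  = "DC01.lab.local"           # DC that hosts the zone
$SubCaFqdn  = "AUTH01.lab.local"         # subordinate CA named in the article
$SiteName   = "PKI"
$SiteRoot   = "C:\inetpub\pki"
$RootCaCer  = "C:\Temp\RootCA.cer"       # root CA certificate copied from the offline root
$CertEnroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"

# 1. DNS alias: an A record pointing to the subordinate CA's address (run on a DNS admin host).
$ip = (Resolve-DnsName -Name $SubCaFqdn -Type A).IPAddress | Select-Object -First 1
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
    -Name $AliasName -IPv4Address $ip

# 2. Physical folders and the IIS website bound to the alias (run on the subordinate CA).
Import-Module WebAdministration
foreach ($d in @($SiteRoot, "$SiteRoot\CDP", "$SiteRoot\AIA")) {
    New-Item -ItemType Directory -Path $d -Force | Out-Null
}
New-Website -Name $SiteName -PhysicalPath $SiteRoot -Port 80 `
    -HostHeader "$AliasName.$ZoneName" -Force | Out-Null
# Delta CRL file names contain "+", which IIS request filtering rejects by default;
# this setting is only needed if you publish delta CRLs.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter "/system.webServer/security/requestFiltering" `
    -Name allowDoubleEscaping -Value $true

# 3. Modify rights for Cert Publishers on the root folder, inherited by subfolders and files.
$acl  = Get-Acl -Path $SiteRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "LAB\Cert Publishers", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $SiteRoot -AclObject $acl

# 4. Publish the current CRL(s) to CDP and the root CA certificate to AIA.
Copy-Item -Path "$CertEnroll\*.crl" -Destination "$SiteRoot\CDP\" -Force
Copy-Item -Path $RootCaCer -Destination "$SiteRoot\AIA\" -Force

# 5. Start Certificate Services on the subordinate CA.
Start-Service -Name CertSvc

# 6. Check: every published CRL must be reachable over HTTP through the alias.
foreach ($crl in Get-ChildItem -Path "$SiteRoot\CDP" -Filter *.crl) {
    $url = "http://$AliasName.$ZoneName/CDP/$($crl.Name)"
    $r = Invoke-WebRequest -Uri $url -UseBasicParsing
    "{0} -> HTTP {1}, {2} bytes" -f $url, $r.StatusCode, $r.RawContentLength
}
# Chain and revocation check of the subordinate CA certificate, fetching AIA/CDP URLs live.
$subCaCer = Get-ChildItem -Path $CertEnroll -Filter "*$($env:COMPUTERNAME)*.crt" |
    Select-Object -First 1
certutil -verify -urlfetch $subCaCer.FullName
```

The last command prints each AIA and CDP URL it tried; a "Verified" result next to every URL and no "Revocation check failed" line confirms the locations are served correctly before you hand certificates to domain clients.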
Finally, don’t forget to distribute the root CA certificate to your domain computers through GPO to validate the trust chain. Now you can use your two tier PKI to issue certificates and certificate policies in your domain!
I hope this article has been useful, don’t hesitate to ask questions in the comment section if you encounter some issues or if you need more information.