Installing a Two Tier PKI Hierarchy in Windows Server 2016 – Part 3

Installing a Two Tier PKI Hierarchy in Windows Server 2016 – Part 3

To finish this series, in this article we will configure DNS records and the website which will host AIA and CDP locations. In the end, we will have a fully operational Two Tier PKI Hierarchy in Windows Server 2016

You can retrieve the other articles of this series following these links:

You can obviously adapt theses steps to your environment and your needs as your configuration match to the AIA and CDP path options.
As explained at the beginning of this article, in this deployment we will use our subordinate CA to host the website serving AIA and CDP check requests. First, create the DNS alias based on an A record on our DNS pointing to our subordinate CA (AUTH01.lab.local).

Then create the associated website and the physical folder path.

You will need to give modification rights on your website root folder, subfolders and file to Cert Publishers AD group.

Once the configuration is done, simply copy your CRL file to CDP folder and the root CA to AIA folder. Then you can start certsrv service on the subordinate CA and check the configuration as below.

If you encounter some issue or want to have a more detailed view you can use the pkieview.msc console.

Finally, don’t forget to distribute the root CA certificate to your domain computers through GPO to validate the trust chain. Now you can use your two tier PKI to issue certificates and certificate policies in your domain!

I hope this article has been useful, don’t hesitate to ask questions in the comment section if you encounter some issues or if you need more information.

19 thoughts on “Installing a Two Tier PKI Hierarchy in Windows Server 2016 – Part 3

    1. I have the same issue… The CDP Location #2 is “OK” in the Status, but the AIA Location #2 has the Status “Unable to Download”.

      Any ideas?

      Thanks and Kind regards

      1. Oh, it was actually my mistake. I accidentally did the wronge config settings for the Root CA in the Extensions tab. I wrote .crl instead of .crt, small mistake but it’s enough for PKI.
        Anyway, had to Renew the Certificate for the Changes to apply, just incase anyone else did the same error.

        1. I’m finding this to be a huge problem. What’s the point of guide to learn from when it’s incorrect. Did you go back and change the instructions because I still have these errors.

        2. Jack, I did the same thing and actually had “servername”/cdp/…” instead of “servername”/CertEnroll…” I made the change now do I just have to renew the sub cert?

  1. Thanks for this guide. With this, i could use it for Air Watch to request user certi for exchange profiles?

  2. I must be missing something here. Whenever I try to turn on my subordinate CA, I get the error:

    “The revocation function was unable to check revoation because the revoation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)”

    Any ideas?

    1. I fixed it. Typos are a serious thing when it comes to this! Make sure you type your CDP locations correctly guys! It’s a pain to re-do all of the certs.

      This process is a lot easier than what I have seen around. You can get pretty granular with it.

  3. Thanks for this guide. We are planing to migrate from tier 1 to tier 2 hierarchy and was wondering if anyone has done it and if there is a way to export everything from the former tier 1 CA to the new tier 2 CA without braking anything?


  4. I see you’re using PKVIEW to validate the installation. I’m using server 2012 R2 as my platform but don’t seem to find PKVIEW. Do you know if its installed as part of the VA role?

    I’ve used in the past when I was using 2008 R2 as the platform. Am I missing something here?

  5. Great article, thank you.
    Small typo on the last step of part 3 – should be “pkiview.msc”, not pkieview.msc (without the first “e”)

  6. Hey Arthur, thanks for the guide. Quick question, im attempting to configure 1 offline ROOTCA with Subordinates CAs on different domains without any type of trust, how can i achieve this task? Is it possible to configure the root CA to point to different Subordinates and IIS servers?

Leave a Reply

Your email address will not be published. Required fields are marked *