Howto: Configuring a homelab online subordinate CA

A quick recap of where I got to. I have an offline Root CA (well, it’s still online because I’ll need it in a minute) and I’ve created a website on my online subordinate CA server to host the Root CA certificate and CRL files. The purpose of the subordinate CA is to handle certificate signing and repudiation for all services in my infrastructure that require them. It will be granted the authority to do so by the Root CA. So this post covers the remaining steps of the process, which are:

- Installing and configuring the subordinate CA
- Signing the subordinate CA’s certificate using the Root CA
- Delegating control of the subordinate CA to someone other than Domain Admins

Some elements of this process are very similar to the process of setting up the Root CA in the first place […]


Howto: Publishing offline Root CA certs and CRLs

Previously, I set up an offline Root CA in my homelab with the intention of emulating a PKI setup that many enterprises seem to run. The second stage of this process is publishing the Root CA certificate and CRL in a place where they can be accessed when the Root CA is offline. If you recall, I configured the Root CA to publish its CRL etc. to a location on pki.o11n.lab. I now need to create that.

The Server

Rather than run my lab’s online CA on a domain controller, which might be tempting but causes other issues, I have a domain-joined server set up that will eventually become my online subordinate CA. It’s a vanilla Windows 2012 R2 server as before and a domain member.

DNS

The VM is called “ca-01”, but I need to have pki.o11n.lab pointed to it too. […]
