In the last part of this series of articles we look at publishing the certificates and revocation lists via HTTP.
Part 1 and part 2 can be found here:
https://www.frankysweb.de/server-20082012-pki-installieren-teil-1/
https://www.frankysweb.de/server-20082012-pki-installieren-teil-2/
First create a new share on the server that will later serve the revocation lists and certificates via HTTP. I called the share CADATA in the earlier articles. The computer account of the sub-CA needs write permission on the directory (on the share and in NTFS), because it is the CA service that writes the revocation list there when it publishes.
The revocation list of the sub-CA can now be published. To do this, right-click on "Revoked certificates" -> "All tasks" -> "Publish"
Now copy the root CA certificate, its revocation list and the sub-CA certificate into the directory. The files are located in C:\Windows\System32\CertSrv\CertEnroll. The CADATA directory should now contain 5 files: the three copied files plus the base and delta CRL that the sub-CA just published.
The IIS web server can now be installed so that the revocation lists and certificates can be retrieved via HTTP.
IIS can be installed in the default configuration via Server Manager. As soon as the web server is installed, add a new virtual directory to the Default Web Site in IIS Manager.
Enter "cert" as the alias; the physical path is the CADATA directory. The CDP and AIA URLs configured on the CAs must point at exactly this path (http://ca.frankysweb.de/cert/...):
Once the directory has been created, select it and click on "Request filtering"
And then click on "Edit feature settings" on the right
Then tick the "Allow double escaping" box. This is required because the file names of delta CRLs contain a "+" sign, which request filtering rejects by default.
Almost finished. Now create a new host (A) record on the DNS server with the name CA and the corresponding IP address. In my case it is ca.frankysweb.de with the IP 192.168.5.1.
Done.
Everything should now be reported as OK in the "pkiview.msc" console:
If that is not the case and errors are still shown, revoke the "CAExchange" certificates on the sub-CA and run pkiview again. The CA Exchange certificate was issued with the old CDP/AIA locations; once it is revoked the CA issues a new one that carries the current URLs:
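The whole procedure above as a PowerShell script, added here as an example and not part of the original article. It runs on the web server and reaches the sub-CA through PowerShell remoting. Everything not stated in the article is an assumption: Windows Server 2012 or later (SmbShare, DnsServer and WebAdministration modules), the share, IIS and the DNS role on the same host, a sub-CA named SUBCA in the domain FRANKYSWEB, and a file:// CDP on the sub-CA that already points at the share (the part 2 configuration), so that "certutil -CRL" writes the CRLs there itself.

```powershell
# Added example, not code from the original article. Adjust the variables below.
# Assumptions: Server 2012+, share/IIS/DNS on this host, remoting to the sub-CA
# enabled, sub-CA CDP already contains file://\\<webserver>\CADATA (see part 2).
$CaData      = 'C:\CADATA'
$ShareName   = 'CADATA'
$SubCa       = 'SUBCA'                    # assumed host name of the sub-CA
$SubCaAcct   = "FRANKYSWEB\$SubCa`$"      # its computer account (assumed domain)
$DnsZone     = 'frankysweb.de'
$DnsHost     = 'ca'
$WebServerIp = '192.168.5.1'
$VDirAlias   = 'cert'
$BaseUrl     = "http://$DnsHost.$DnsZone/$VDirAlias/"

# 1. Share with write access for the sub-CA computer account (share + NTFS).
#    Read for Everyone is enough for clients; CRLs are public data.
New-Item -ItemType Directory -Path $CaData -Force | Out-Null
New-SmbShare -Name $ShareName -Path $CaData `
    -ChangeAccess $SubCaAcct -ReadAccess 'Everyone' | Out-Null
icacls $CaData /grant "${SubCaAcct}:(OI)(CI)M" | Out-Null

# 2. Publish the sub-CA's CRL ("Revoked Certificates" -> "All Tasks" -> "Publish").
#    The CA service writes base and delta CRL to every configured CDP.
Invoke-Command -ComputerName $SubCa -ScriptBlock { certutil -CRL }

# 3. Copy root CA cert + CRL and the sub-CA cert from CertEnroll on the sub-CA.
$CertEnroll = "\\$SubCa\C`$\Windows\System32\CertSrv\CertEnroll"
Copy-Item "$CertEnroll\*.crt", "$CertEnroll\*.crl" -Destination $CaData -Force

# 4. IIS in default configuration, virtual directory "cert" -> CADATA,
#    double escaping allowed so that "<name>+.crl" (delta CRL) can be served.
Install-WindowsFeature Web-Server -IncludeManagementTools | Out-Null
Import-Module WebAdministration
New-WebVirtualDirectory -Site 'Default Web Site' -Name $VDirAlias `
    -PhysicalPath $CaData | Out-Null
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\$VDirAlias" `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# 5. Host (A) record for the publication name.
Add-DnsServerResourceRecordA -ZoneName $DnsZone -Name $DnsHost -IPv4Address $WebServerIp

# 6. Check: every file in the share must come back over plain HTTP.
#    The delta CRL is requested as %2B, exactly what step 4 permits.
foreach ($f in Get-ChildItem -Path $CaData -File) {
    $url = $BaseUrl + [uri]::EscapeDataString($f.Name)
    try {
        $code = (Invoke-WebRequest -Uri $url -UseBasicParsing).StatusCode
    } catch {
        $code = 'FAILED: ' + $_.Exception.Message
    }
    '{0,-60} {1}' -f $url, $code
}

# 7. Chain check from this host: -urlfetch downloads the CDP/AIA URLs embedded
#    in each certificate, which is what pkiview.msc does behind the scenes.
foreach ($crt in Get-ChildItem -Path $CaData -Filter '*.crt') {
    certutil -verify -urlfetch $crt.FullName | Select-String 'Verified|Error|failed'
}
```

Publish over plain HTTP only: a client validating a TLS certificate for ca.frankysweb.de would need this very CRL to do so, so an HTTPS CDP cannot be checked. If step 7 reports errors although step 6 returned 200 for every file, the URLs embedded in the certificates differ from $BaseUrl, which is the case the CAExchange note above addresses.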
Many thanks for this series of articles.
Searched, found, implemented: it works!
Best regards
Steven
Hi
I have read through the guide! Am I right in assuming that this is a two-server setup? The first server is the root CA server, which can then go offline? The second server, the sub-CA, can be one of my 4 DCs, right?
Please let me know, thanks