You must upload the trusted root certificates for the PKI method. These certificates must meet the following requirements:
Root CA certificate is in the .pem format.
You can also upload intermediate certificate if the root certificate is not self signed or it is cross signed by another CA.
All certificates in the certification path (except Root CA) contain AIA and CDP http link to check revocation status.
The certificate for PKI device contains a key pair: public and private key in the x509 format. The certificates that do not comply with the requirements are ignored and hidden during enrollment.
For more information, see Single Tier PKI Hierarchy Deployment and Two Tier PKI Hierarchy Deployment.
To upload a new trusted root certificate, perform the following steps:
Click Add in the PKI page.
Click Browse.
Choose a .pem certificate file and click Upload.
Click Save.
You can configure the PKI method (with certificates) in one of the following ways:
NOTE:Advanced Authentication supports the p7b format of parent certificates. These p7b format files can contain certificates and chain certificates, but not the private key. They are Base64 encoded ASCII files with extensions .p7b or.p7c.
For generating the root CA certificate on Microsoft Windows Active Directory Certificate Services (ADCS), perform the following steps:
Install Web Server (IIS) Role.
Create the CertEnroll Folder and grant Share & NTFS permissions to the Cert Publishers group.
Create CertEnroll Virtual Directory in IIS.
Enable Double Escaping on IIS Server.
Install Enterprise Root CA using Server Manager.
Enable Object Access Auditing on CA.
Configure the AIA and CDP.
Publish the Root CA Certificate to AIA.
Export Root CA in .der format and convert the format to .pem.
Export personal certificate (that was signed by Root CA) with private key and place it on a PKI device.
For generating the subordinate CA certificate on Microsoft Windows Active Directory Certificate Services (ADCS), perform the following steps:
Install Web Server (IIS) Role.
Create the CertEnroll Folder and grant Share & NTFS permissions to Cert Publishers group.
Create CertEnroll Virtual Directory in IIS.
Enable Double Escaping on IIS Server.
Install the Standalone Offline Root CA.
Create a CAPolicy.inf for the standalone offline root CA.
Installing the Standalone Offline Root CA.
Enable Auditing on the Root CA.
Configure the AIA and CDP.
Install Enterprise Issuing CA.
Create CAPolicy.inf for Enterprise Root CA.
Publish the Root CA Certificate and CRL.
Install Subordinate Issuing CA.
Submit the Request and Issue subordinate Issuing CA Certificate.
Install the subordinate Issuing CA Certificate.
Configure Certificate Revocation and CA Certificate Validity Periods.
Enable Auditing on the Issuing CA.
Configure the AIA and CDP.
Install and configure the Online Responder Role Service.
Add the OCSP URL to the subordinate Issuing CA.
Configure and publish the OCSP Response Signing Certificate on the subordinate Issuing CA.
Configure Revocation Configuration on the Online Responder.
Configure Group Policy to provide the OCSP URL for the subordinate Issuing CA.
Export Root CA in .der format and convert the format to .pem.
Export personal certificate (that was signed by subordinate CA) with private key and place it on a PKI device.