Install Sub-CA in SUB-Domain

2023-08-10T11:55:59.2833333+00:00

Hi All,

We have, in a customer AD, a root domain (abc.local) and some sub-domains (def.abc.local, xyz.abc.local, ...).

At headquarters there is a root CA, but it is not configured. We also have no access to the domain abc.local and are only Domain Admins in xyz.abc.local.

C:\Users\castfadmin>certutil.exe
Entry 0:
  Name:                         `ABC-RootCA'
  Organizational Unit:          `'
  Organization:                 `'
  Locality:                     `'
  State:                        `'
  Country/region:               `'
  Config:                       `abc-cert.abc.local\ABC-RootCA'
  Exchange Certificate:         `'
  Signature Certificate:        `'
  Description:                  `'
  Server:                       `abc-cert.abc.local'
  Authority:                    `ABC-RootCA'
  Sanitized Name:               `ABC-RootCA'
  Short Name:                   `ABC-RootCA'
  Sanitized Short Name:         `ABC-RootCA'
  Flags:                        `1'
  Web Enrollment Servers:       `'
CertUtil: -dump command completed successfully.

Can I build my own PKI in the sub-domain xyz.abc.local (offline root CA and sub CA)?

Kind Regards


1 answer

  1. Anonymous
    2023-08-15T02:37:27.4233333+00:00

    Hello René Schwaiger :: Schwaiger BUSINESS_IT,

    Thank you for posting in our Q&A forum.

    Can I build my own PKI in the sub-domain xyz.abc.local (offline root CA and sub CA)?

    A: Do you want to set up a two-tier PKI with one offline root CA (out of the domain, even off the Internet) and one online enterprise sub CA (in the child domain)? If so, I think you can.

    We can keep the root CA server out of any domain and set up the root AIA and root CDP on the root CA server, then join the sub CA server to the child domain and set up the sub AIA and sub CDP on the sub CA server.

    Hope the information above is helpful. If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

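As an added example (not code from the question or from Daisy Zhou's answer), the two-tier layout the answer describes, written out as the commands typed on each box. Everything named below is an assumption made for the example: the CA names XYZ-RootCA and XYZ-IssuingCA, the root's hostname ROOTHOST, the HTTP publication host pki.xyz.abc.local with its IIS folder C:\inetpub\pki, and drive D: as the removable media that carries files between the offline root and the domain. The forest root is abc.local as in the question.

```powershell
# Added example, not from the original post or answer. Assumed names: XYZ-RootCA, XYZ-IssuingCA,
# ROOTHOST (the root CA's hostname), pki.xyz.abc.local, C:\inetpub\pki and drive D: (removable media).

#---- Phase 1: offline root CA. Workgroup machine, never joined to any domain, no network. ----
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'XYZ-RootCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# %6 in the LDAP URLs expands to DSConfigDN. This box is not domain-joined, so set it by hand.
# It is the forest-wide Configuration partition under abc.local, not anything under xyz.abc.local.
certutil -setreg CA\DSConfigDN 'CN=Configuration,DC=abc,DC=local'

# CDP flags: 1 = write the CRL to this location, 2 = put the URL into issued certs,
# 8 = put the URL into CRLs (2+8 = 10). The root never talks to AD, so the LDAP URL has no 1 bit.
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.xyz.abc.local/pki/%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
# AIA flags: 1 = write the CA cert to this location, 2 = put the URL into issued certs.
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.xyz.abc.local/pki/%1_%3%4.crt"

# The root only ever signs the sub CA, so a yearly base CRL and no delta CRL is reasonable. The CRL
# must be re-issued and re-published before it expires, or revocation checking fails for the whole chain.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service certsvc
certutil -crl    # first CRL, written to %windir%\system32\CertSrv\CertEnroll as XYZ-RootCA.crl
# Copy ROOTHOST_XYZ-RootCA.crt and XYZ-RootCA.crl from CertEnroll to removable media (D:\ below).

#---- Phase 2: on a member of xyz.abc.local. Publish the root into the forest, then build the sub CA. ----
# Both -dspublish calls write under CN=Public Key Services,CN=Services,CN=Configuration,DC=abc,DC=local.
# That container is forest-wide, so this needs Enterprise Admins (or explicitly delegated) rights,
# and the root becomes trusted by every domain in the forest, not only by xyz.abc.local.
certutil -dspublish -f 'D:\ROOTHOST_XYZ-RootCA.crt' RootCA
certutil -dspublish -f 'D:\XYZ-RootCA.crl'
# The HTTP CDP/AIA URLs configured above must also answer, e.g. an IIS site bound to pki.xyz.abc.local.
Copy-Item 'D:\ROOTHOST_XYZ-RootCA.crt', 'D:\XYZ-RootCA.crl' -Destination 'C:\inetpub\pki\'

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# Enterprise subordinate: the key pair is generated here and only a request file is produced,
# because the parent CA is offline and cannot be reached with -ParentCA.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'XYZ-IssuingCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'D:\XYZ-IssuingCA.req' -Force

# Carry the .req to the root and sign it there (these three run on ROOTHOST):
#   certreq -submit -config 'ROOTHOST\XYZ-RootCA' D:\XYZ-IssuingCA.req     # standalone CA parks it as pending
#   certutil -resubmit <RequestId>                                           # approve it
#   certreq -retrieve -config 'ROOTHOST\XYZ-RootCA' <RequestId> D:\XYZ-IssuingCA.crt
# Back on the sub CA, install the issued certificate and start the service:
certutil -installcert 'D:\XYZ-IssuingCA.crt'
Start-Service certsvc

# Sub CA CDP/AIA: this box is domain-joined, so it may publish to LDAP itself (bit 1 on the LDAP URLs).
# 79 = 1+2+4+8+64 and 3 = 1+2 are the AD CS defaults for an enterprise CA; HTTP is added in front.
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.xyz.abc.local/pki/%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.xyz.abc.local/pki/%1_%3%4.crt\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
Restart-Service certsvc
certutil -crl
```

The point a child-domain admin should check before starting: the enterprise sub CA's registration (the pKIEnrollmentService object that makes `certutil` list a CA, exactly like the ABC-RootCA entry in the question) and the `-dspublish` of the root both live in the forest's Configuration partition, which a Domain Admin of xyz.abc.local cannot write to by default; `dsacls "CN=Public Key Services,CN=Services,CN=Configuration,DC=abc,DC=local"` shows who can. Without that delegation from the forest root owners, phase 1 works and phase 2 stops at the first `-dspublish`. It is also why the forest root usually wants a say: a root published there is trusted by every domain in abc.local, not just the sub-domain.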
