Hello @Vinod Reddy ,
Thank you for posting here.
Based on the description above, I understand you want to set up two-tier PKI with one offline root CA and three parallel online enterprise sub CAs.
Here are my suggestions for your reference.
1) Add all three sub CAs to the CDP and AIA HTTP address on the root
A: Prepare four Windows servers: one server for the offline root CA and three servers for the online enterprise sub CAs.
Then deploy them based on the steps in the following link.
AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx
2) The discussion in the link below suggests assigning the same template to all sub CAs. Not sure how it works?
https://social.technet.microsoft.com/Forums/en-US/e179f904-4104-4928-a847-b377c3b00303/designing-a-new-pki?forum=winserversecurity
A: Deploy the two-tier PKI based on the steps in the following link; you do not need to assign a template to all sub CAs.
3) This link talks about a common CDP and AIA. Is this valid? Or should I enable Double Escaping in IIS as mentioned toward the end of the forum?
https://social.technet.microsoft.com/Forums/en-US/1dc90fb5-5fe6-40bf-81e7-4faa0dfbb8d5/add-a-second-subordinate-server-in-a-twotier-pki-hierarchy-?forum=winserversecurity
A: A common CDP and AIA is one location in which you can put the CRL files and CRT files. You can create one or more CDP and AIA locations based on your requirements.
Usually, for CDP and AIA, we can set up one or more locations (file, HTTP and LDAP locations).
Configure the CDP and AIA Extensions on CA1
https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1
4) and/or copy the CRL and CRT files between the 3 sub CAs at regular intervals using a script?
A: For the CRL and CRT files on the sub CAs, you do not need to copy them, because they are in the domain. For the CRL and CRT files on the offline root CA, you can copy them using a script at regular intervals, or you can copy them manually after you republish the CRL and renew the root CA certificate (because usually the validity period of the root CA's CRL or certificate is relatively long).
For more information, please refer to link below.
AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx
Tip: Each of the small steps above contains a lot of operations.
It is recommended that you set up a similar CA environment in a test environment, record all these steps in a document if needed, and write down the key points and precautions.
If there are no problems, follow the same steps in the production environment, so that even if you encounter any problems in production, you should be able to troubleshoot or solve them well.
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
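As an added example (not part of the original question or of Daisy Zhou's answer), here is what points 3 and 4 above look like in PowerShell: the same CDP/AIA extensions on all three enterprise sub CAs pointing at one common HTTP folder, a copy-and-publish step for the offline root CA's CRL and CRT files, a freshness warning, and a chain check. The host name pki.contoso.com, the share \\pkiweb\pki$, the folder E:\RootCA and the IIS site name are assumptions, not values from the thread.

```powershell
# Added example, not code from the original question or answer. Hypothetical
# names: common HTTP publication point http://pki.contoso.com/pki backed by the
# share \\pkiweb\pki$ on the IIS host; offline root files arrive on E:\RootCA.
# Run in an elevated PowerShell on the machine named in each function's comment.

# --- On EACH of the three enterprise sub CAs ---------------------------------
# Same URL text on every sub CA. The CA expands %1 (server DNS name), %3 (CA
# name), %4 (cert index), %8/%9 (CRL/delta suffixes), so the three CAs' files
# still get distinct names inside the one shared /pki folder.
function Set-CommonCdpAia {
    param([string]$PkiHost = 'pki.contoso.com')   # hypothetical

    # CRLPublicationURLs flags: 1 = CA writes CRLs here, 2 = CDP extension of
    # issued certs, 4 = FreshestCRL (delta lookup), 8 = include in CRLs and use
    # as manual AD publish target, 64 = CA writes delta CRLs here. 79 = 1+2+4+8+64.
    $cdp = '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl' +
           "\n6:http://$PkiHost/pki/%3%8%9.crl" +
           '\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
    certutil -setreg CA\CRLPublicationURLs $cdp

    # CACertPublicationURLs flags: 1 = CA publishes its cert here, 2 = AIA
    # extension of issued certs, 32 = OCSP URL (no online responder assumed).
    $aia = '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt' +
           "\n2:http://$PkiHost/pki/%1_%3%4.crt" +
           '\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
    certutil -setreg CA\CACertPublicationURLs $aia

    Restart-Service certsvc                  # the CA reads these values at start
    certutil -crl                            # issue a CRL under the new settings
    certutil -getreg CA\CRLPublicationURLs   # confirm all three entries took
}

# --- On the IIS host (or a domain admin workstation with certutil) -------------
# The offline root publishes nothing itself. After each root CRL re-issue
# ("certutil -crl" on the root) or root cert renewal, carry CertEnroll\*.crl and
# *.crt across on removable media and run this; schedule it if the root CRL
# period is short enough that a missed copy would let the root CRL lapse.
function Publish-OfflineRootArtifacts {
    param(
        [string]$SourceFolder = 'E:\RootCA',     # hypothetical
        [string]$WebRoot      = '\\pkiweb\pki$'  # hypothetical, served as /pki
    )
    Copy-Item -Path "$SourceFolder\*.crl", "$SourceFolder\*.crt" -Destination $WebRoot -Force

    # Also put them in AD so the LDAP CDP/AIA paths and domain trust of the root work.
    Get-ChildItem -Path $SourceFolder -Filter '*.crt' |
        ForEach-Object { certutil -dspublish -f $_.FullName RootCA }
    Get-ChildItem -Path $SourceFolder -Filter '*.crl' |
        ForEach-Object { certutil -dspublish -f $_.FullName }

    # Warn while there is still time to re-issue: parse NextUpdate from the dump.
    foreach ($crl in Get-ChildItem -Path $WebRoot -Filter '*.crl') {
        $dump = (certutil -dump $crl.FullName) -join "`n"
        if ($dump -match 'NextUpdate:\s*(.+)') {
            $next = [datetime]::Parse($Matches[1].Trim(), [cultureinfo]::CurrentCulture)
            if ($next -lt (Get-Date).AddDays(14)) {
                Write-Warning "$($crl.Name) NextUpdate is $next; republish soon"
            }
        }
    }
}

# --- Checks, from any domain member -------------------------------------------
# -urlfetch really downloads every CDP/AIA URL in the chain, so a sub CA whose
# extension points at a URL the web host does not serve shows up here.
function Test-IssuedCertChain {
    param([string]$CertPath)   # a .cer issued by any of the three sub CAs
    certutil -verify -urlfetch $CertPath | Select-String -Pattern 'Failed|ERROR'
}

# Delta CRL names contain '+' (e.g. ContosoSubCA1+.crl); IIS request filtering
# treats that as double escaping and answers 404.11 until it is allowed. Run on
# the IIS host; the site name is an assumption.
function Enable-DeltaCrlDownloads {
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
        -Filter 'system.webServer/security/requestFiltering' `
        -Name allowDoubleEscaping -Value $true
}
```

The HTTP entry on each sub CA is only useful if that CA's own CRL and CRT actually land in the shared /pki folder: with the flag-1 entry above the sub CAs write to their local CertEnroll, so either copy from there as well or change that entry to a UNC path the CA service account can write to. Run Set-CommonCdpAia on one sub CA in the test environment first and check with Test-IssuedCertChain before touching the other two.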
Hello @Vinod Reddy ,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.
Best Regards,
Daisy Zhou