How to deploy a two-tier PKI with two different domains/forests?

Mohamed khairy 66 Reputation points
2021-09-04T12:18:05.357+00:00

Hi Gents

I want to design a PKI environment using a two-tier hierarchy. Below are my requirements:

1. I want to use an offline root Certificate Authority, which is a standalone machine (not joined to any domain).

2. Two subordinate Certificate Authorities located in two different domains in two different forests (a trust between the two domains should be avoided).

All the tutorials I found explain deploying a two-tier hierarchy with the subordinate in the same domain.

Here is the tutorial I followed:

https://www.youtube.com/watch?v=uZqDjh1FMSw&list=PLUZTRmXEpBy0VB8ojNFzgmoC1s-_JwZW7&index=7

However, I am stuck at the step "**Certutil -setreg CA\DSConfigDN "CN=Configuration,DC=xxxx,DC=xxxx"** registration in the Root CA" (refer to video number 07), which requires the distinguished name of the domain, so I do not know how to proceed or how to configure my Root CA for two domains so that it can publish the certificates for the two subordinates.

I also found another lab, but it too focuses on only one domain:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh...

Please advise if there is a simple, clear procedure to accomplish this.

Note: we prefer 2 CAs in two domains, and the offline RA server (not joined to any domain) will be connected through a firewall to the CAs in the two domains.

Thanks in advance


1 answer

  1. Vadims Podāns 8,866 Reputation points MVP
    2021-09-05T10:36:26.24+00:00

    The only problem you may have in multi-forest environments is CDP/AIA URL reachability from each forest. The problem is greatly reduced if you do not use LDAP URLs in the CDP/AIA extensions for all CAs in the chain. In this case, you don't need to configure the certutil -setreg ca\DSConfigDN entry; it won't be used.

    What you will need is a shared HTTP web server where your root CA will host its CRT/CRL files. This HTTP endpoint must be reachable from both forests.

    Further, I would recommend reading my blog post on this subject, which explains best practices on how to properly design CDP/AIA extensions on your CAs and avoid the issues you ran into in this thread: Designing CRL Distribution Points and Authority Information Access locations

    1 person found this answer helpful.
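The HTTP-only CDP/AIA configuration the answer describes, written out as an added example (it is not part of the original thread, the question's tutorials, or the answerer's blog). It assumes a shared web server reachable from both forests at http://pki.example.com/pki/, a root CA named "RootCA", and a subordinate CA certificate saved as SubCA.cer; all three names are placeholders. It is run in an elevated PowerShell session on the offline root CA, which is why `$env:windir` is used where cmd.exe-based guides write `%WINDIR%`.

```powershell
# Added example: HTTP-only CDP/AIA on an offline, workgroup root CA.
# Assumptions (placeholders, not from the thread): web server at
# http://pki.example.com/pki, root CA named RootCA, sub CA cert SubCA.cer.
$HttpBase = "http://pki.example.com/pki"

# --- 1. CRL Distribution Points ------------------------------------------
# certutil treats "\n" inside the value as the REG_MULTI_SZ separator.
# Flag prefixes:
#   1 = publish CRLs to this location (file system only)
#   2 = include this URL in the CDP extension of issued certificates
# Deliberately omitted:
#   any ldap:/// URL  -> nothing references AD, so DSConfigDN is never read
#   flag 4 (freshest CRL) -> an offline root issues no delta CRLs
# %3 = CA name, %8 = CRL suffix, %9 = delta CRL suffix (expanded by the CA).
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\System32\CertSrv\CertEnroll\%3%8%9.crl\n2:$HttpBase/%3%8%9.crl"

# --- 2. Authority Information Access --------------------------------------
#   1 = publish the CA certificate to this location
#   2 = include this URL in the AIA extension of issued certificates
# %1 = server DNS name, %3 = CA name, %4 = certificate renewal suffix.
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$HttpBase/%1_%3%4.crt"

# --- 3. Apply and publish --------------------------------------------------
Restart-Service CertSvc
certutil -crl    # writes a fresh CRL into the local CertEnroll folder

# --- 4. Verify the root holds no LDAP locations at all ----------------------
# Both cmdlets come from the ADCSAdministration module installed with the CA role.
$ldapLeft = @(Get-CACrlDistributionPoint; Get-CAAuthorityInformationAccess) |
    Where-Object { $_.Uri -like 'ldap:*' }
if ($ldapLeft) {
    Write-Warning "LDAP URLs still configured:`n$($ldapLeft.Uri -join "`n")"
} else {
    Write-Host "No LDAP CDP/AIA URLs configured; DSConfigDN is not needed."
}

# --- 5. Files to carry to the web server (the root is offline, so by hand) --
Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*" -Include *.crt, *.crl

# --- 6. Check from a member machine in EACH forest --------------------------
# Run these on a client in forest A and again in forest B. Both must succeed,
# otherwise that forest cannot build or revocation-check the chain.
Invoke-WebRequest "$HttpBase/RootCA.crl" -UseBasicParsing | Select-Object StatusCode
# -urlfetch forces retrieval of every AIA/CDP URL in the chain and reports
# each fetch as Verified or Failed in its output.
certutil -verify -urlfetch .\SubCA.cer
```

The two subordinate CAs should be given the same treatment before they issue anything: the answer's point is that no CA in the chain carries an LDAP URL, because an LDAP URL in forest A's subordinate CA certificate is unreachable from forest B without a trust. Step 4 is the quick check for leftovers; step 6 is the one that actually proves reachability from each side of the firewall.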