The TFS Labs domain used in this guide is configured with a single Domain Controller in the corp.tfslabs.com (TFSLABS) Active Directory domain. The domain provides the directory, DNS and Group Policy functions that an Active Directory Certificate Services (AD CS) deployment depends on, so it must be in place before any CA is built. The TFS-DC01 server will be used as the Domain Controller, and this section focuses on how to set it up correctly.
The TFS-ROOT-CA server hosts the Offline Root Certification Authority. It is used only to issue Subordinate CA certificates to other TFS Labs servers, and to revoke or issue replacement Subordinate CA certificates if necessary. It is also used to refresh the Root CRL at least once a year, which means it must be powered on at least once a year to complete that task; at all other times it stays powered off and disconnected from the network.
The TFS-CA01 server hosts the Subordinate (issuing) Certificate Authority. It issues certificates to any device that requests one, whether the request is made automatically through autoenrollment or manually. Because the Offline Root CA has no network connection, TFS-CA01 also hosts all files the rest of the domain needs to validate the PKI (the CA certificates and CRLs published at the AIA and CDP locations), as well as the OCSP service for the domain.
3.1 Export the Root and Subordinate Certificates
The easiest method to deploy the certificates to your organization is to use Group Policy to deploy them automatically to your devices.
- Open the Certificates console (certlm.msc) for the Local Computer account on the TFS-CA01 server.
- Open the Trusted Root Certification Authorities > Certificates store and export the TFS Labs Certificate Authority certificate as a DER encoded binary X.509 (.CER) file to the root of the C:\ drive, naming it TFS Labs Certificate Authority.cer.
- Open the Intermediate Certification Authorities > Certificates store and export the TFS Labs Enterprise CA certificate as a DER encoded binary X.509 (.CER) file to the root of the C:\ drive, naming it TFS Labs Enterprise CA.cer.
- On the root of the C:\ Drive on the TFS-DC01 server, create a folder called Certificates (C:\Certificates).
- Copy the C:\TFS Labs Certificate Authority.cer and C:\TFS Labs Enterprise CA.cer files from the TFS-CA01 server to the C:\Certificates folder on the TFS-DC01 server.
- Optional: If you are going to be using IIS to deploy certificates within your organization as defined in Step 2.15, you can also copy the C:\TFS Labs Certificate Authority.cer and C:\TFS Labs Enterprise CA.cer files to the C:\Certificates folder on the TFS-CA01 server. Change the extension of those copies from *.cer to *.crt, otherwise iOS devices will not download them.
3.2 Deploy the Root and Subordinate Certificates to the Domain
For the initial deployment, the Group Policy Object carrying the certificates will be linked at the root of the Active Directory domain, so every domain-joined computer receives both CA certificates. This can be refined later (for example by linking the GPO to specific OUs instead) depending on your requirements.
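The export in 3.1 and the domain-root deployment in 3.2, as an added PowerShell example that is not part of the original guide. It assumes the CA subject names used throughout the guide, that the C$ share on TFS-DC01 is reachable from TFS-CA01, that the GroupPolicy and ActiveDirectory RSAT modules are installed, and a GPO name of our own choosing ("TFS Labs PKI Trust"). Importing the two certificate files into the GPO's Public Key Policies still has to be done in the GPMC editor; the script creates and links the GPO and prints the thumbprints you would check on a client afterwards.

```powershell
# Added example, not the guide's own code. Run elevated on TFS-CA01 as a Domain Admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Locate the two CA certificates in the local machine stores.
#    Filter on the subject so an unrelated certificate is never exported by mistake.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like 'CN=TFS Labs Certificate Authority*' } |
        Select-Object -First 1
$sub  = Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -like 'CN=TFS Labs Enterprise CA*' } |
        Select-Object -First 1
if (-not $root -or -not $sub) { throw 'Root or subordinate CA certificate not found in the local stores.' }

# Sanity check: the subordinate must have been issued by the root we are about to trust.
if ($sub.Issuer -ne $root.Subject) { throw "Subordinate issuer '$($sub.Issuer)' does not match the root subject." }

# 2. Export both as DER (-Type CERT), the same format as certlm.msc's "DER encoded binary".
$rootFile = 'C:\TFS Labs Certificate Authority.cer'
$subFile  = 'C:\TFS Labs Enterprise CA.cer'
Export-Certificate -Cert $root -FilePath $rootFile -Type CERT -Force | Out-Null
Export-Certificate -Cert $sub  -FilePath $subFile  -Type CERT -Force | Out-Null

# 3. Stage the files on the DC, and keep .crt copies locally for the optional IIS/iOS download.
$dcFolder = '\\TFS-DC01\C$\Certificates'
New-Item -ItemType Directory -Path $dcFolder -Force | Out-Null
Copy-Item -Path $rootFile, $subFile -Destination $dcFolder -Force
$webFolder = 'C:\Certificates'
New-Item -ItemType Directory -Path $webFolder -Force | Out-Null
foreach ($f in $rootFile, $subFile) {
    $crtName = [IO.Path]::GetFileNameWithoutExtension($f) + '.crt'
    Copy-Item -Path $f -Destination (Join-Path $webFolder $crtName) -Force
}

# 4. Create the GPO (name is an assumption) and link it at the domain root.
#    The certificate import itself is done in GPMC under Computer Configuration >
#    Policies > Windows Settings > Security Settings > Public Key Policies.
$gpoName  = 'TFS Labs PKI Trust'
$domainDn = (Get-ADDomain -Identity 'corp.tfslabs.com').DistinguishedName
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Distributes the TFS Labs root and subordinate CA certificates'
}
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks.DisplayName -contains $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null }

# 5. Print what a client should show in Cert:\LocalMachine\Root and Cert:\LocalMachine\CA
#    after 'gpupdate /force'. Compare thumbprints, not just subject names.
[pscustomobject]@{ Store = 'Root'; Subject = $root.Subject; Thumbprint = $root.Thumbprint; NotAfter = $root.NotAfter }
[pscustomobject]@{ Store = 'CA';   Subject = $sub.Subject;  Thumbprint = $sub.Thumbprint;  NotAfter = $sub.NotAfter }
```

The issuer check before export is deliberate: if the wrong "TFS Labs" certificate is picked up (for example a stale one from a rebuilt root), the script stops rather than pushing an unrelated trust anchor to every machine in the domain.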
4.1 Enable the Online Responder Role
The Online Responder (OCSP) role is a component of Active Directory Certificate Services that reduces the overhead of CRLs on your network. Instead of downloading and parsing the whole CRL, a client asks the responder about the status of a single certificate and receives a signed answer, which is quicker for the client and uses far less bandwidth. The responder itself still learns about revocations from the CA's CRL, so its answers are only as current as that CRL.
The easiest and most efficient method to deploy the Root and Subordinate certificates to your organization is to use Group Policy to deploy them automatically to your devices. There are also methods of deploying those same certificates to devices manually, should automated processes be unavailable.
4.1 Export the Root and Subordinate Certificates
The Root and Subordinate certificates can be easily exported into a format that can be used for ease of deployment. Once the certificate files are exported, they can be deployed using Group Policy. To export the certificate files, perform the following steps on the TFS-CA01 server:
The Key Recovery Agent (KRA) feature of Active Directory Certificate Services allows private keys generated for certificates to be archived on the CA at enrollment time, encrypted to the KRA's certificate. This matters when a user loses a private key (a deleted profile or a lost device, for example) and the key itself, not just the certificate, has to be restored; without archival, data encrypted under that key is gone. Because whoever holds a KRA private key can, together with a CA certificate manager, recover any archived key, the KRA certificate must be treated as a high-value secret and issued only to tightly controlled accounts.
5.1 Create the Key Recovery Agent Template
- In the Certification Authority console on the TFS-CA01 server, ensure that the TFS Labs Enterprise CA server is expanded in the console tree.
- Right-click on Certificate Templates and then click Manage. The Certificate Templates Console will open and display the certificate templates stored in Active Directory.
- In the details pane, right-click on the Key Recovery Agent Certificate Template and then click Duplicate Template.
- On the Properties of New Template window, click on the General tab. Change the name of the template to TFS Labs Key Recovery Agent. Ensure that the Validity Period is set to 1 year.
- On the Issuance Requirements tab, uncheck the option for CA certificate manager approval. The built-in template requires approval so that every KRA request is reviewed by a person; unchecking it means any principal with the Enroll permission receives a KRA certificate automatically, which is acceptable only because the Security tab below restricts enrollment to administrators.
- On the Security tab, verify that Authenticated Users does not have the Enroll or Autoenroll permission.
- On the Security tab select Domain Admins and Enterprise Admins and enable the Enroll permission. Click OK to close the window.
- Close the Certificate Templates Console window.
- In Certification Authority console, right-click on Certificate Templates, then select New and then select Certificate Template to Issue.
- In the Enable Certificate Templates dialog box, click TFS Labs Key Recovery Agent and then click OK.
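An audit of the template created in 5.1 and the final "Certificate Template to Issue" step, as an added PowerShell example that is not part of the original guide. It assumes the template's internal name is TFSLabsKeyRecoveryAgent (the Certificate Templates console derives it from the display name by dropping the spaces; check the General tab if yours differs), that the script runs on TFS-CA01, and that the ActiveDirectory and ADCSAdministration modules are available. It resolves the Enroll and AutoEnroll right GUIDs from the forest's Extended-Rights container rather than hard-coding them.

```powershell
# Added example, not the guide's own code. Run elevated on TFS-CA01.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$templateName = 'TFSLabsKeyRecoveryAgent'   # assumption: internal name of the duplicated template
$configNc     = (Get-ADRootDSE).configurationNamingContext
$templateDn   = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$tpl = Get-ADObject -Identity $templateDn -Properties 'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage'

# CT_FLAG_PEND_ALL_REQUESTS (0x2) is the "CA certificate manager approval" checkbox.
$approvalRequired = ([int]$tpl.'msPKI-Enrollment-Flag' -band 0x2) -ne 0
# 1.3.6.1.4.1.311.21.6 is the Key Recovery Agent EKU; a duplicate of the KRA template must keep it.
if ($tpl.pKIExtendedKeyUsage -notcontains '1.3.6.1.4.1.311.21.6') { throw 'Template lacks the Key Recovery Agent EKU.' }

# Map the Enroll / AutoEnroll extended rights to their GUIDs from the schema.
$rights = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
             -LDAPFilter '(|(displayName=Enroll)(displayName=AutoEnroll))' `
             -Properties displayName, rightsGuid |
    ForEach-Object { $rights[[guid]$_.rightsGuid] = $_.displayName }

# Walk the template ACL and report every principal that can obtain a KRA certificate.
$extRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genAll   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$broad    = 'NT AUTHORITY\Authenticated Users', 'Everyone',
            "$env:USERDOMAIN\Domain Users", "$env:USERDOMAIN\Domain Computers"

$acl = Get-Acl -Path "AD:\$templateDn"
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $mask   = [int]$ace.ActiveDirectoryRights
    $grants = @()
    if (($mask -band $extRight) -ne 0) {
        if ($ace.ObjectType -eq [guid]::Empty)        { $grants += 'Enroll', 'AutoEnroll' }  # all extended rights
        elseif ($rights.ContainsKey($ace.ObjectType)) { $grants += $rights[$ace.ObjectType] }
    }
    if (($mask -band $genAll) -eq $genAll) { $grants += 'GenericAll' }
    if ($grants.Count -gt 0) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Grants    = ($grants | Sort-Object -Unique) -join ', '
            Broad     = $broad -contains $ace.IdentityReference.Value
        }
    }
}
$findings | Format-Table -AutoSize
if ($findings | Where-Object Broad) {
    Write-Warning 'A broad principal can enroll for KRA certificates; fix the Security tab before issuing.'
}
if (-not $approvalRequired) {
    Write-Warning 'CA certificate manager approval is off: every KRA request will be issued automatically.'
}

# Publish the template on the CA (the "Certificate Template to Issue" step) if it is not already listed.
if (-not (Get-CATemplate | Where-Object Name -eq $templateName)) {
    Add-CATemplate -Name $templateName -Force
}
Get-CATemplate | Where-Object Name -eq $templateName
```

Run the audit again after any later change to the template: a KRA template that Authenticated Users can enroll for is a way for any domain account to obtain a key capable of decrypting every archived private key the CA holds.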
5.2 Create the Key Recovery Agent Certificate
Once the Certificate Template has been created it can now be requested for the Domain Administrator account.
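The request itself and the checks worth making on the result, as an added PowerShell example that is not part of the original guide. It assumes the template's internal name is TFSLabsKeyRecoveryAgent, that the template was issued on the CA in 5.1, that the C:\Certificates folder from 3.1 exists on TFS-CA01, and that the session is running as the Domain Administrator account that will hold the KRA key.

```powershell
# Added example, not the guide's own code. Run as the Domain Admin account that will be the KRA.
$templateName = 'TFSLabsKeyRecoveryAgent'   # assumption: internal name of the template from 5.1
$kraEku       = '1.3.6.1.4.1.311.21.6'      # Key Recovery Agent EKU OID

# Enrol against the enterprise CA discovered through AD ("ldap:"); the key lands in the user's store.
$result = Get-Certificate -Template $templateName -Url 'ldap:' -CertStoreLocation Cert:\CurrentUser\My

# If CA certificate manager approval was left enabled the request is parked, not issued.
if ($result.Status -ne 'Issued') {
    throw "Request status is '$($result.Status)'. Approve it in the Certification Authority console, then finish with: Get-Certificate -Request (Get-ChildItem Cert:\CurrentUser\Request)"
}
$cert = $result.Certificate

# Checks to make before registering this certificate as a recovery agent on the CA.
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekus -notcontains $kraEku)                          { throw 'Issued certificate is not a Key Recovery Agent certificate.' }
if ($cert.Issuer -notlike 'CN=TFS Labs Enterprise CA*')  { throw "Unexpected issuer: $($cert.Issuer)" }
if (-not $cert.HasPrivateKey)                            { throw 'No private key was stored with the certificate.' }

# Export the public certificate only; the CA uses it to encrypt archived keys.
# The private key stays in this user's store and is the secret that has to be protected.
New-Item -ItemType Directory -Path 'C:\Certificates' -Force | Out-Null
Export-Certificate -Cert $cert -FilePath 'C:\Certificates\TFS Labs KRA.cer' -Type CERT -Force | Out-Null

[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    HasKey     = $cert.HasPrivateKey
}
```

Because the template was given a one-year validity in 5.1, note the NotAfter value: archived keys are encrypted to this certificate, so it (and its private key) must be retained after expiry or the keys archived under it cannot be recovered.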
The Online Responder role is a component of Active Directory Certificate Services that reduces the overhead of CRLs on a network: clients query the status of an individual certificate over HTTP instead of downloading the whole CRL, and receive a signed, current answer. Whether this is worthwhile depends entirely on the size of your network and how often you need to revoke certificates.
This entire section is optional. Not implementing the Online Responder role will have no adverse effect on the functionality of your Certificate Authority, nor will it interfere with any later steps. The role can be added at any time in the future if needed.
5.1 Create CNAME Records in DNS
- Open the DNS Manager console.
- Under the DNS node, expand the TFS-DC01 server and then expand Forward Lookup Zones. Select the corp.tfslabs.com zone, right-click it and choose New Alias (CNAME).
- In Alias name (uses parent domain if left blank), enter OCSP as the name. In the Fully qualified domain name (FQDN) field, enter tfs-ca01.corp.tfslabs.com. and then click OK.
- Close the DNS Manager console.
To validate that the CNAME record was created correctly, resolve the name with nslookup ocsp.corp.tfslabs.com (or Resolve-DnsName) and confirm that it returns the tfs-ca01.corp.tfslabs.com alias and its address. Pinging the name is not a reliable check: by default the Windows Firewall drops the ICMP request, so the ping fails even though the name resolves correctly.
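The CNAME creation and its validation, as an added PowerShell example that is not part of the original guide. It assumes the DnsServer RSAT module is installed where the script runs and that TFS-DC01 hosts the corp.tfslabs.com zone. Validation is done by name resolution and a TCP test on port 80 (what OCSP clients actually use) rather than by ping.

```powershell
# Added example, not the guide's own code. Run as a DNS admin with the DnsServer module.
Import-Module DnsServer
$zone   = 'corp.tfslabs.com'
$dns    = 'TFS-DC01'
$alias  = 'OCSP'
$target = 'tfs-ca01.corp.tfslabs.com'

# Create the alias only if it is missing; an existing alias that points elsewhere is reported, not overwritten.
$existing = Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -Name $alias -RRType CName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ComputerName $dns -ZoneName $zone -Name $alias -HostNameAlias $target
} elseif ($existing.RecordData.HostNameAlias.TrimEnd('.') -ne $target) {
    throw "OCSP already aliases $($existing.RecordData.HostNameAlias); fix it before continuing."
}

# Validation 1: the name resolves through the CNAME to the CA's A record.
$answers = Resolve-DnsName -Name "$alias.$zone" -Type A -Server $dns -DnsOnly
$cname   = $answers | Where-Object Type -eq 'CNAME'
$a       = $answers | Where-Object Type -eq 'A'
if (-not $cname -or $cname.NameHost.TrimEnd('.') -ne $target) { throw "CNAME did not resolve to $target" }
if (-not $a) { throw 'Alias resolves but the target has no A record.' }

# Validation 2: OCSP clients talk HTTP to the responder, so test TCP/80 instead of ICMP,
# which the Windows Firewall blocks by default. PingSucceeded is expected to be False.
$tcp = Test-NetConnection -ComputerName "$alias.$zone" -Port 80 -WarningAction SilentlyContinue
[pscustomobject]@{
    Alias         = "$alias.$zone"
    ResolvesTo    = ($a.IPAddress -join ', ')
    HttpPortOpen  = $tcp.TcpTestSucceeded
    PingSucceeded = $tcp.PingSucceeded
}
```

HttpPortOpen will only be True once IIS (for the AIA/CDP files) or the Online Responder is listening on TFS-CA01; a False there with a correct ResolvesTo value means DNS is fine and the web side still needs attention.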