The TFS Labs domain that is used in this guide is configured using a single Domain Controller in the corp.tfslabs.com (TFSLABS) domain. This Active Directory domain is used for critical functions in the TFS Labs domain and is necessary for a proper Active Directory Certificates Services (AD CS) deployment to be completed. The TFS-DC01 server will be used as a Domain Controller, and this section will focus on how to set it up correctly.
The TFS-ROOT-CA server will be used for hosting the Offline Root Certificate Authority. The TFS-ROOT-CA server is only ever used for issuing Subordinate certificates to other TFS Labs domain servers and is also used to revoke or add new Subordinate certificates if necessary. It is also used to refresh the Root CRL at least once a year, which means it needs to be powered on at least once a year to complete that task.
The TFS-CA01 server will be used for hosting the Subordinate Certificate Authority. The Subordinate CA server is used for issuing certificates to any device that requests one, whether it be automatically or manually requested. It will also be used to host all files that are required for the complete PKI for the domain, since the Offline Root CA has no network connections, as well as host the OCSP service for the domain.
3.1 Export the Root and Subordinate Certificates
3.2 Deploy the Root and Subordinate Certificates to the Domain
3.3 Optional: Deploy Certificates to iOS
AD CS on Windows Server 2019 Guide
3.1 Export the Root and Subordinate Certificates
The easiest method to deploy the certificates to your organization is to use Group Policy to deploy them automatically to your devices.
Open the Certificates console (certlm.
4.1 Enable the Online Responder Role
4.2 Configure the Online Responder Role
4.3 Add the OCSP URL to the Enterprise CA
4.4 Configure and Publish the OCSP Response Signing Certificate
4.5 Configure Revocation Configuration on the Online Responder
4.6 Add the OCSP URL to Group Policy
4.7 Verify OCSP Status
4.8 Verify OCSP Connectivity
4.1 Enable the Online Responder Role
The OCSP Responder role is a component of Active Directory Certificate Services that is used to reduce the overhead of CRLs on your network.
The easiest and most efficient method to deploy the Root and Subordinate certificates to your organization is to use Group Policy to deploy them automatically to your devices. There are also methods of deploying those same certificates to devices manually, should automated processes be unavailable.
4.1 Export the Root and Subordinate Certificates
4.2 Deploy the Root and Subordinate Certificates to the Domain
4.3 Enable IIS for Certificate File Deployment
4.
The Key Recovery Agent feature of Active Directory Certificate Services allows for the archival of private keys that are generated by the Certificate Authority. This is very important if a certificate is deleted and needs to be restored.
5.1 Create the Key Recovery Agent Template
5.2 Create the Key Recovery Agent Certificate
5.3 Configure the Certificate Authority to Allow Key Recovery
5.4 Configure the Certificate Template for Archiving Keys
5.
The Online Responder role is a component of Active Directory Certificate Services that is used to reduce the overhead of CRLs on a network. It can check for revoked certificates much faster than regular CRLs can and can inform clients of their status. Whether you need this functionality depends entirely on the size of your network and how often you need to revoke certificates.
This entire section is optional.