0

I have 2 windows server 2019. e.g. server1 and server2. server1 is the domain controller. server1 has below roles installed: ADDS, ADCS, DNS, FILE STORAGE, IIS.

server2 is connected to that domain controler. server1 has below roles installed: ADCS, FILE STORAGE, IIS.

I have setup PKI on server1 and everything works fine. I am able to use CRL as well as OCSP feature for certificate validation.

I wanted to make server2 as subordinate CA of server1(root CA), and installed corresponding roles(ADCS) and able to distribute user certificate and its working fine. But I am not able to test CRL functionality on server2 as it required ldap binding with server2.

As I debugged it further, I found that LDAP server is not running on server2. I checked port 389 is listening on server1 but not server2.

So how to enable ldap service on server2 ? I am not able to test CRL functionality of PKI, because CDP url is ldap address.

Ghansham
  • 101
  • 3

1 Answers1

0

LDAP is not a prerequisite for ADCS. If your company uses ADDS, then you have the option to deploy a Enterprise CAs to simplify certificate issuance and deployment to users and computers.

If you do not have a AD domain, then you install Standalone CAs.

That is why your approach makes no sense. You would not install ADDS on server2 only to run an intermediate CA.

There are many ways how to set up a PKI infrastructure, and it seems you should read up on that topic, to get a little understanding of how to achieve your need. I suggest you start with this guide: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/designing-and-implementing-a-pki-part-i-design-and-planning/ba-p/396953

But to answer your question: Join server2 to the same AD domain as server 1 and install an Enterprise Subordinate CA. If you plan on having your Root CA online (which I assume), then it should be an Enterprise Root CA.

However, if you plan on implementing a multi-tier PKI your root CA should be standalone and offline. You also should never install a CA on your domain controller. And your CDP and AIA locations should be on an HTTP server only, optionally also deploying an additional OCSP server.

In small businesses where certificate are required only internally, you could get away with installing a single Enterprise Root CA and also use LDAP as your CDP and AIA locations.

I strongly suggest you read up on the article, if you plan to put your PKI to production.

Daniel
  • 6,940
  • 6
  • 33
  • 64