Create a sub-certificate authority with AD CS

In this tutorial, I will explain how to create a sub CA with Windows AD CS.

Sub-CAs are underused on firewalls when SSL decryption is implemented, generating a sub-CA with Windows AD CS allows you to avoid deploying the firewall certificate if you have already deployed the root certificate.

Before you begin, verify that the Secondary Certification Authority template is active, i.e. present in Certificate Templates from the AD CS administration console.

Generate Certificate Request for Secondary Authoritative

Open the Certificate Management MMC console with the Local Computer account on the AD CS server, we will start by making a certificate request, i.e. generating the CSR.

Right-click on the Personal folder, then go to All Tasks / Advanced Operation and click on Create Custom Request 1.

When launching the wizard, click on the Next button 1.

Then click Next 1.

Select Secondary Certification Authority 1 and then click Next 2.

Expand Details and click the Properties button 1.

Customize the request in the Subject and General tabs.

Go to the Private Key tab 1, check the Allow private key export 2 box, then click the Apply 3 and OK 4 buttons.

Back to Certificate Information, click the Next button 1.

Specify the location and name of the request file 1 for the certificate and click Finish 2.

The request is generated, we will now submit it to the ADCS certification authority.

Import the request into the ADCS Certificate Authority

Go to the ADCS administration console, right-click on the certificate authority name, then go to All Tasks and click Submit New Request 1.

Fetch the request file to submit it.

Next, save the CA response file.

Import the response from the certification authority

Now you need to import the response file to access the certificate of the sub-certification authority.

Return to the computer’s certificate management console, go to the Personal / Certificate location. Right-click in the central area then go to All tasks and click on Import 1.

When the wizard starts, click Next 1.

Go to the answer file 1 and click Next 2.

Leave the Personal store, click Next 1.

Click the Finish button to finalize the certificate import.

A new window opens indicating that the import was successful, click OK to close it.

The secondary authority certification is now in the Personal store.

Export the certificate from the sub-certification authority

Last step, export the certificate so that you can use it.

Right click on it then go to All Tasks and click Export 1.

When the wizard opens, click Next 1

Select Yes, export private key 1 and click the Next button 2.

Choose PFX format 1 and click Next 2.

Enter the password for the PFX file 1 then click Next 2.

Specify the location and name of the file 1 for export and click on the Next button 2.

Click Finish 1 to close the wizard.

Close the window that indicates that the export was successful.

The certificate pfx file is available.


You know how to generate a secondary CA from ADCS.




Leave a Comment