Setting up a Standalone Root CA

This is the first AD CS role to be installed in an enterprise PKI. It is a trust anchor and establishes the root of a trust hierarchy. To secure the root CA, a common practice is to keep it offline to minimize the exposure. Bring it online only when issuing a subordinate CA certificate. The process is to simply add and configure AD CS role as a Certificate Authority (CA) on a non-domain joined server.

In case you want to migrate an operational CA to use the keys from Securosys Primus HSM or CloudHSM, refer to this chapter.

caution

The following Standalone Root CA setup procedure is shown as an example and presents one straightforward integration path. Please note that there are other ways to configure and set up Microsoft AD CS.
Before moving forward with the example setup, please read through the Prerequisites and the Installing CNG Provider sections, as they are required for the steps that follow.

The following table lists the details used for this setup, according to the figure shown in the Installation section:

| VM/Name/Domain | Role(s) | OS Type | IP Address/Mask | HSM Partition |
|---|---|---|---|---|
| Demo-CAR (workgroup) | Standalone Offline Root CA: AD CS | Windows Server 2016 | Offline (10.250.100.20/24) | DEMO-CAR |
| Demo-DC01.hsmtest.demo | Domain Controller: AD, DNS, LDAP, CDP/AIA | Windows Server 2016 | 10.250.100.10/24 | DEMO-DC01 |
| Demo-CAS.hsmdemo.test | Enterprise Subordinate CA: AD CS | Windows Server 2016 | 10.250.100.25/24 | DEMO-CAS |
| Demo-IIS.hsmdemo.test | IIS Web Server | Windows Server 2016 | 10.250.100.30/24 | DEMO-IIS |
| HSM Primus X 18376142 V2.8.43, DNS: hsm142.hsmdemo.test | HSM Internal | --- | 10.250.100.100/24, CNG Provider: Port 2320 | --- |
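As an added illustration of the step described above (not part of the Securosys documentation), the following PowerShell installs the Standalone Root CA role on the workgroup host Demo-CAR with its key generated in the HSM through the CNG provider, and points CDP/AIA at the online domain controller because an offline root cannot serve them itself. The CNG provider name is a placeholder to be taken from the Installing CNG Provider section, and the use of Demo-DC01 as the CDP/AIA host is an assumption based on the table.

```powershell
# Added example, not the vendor's script. Run as a local administrator on Demo-CAR.
$ProviderName = 'REPLACE-WITH-SECUROSYS-CNG-PROVIDER-NAME'   # placeholder: name from certutil -csplist
$CdpAiaHost   = 'Demo-DC01.hsmdemo.test'                    # assumption: DC from the table publishes CDP/AIA

# 1. Confirm the HSM CNG provider is registered before the CA is created;
#    a CA whose key was generated on a software KSP cannot be re-pointed at the HSM later.
$providers = certutil -csplist
if (-not ($providers -match [regex]::Escape($ProviderName))) {
    throw "CNG provider '$ProviderName' not found; install it first (see Installing CNG Provider)."
}

# 2. Install the AD CS binaries (the role is not configured yet).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 3. Configure a Standalone Root CA. Standalone (not Enterprise) because the host is
#    in a workgroup; the "RSA#<provider>" form selects a CNG key storage provider.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Demo-CAR' `
    -CryptoProviderName "RSA#$ProviderName" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -Force

# 4. An offline root cannot answer CRL or AIA requests, so publish locally (1:) and
#    advertise the HTTP location on the online DC (2:) in issued certificates.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://$CdpAiaHost/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://$CdpAiaHost/CertEnroll/%1_%3%4.crt"

# A long CRL lifetime suits a root that is only powered on to sign a subordinate
# CA certificate or a fresh CRL; delta CRLs are disabled for the same reason.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service certsvc
certutil -crl   # publish the first CRL; copy it and the root certificate to $CdpAiaHost manually

# 5. Verify the CA key is HSM-backed: the provider shown for the CA certificate
#    must be the HSM provider, not the Microsoft Software Key Storage Provider.
certutil -store My
```

After the subordinate CA certificate has been issued, take Demo-CAR back offline; only the CRL and root certificate copied to the CDP/AIA host need to stay reachable.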