Building a Certificate Authority in Windows Server 2019 Part 8 - Final Steps
Overview
A complete book version of this guide is now available for purchase. It is an expanded version of this guide that includes over 300 screenshots, CLI configuration commands, a quick start guide, additional details and more.
Note: This guide is archived and is no longer updated on this website. For any future updates to this guide, please refer to the version that can be found on docs.mjcb.io.
8.1 Implementation File Cleanup
Once the Certificate Authority implementation has been successfully completed, there are a few files that should be deleted.
8.1.1 TFS-CA01 Server
Delete the following files on the TFS-CA01 Server:
- C:\TFS-CA01.corp.tfslabs.com_corp-TFS-CA01-CA.req
- C:\TFS Labs Certificate Authority.cer
- C:\TFS Labs Enterprise CA.cer
- C:\TFS Labs Enterprise CA.p7b
These files should all be present in the C:\RootCA folder on the TFS-ROOT-CA Server. The copies on that server don't need to be deleted.
8.1.2 Virtual Floppy Disk
Depending on your virtualization platform, the location of the RootCAFiles virtual floppy disk will vary. This file also needs to be deleted. If you set up BitLocker on the TFS-ROOT-CA Server, ensure that you back up the recovery key.
8.2 Recurring Tasks
The only major task that you should need to perform on your PKI is renewing the CRL from the Root CA at least once a year. Once the implementation is completed, it is best to set up a yearly recurring task to make sure this is not forgotten.
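As a safety net for the yearly reminder, the following added example (not part of the original guide) reads the NextUpdate field of the published Root CA CRL and warns before it expires. The `$CrlPath` parameter is a placeholder for wherever the Root CA CRL is published in your environment, the 30-day threshold is an arbitrary choice, and the parsing assumes English-language `certutil` output with dates in the current user's locale.

```powershell
# Added example: warn before the Root CA CRL expires.
# Assumptions: $CrlPath is a placeholder for your published Root CA CRL file;
# $WarnDays is an arbitrary threshold; certutil output is in English.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]$CrlPath,
    [int]$WarnDays = 30
)

function Get-CrlNextUpdate {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "CRL file not found: $Path"
    }

    # certutil -dump prints a "NextUpdate:" line when given a CRL file.
    $dump = & certutil.exe -dump $Path
    if ($LASTEXITCODE -ne 0) {
        throw "certutil could not read $Path (exit code $LASTEXITCODE)"
    }

    $hit = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' |
        Select-Object -First 1
    if (-not $hit) {
        throw "No NextUpdate field found in $Path"
    }

    # The date is formatted for the current locale, so parse it the same way.
    $text = $hit.Matches[0].Groups[1].Value.Trim()
    return [datetime]::Parse($text, [cultureinfo]::CurrentCulture)
}

$nextUpdate = Get-CrlNextUpdate -Path $CrlPath
$daysLeft   = [math]::Floor(($nextUpdate - (Get-Date)).TotalDays)

if ($daysLeft -lt 0) {
    Write-Error "Root CA CRL expired on $nextUpdate. Power on TFS-ROOT-CA and publish a new CRL."
    exit 2
}
elseif ($daysLeft -le $WarnDays) {
    Write-Warning "Root CA CRL expires in $daysLeft day(s) ($nextUpdate). Schedule the TFS-ROOT-CA renewal."
    exit 1
}

Write-Output "Root CA CRL is valid for $daysLeft more day(s) (NextUpdate: $nextUpdate)."
exit 0
```

Run it from a scheduled task on a server that stays online, not on the Root CA itself; the non-zero exit codes let a monitoring system alert on the warning and expired states.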
8.3 Root CA Shutdown
Once the Certificate Authority has been successfully implemented, the Root CA needs to be powered off as it is no longer needed. The TFS-ROOT-CA virtual machine will need to be powered on at least once every 52 weeks in order to update the CRL.
Ensure that you do not delete this virtual machine. If you do, it will break your entire PKI and there will be no way of recovering from this.