Building a Certificate Authority in Windows Server 2019 Part 8 - Final Steps

Practical Guide to PKI with Windows Server - First Edition

Now available for purchase, a complete book version of this guide. Includes an expanded version of this guide which includes over 300 screenshots, CLI configuration commands, quick start guide, additional details and more.

Note: This guide is archived and is no longer updated on this website. For any future updates to this guide, please refer to the version that can be found on

Table Of Contents

8.1 Implementation File Cleanup

Once the Certificate Authority Implementation has been successfully implemented and completed there are a few files that should be deleted.

8.1.1 TFS-CA01 Server

Delete the following files on the TFS-CA01 Server:

  • C:\TFS-CA01.corp.tfslabs.com_corp-TFS-CA01-CA.req
  • C:\TFS Labs Certificate Authority.cer
  • C:\TFS Labs Enterprise CA.cer
  • C:\TFS Labs Enterprise CA.p7b

These files should all be present on the C:\RootCA folder on the TFS-ROOT-CA Server. Those files don’t need to be deleted.

8.1.2 Virtual Floppy Disk

Depending on your virtualization platform, the location of the RootCAFiles virtual floppy disk will vary. This file also needs to be deleted. Ensure that if you setup BitLocker on the TFS-ROOT-CA Server that you backup up the recovery key.

8.2 Recurring Tasks

The only major task that you should need to perform on your PKI Infrastructure is that you will need to renew the CRL from the Root CA at least once a year. It is best that once the implementation is completed that you setup a yearly recurring task in order to make sure this task is not forgotten.

8.3 Root CA Shutdown

Once the Certificate Authority has been successfully implemented, the Root CA needs to be powered off as it is no longer needed. The TFS-ROOT-CA virtual machine will need to be powered on at least once every 52 weeks in order to update the CRL.

Ensure that you do not delete this virtual machine. If you do it will break your entire PKI and there will be no way of recovering from this.

Certificate Authority in Windows Server 2019

This site uses cookies. By continuing to use this website you agree to their use. To find out more about how this site uses cookies, including how to control cookies used for this website, please review the Privacy Policy and Cookie Policy.