so far what I did:
Offline Root CA on a standalone win2k8 R2 machine.
Online CA. The following is the steps:
1.Offline Root CA
A. Give a good name.
B. Remember it's offline, so It's much secured, Root certificate backup is very important.
C. Root CRL file, we need a way to copy cross CRL to all online CA, make sure it's reachable and all the time it's updated.
2. Online CA
A. It's good idea to setup Enterprise Certificate CA if you have AD environment, so joining the machine to domain is the first step I reckon. Correct the computer name before you install and setup CA.
B. Install requested Certificate Services Role, CA and take Enterprise Certificate so that will publish to AD.
- On the Request Certificate From A parent CA page, save the request file to USB or DVD, for example: therequest.req.
C. Publish/Install Root CA's certificate and CRL
certutil -addstore -f Root "*.crt"
certutil -addstore -f Root "*.crl"
Publish to domain:
certutil -dspublish -f "*.crt" RootCA
certutil -dspublish -f "*.crt" SubCA
D. Issues the CA certificate based on the requested file gainned at B step, and installed it on the online CA machine.
- Export the issued certificate from the offline CA to .P7B file format ( Cryptographic Message Syntax Standard - PKCS#7 Certificates), for instance onlineca.q7b.
- On the online CA, install onlineca.q7b, then start the Certificate Service.