Install Microsoft AD DS PKI on Windows server 2019, Two Tier PKI Hierarchy Deployment, step by step.

In this guide I will cover an enterprise installation of Microsoft PKI based on Windows Server 2019.
PKI implementation is one of the most challenging operations in an office environment; it requires proper testing and careful implementation.
A few facts to consider before choosing a design
Certificates will be validated publicly, so the CRL/OCSP servers are exposed to the internet
Computer and user certificates will be distributed automatically using autoenrollment via GPO for domain users and devices. Manual requests are used for non-domain objects such as web servers, VMware, etc.
A typical design has two tiers: one offline root, one subordinate CA per geographical area, a CRL farm behind a load balancer, an OCSP array behind a load balancer, and NDES
Design
Two tier
This design is the most recommended for enterprise environments.
1x Offline workgroup Root CA
1x Domain Joined Enterprise CA
2x Domain Joined IIS servers load balanced (HA)
1x NDES/SCEP

PKI-two-tier-design (diagram)

Root CA
In order to provide protection for the Root CA’s private key, the CA will be deployed offline as a Virtual Machine (VM). The CA will never be connected to the network.
The Root CA VM will be stored in the Open Virtualization Format (OVF). OVF is an open standard supported by all major hypervisors, including the open source VirtualBox and KVM. The VM image (a set of files consisting of the virtual disk and a configuration file) will be stored in an encrypted VeraCrypt container. VeraCrypt is a widely used open source encryption solution. The container will be protected by a 20-character passphrase. The passphrase will be split in two, so at least two parties are required to gain access to the root CA. Two copies of the container will be stored in two separate, physically secure locations. Single Level Cell (SLC) flash drives will be used as the storage medium; SLC flash memory is more reliable than the more widely available Multi-Level Cell (MLC) drives.
Certificate lifetime: 10 years is the usual recommendation
Root CA key length: 4096 bits, recommended if all applications are compatible
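As an added illustration of the Root CA settings above (this is not code from the original guide), the following PowerShell, run on the offline workgroup machine, installs a standalone root CA with the 4096-bit key and 10-year lifetime just described and embeds the HTTP CDP/AIA locations that the IIS farm will later serve. The CA common name, the host pki.example.com, SHA-256 and the 26-week CRL interval are assumptions, not values from the guide.

```powershell
# Added example: offline standalone Root CA with the design values above.
# Placeholders (assumptions): CA common name and the HTTP host of the IIS farm.
$CaName  = 'Example-Root-CA'
$PkiHost = 'pki.example.com'   # DNS name of the load-balanced IIS servers

# 1. Install the AD CS role; a workgroup machine is fine for a standalone root.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Standalone root: RSA 4096, SHA-256 (assumed), 10-year self-signed certificate.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# 3. CDP: keep the local copy (flag 1 = publish to this location) and embed only
#    the HTTP URL in issued certificates (flag 2 = include in the CDP extension).
#    %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix (certutil variables).
$LocalCrl = "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"
$HttpCrl  = "2:http://$PkiHost/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CRLPublicationURLs "$LocalCrl\n$HttpCrl"

# 4. AIA: same pattern for the CA certificate (%1 = server DNS name, %4 = cert suffix).
$LocalCrt = "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt"
$HttpCrt  = "2:http://$PkiHost/CertEnroll/%1_%3%4.crt"
certutil -setreg CA\CACertPublicationURLs "$LocalCrt\n$HttpCrt"

# 5. An offline root cannot publish CRLs often: 26 weeks is an assumed interval to
#    tune to your revocation policy; delta CRLs are disabled on the root.
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLDeltaPeriodUnits 0

# 6. Apply the settings and issue the first CRL. The .crt and .crl in CertEnroll
#    are then carried to the IIS farm on removable media, since the root never
#    touches the network.
Restart-Service certsvc
certutil -crl
Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll"
```

Before signing the subordinate CA request, check that the embedded URLs resolve and serve the published files from the IIS farm; otherwise every certificate chained to this root will fail revocation checking.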

Enterprise CA
Domain-joined server; it will issue certificates and publish its CRL to the IIS servers.

IIS servers, CDP CRL/OCSP
Domain-joined servers in an HA configuration, usually behind a load balancer such as F5. This is where the Root CA and the Enterprise CA publish their CRLs using the SMB protocol. The HTTP link is embedded in every issued certificate through its AIA and CRL (CDP) information.

Next, Step 1, Install IIS servers