How can I configure PKI in a lab on Windows Server 2016 – Part 3

In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally, you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration on the Standalone Offline Root CA. In this part you will prepare the HTTP Web Server for CDP and AIA Publication. But before you get started with that, please read below what a CDP and an AIA actually are.

What is a CDP?

A CDP (CRL Distribution Point) is an extension that contains links to the CRL of the issuer of the certificate which is being verified (1).


The certificate revocation list distribution point (CDP) is a path represented as one or more attributes on every certificate issued by a PKI. This path (literal, share, lightweight directory access protocol (LDAP), and HTTP) is clearly defined and uses variables to simplify the configuration. After definition, the PKI publishes CRLs and delta CRLs (if you choose to publish delta CRLs) for the computers that hold certificates that it has issued (2).

What is an AIA?

An AIA (Authority Information Access) is an extension that contains links to the certificate of the issuer of the certificate which is being verified.
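
To see these two extensions on a real certificate, the following added example (not part of the original guide or its scripts) lists the CDP and AIA links in a certificate file and can check that each HTTP link is reachable. The function name Get-CertPublicationLinks and the path C:\Temp\issued.cer are assumptions made for illustration.

```powershell
# Added example (not from the original guide).
# Lists the CDP and AIA URLs embedded in a certificate and, for HTTP(S)
# links, checks that the published file can actually be fetched.
function Get-CertPublicationLinks {
    param(
        [Parameter(Mandatory)] [string]$Path,   # .cer/.crt file to inspect
        [switch]$TestHttp                       # also send a HEAD request
    )

    # Standard X.509 extension OIDs
    $oids = @{
        '2.5.29.31'         = 'CDP'   # CRL Distribution Points
        '1.3.6.1.5.5.7.1.1' = 'AIA'   # Authority Information Access
    }

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    foreach ($ext in $cert.Extensions) {
        $kind = $oids[$ext.Oid.Value]
        if (-not $kind) { continue }

        # Assumption: Windows renders each link as "URL=<value>" in the
        # multi-line text returned by Format($true).
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            $url    = $m.Groups[1].Value
            $scheme = ($url -split ':', 2)[0].ToLower()
            $status = 'not tested'

            if ($TestHttp -and $scheme -in 'http', 'https') {
                try {
                    $status = (Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10).StatusCode
                } catch {
                    $status = "unreachable: $($_.Exception.Message)"
                }
            }

            [pscustomobject]@{ Extension = $kind; Scheme = $scheme; Url = $url; Status = $status }
        }
    }
}

# Placeholder path; point it at any certificate issued by your lab CA.
Get-CertPublicationLinks -Path 'C:\Temp\issued.cer' -TestHttp | Format-Table -AutoSize
```

A certificate with no CDP or AIA extension returns no rows, and LDAP links are listed but not tested.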

Step 1. Join the web server computer to the domain

When you installed the web server virtual machine (#11_Webserver) in part 1, it was workgroup joined. To join the domain, do as follows. Log on to the web server virtual machine as Administrator. In Windows File Explorer, right-click on This PC and choose Properties. Click on Change Settings beside Computer name, domain and workgroup settings.


In the System Properties screen, click on Change.


In the Member of field select Domain and enter the domain name you configured in part 1.


Enter the credentials required for Domain join membership (eg: windowsnoob\administrator).


Click OK and click OK again when prompted with the welcome message.


Click OK.


Click OK, click Close then click Restart Now.


After the reboot, log in to the domain as windowsnoob\administrator.


Alternatively, to join the domain automatically, use the joindomain.ps1 PowerShell script which you can download from here.


1. Copy the script to C:\Scripts on the webserver.

2. Edit the variables (lines 16-18) as desired before running.

3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.


You can read the rest of this guide @ here
