Blog Post

Microsoft Security Community Blog

25 MIN READ

Step by Step: 2-Tier PKI Lab

rahuljangda

Microsoft

May 20, 2025

Setting Up a Two-Tier PKI Lab with an Offline Root CA and Online Issuing CA using AD CS

Purpose of this blog Public Key Infrastructure (PKI) is the backbone of secure digital identity management, enabling encryption, digital signatures, and certificate-based authentication. However,...

Published May 20, 2025

Version 1.0

admin

attack surface management

enterprise security

exposure management

identity and access management

transport layer security

rahuljangda

Microsoft

Joined June 12, 2023

View Profile

Microsoft Security Community Blog

Follow this blog board to get notified when there's new activity

ChinmoyJoshi

Microsoft

May 22, 2025

Good read, Rahul — brought back memories from my support days!

🛑 Disclaimer (with a chuckle):
Before you dive into setting up that Offline CA, take a deep breath and double-check your setup. I’ve seen things… wild things. Like CAs running on Hyper-V VMs hidden on someone’s laptop — and then poof — formatted and forgotten like last year’s New Year’s resolutions. 😅

So please, for the love of certificates and operational sanity:

Document it.
Catalog it.
Treat it like the crown jewels of your PKI.

Because nothing says “oops” quite like realizing your root of trust was last seen on a dev’s coffee-stained ThinkPad.

rahuljangda
Microsoft
May 22, 2025
Couldn't agree more!
Goes back to having solid key ceremonies, security procedures, and processes in place. As you said - document every step (version-control it), catalog it, run formal Key Ceremonies with checklists and multiple approvers, audit/test often to prove the root CA is truly offline.