setting up a PKI in a lab environment
Hi all, I have a lab environment set up at home on Hyper-V. I have two forests and each forest has two domains; each domain has a couple of client machines. In preparation for my exams I would like to better understand the workings of a PKI. Can anyone suggest a way I can set up a lab to simulate a PKI? I would like to install and configure an enterprise CA and a standalone CA and other bits that are mentioned in the books. From what I can see, PKI is not the easiest thing to simulate in a lab. Any suggestions would be much appreciated. Thanks
May 24th, 2012 6:47am

Hi, I would recommend reading http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx and part two of the blog. Create two more VMs and install. It can be as easy as next, next, install. Regards, Rmknight
May 24th, 2012 10:52am

You can always use openssl to test stuff; it is very easy to configure and deploy. For a basic understanding of a PKI this is the fastest way. http://www.openssl.org/

To create a CA:

    openssl genrsa -des3 -out CA.key 4096
    openssl req -config openssl.conf -new -x509 -days 7305 -key CA.key -out certs/CA.cer

If you want to test a fully functional PKI infrastructure, AD CS is the way. Check out cross-certification and qualified subordination if you want to use a PKI in both forests.

Active Directory Certificate Services: http://technet.microsoft.com/en-us/windowsserver/dd448615.aspx
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure: http://technet.microsoft.com/en-us/library/cc772670(WS.10).aspx
AD CS Step-By-Step Guide: http://www.microsoft.com/en-us/download/details.aspx?id=22838
Certificate Autoenrollment in Windows XP: http://technet.microsoft.com/en-us/library/bb456981.aspx
Troubleshooting autoenrollment: http://blogs.technet.com/b/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx
Troubleshooting Certificate Enrollment: http://blogs.msdn.com/b/windowsvistanow/archive/2008/04/08/troubleshooting-certificate-enrollment.aspx
Certificate Path Validation: http://technet.microsoft.com/en-us/library/cc770844.aspx
Manage Revocation Checking Policy: http://technet.microsoft.com/en-us/library/cc753863.aspx
How to refresh the CRL cache on Windows Vista: http://blogs.technet.com/b/pki/archive/2007/09/13/how-to-refresh-the-crl-cache-on-windows-vista.aspx
CA Maintenance: http://technet.microsoft.com/en-us/library/cc782041(WS.10).aspx
Troubleshooting Certificate Status and Revocation: http://technet.microsoft.com/en-us/library/cc700843.aspx
Certificate Revocation Checking in Windows Vista and Windows Server 2008: http://technet.microsoft.com/en-us/library/ee619730(WS.10).aspx
Qualified Subordination and Cross-Certification: http://technet.microsoft.com/en-us/library/cc787237(WS.10).aspx
Walkthrough (Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003): http://technet.microsoft.com/en-us/library/cc787276(WS.10).aspx
May 24th, 2012 11:32am
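
As an added example (not part of any post in this thread), here is the OpenSSL route from the reply above carried one step further: the lab root CA signs a server certificate and the chain is verified. The names "Lab Root CA" and host.lab.test, the config contents and the helper functions are constructed for this sketch, and the CA key is left unencrypted only so the lab runs unattended.

```shell
#!/bin/sh
# Lab-only PKI: self-signed root CA -> one server certificate -> chain check.
# Constructed names: "Lab Root CA", host.lab.test. Not for production use.
set -eu

build_lab_pki() (   # subshell body: cd and umask do not leak to the caller
    dir=$1; bits=${2:-4096}
    umask 077; mkdir -p "$dir/certs"; cd "$dir"
    # Own config, so the result does not depend on the system openssl.cnf.
    cat > openssl.conf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Lab Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:host.lab.test
EOF
    # The post's -des3 passphrase is left out so the lab runs unattended.
    openssl genrsa -out CA.key "$bits" 2>/dev/null
    openssl req -config openssl.conf -new -x509 -days 7305 -key CA.key -out certs/CA.cer
    # End-entity key and CSR, then the CA signs the CSR with leaf-only extensions.
    openssl genrsa -out host.key 2048 2>/dev/null
    openssl req -config openssl.conf -new -key host.key -subj "/CN=host.lab.test" -out host.csr
    openssl x509 -req -in host.csr -CA certs/CA.cer -CAkey CA.key -CAcreateserial \
        -days 365 -sha256 -extfile openssl.conf -extensions v3_leaf \
        -out certs/host.cer 2>/dev/null
)

# Succeeds only if $2 chains to the trust anchor $1 and is valid for TLS server use.
verify_leaf() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

lab=$(mktemp -d)
build_lab_pki "$lab"
verify_leaf "$lab/certs/CA.cer" "$lab/certs/host.cer" && echo "chain OK: $lab/certs/host.cer"
```

Running `build_lab_pki` a second time in another directory gives a second root with the same subject name but a different key; `verify_leaf` against that root rejects the first lab's certificate, which is the behaviour cross-certification between the two forests is meant to address.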

This topic is archived. No further replies will be accepted.
