An issue has been identified in situations where you would configure a Windows Server installation as an Offline Root Certification Authority (CA). The Install-ADCSCertificationAuthority Windows PowerShell Cmdlet would error out, while you could achieve the scenario without problems using the Graphical User Interface (GUI).
In multi-tier Public Key Infrastructure (PKI) implementations, you would implement multiple Certification Authorities (CAs) in a hierarchy (of tiers). At the top of this hierarchy, you would place an offline Stand-alone Root CA. In the tiers below, you would implement domain-joined issuing Sub CAs. Devices and colleagues would request and renew certificates and check certificate revocation with the Sub CAs, while the Root CA's only job would be to issue and (incidentally) revoke the certificates for the Sub CAs; revoking a Sub CA certificate invalidates all certificates issued by that Sub CA.
In such a multi-tier implementation you would build a Root CA and regularly copy the Certificate Revocation List (CRL) from it to a location accessible to all devices and colleagues. A webserver is best suited for that purpose.
As a best practice, the Root CA is in a secure location and not on a network.
You might read this best practice as an instruction to build a Windows Server installation without any Network Interface Cards (NICs) and thus without any network connections. Placing this server in the locked server room and turning it off between the regular CRL copies would make it inaccessible from the network and, in most cases, from outside attacks.
When you build a Windows Server without Network Interface Cards (NICs) and configure the server as a Certification Authority (CA) using the Install-ADCSCertificationAuthority Windows PowerShell Cmdlet, you receive an error:
Install-ADCSCertificationAuthority : Active Directory Certificate Services setup failed with the following error: The network location cannot be reached. For information about network troubleshooting, see Windows Help. 0x800704cf
(WIN32: 1231 ERROR_NETWORK_UNREACHABLE)
However, the AD CS Configuration Wizard, accessible from Server Manager, can be used to configure the offline Root CA in this scenario without error.
This error occurs because the Install-ADCSCertificationAuthority Windows PowerShell Cmdlet tries to write to files and folders via Universal Naming Convention (UNC) paths, implying shared folders and thus a TCP/IP stack. Without Network Interface Cards (NICs), there is no TCP/IP stack in Windows Server.
Vadims Podans posted a workaround on the PowerShell Crypto Guy’s Weblog.
When you use the Install-ADCSCertificationAuthority Windows PowerShell Cmdlet, pass a local path for the database directory as a parameter to the command, so that setup does not resolve it to a UNC path:
Install-ADCSCertificationAuthority <other parameters here> -DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog")
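The workaround in full, as an added example that is not the original post's or Vadims Podans' code: an Install-WindowsFeature and Install-ADCSCertificationAuthority run for a stand-alone offline Root CA with local database and log directories, followed by a registry check that confirms no UNC path was recorded. The CA name, key parameters, validity period, the choice to also set -LogDirectory, and the registry value names read at the end are assumptions.

```powershell
# Added example: configure an offline stand-alone Root CA on a server with no NICs,
# applying the local-path workaround from the post. CA name, key size, hash and
# validity period below are assumed values; adjust them to your own CA policy.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Local (non-UNC) locations for the CA database and its log files, so setup never
# needs a share. -DatabaseDirectory is the documented workaround; -LogDirectory is
# set the same way here as an assumption, for consistency.
$dbDir  = Join-Path $env:SystemRoot "System32\CertLog"
$logDir = Join-Path $env:SystemRoot "System32\CertLog"

# Assumed CA name; -Force suppresses the confirmation prompt.
Install-ADCSCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "Contoso Offline Root CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 20 `
    -DatabaseDirectory $dbDir `
    -LogDirectory $logDir `
    -Force

# Post-install check (assumed value names DBDirectory / DBLogDirectory under the
# CertSvc Configuration key): fail loudly if either path was recorded as UNC.
$cfg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
if ($cfg.DBDirectory -like '\\*' -or $cfg.DBLogDirectory -like '\\*') {
    throw "CA database or log directory is a UNC path; rerun with local -DatabaseDirectory/-LogDirectory."
}
"Database directory: $($cfg.DBDirectory)"
"Log directory:      $($cfg.DBLogDirectory)"
```

Run this in an elevated PowerShell session on the NIC-less server; the CDP and AIA extensions still have to be set afterwards to point at the web server that hosts the copied CRL.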
Install-ADCSCertificationAuthority issue when installing an offline certification authority
Checklist: Creating a certification hierarchy with an offline root certification authority
Root Certification Authority (CA) CDP and AIA extension question
AIA/CRL locations for Offline Root
Thanks to Vadims Podans for posting this issue and the workaround on the PowerShell Crypto Guy’s Weblog.