Added doc for Active Directory Certificate Services

README.md

@@ -5,7 +5,7 @@
 - Setup `ALL_TZ` to the current timezone
 - Set `ALL_RESTART_POLICY` to `unless-stopped`
 
-## Generate CA
+## Generate Root and Intermediate CA
 
 ```shell
 mkdir -p data/step-ca/home/secrets
@@ -14,3 +14,23 @@ chmod 600 data/step-ca/home/secrets/password
 chown -R 1000:1000 data/step-ca/home
 docker run -it --rm -v `pwd`/data/step-ca/home:/home/step smallstep/step-ca:0.15.6 step ca init --ssh --address '0.0.0.0:443' --provisioner 'admin-provisioner' --password-file 'secrets/password' --dns '127.0.0.1,localhost,pki.example.com' --name 'Example Inc.'
 ```
+
+## Active Directory
+
+- Install AD-CS as Subordinate CA
+- Generate private key using the wizard
+- Finish the setup
+- Copy the generated csr to `data/step-ca/home/certs`
+- Run on the `step-ca` container
+    ```shell
+    step certificate sign --profile intermediate-ca certs/ad.csr certs/root_ca.crt secrets/root_ca_key
+    ```
+  Note: `step` might complaint if there's an emtpy trailing line at the end of the CSR
+- Copy the generated certificate on stdout AND `certs/root_ca.crt` somewhere to the AD-CS server
+- Run on the AD-CS server
+    ```shell
+    certutil -installcert C:\cert.crt # Install the signed certificate in AD-CS
+    certutil -f -dspublish C:\root.crt RootCA # Publish the root CA in AD 
+    ```
+- Optionally remove the root and intermediate certificates files as they now imported in the store
+- Start AD-CS