This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 83%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
I'm looking for some advise on building a MS PKI. The query I have is - do org build a enterprise PKI for Testing, and how is it integrated with Domain controller. What are the best practices for Test PKI
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,
Thanks - will have a Prod and a Test (used as dissection area prior to Prod changes). Test in its own domain env.
Thanks for the support.
Hi,
If you want to end this thread, and the answer was helpful for you, you can "Accept as answer" to help other community members find the helpful reply quickly.
Please feel free to let us know if you need further assistance.
Best Regards,
Hi,
I built 2 PKI environment in my lab .
Single tier PKI with one Enterprise CA, you can configure the CA on the DCs or a member server if you have additional servers.
Two tier PKI with one Offline Root CA and an Enterprise CA
For how to build the PKI, you can refer to the following links (step by step) , which one to choose, that depends on your requirements :
Best Regards,
Hi @Fan Fan - thanks for the links but what I'm trying to understand is; can I have 2 separate PKI's integrated with Active Directory. Based upon the digging I've done, it seems that its not a good advise but by having separate policy templates I could have 2 PKI in one domain.
I'm interested to find out how do companies manage a Test PKI, who don't have separate domain controller env.
Sorry for Misspell ,i said a 2 tier PKI.
As you dais It's a not good idea to have 2 PKI in one domain and it is not necessary .
It is not complicated to manage a PKI .When deploy ,we just need to do it step by step.
For a test environment, you can also build some VMs for it (just one DC, one or 2 CA servers ).
https://redmondmag.com/articles/2015/06/01/ad-certificate-services.aspxPlease note: The given technical support contact information belongs to a third party and may vary without notice. Microsoft does not guarantee the information accuracy.
Best Regards,