Certification Authority setup
Parent/Child – the parent (root) domain should contain the Enterprise root CA, and each child domain should contain an Enterprise subordinate CA.
You must be logged on as an enterprise administrator.
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users and Computers.
The Active Directory Users and Computers snap-in opens up. In the left pane, under example-cloud.com, click the Users folder.
Double-click the Enterprise Admins group.
In the Enterprise Admins Properties dialog, click the Members tab, and then click the Add button.
In the Select Users, Contacts, or Computers dialog, click John Doe and then click the Add button. Click OK.
John Doe is now an enterprise administrator with the necessary permissions to set up a Certification Authority in a Windows-based network.
Close the Active Directory Users and Computers window.
You now need to log on as an enterprise administrator; using our example, log on as John Doe.
Note: You will also need to log on as an enterprise administrator when setting up the enterprise intermediary and enterprise-issuing certificate computers.
To set up the CA
Click Start, point to Settings and then click Control Panel.
Double-click Add/Remove Programs.
Click Add/Remove Windows Components to start the Windows Components Wizard.
Select the Certificate Services check box and then click Next.
If you intend to use the Web components of the Certificate Services, ensure that the IIS check box is selected.
The wizard prompts you to specify the type of Certification Authority you want to install. Setup preselects the most likely option in order to make installation simpler.
If no Active Directory is detected, the two enterprise options are disabled.
If an Active Directory is detected, the Enterprise root CA option is selected if there is no CA already registered in the Active Directory.
If there is a CA registered in the Active Directory, the Enterprise subordinate CA option is selected.
If you will be issuing certificates to entities in your organization, or if you need to have seamless integration with the Active Directory or to enable smart card logon, select an enterprise CA. Select one of the following:
Enterprise root CA -- Select this if you do not have any CAs in your directory, or if you need a second enterprise root CA. The root CA will be registered in the directory, and all computers in your enterprise using that directory will automatically trust the root CA. It is good security practice to limit the root CA to issuing certificates to subordinate CAs only, or to issuing only a few special-purpose certificates. This means you will normally install an enterprise subordinate CA after you finish installing the root. However, you can choose to install only the root CA.
Enterprise subordinate CA -- Select this if you have already installed an enterprise root CA. Typically, you will have multiple enterprise subordinate CAs. Each of these CAs either serves a different community of users or provides different types of certificates. If there is more than one subordinate, it is possible to revoke one subordinate's certificate in case of disaster without having to reissue all certificates in the organization.
If you will be issuing certificates to entities outside your enterprise and do not want to use Active Directory or other Windows public key infrastructure (PKI) features, then you want a stand-alone CA. Select one of the following:
Stand-alone CA -- Select this if you do not already have a stand-alone CA, or if you need a second root for a purpose different from the first.
Stand-alone subordinate CA -- Select this if this CA will be a member of an existing CA hierarchy. The parent CA in the hierarchy can be a stand-alone CA, an enterprise CA, or an external commercial CA.
If you need to change the default cryptographic settings, select the Advanced Options check box. (Select Advanced Options only if you know how to change cryptographic settings.) Click Next.
If you selected Advanced Options, the wizard prompts you to specify the cryptographic service provider to use.
In this dialog box, you can change the cryptographic settings, such as the Cryptographic Service Provider (CSP), hash algorithm, and other advanced options. In general, you will not need to modify the default settings. Users who need to modify these settings must be very familiar with cryptography, Certificate Server, and the CAPI 2.0 architecture.
The list of CSPs will vary depending on the software and hardware that has been installed on the server. The Key length specifies the length of the public and private key pair. A value of Default in this box generates a key pair whose length is determined by the selected provider. Microsoft recommends that you use a long key length, such as 1024 or 2048, for a root CA or an enterprise CA. (Note that a long key length is computationally more expensive, and may not be accepted by all hardware devices. For example, some smart cards may not accept certificates issued by a CA that has a 4096-bit key, due to space limitations on the card.)
The Use existing keys option allows you to use keys that were generated previously or to reuse keys from a previously installed CA. When installing a CA, you should almost never reuse keys. The exception to this is when you are restoring a CA after a catastrophic failure. You will then import a set of existing keys and install a new CA that uses those keys. In addition, if you are restoring a CA after a failure, you must select the Use the associated certificate check box. This ensures that the new CA has a certificate that is identical to the old CA. If you do not check this box, a new certificate will be generated that makes the new CA different from the old CA.
Note: The private key is always stored locally on the server, except in the case where a cryptographic hardware device is used. In such a case, the private key is stored in the device. The public key is placed in the certificate, and in the case of an enterprise CA, the certificate is published in Active Directory.
The wizard prompts you to supply identifying information appropriate for your site and organization.
Note that the CA name (or common name) is critical because it is used to identify the CA object created in the Directory. The Valid for time can only be set for a root CA. Set the root CA Valid for time to a reasonable value: the actual duration is a tradeoff between security and administrative overhead. Keep in mind that each time a root certificate expires, an administrator has to update all trust relationships, and administrative steps need to be taken to move the CA to a new certificate. A time period of two or more years is usually sufficient. When you are finished entering the information, click Next.
A dialog box defines the locations of the certificate database, configuration information, and the location where the Certificate Revocation List (CRL) is stored. The Enterprise CA will always store its information, including the CRL, in the directory. It is recommended that you select the Shared folder check box. This option specifies the location of a folder where configuration information for the CA will be stored. You should make this folder a UNC path and have all your CAs point to the same folder. Then the administration tools can use this folder for determining CA configuration if the Active Directory is not available. If you have an Active Directory, this folder is optional. If you do not have an Active Directory, this folder is required.
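The following PowerShell script is an added example, not part of the original guide. Run on a domain-joined machine with the ActiveDirectory module, it reproduces the two decisions the procedure above relies on before you start the wizard: whether you are logged on as an enterprise administrator (the first procedure) and whether an enterprise CA is already registered in Active Directory, which is what makes the wizard preselect Enterprise root CA or Enterprise subordinate CA. The 2048-bit and 365-day warning thresholds are assumptions chosen for illustration.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory
# PowerShell module is installed and the machine is joined to the forest.
Import-Module ActiveDirectory

function Get-CaSetupReadiness {
    # 1. Enterprise Admins membership of the logged-on user.
    #    The Enterprise Admins group always has the well-known RID 519.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isEA = [bool]($me.Groups | Where-Object { $_.Value -like '*-519' })

    # 2. Enterprise CAs already registered in the configuration partition.
    #    Each registered CA is a pKIEnrollmentService object under
    #    CN=Enrollment Services,CN=Public Key Services,CN=Services,<config NC>.
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $cas = Get-ADObject -SearchBase $container `
                        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                        -Properties cACertificate, dNSHostName

    $caReport = foreach ($ca in $cas) {
        # cACertificate is multi-valued; the first value is the CA's own certificate.
        $bytes = [byte[]]$ca.cACertificate[0]
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        $isRoot   = ($cert.Subject -eq $cert.Issuer)     # self-signed => root CA
        $keyBits  = $cert.PublicKey.Key.KeySize
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            CA       = $ca.Name
            Host     = $ca.dNSHostName
            Role     = if ($isRoot) { 'Enterprise root' } else { 'Enterprise subordinate' }
            KeyBits  = $keyBits
            DaysLeft = $daysLeft
            Warning  = if ($keyBits -lt 2048) { 'key shorter than 2048 bits (assumed threshold)' }
                       elseif ($daysLeft -lt 365) { 'CA certificate expires within a year' }
                       else { '' }
        }
    }

    [pscustomobject]@{
        User                 = $me.Name
        IsEnterpriseAdmin    = $isEA
        RegisteredCAs        = @($caReport)
        # Mirrors the wizard's default: root if nothing is registered, else subordinate.
        WizardDefaultChoice  = if ($caReport) { 'Enterprise subordinate CA' } else { 'Enterprise root CA' }
    }
}

Get-CaSetupReadiness | Format-List
```

If IsEnterpriseAdmin is False, log off and back on as the enterprise administrator you added in the first procedure before starting the Windows Components Wizard.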