Setting up a Stand-Alone Root CA
1. Install and patch a Windows Server 2003 and put it in a Workgroup
2. Prepare a CAPolicy.inf file and put it in %SystemRoot%
3. Install Certificate Services from the Install CD according to following
– Stand-Alone Root CA
– Use custom settings to generate the key pair and CA certificate
– Microsoft Strong Cryptographic Provider
– Hash Algorithm: SHA-1
– Key length: 4096
– Clear "Allow this CSP to interact with the desktop" and "Use an existing key"
– Create Common Name and Distinguished name suffix
– Validity Period: 10 years
– Set Certificate database and Certificate database log
– Store configuration information in a shared folder and enter a local Path
4. Verify the Root CA Certificate
– certutil -ca.cert CommonName.cer (retrieves the CA certificate into a file)
– certutil.exe CommonName.cer (dumps the certificate so the subject, key length and validity can be checked)
5. Verify the CommonName Configuration Information
– certutil -cainfo
– certutil -getreg | find /I "Directory"
Configuring the Root CA
1. Map the Namespace of Active Directory to an Offline CA’s Registry Configuration
– certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=concorp,DC=contoso,DC=com"
2. Configure CorporateRootCA Distribution Points for CRL and AIA (see the source document)
3. Finalize the CA Configuration
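The three configuration steps above as one batch file run on the root CA, added here as an example and not taken from the page or from the Microsoft document; the HTTP host www.contoso.com, the 26-week CRL period and the 5-year validity cap for certificates issued by the root are assumed values, and the configuration DN is the one used in step 1.

```batch
@echo off
REM Added example: post-installation configuration of an offline stand-alone root CA.
REM Assumed: HTTP publication host www.contoso.com; CRL and validity periods chosen here.
REM In a batch file certutil's %1..%11 substitution tokens must be written as %%1..%%11.

REM 1. Map the AD namespace: %%6 in LDAP URLs below expands to this DN on the offline CA
certutil -setreg ca\DSConfigDN "CN=Configuration,DC=concorp,DC=contoso,DC=com"

REM 2a. CRL distribution points. Flags: 1=publish CRL here, 2=add to CDP of issued certs,
REM     8=add to IDP of the CRL. Local file for publication, LDAP and HTTP for clients.
certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://www.contoso.com/pki/%%3%%8%%9.crl"

REM 2b. AIA locations. Flags: 1=publish CA cert here, 2=add to AIA of issued certs
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://www.contoso.com/pki/%%1_%%3%%4.crt"

REM 3. Finalize: long base CRL and no delta CRLs (the CA is offline), cap the validity
REM    of certificates the root issues to subordinate CAs, and enable full CA auditing.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\AuditFilter 127

REM Registry changes take effect after a service restart; then publish the first CRL
net stop certsvc && net start certsvc
certutil -crl

REM Verify what was stored before copying CRL and certificate to the HTTP host
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

The CRL and CA certificate written to CertEnroll still have to be copied by hand to www.contoso.com/pki (and to Active Directory with certutil -dspublish from a domain member) each time the offline CA publishes, otherwise chain validation on clients fails once the previous CRL expires.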
Source: Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure