Condensed Version of Implementing PKI on Win2003
Setting up a Stand-Alone Root CA
1. Install and patch a Windows Server 2003 and put it in a Workgroup
2. Prepare a CAPolicy.inf file and put it in %SystemRoot%
3. Install Certificate Services from the Install CD according to following
- Stand-Alone Root CA
- Use custom settings to generate the key pair and CA certificate
- Microsoft Strong Cryptographic Provider
- Hash Algorithm: SHA-1
- Key length: 4096
- Clear Allow this CSP to interact with the desktop and Use an existing key
- Create Common Name and Distinguished name suffix
- Validation Period: 10 years
- Set Certificate database and Certificate database log
- Store configuration information in a shared folder and enter a local Path
4. Verify the Root CA Certificate
- certutil –ca.cert CommonName.cer
- certutil.exe CommonName.cer
5. Verify the CommonName Configuration Information
- certutil –cainfo
- certutil –getreg | find /I Directory
Configuring the Root CA
1. Map the Namespace of Active Directory to an Offline CA's Registry Configuration
- certutil.exe –setreg caDSConfigDN CN=Configuration,DC=concorp,DC=contoso,DC=com
2. Configure CorporateRootCA Distribution Points for CRL and AIA (Look in the Source Document)
3. Finalize the CA Configuration
Source: Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
