2005-12-01

Condensed Version of Implementing PKI on Win2003

Categories: tech

Setting up a Stand-Alone Root CA

1. Install and patch a Windows Server 2003 and put it in a Workgroup
2. Prepare a CAPolicy.inf file and put it in %SystemRoot%
3. Install Certificate Services from the Install CD according to following

      - Stand-Alone Root CA
      - Use custom settings to generate the key pair and CA certificate 
      - Microsoft Strong Cryptographic Provider
      - Hash Algorithm: SHA-1
      - Key length: 4096
      - Clear Allow this CSP to interact with the desktop and Use an existing key 
      - Create Common Name and Distinguished name suffix
      - Validation Period: 10 years
      - Set Certificate database and Certificate database log
      - Store configuration information in a shared folder and enter a local Path

4. Verify the Root CA Certificate

      - certutil –ca.cert CommonName.cer
      - certutil.exe CommonName.cer

5. Verify the CommonName Configuration Information

      - certutil –cainfo
      - certutil –getreg | find /I Directory

Configuring the Root CA

1. Map the Namespace of Active Directory to an Offline CA's Registry Configuration

      - certutil.exe –setreg caDSConfigDN CN=Configuration,DC=concorp,DC=contoso,DC=com

2. Configure CorporateRootCA Distribution Points for CRL and AIA (Look in the Source Document)
3. Finalize the CA Configuration

Source: Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure