Build and Deploy the Root Certificate Authority
You can use a Windows Server 2008 public key infrastructure to provide a wide range of strong, scalable, cryptography-based solutions for network and information security. When you choose the level of security for your organization, consider both the value of the information that you want to protect and the costs involved with implementing a strong security system.
In the reference architecture for the Microsoft Solution for Hosted Messaging and Collaboration version 4.5, you create a simple public key infrastructure (PKI) deployment with a single Enterprise Root Certificate Authority on a domain member server.
In a full production environment, we recommend that you deploy a rooted trust model with an offline Root Certificate Authority. In a rooted trust model, the root certificate authority (CA) is the trust anchor and has a self-signed certificate. If needed, the root CA issues a certificate to all direct subordinate CAs, which in turn issue certificates to their subordinate CAs. A subordinate CA is trusted cryptographically, based on the signature of its parent.
Tasks
Install Prerequisites for the Root Certificate Authority Server
Modify Windows Firewall Settings for the Root Certificate Authority Server
Install IIS on the Root Certificate Authority Server
Install Windows Server 2008 Certificate Services
Install Prerequisites for the Root Certificate Authority Server
Procedure W08-DWCM.7: To install prerequisites for the root certificate authority server (PKIROOT)
Install Windows Server 2008 Enterprise Edition on PKIROOT.
Install the Windows Server 2008 Support Tools.
Enable Remote Desktop.
Join the Fabrikam domain.
Modify Windows Firewall Settings for the Root Certificate Authority Server
Procedure W08-DWCM.8: To modify Windows firewall settings for the root certificate authority server
Log on to PKIROOT as Fabrikam\Administrator and open the Server Manager console.
Configure the properties of Windows Firewall with Advanced Security by setting the firewall state to Off.
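The same firewall change performed from an elevated PowerShell prompt with netsh, followed by a check of the result. This is an added example, not part of the original guide; it assumes Windows Server 2008 (where the Set-NetFirewallProfile cmdlets do not exist, so netsh is used throughout) and the rule names are chosen here for illustration.

```powershell
# Added example (not from the original guide): inspect and change the Windows Firewall
# state on PKIROOT with netsh, which is present on Windows Server 2008.

# Record the current state of all three profiles before changing anything.
netsh advfirewall show allprofiles state

# The reference architecture's step: turn the firewall off for every profile.
netsh advfirewall set allprofiles state off

# Production alternative (assumption: the firewall stays on and only the ports the
# Certification Authority Web Enrollment site needs are opened). Rule names are
# arbitrary; they are kept free of spaces so PowerShell passes them to netsh unchanged.
netsh advfirewall firewall add rule name=ADCS-WebEnrollment-HTTP  dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name=ADCS-WebEnrollment-HTTPS dir=in action=allow protocol=TCP localport=443

# Verify the profile state and the inbound rules that are now enabled.
netsh advfirewall show allprofiles state
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern "Rule Name|Enabled|LocalPort"
```

Enrollment through the Certificates MMC snap-in uses RPC/DCOM (TCP 135 plus dynamic ports) rather than HTTP, so if you keep the firewall on you also need rules for that traffic; the HTTP/HTTPS rules above cover only the Web Enrollment pages.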
Install IIS on the Root Certificate Authority Server
Install Internet Information Services (IIS) on PKIROOT.
Procedure W08-DWCM.9: To install IIS on the root certificate authority server
Log on to PKIROOT as Fabrikam\Administrator and open the Server Manager console.
Add the Web Server (IIS) role. Add the features required for Web Server (Windows Process Activation Service) when prompted.
Accept the default web server role services.
Confirm your selections and start the installation.
Install Windows Server 2008 Certificate Services
Install the Microsoft Certificate Authority on the PKIROOT server.
Install Certificate Services
Install Active Directory Certificate Services on the PKIROOT server.
Procedure W08-DWCM.10: To install certificate services
Log on to PKIROOT as Fabrikam\Administrator and open the Server Manager console.
Add the Active Directory Certificate Services role.
Select the following role services:
Certification Authority
Certification Authority Web Enrollment
Add the role services required for Certification Authority Web Enrollment when prompted.
Follow the on-screen instructions and specify the following settings:
Setup Type: Enterprise
CA Type: Root CA
Private Key: Create a new private key
Common Name for this CA: Fabrikam-PKIROOT-CA
Distinguished name suffix for the CA: DC=fabrikam, DC=COM
Confirm your selections and start the installation.
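A CAPolicy.inf placed in %SystemRoot% before the role is added lets you fix the root CA's key length, renewal validity and CRL schedule instead of accepting the wizard defaults, and certutil lets you confirm the result after the wizard finishes. This is an added example, not part of the original guide; the policy values (10-year renewal, 26-week CRL, no delta CRL, no default templates auto-published) are assumptions chosen for a root CA and should be adjusted to your own policy.

```powershell
# Added example (not from the original guide): write CAPolicy.inf before running
# Procedure W08-DWCM.10, then verify the installed CA with certutil.

# CAPolicy.inf is read from %SystemRoot% while the AD CS role is being installed,
# so it has to exist before you start the wizard. Single-quoted here-string: no
# variable expansion, so the $Windows NT$ signature is written literally.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
'@
Set-Content -Path (Join-Path $env:SystemRoot "CAPolicy.inf") -Value $caPolicy -Encoding ASCII

# --- run the Add Roles wizard (Procedure W08-DWCM.10) here, then continue ---

# Confirm the CA service answers and report the CA name and type the wizard created.
certutil -ping
certutil -cainfo name
certutil -cainfo type

# Export the CA certificate and dump it: for a root CA the Issuer must equal the Subject.
$rootCer = Join-Path $env:TEMP "Fabrikam-PKIROOT-CA.cer"
certutil -ca.cert $rootCer
certutil -dump $rootCer

# Confirm the CRL settings requested in CAPolicy.inf are what the CA registered.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
```

LoadDefaultTemplates=0 only matters for an Enterprise CA, which is what this procedure builds: it stops the CA from publishing the default certificate templates at install time, so nothing can be enrolled until you deliberately add the templates you need. CRLDeltaPeriodUnits=0 disables delta CRLs, which an offline or rarely used root does not need.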
Request a Certificate for the Default Web Site
Before remote users or computers can request certificates via the Certificate Authority Web site, an internal SSL certificate must be requested and assigned to the CA Web site.
Procedure W08-DWCM.11: To request a certificate for the default Web site
On PKIROOT, open Internet Information Services (IIS) Manager and expand PKIROOT.
Create a domain certificate with the following information:
Common name: pkiroot.fabrikam.com
Organization: fabrikam
Organizational Unit: Hosting
Online Certificate Authority: fabrikam-PKIROOT-CA
Friendly name: pkiroot.fabrikam.com
Bind the Certificate to the Default Web site
Procedure W08-DWCM.12: To bind the certificate to the default Web site
On PKIROOT, open Internet Information Services (IIS) Manager.
In the left-hand pane, expand PKIROOT, expand Sites, and then select Default Web Site.
Add a site binding with the following information:
Type: https
SSL certificate: pkiroot.fabrikam.com
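Procedures W08-DWCM.11 and W08-DWCM.12 carried out from the command line: certreq builds the request with the same subject fields, submits it to the online CA and installs the issued certificate, and appcmd plus netsh create the https binding and attach the certificate to it. This is an added example, not part of the original guide; the WebServer template name, the CA configuration string pkiroot.fabrikam.com\Fabrikam-PKIROOT-CA, the working directory and the application ID GUID are assumptions.

```powershell
# Added example (not from the original guide): request, install and bind the
# pkiroot.fabrikam.com certificate without the IIS Manager or Web Enrollment UI.

$workDir = Join-Path $env:TEMP "pkiroot-webcert"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Request parameters: machine key, non-exportable private key, Server Authentication EKU.
# Subject, organization, OU and friendly name match Procedure W08-DWCM.11.
$requestInf = @'
[NewRequest]
Subject = "CN=pkiroot.fabrikam.com, O=fabrikam, OU=Hosting"
FriendlyName = "pkiroot.fabrikam.com"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
'@
Set-Content -Path "$workDir\request.inf" -Value $requestInf -Encoding ASCII

# Create the request, submit it to the online enterprise CA (assumed config string),
# and install the issued certificate into the machine's Personal store.
$caConfig = "pkiroot.fabrikam.com\Fabrikam-PKIROOT-CA"
certreq -new "$workDir\request.inf" "$workDir\request.req"
certreq -submit -config $caConfig "$workDir\request.req" "$workDir\pkiroot.cer"
certreq -accept "$workDir\pkiroot.cer"

# Pick the newest certificate for this name and read its thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=pkiroot.fabrikam.com*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
$thumbprint = $cert.Thumbprint

# Procedure W08-DWCM.12: add the https binding on port 443, then attach the certificate.
# The appid GUID is an assumption: any GUID is accepted; this one is the ID IIS uses itself.
$appcmd = Join-Path $env:SystemRoot "System32\inetsrv\appcmd.exe"
& $appcmd set site /site.name:"Default Web Site" "/+bindings.[protocol='https',bindingInformation='*:443:']"
netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumbprint appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}"

# Verify: the site lists an https binding and port 443 is served with the new certificate.
& $appcmd list site "Default Web Site"
netsh http show sslcert ipport=0.0.0.0:443
certutil -store my pkiroot.fabrikam.com
```

certreq -submit returns immediately with the issued certificate only if the account you run as has Enroll permission on the WebServer template; by default that is granted to Domain Admins and Enterprise Admins, which covers Fabrikam\Administrator. If the CA instead reports the request as pending, approve it in the Certification Authority console and then run certreq -retrieve with the request ID before the -accept step.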