Build and Deploy the Root Certificate Authority

You can use a Microsoft Windows Server 2003 public key infrastructure to provide a wide range of strong, scalable, cryptography-based solutions for network and information security. When you choose the level of security for your organization, consider both the value of the information that you want to protect and the costs involved with implementing a strong security system.

In the reference architecture for Microsoft Solution for Hosted Messaging and Collaboration version 4.0, you create a simple public key infrastructure (PKI) deployment with a single Enterprise Root Certificate Authority on a domain member server.

In a full production environment, we recommend that you deploy a rooted trust model with an offline Root Certificate Authority. In a rooted trust model, the root certificate authority (CA) is the trust anchor and has a self-signed certificate. If needed, the root CA issues a certificate to all direct subordinate CAs, which in turn issue certificates to their subordinate CAs. A subordinate CA is trusted cryptographically, based on the signature of its parent.

Tasks

  • Prepare the Root CA
  • Join the Fabrikam Domain
  • Install Internet Information Services (IIS)
  • Install Windows Server 2003 Certificate Services

Prepare the Root CA

In this section, you prepare your root CA, PKIRoot.

First, perform a default installation of Windows Server 2003 R2, Enterprise Edition. This requires you to install Windows Server 2003 with SP1 first, and then upgrade to Windows Server 2003 R2.

Procedure DWCM.14: To install Windows Server 2003 R2 on PKIRoot

  1. Perform a default installation of Windows Server 2003, Enterprise Edition (with Service Pack 1 integrated), by using the CD boot method. Install the Support Tools from the Windows Server 2003 CD. Use appropriate naming conventions for your environment.
  2. After Setup for Windows Server 2003 with SP1 is complete, log on to the computer as an administrator. Insert Disc 2 into your CD-ROM drive. Setup for Disc 2 should start automatically. If it does not start automatically, browse to Disc 2 (or the shared folder that contains the Setup files) and, in the \Cmpnents\R2 folder, click Setup2.exe. Follow the instructions on your screen to upgrade to R2.

Prepare this server by enabling Remote Desktop, installing Microsoft .NET Framework 2.0, installing the Windows Server 2003 Support Tools, and installing the latest updates from Microsoft.

Procedure DWCM.15: To prepare PKIRoot

  1. Enable Remote Desktop. Click Start, point to Control Panel, click System, and then, on the Remote tab, select Enable Remote Desktop on this Computer.
  2. Install the Microsoft .NET Framework 2.0.
  3. Install Support Tools from the Support Tools directory on the Windows Server 2003 CD.
  4. Apply any released updates to Windows Server 2003 by using Microsoft Update.

Join the Fabrikam Domain

After you have finished building and preparing PKIRoot, add the server to the Fabrikam domain, and then log on as Administrator@fabrikam.com.

Procedure DWCM.16: To add PKIRoot to the Fabrikam domain and log on as the domain administrator

Note

Joining a new domain will require you to restart the server.

  1. Configure the local network interface to use the IP addresses of AD01 and AD02 as the preferred and alternate DNS servers.
  2. Join the server to the Fabrikam domain.
  3. Log on to the domain as Administrator@fabrikam.com.

Install IIS

Before you install the Microsoft Certification Authority, you must install Internet Information Services (IIS) 6.0. IIS 6.0 runs the certificate server Web site that enables the administrator to issue certificates to intermediate Certificate Authorities. The certificate revocation list (CRL) is also published through this Web site.

Install IIS on the PKIRoot server by using Add or Remove Programs in Control Panel. Install only the following components:

  • Common Files
  • Internet Information Services Manager
  • World Wide Web Service
  • Active Server Pages

Procedure DWCM.17: To install IIS

  1. On the Add or Remove Programs page, click Add/Remove Windows Components.
  2. On the Windows Components Wizard page, select Application Server, click Details, and then click Internet Information Services (IIS).
  3. Click Details, and then verify that only the following components are selected:
    • Common Files
    • Internet Information Services Manager
    • World Wide Web Service
  4. Select World Wide Web Service, and then click Details.
  5. Select Active Server Pages, verify that World Wide Web Service is selected, and then click OK.
  6. Complete the IIS installation.

Install Windows Server 2003 Certificate Services

Install the Microsoft Certificate Authority on the PKIRoot server using the values in the following table.

Table: CA Identifying Information Values

Field                        Value
Common Name for this CA      fabrikamCA
Distinguished name suffix    DC=fabrikam, DC=COM
Validity period              (default value = 5 years)

Procedure DWCM.18: To install Certificate Services

  1. Click Start, point to Control Panel, and then click Add or Remove Programs.

  2. In the Add or Remove Programs dialog box, click Add/Remove Windows Components.

  3. Select the Certificate Services check box, and then, when you receive the warning message, click Yes. Click Next.

  4. On the Certificate Authority Type page, verify that Enterprise root CA is selected, and then click Next.

  5. Enter the information for CA Identifying Information using the values in the preceding table. Click Next.

  6. On the Certificate Database Settings page, click Next to accept the default database and log locations.

  7. Click Yes to stop IIS.

  8. If you are prompted, provide the path to the Windows Server 2003, Standard Edition files.

    Note

    A dialog box may appear indicating that Active Server Pages (ASP) must be enabled. When asked whether you want to enable ASP now, click Yes and close the dialog box.

  9. Click Finish.
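After Procedure DWCM.18 completes, the following batch file checks the installed CA against the values in the preceding table and confirms that a CRL is published to the folder that the IIS certificate server Web site serves. This is an added example and not part of the Microsoft guidance; it assumes the names used above (host PKIRoot, CA name fabrikamCA) and the default Certificate Services CRL location and file name.

```batch
@echo off
rem Post-install check for the Enterprise Root CA built in Procedure DWCM.18.
rem Added example, not Microsoft's own tooling. Assumptions: the CA runs on
rem PKIRoot as fabrikamCA, and CRLs go to the default CertEnroll folder,
rem which the IIS /CertEnroll virtual directory publishes.
setlocal
set CACONFIG=PKIRoot\fabrikamCA
set CERTENROLL=%windir%\system32\CertSrv\CertEnroll
set CACERT=%TEMP%\fabrikamCA.cer
set CADUMP=%TEMP%\fabrikamCA.txt

rem 1. The CA service answers and reports the Common Name from the table.
certutil -config "%CACONFIG%" -ping >nul || (echo FAIL: CA not responding & exit /b 1)
certutil -cainfo name | findstr /i "fabrikamCA" >nul || (echo FAIL: CA name is not fabrikamCA & exit /b 1)

rem 2. Export the CA certificate and check subject, DN suffix and validity dates.
certutil -ca.cert "%CACERT%" >nul || (echo FAIL: could not export the CA certificate & exit /b 1)
certutil -dump "%CACERT%" > "%CADUMP%"
findstr /c:"CN=fabrikamCA" "%CADUMP%" >nul || (echo FAIL: subject CN is not fabrikamCA & exit /b 1)
findstr /c:"DC=fabrikam" "%CADUMP%" >nul  || (echo FAIL: DN suffix DC=fabrikam missing & exit /b 1)
rem NotBefore/NotAfter should be about 5 years apart (the default validity in the table).
findstr /c:"NotBefore" /c:"NotAfter" "%CADUMP%"
rem A root CA is self-signed and must be trusted on its own host; -verify fails otherwise.
certutil -verify "%CACERT%" >nul || (echo FAIL: CA certificate is not trusted on this host & exit /b 1)

rem 3. Publish a CRL and confirm it landed in the folder that IIS serves.
certutil -CRL >nul || (echo FAIL: CRL publication failed & exit /b 1)
if not exist "%CERTENROLL%\fabrikamCA.crl" (echo FAIL: CRL not found in %CERTENROLL% & exit /b 1)
rem Show the configured publication URLs so the HTTP CDP can be compared with the IIS site.
certutil -getreg CA\CRLPublicationURLs

echo PASS: fabrikamCA root CA is installed and publishing CRLs
endlocal
```

Run it from an elevated command prompt on PKIRoot; any FAIL line points at the step of Procedure DWCM.17 or DWCM.18 to revisit.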