Install Offline Root CAs

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In addition to the configuration options that you selected for your offline root CA, configure the following options when installing your offline root CA:

  • Select Certificate Services Web Enrollment Support. If you host the Web Enrollment service for an offline root CA on a separate system, you must run both systems whenever a subordinate CA is enrolled or renewed, which requires you to enable network connectivity between the two systems at that time.

  • In the Public and Private Key Pair dialog box, leave the default CSP selection (Microsoft Strong Cryptographic Provider) and default Hash selection (SHA-1). Increase the Key length to meet your needs — for most root CAs, use the largest interoperable key length (4,096 bits).

    Note

    • For the purposes of Microsoft CAs, the Strong and Enhanced CSPs are considered equivalent. Both provide support for large key lengths (1024-bit keys or greater). Also, it is recommended that you use a hardware cryptographic service provider (CSP) or Hardware Security Module (HSM) to enhance the security of the signing keys of the certification authority.
  • If you are installing a stand-alone CA as the root CA, the CA identification data must be entered manually. If you plan to publish the root CA certificate and CRL in your Active Directory environment, you have to enter the namespace of your Active Directory forest as the distinguished name suffix. In the CA Identifying Information dialog box, enter a customized distinguished name if you plan to publish your offline CA to a directory other than Active Directory. Use a customized distinguished name if you plan to use the offline CA as a trust anchor outside the enterprise.

    Note

    • The Common name for this CA field must be filled in, but the Distinguished name suffix field is optional. Your common name and distinguished name for the CA must reflect the organization and purpose of the CA so that administrators and users can easily identify it. The name of the CA must be unique within the organization, and possibly outside the organization as well. This information is filled in automatically if your CA is joined to an Active Directory–based domain.
  • When you are asked to enter the Data Storage Locations, format the paths as local paths (such as C:\WINDOWS\System32\CertLog).

    Note

    • Although it is generally good practice to place the Certificate Database and Certificate Database log directories on a separate volume from the system partition, you do not need to do this for a root CA. The only data that is generated and must be stored concerns the certificates that correspond to a few subordinate CAs.
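As an added check that is not part of the original page, the following PowerShell script reads the installed CA's configuration and reports whether the choices described above were recorded: the CSP in use, the root key length, the signature hash of the root certificate, the CA name, and whether the database and log locations are local paths. It assumes PowerShell is installed on the CA host and that the script runs with administrative rights; the registry layout under CertSvc\Configuration and the Cert: drive are standard Windows features, and only the expected values (4096-bit key, local paths) come from the recommendations above.

```powershell
# Added example, not part of the TechNet page. Run elevated on the offline root CA after
# Certificate Services has been installed. Assumes PowerShell is available on the host.

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey).Active      # name of the active CA instance
$ca        = Get-ItemProperty -Path (Join-Path $configKey $caName)
$csp       = Get-ItemProperty -Path (Join-Path $configKey "$caName\CSP")

$findings = @()

# Key pair: the wizard default is the Microsoft Strong Cryptographic Provider; a hardware
# CSP/HSM is the recommended alternative, so the provider is only reported, not failed.
"CSP in use: $($csp.Provider)"

# CACertHash lists the thumbprint of every CA certificate; the last entry is the current one.
$thumbprint = (@($ca.CACertHash))[-1] -replace ' ', ''
$caCert     = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"

$keyBits = $caCert.PublicKey.Key.KeySize
if ($keyBits -lt 4096) {
    $findings += "Root key is $keyBits bits; 4096 bits is recommended for most root CAs."
}
"Signature algorithm of the root certificate: $($caCert.SignatureAlgorithm.FriendlyName)"

# CA identifying information: the subject must begin with the common name entered in the wizard.
if (-not $caCert.Subject.StartsWith('CN=' + $ca.CommonName)) {
    $findings += "Certificate subject '$($caCert.Subject)' does not begin with CN=$($ca.CommonName)."
}
"Root CA subject: $($caCert.Subject)"

# Data storage locations must be local paths (for example C:\WINDOWS\System32\CertLog), not UNC paths.
foreach ($path in @($ca.DBDirectory, $ca.DBLogDirectory)) {
    if ($path -notmatch '^[A-Za-z]:\\') {
        $findings += "Database location '$path' is not a local drive path."
    }
}

if ($findings.Count -eq 0) {
    'Root CA configuration matches the recommended installation options.'
} else {
    'Deviations from the recommended options:'
    $findings | ForEach-Object { " - $_" }
}
```

Run the script once after installation and again after each renewal of the root certificate, since a renewal adds a new thumbprint to CACertHash and may change the key length if a new key pair was generated. Keep the output with the CA's offline records so that the key length and provider can be verified without bringing the system online.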