Install an enterprise subordinate certification authority
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To install an enterprise subordinate certification authority
Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group.
If any Windows 2000 enterprise certification authorities (CAs) currently exist or have ever existed in your enterprise, open Certificate Templates and when prompted to install new certificate templates, click OK.
Open Add or Remove Programs in Control Panel.
Click Add/Remove Windows Components.
In the Windows Components Wizard, select the Certificate Services check box. A dialog box appears to inform you that the computer cannot be renamed and that the computer cannot be joined to or removed from a domain after Certificate Services is installed. Click Yes, and then click Next.
Click Enterprise subordinate CA.
(Optional) Select the Use custom settings to generate the key pair and CA certificate check box, and then click Next to specify the following.
When you are done, click Next.
To set this Do this
Cryptographic service provider (CSP)
In CSP, click the CSP that you want to use. The default is the Microsoft Strong Cryptographic Provider. Certificate Services does support third party CSPs, but you must refer to the CSP vendor's documentation for information about using their CSP with Certificate Services.
In Hash algorithm, click the hash algorithm you want to use. The default is SHA-1.
Use an existing key
Select the Use existing key check box, click Import, and then, in Open PFX File, type the file name and password of the public and private key pair. This is helpful if you are relocating or restoring a previously installed certification authority (CA). Note that, when using an existing key, a new certificate is generated.
Be sure that you select an existing key that you know to be uncompromised and trustworthy. Using a key that may be compromised or untrusted could cause this CA and all its issued certificates to be insecure.
In Key length, type or select a key length. The default key length using the Microsoft Strong Cryptographic Provider is 2048 bits. Default key lengths for other CSPs vary. In general, the longer the key length, the more secure the key is. Also, longer key lengths require more system resources for operations such as signing, encryption, and chain verification. For a root CA, you should use a key length of at least 2048 bits. This option is not available if you use existing keys.
Allow this CSP to interact with the desktop
Select the Allow this CSP to interact with the desktop check box. Without this option, system services cannot interact with the desktop of the user who is currently logged on.
Click Import. This imports an existing key in the PKCS #12 PFX format.
Click View certificate. This allows you to view the certificate that you select or generate during installation.
- Be sure that you select an existing key that you know to be uncompromised and trustworthy. Using a key that may be compromised or untrusted could cause this CA and all its issued certificates to be insecure.
Type the common name (CN) of the CA and click Next.
Specify the storage locations of the certificate database, the certificate database log, and the shared folder. Click Next.
Obtain the certificate for the subordinate CA. For instructions on how to do this, see Notes.
If Internet Information Services is running, the system will request that you stop the service before proceeding with the installation. Click OK.
If prompted, type the path to the Certificate Services installation files.
Once the certification authority is installed, add certificate templates to the certification authority and configure the certification authority to allow subjects to request a certificate that is based on a template.
For more information, see Related Topics.
The name of the CA and the other initial information cannot be changed after the CA setup is complete.
If Active server Pages are not enabled through Internet Information Services, you will be prompted to activate them. The Web interface for the certification authority requires running Active server Pages.
To obtain the certificate for a subordinate CA, you must submit a certificate request to a parent CA. The procedure for doing so differs depending on whether the parent CA is available online.
If a parent CA is available online:
- If a parent CA is available online:
Click Send the request directly to a CA already on the network.
In Computer Name, type the name of the computer on which the parent CA is installed.
In Parent CA, click the name of the parent CA.
If a parent CA is not available online:
Click Save the request to a file.
In Request file, type the path and file name of the file that will store the request.
Obtain this subordinate CA's certificate from the parent CA.
The procedure for doing this will be unique to the parent CA. At a minimum, the parent CA should provide a file containing the subordinate CA's newly issued certificate and, preferably, its full certification path. For the procedure to submit a certificate request using a file to a Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition CA, see Related Topics.
If you get a subordinate CA certificate that does not include the full certification path, the new subordinate CA you are installing must be able to build a valid CA chain when it starts. Thus you must install the parent CA's certificate in the Intermediate Certification Authorities certificate store of the computer (if the parent CA is not a root CA), as well as the certificates of any other intermediate CA in the chain, and you must install the certificate of the root CA in the chain into the Trusted Root Certification Authorities store. These certificates should be installed in the certificate store before you install the CA certificate on the subordinate CA you have just set up.
Open Certification Authority.
In the console tree, click the name of the CA.
Certification Authority (Computer)/CA name
On the Action menu, point to All Tasks, and then click Install CA Certificate.
Locate the certificate file received from the parent certification authority, click this file, and then click Open.
If the root CA is untrusted, click OK to trust the root CA's certificate.
Once the certificate is installed, start Certificate Services.
To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.
The enterprise subordinate CA selection requires that the host computer be a member of a domain and that it use the Active Directory directory service. The administrator who is installing an enterprise CA must have Write permission to Active Directory.
If you have Write permission to Active Directory, then specifying the shared folder is optional, and is not typically done for enterprise CAs.
To open Certification Authority, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
If you installed the enterprise subordinate certification authority as an Enterprise Admin or delegated user, then you must use the Enterprise Admin or delegated user account when you uninstall the enterprise subordinate certification authority.
To open Add/Remove Windows Components, click Start, click Control Panel, double-click Add or Remove programs, and then click Add/Remove Windows Components.
Information about functional differences
Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.