How to Set Up a Certification Authority on a Server Core Installation

Updated: July 21, 2010

Applies To: Windows Server 2008 R2

This guide describes procedures and provides an installation script for installing a certification authority (CA) on the Server Core installation option of Windows Server 2008 R2.

A CA can be installed on Server Core installations of Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, or Windows Server 2008 R2 Datacenter. For more information about Server Core installation options, see Windows Server 2008 R2: Compare Server Core Installation Options. You cannot install a CA on Server Core installations of Windows Server 2008.

You can install a root CA or subordinate CA by using an enterprise or standalone configuration.

If you are migrating an existing CA to a Server Core installation, see the Active Directory Certificate Services Migration Guide.

In this guide

  • Installing and configuring Server Core

  • Adding the CA role service by using SetupCA.vbs

  • Managing a CA on a Server Core installation

Installing and configuring Server Core

Before adding the CA role service, complete the following procedure to install and configure Server Core.

To install and configure Server Core

  1. Install the Server Core installation option of Windows Server 2008 R2 by following the procedures described in Deploying a Server Core installation: Overview.

  2. After installation is complete, log on as an administrator.

  3. Type sconfig.cmd and press ENTER.

  4. Perform the following tasks by completing the procedures described in Configuring a Server Core installation of Windows Server 2008 R2 with Sconfig.cmd:

    1. Change the name of the computer according to your organization's naming convention.

Important

The name of the computer cannot be changed after the CA role service is installed.

2.  Configure network settings as required for your environment.  
      
3.  Join the server to your domain. This step is required if you are setting up an enterprise CA and optional if you are setting up a standalone CA.  
      
4.  Configure Remote Management to enable **MMC Remote Management** or **Server Manager Remote Management**.  
      
5.  Enable **Remote Desktop** (optional).  
      
  1. Type 13 and press ENTER.

Adding the CA role service by using SetupCA.vbs

The script SetupCA.vbs automates the setup of a CA. Several optional parameters can be used to customize the installation to meet your requirements.

To add the CA role service on a computer running the Server Core installation option of Windows Server 2008 R2

  1. Log on as a member of the local Administrators group, the Domain Admins group, or the Enterprise Admins group.

  2. Copy the script Setupca.vbs from AD CS Migration: Appendix A to a directory on the server.

  3. Review the command syntax, examples, and parameters to determine the correct parameters for your installation, type the command, and press ENTER.

    Cscript.exe Setupca.vbs [/IS | /IE | /IF | /IT] [/SN <CA Common Name>] [/DN <CA Distinguished Name Suffix>] [/SP <CSP or KSP>] [/SK <Key Length>] [/SA <Hash Algorithm identifier>] [/SR <Root CA Common Name>] [/OR <File Name>] [/RC | /RK] [/Interactive]

    The following table describes the parameters.

    Parameter Description

    /IE

    Installs an enterprise root CA.

    /IF

    Installs an enterprise subordinate CA.

    /IS

    Installs a standalone root CA.

    /IT

    Installs a standalone subordinate CA.

    /SN <CA Common Name>

    Optional. Specifies the CA common name.

    If not provided, the CA name will be based on the name of the host computer and will include -CA; for example, ComputerName-CA.

    /DN <CA Distinguished Name Suffix>

    Optional. Specifies the distinguished name suffix used in the CA certificate.

    /SP <CSP or KSP>

    Optional. The name of the cryptographic service provider (CSP) or key storage provider (KSP).

    If not provided, the Microsoft Software Key Storage Provider is used.

    /SK <Key Length>

    Optional. Specifies the key length to use when generating the CA's private key.

    If not provided, 2048 is used.

    /SA <Hash Algorithm Identifier>

    Optional. Specifies the hash algorithm.

    If not provided, SHA-1 is used.

    /SR <Root CA Common Name>

    Specifies the name of the issuing CA that the CA certificate request will be submitted to during installation.

    Optional when installing a root CA or when /OR is used.

    Required when installing a subordinate CA.

    /OR <File Name>

    Optional. Use when installing a subordinate CA to create an offline CA certificate request during installation. The offline request is saved to the specified file and must be submitted to an issuing CA after installation.

    See Completing certificate enrollment by using Certreq.exe.

    /RC

    Optional. Use if you are migrating an existing CA and want to reuse its CA certificate.

    See steps 4 through 8 in Adding the CA role service by using SetupCA.vbs.

    /RK

    Optional. Use if you are migrating an existing CA and want to reuse the private key in the new CA certificate.

    See steps 4 through 8 in Adding the CA role service by using SetupCA.vbs, but specify /RK instead of /RC.

    /Interactive

    Optional. Specifies that the CA service can interact with the desktop.

  4. Review the following Setupca.vbs output for setup details and error messages:

    • Command prompt output

    • Output file named _SetupCA.log

    • CA certificate request that is saved in a file named C:\<ServerName_CAName>.req

    If you are installing a subordinate CA, the CA certificate request is submitted to your root CA during setup and is pending until it is issued by a certificate manager.

    If you used the /OR parameter, you must manually submit the CA certificate request to your root CA by using certreq.exe -submit as described in step 6a.

  5. To issue a pending certificate request:

    1. Log on to your root CA by using an account that is a certificate manager.

    2. Start the Certification Authority snap-in.

    3. In the console tree, expand your root CA, and click Pending Certificates.

    4. In the details pane, right-click the pending CA certificate, and click Issue.

  6. To submit a CA certificate request and install the issued certificate on your subordinate CA:

    1. Type certreq -submit -config "<ServerName\CAName>" "<CertificateRequest.req>" "<CertificateResponse.cer>" and press ENTER.

    2. Type certreq -retrieve -config "<ServerName\CAName>" <RequestID> "<CertificateResponse.cer>" and press ENTER.

    3. Type certreq -accept -config "<ServerName\CAName>" "<CertificateResponse.cer>" and press ENTER.

    The following table describes the options available.

    Option Description  

    -config

    The -config option is followed by a string specifying a host name and CA name in the format ServerName\CAName.

    <ServerName>

    The name of the server that hosts the CA.

    <CAName>

    The CA name.

     

    <CertificateRequest.req>

    The path and name of the file containing the certificate request that was created by using either the Certificate Enrollment wizard or the certreq -new command.

    <CertificateResponse.cer>

    The path and name of the file receiving the issued certificate from the CA. If the certificate request is pending, the file contains a message from the CA indicating the status of the request and the request ID. The request ID is used to retrieve the certificate after it is issued by a certificate manager or CA administrator.

    <RequestID>

    Numeric value used to retrieve a certificate from your CA. The RequestID value is included in the response from the CA when the certificate request is held in a pending state.

  7. Type net start certsvc and press ENTER.

  8. To verify CA setup, type certutil -ping and press ENTER.

Managing a CA on a Server Core installation

You can manage a CA on a Server Core installation by using the same applications that are used to manage a CA on a full installation of Windows Server 2008 R2: Server Manager, the Certification Authority snap-in, and Certutil.exe.

Certutil.exe can be used locally on the CA or from a remote computer. Server Manager and the Certification Authority snap-in must be used from a remote computer to manage the computer running the Server Core installation.

Because it is not possible to perform a CA database backup from a remote computer, the only way to back up a CA database and private key on a Server Core installation is by using Certutil.exe.

To back up a CA database and private key by using Certutil.exe

  1. Log on with local administrative credentials to the CA computer.

  2. Open a Command Prompt window.

  3. Type certutil.exe -backupdb <BackupDirectory> and press ENTER.

  4. Type certutil.exe -backupkey <BackupDirectory> and press ENTER.

Note

BackupDirectory specifies the directory in which the backup files are created. The specified value can be a relative or absolute path. If the specified directory does not exist, it is created. The backup files are created in a subdirectory named Database.

  1. Type a password at the prompt, and press ENTER. You must retain a copy of the password to restore the key.

    Security Note
    Use a strong password; for example, at least eight characters with a combination of uppercase and lowercase characters, numbers, and symbols. Ensure only authorized CA administrators have access to the private key file to protect against unauthorized disclosure.

  2. After the backup completes, verify the following files in the location you specified:

    • CAName.p12 containing the CA certificate and private key

    • Database folder containing files certbkxp.dat, edb#####.log, and CAName.edb