Share via


Checklist: Creating a certification hierarchy with an offline root certification authority

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Checklist: Creating a certification hierarchy with an offline root certification authority

This checklist is provided for the cases where the root certification authority (CA) is not connected to your organization's network. You might choose to have an isolated, offline root CA for security reasons in order to protect it from possible attacks by intruders by way of the network.

Administrators of public key infrastructures (PKIs) must provide certificate verifiers with online certificate revocation checking. This checklist helps them to set up functional certificate revocation checking for certificates issued by an offline root CA.

  Step Reference
 

Review concepts

 
 

Review public key infrastructure concepts.

Deploying a Public Key Infrastructure

 

Review certificates concepts.

Certificates Concepts

 

Review concepts about certification authorities.

Certificate Services Concepts

 

Set up the offline root certification authority

 
 

Plan the certification hierarchy.

Certification authority hierarchies

 

Set up a server that runs Windows that you will use for the root certification authority. The server should not be a member of any domain, should be disconnected from the network, and should be physically secure. The server should also have Internet Information Services (IIS) installed as part of the setup process, although this is not required.

Checklist: Performing a new installation

 

Plan the renewal strategy you are going to use for the root certification authority

Renewing a certification authority

 

Log on to the server as the administrator and install Certificate Services to create a stand-alone root certification authority.

Install a stand-alone root certification authority

 

Prepare the offline root certification authority to issue certificates

 
 

On the new root CA, change the default action upon receipt of a certificate request so that all requested certificates are set to pending. This is to ensure only authorized requests are issued by the top-level CA.

Set the default action upon receipt of a certificate request

 

On the new root CA, change the URL location of the certificate revocation list (CRL) distribution point to a location of your choice that is accessible to all users in you organization's network. It is possible to enter multiple URLs. It is necessary to do this because the offline root CA's default CRL Distribution Points (CDPs) are not accessible to users on the network and, if they are left unchanged, certificate revocation checking will fail.

Specify certificate revocation list distribution points in issued certificates

 

On the new root CA, change the URL location of the authority information access (AIA) distribution points to a location of your choice that is accessible to all users in you organization's network. It is possible to enter multiple URLs. It is necessary to do this because the offline root CA's default AIA points are not accessible to users on the network and, if they are left unchanged, certificate chain verification will fail.

Specify CA certificate access points in issued certificates

 

Schedule the publication of the certificate revocation list. Since publishing the CRL from an offline CA has the administrative overhead of having to physically copy the CRL to a server on the network, you may want to have a lengthy validity period.

Schedule the publication of the certificate revocation list

 

On the root certification authority, publish the certificate revocation list.

Manually publish the certificate revocation list

 

In Windows Explorer on the root CA, locate the certificate revocation list you just published. The CRL's default location is:

\systemroot\system32\CertSrv\CertEnroll\CAname.crl

Right-click the CRL file and send it to a drive that has portable storage media.

 
 

Retrieve the certification authority's certificate and save it to a drive that has portable storage media.

Retrieve a certification authority certificate

 

Copy the certificate revocation list file and the CA certificate to every URL location that you specified as a CRL distribution point in the root CA's policy settings.

 
 

Copy the CA certificate file to every URL location that you specified as an authority information access distribution point in the root CA's policy settings.

 
 

If you are deploying your PKI in an Active Directory directory service environment

 
 

Publish the root certificate to the enterprise root store and add the certificate to the customary Authority Information Access (AIA) points in the directory. You need to use certutil.exe. You can also use this command to put the CA certificate from a third party root CA into Active Directory.

At a command prompt, type: certutil-dspublish-f.Crt File NameRootCA

 

Publish the CRL to the customary location in Active Directory. To do this, use certutil.exe. You can also use this command to put the CRL from a third-party root CA into Active Directory.

From the command line, type: certutil-dspublish-f.Crl File Name

 

To create a online certification authority that is subordinate to an offline root certification authority

 
 

Set up a server running Windows to use for the subordinate certification authority

Checklist: Performing a new installation

 

Install subordinate certification authorities, as required by your planned certification hierarchy. These can be stand-alone certification authorities or, if you are using Active Directory, enterprise certification authorities. During setup for each subordinate CA, choose to save the CA certificate request to a file, which will be a PKCS #10 request.

Install a stand-alone subordinate certification authority;Install an enterprise subordinate certification authority

 

Copy the CA certificate request file from the subordinate certification authority to some portable storage media. Take the CA certificate request to the root certification authority.

 
 

Using the Certificates Microsoft Management Console (MMC) on the offline CA, submit the certificate request (requestfilename) to the CA and copy the new certificate (newcertname) to the portable storage media.

Manage certificates for a computer

 

Take the portable storage media back to the subordinate certification authority. In Windows Explorer, locate the certificate and certification path files you just copied, then right-click each file and choose Install Certificate. Have the Certificate Import Wizard automatically place the certificates in stores based on the type of certificate.

Import a certificate