Installation and Configuration

Once you've made the decisions necessary to set up a new CA, you're ready to install the software and configure it to meet your needs.

Installing Certificate Services

You install Certificate Services using the Windows Components Wizard. You can install the CA, the Web enrollment component, or both from the wizard. To complete the installation, follow these steps:

  1. Launch the Windows Components Wizard by opening Add/Remove Programs in Control Panel and clicking Add/Remove Windows Components.
  2. When the wizard opens, select Certificate Services from the component list. The installer warns you that once the CA software is installed, you can't change the name of the server or move it into or out of an Active Directory domain. If you want this server to be an enterprise CA, make sure it is already joined to the domain before you continue (it does not need to be a domain controller, so dcpromo is only required if you want it to be one) and that you're logged on with an account that has Enterprise Admins rights, because the installer must write the CA's configuration to Active Directory.
  3. If you want to install only one of the components (for example, if you want to set up a CA with no Web-enrollment capacity), click Details and clear any component you don't want installed.
  4. The Certification Authority Type Selection screen appears (Figure 20-1). Select the option that corresponds to the CA type you want: Enterprise Root, Enterprise Subordinate, Stand-Alone Root, or Stand-Alone Subordinate. If you want to change the CSP list for this CA, make sure to select the Advanced Options check box. (See the section entitled CAs Linked into a Hierarchy, later in this chapter, for more details.)

    Figure 20-1. The Certification Authority Type selection screen of the Windows Components Wizard.

  5. If you selected the Advanced Options check box, you'll see the Public And Private Key Pair Selection screen shown in Figure 20-2. Use this screen to select the CSP you want your CA to use (bearing in mind that some CSPs might not be supported for generating certificates from some templates). The Microsoft Base Cryptographic Provider 1.0 CSP is the default choice; other CSPs will be available, depending on the software you have installed and whether you have any smart cards or special-purpose cryptographic tokens available.

    Figure 20-2. The Public And Private Key Pair Selection screen of the Windows Components Wizard.

  6. In the Public And Private Key Pair Selection screen, choose among its various options to configure Certificate Services the way you want it and click Next.
    • The Hash Algorithms box allows you to choose the hash algorithm used for the CA's signatures. Don't use MD4, and don't use MD5 either: collisions for both are practical, not merely theoretical, and a collision in the signature hash lets an attacker craft a certificate the CA never saw but whose signature verifies. Leave the default of SHA-1 alone; it is the strongest option this version offers. (SHA-1 has itself since been deprecated for certificate signatures, so a hierarchy that must remain trusted for many years is better served by a CA that can sign with SHA-2.)
    • The Key Length drop-down list lets you select a key length if you're generating a key pair. You can leave the default value of 1024 bits, or you can go all the way up to 4096 bits. Some older non-Microsoft PKI components can't handle sizes above 1024 bits, so test against the relying parties you must support. Bear in mind, though, that the CA key signs everything the hierarchy issues and is the hardest key to replace, and that 1024-bit RSA is no longer considered adequate; 2048 bits or more is the safer choice unless an interoperability test shows a real problem.
    • The Use Existing Keys check box allows you to recycle an existing key pair, provided that it was generated with algorithms compatible with your selected CSP. As you choose different CSPs, you'll see that this check box (and the contents of the list below it) changes to reflect whether any keys exist that you could potentially use.
    • The Import button lets you import certificates from a PFX/PKCS #12 file, and the View Certificate button shows you the properties for the selected certificate.
    • The Use The Associated Certificate check box lets you use an existing certificate if the key pair you've selected has one associated with it and if it's compatible with your chosen CSP.
  7. The CA Identifying Information screen appears, shown in Figure 20-3. Enter identifying information for this particular CA, including a unique name for it and the organization, organizational unit, locality, state/province, and country where the CA is located. You can also enter an e-mail address for the CA and a comment. By default, newly generated CA certificates are valid for two years; you can adjust that period with the Valid For controls. Click Next.

    If you enter an organization name that includes special characters (like &, *, [ ], and so on), the CA has to encode that name as a Unicode string type (UTF8String or BMPString) rather than the PrintableString that X.509 implementations most widely accept. Some applications can't decode such a name and will fail to verify your CA certificate, so the installer warns you and gives you a chance to remove the special characters before proceeding.

    Figure 20-3. The CA Identifying Information screen of the Windows Components Wizard.

  8. In the Data Storage Location screen (Figure 20-4), specify where the CA's certificate database and its transaction log files will be stored. The database is the CA's record of every certificate it issues, every pending or failed request, and every revocation; lose it and you lose the ability to revoke or audit what the CA has signed. It is not where the CA's own certificate and CRLs are published; those go to the CertEnroll folder under the system directory, to Active Directory for an enterprise CA, and to a shared folder if you configure one in the next step. Make sure you specify a location that is regularly backed up!

    Figure 20-4. The Data Storage Location screen of the Windows Components Wizard.

  9. In the Data Storage Location screen, also consider these options:
    • If you're going to be interoperating with clients that aren't using Active Directory, or if you're not using it yourself, you can have the CA publish its own certificate and configuration information to a shared folder so that those clients can locate and trust it. Select the Store Configuration Information In A Shared Folder check box, and then supply the name of an existing folder.
    • If you're reinstalling Certificate Services on a machine that has already been acting as a CA, select Preserve Existing Certificate Database so that the installer keeps the existing database instead of overwriting it. The CA's record of previously issued certificates then survives the reinstallation, so you can still revoke and audit them afterward.
  10. If you're installing a subordinate CA, you'll have to request a certificate for this subordinate CA from whatever root CA you're using. The section entitled CAs Linked into a Hierarchy later in the chapter details how this process works and covers the specifics; if you're installing a subordinate CA now, jump ahead and see what you need to do before proceeding with the wizard. Click Next.
  11. If you're running the IIS WWW service, the installer tells you that it must stop the service to complete the installation.
  12. When the wizard finishes the installation, you'll be prompted to restart your server. After rebooting, notice that the CA service starts automatically.

Installing the Certification Authority Snap-in

You might have already installed the Certificates snap-in, as described in Chapter 19. Before you can manage any CAs, however, you'll need the Certification Authority snap-in. You can add it to an MMC console by following these steps:

  1. Open MMC with whatever console you want the CA to be managed from.
  2. Choose Add/Remove Snap-In from the Console menu to open the Add/Remove Snap-In dialog box. Click Add.
  3. The Add Stand-Alone Snap-In dialog box appears. Choose the Certification Authority item in the list of snap-ins and then click Add.
  4. The Certification Authority dialog box shown in Figure 20-5 appears. Use the controls in the This Snap-In Will Always Manage group to determine which CA this snap-in targets: the local computer or a named remote CA. Targeting a particular CA scopes what the console shows; it doesn't grant or restrict rights, which are governed by the CA's own security settings, so don't rely on it as a control. The Allow The Selected Computer To Be Changed When Launching From The Command Line check box gives you added flexibility by letting you retarget the snap-in when the console is started.

    Figure 20-5. The Certification Authority dialog box.

  5. Click Finish to close the Certification Authority dialog box. Click Close to close the Add Stand-Alone Snap-In dialog box, and then click OK to close the Add/Remove Snap-In dialog box.


Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003