Implementing a Public Key Infrastructure (PKI), Windows Server 2003, Part I - Installing Microsoft Certificate Services

(Page 3 of 4 )

In this section I will describe the steps that you should follow to install a root CA by using a computer running Windows Server 2003, Standard Edition. The procedure is similar for implementing the root CA on a computer running Windows Server 2003, Enterprise Edition.

A good practice before installing Microsoft Certificate Services is to write the Certificate Policy (CP) and the Certificate Practice Statement (CPS) that govern the operation of the PKI. The first policy provides rules for issues such as the cryptographic algorithms that will be used, the minimum allowable length of encryption keys, and so forth; the second policy details how the Certification Authority will implement the Certificate Policy (CP) into its procedures. Please note that providing information on how to write these policies is out of the scope of this article.

Also, be prepared to use Windows Server 2003 CD.

1. Log on as Administrator. Click Start, point to Control Panel and click Add/Remove Programs.
 
2. In the Add/Remove Programs window, click the Add/Remove Windows Components button.
 
3. In the Windows Components dialog box, select the Certificate Services component and then click the Details button.

4. In the Certificate Services dialog box, select the Certificate Services CA component. A dialog box appears and informs you that you can not change the machine name or the domain membership of the machine while it acts as a certificate server (so, you need to verify correctness of machine name or change accordingly). Read the information in the dialog box and click Yes.

5. Select Certificate Services Web Enrollment Support in the same dialog box and click OK in the Certificate Services dialog box.

6. Click Next in the Windows Components dialog box.

7. In CA Type window, click Stand-alone root CA, select the Use custom settings to generate the key pair and CA certificate check box, and then click Next.

• It is expected that the enterprise root CA and enterprise subordinate CA options are not available because the computer is not a member of an Active Directory domain.
  
• You cannot change the CA type at a later time; you must uninstall the original CA and then reinstall the CA to change it from either a stand-alone CA to an enterprise CA or an enterprise CA to a stand-alone CA.

8. Do the following:

• In CSP (Cryptographic Service Provider), click Microsoft Strong Cryptographic Provider.
• In Hash algorithm, click the default hash algorithm, SHA-1.
• In Key length, click 4096.
  This value is recommended by Microsoft. According to the type of CA you choose there are other recommendations for the key length. Please note that there is no verification of the key length that you type into the box. So be careful of the value you define.

9. Confirm that both the selections Allow this CSP to interact with the desktop and Use an existing key are cleared, and then click Next.

Next: Finishing up the Installation, Conclusions >>
 

More Windows Security Articles
More By Eliana Stavrou

Comments On: Implementing a PKI, Windows 2003

· Hi to all readers,thank you for stopping by my article. As you can read in the...   >>> Post your comment now!