Getting a Certificate Authority (CA) up and running in Windows 2000 is by no means a difficult task. Nonetheless, it will go a lot smoother if you put some forethought into the installation. The key is to use Certificate Services, which will help you better manage your Certificate Authority in a Windows 2000 environment. In this Daily Drill Down, I will walk you through the setup of a CA using Certificate Services.
For the purposes of this Daily Drill Down, I’m going to assume that you know what the basic CA types and roles are. If you’re not familiar with some of the basic Certificate Services terms, see the Daily Drill Down “Learn the concepts behind Certificate Services for Windows 2000.”
Certificate Services system requirements
To install Certificate Services, you will need to be running Windows 2000 in an Active Directory domain. Of course, running Active Directory requires that you have TCP/IP and DNS configured and running properly on your network as well. In order to install and configure Certificate Services, you must log on to your server with a user ID that is a member of the Enterprise administrator privileges on the DNS server, the Domain Controllers, and the server on which you are installing Certificate Services.
Installing the Enterprise Root Certificate Authority
Now you are ready to install and configure your first CA, an Enterprise Root CA. The Enterprise Root CA sits at the top (root) of the enterprise certificate chain. The Enterprise Root CA issues certificates to the Enterprise Subordinate CAs, which in turn issue certificates to users and other computers. Due to its position at the root of the certificate hierarchy, all certificates within the organization can ultimately be traced back to the Enterprise Root CA. Enterprise Root CAs sign their own certificates, thereby asserting their place at the root of the chain.
To install an Enterprise Root CA, use an account that has Domain Admin rights to log on to the server you want to turn into a CA. Click Start | Settings | Control Panel | Add/Remove Programs. When the Add/Remove Programs window appears, click the Add/Remove Windows Components Tab. When the Windows Add Or Remove Windows Components screen appears, click Components. Doing so will start the Windows Components Wizard, as shown in Figure A. Select the Certificate Services check box.
|Select Certificate Services from the Windows Component Wizard.|
The wizard will display an error that warns you that you can’t change the computer’s name or have its domain membership status changed after installing Certificate Services. Click Yes to acknowledge the warning and then click Next to proceed.
Because you’re starting by configuring an Enterprise Root CA, click the Enterprise Root CA radio button on the Certification Authority Type page. If you want to configure advanced options for your CA, you can do so by selecting the Advanced Options check box. Advanced options you can choose from include:
- Cryptographic service provider (CSP): The default CSP is the Microsoft Base Cryptographic Provider, although Certificate Services does support third-party CSPs.
- Hash algorithm: The default is SHA-1 but can be changed to any of the available options.
- Existing keys: Selecting this option allows you to use an existing public key and private key pair instead of generating new ones. This is helpful if you are relocating or restoring a previously installed certification authority (CA).
- Key length: The default key length using the Microsoft Base Cryptographic Provider is 512 bits, but you can change this value as your needs dictate. In general, the longer the key length, the more secure the key is. Microsoft recommends that you make the key length for Root CAs 2048 bits (which I did not do in this walkthrough). The option to configure the key length is unavailable if you are using an existing key set.
When you’ve chosen the proper Certification Authority type and any advanced options you want to select, click Next to continue.
On the CA Identifying Information page, shown in Figure B, you should supply as much information as possible. Be careful to ensure that all of the information is correct. After you set up the CA, you can’t change any of the information you enter on this page. The default value for the Valid For field is two years, however, you can change to whatever you want. The Valid For field specifies how long issued certificates will be valid. When you’ve configured all of the information as needed, click Next to continue.
|Be careful entering this information, because you can’t change it later.|
On the Data Storage Location page, specify the locations of the certificate database, the certificate database log, and the shared folder. In most cases, you will most likely just leave the default entries alone. A possible reason to change them is if you want to locate the files on a faster hard drive on your server other than the default. Click Next to continue.
The Windows Component Wizard will check to see if the WWW Publishing Service is running. If so, the wizard will prompt for permission to stop the service. Click OK to allow the wizard to stop the service.
The files will copy to your server. You may be prompted to supply the path to the Certificate Services files. The Wizard will do this if it can’t find the installation files on your server. Put the Windows 2000 Server CD-ROM in your server, enter the path to the CD-ROM in the Open box, and click OK. When you see the Windows Component Wizard summary page, you're finished. You may have to restart your server to activate Certificate Services.
Installing an Enterprise Subordinate Certificate Authority
After you’ve created the Enterprise Root CA, you might also want to create an Enterprise Subordinate CA. Enterprise Subordinate CAs typically field requests from network clients (users and computers) and fulfill these requests based on the configuration chosen during CA setup. Enterprise Subordinate CAs can also issue certificates to other Enterprise Subordinate CAs should the need arise.
To install an Enterprise Subordinate CA, you follow the same basic procedure that you did when installing the Enterprise Root CA. However, there are two minor differences. First, on the Certification Authority Type page, click the radio button for Enterprise Subordinate CA, as shown in Figure C.
|To install an Enterprise Subordinate CA, select the appropriate radio button.|
After you complete the CA Identifying Information page, you will be presented with a new page, the CA Certificate Request page, as shown in Figure D. On this page, you will need to configure the Enterprise Subordinate CA with instructions on how to handle certificate requests. In most cases, you will just want to send the request to either the Parent CA or a specific computer. After specifying the appropriate value, click Next to continue through the rest of the process.
|You must tell Certificate Services what to do with incoming certificate requests.|
Configuring the Certificate Services MMC
You can administer Certificate Services either from your Windows 2000 server or your administration workstation running Windows 2000 Professional. However, to do so, you must create the Certification Authority Console. Like most Windows 2000 administration utilities, the Certification Authority Console is an MMC snap-in. It allows you to:
- Manage multiple CAs.
- Start and stop the CA.
- Back up and restore the CA.
- Set security permissions and delegate administrative control for the CA.
- View or modify certificate revocation list (CRL) distribution points.
- Schedule and publish CRLs.
- View information about certificates that have been issued and revoked.
- View, approve, and deny pending certificate requests.
- Renew the CA’s certificate.
To create the Certification Authority Console, click Start | Run and type MMC in the Run dialog box. When the Console1 window opens, click Console | Add/Remove Snap-in. You’ll then see the Add/Remove Snap-in Window. Click Add.
You’ll then see the Add Standalone Snap-in window appear. Select Certification Authority from the list of snap-ins in the Available Standalone Snap-ins list box, and click Add. The Certification Authority dialog box appears. On this screen, you’ll see two choices: Local Computer or Another Computer. If you’re going to run the MMC on the same server that’s running the CA, select Local Computer. If you’re going to use the MMC to manage a CA running on another server, select the Another Computer check box. You must also type the domain name of the server you want to manage in the Another Computer field. Or you can find it on the network by clicking Browse and selecting the server from a list. Click Finish when you’re done.
When the Available Standalone Snap-ins window reappears, click Close. Doing so causes the Add/Remove Snap-in window to reappear. Click Ok to save your choices and close the window. To keep from having to recreate the console every time, you should save it. Click Console | Save As. When the Save As window appears, give the console a meaningful name like Certificate Authority, and click Save.
In the left pane of the Certificate Authority Console, click the plus sign to expand the tree. The first thing you’ll see is the name of the certificate you created when installing Certificate Service. Double-click the certificate to expand the branch again. You’ll then see the following containers:
- Revoked Certificates: This container shows information about all revoked certificates for this CA.
- Issued Certificates: This container shows information about all certificates that have been issued by this CA.
- Pending Requests: This container shows information about all certificates that are pending for this CA.
- Failed Requests: You can use this container to see information about all certificate requests that have failed. The information in the Request Disposition Message column explains why the request failed.
- Policy Settings: You’ll see this container only on Enterprise CAs. This container shows the types of certificates that the enterprise CA can issue.
You can completely control your CA using this MMC. To view a certificate, double-click the certificate. To revoke a certificate, right-click the certificate, and then click All Tasks and click Revoke.
That’s all there is to it
As you can see, the actual process of setting up and configuring your own Certificate Authority is not too difficult, provided you understand some of the background material involved. Going into the setup of a CA without doing your homework is certainly a recipe for disaster—I've tried it, and it does not work! Maintaining an effective certificate program in your domain is something that you will want to pay attention to, ensuring that Certificate Revocation Lists are being published to their distribution points on schedule and that you do not have any bad certificates on your Certificate Trust List.