Once the CAPolicy.inf file is installed, you can install Certificate Services on the root CA computer. The installation must be performed by a member of the local Administrators group on the CA computer, and the computer must not be a member of a domain. Keeping the computer out of a domain allows it to be removed from the network for long periods of time.

The following assumptions are made about the root CA computer:

■ The naming of the computer uses the naming scheme defined in Figure 6-1.

■ The computer has two mirrored partitions—drive C for the operating system and drive D for the CA database and log files.

Note: IIS is not required for the installation of an offline root CA. The only certificate requests submitted to the root CA are for subordinate CA certificates, and these can be submitted by using the Certification Authority console.

You can use the following procedure to install the root CA:

1. Ensure that the date and time on the root CA computer are correct.

2. From the Start menu, click Control Panel and click Add or Remove Programs.

3. In the Add or Remove Programs window, click Add/Remove Windows Components.

4. In the Windows Components Wizard, in the Windows Components list, click the Certificate Services check box.

5. In the Microsoft Certificate Services dialog box, click Yes.

6. On the Windows Components page, click Next.

7. On the CA Type page, click Standalone Root CA, enable the Use Custom Settings To Generate the Key Pair and CA Certificate check box, and click Next.

8. On the Public and Private Key Pair page, set the following options:

■ CSP: Microsoft Strong Cryptographic Service Provider

■ Allow the CSP to interact with the desktop: Disabled

9. On the Public and Private Key Pair page, click Next.

10. On the CA Identifying Information page, enter the following information:

■ Common Name for this CA: Fabrikam Corporate Root CA

■ Distinguished name suffix: O=Fabrikam Inc.,C=US

■ Validity Period: 20 Years

11. On the CA Identifying Information page, click Next.

12. On the Certificate Database Settings page, provide the following settings and click Next:

■ Certificate database: D:\CertDB

■ Certificate database log: D:\CertLog

■ CA configuration: D:\CAConfig

13. In the Microsoft Certificate Services dialog box, click Yes to create the necessary folders.

14. If prompted, insert the Windows Server 2003, Standard Edition, CD in the CD-ROM drive and choose the \i386 folder.

15. In the Microsoft Certificate Services dialog box, click OK to acknowledge that IIS is not installed.

16. On the Completing the Windows Components Wizard page, click Finish.

17. Close the Add or Remove Programs dialog box.
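After the wizard finishes, the settings it wrote can be checked from a command prompt on the root CA. The following batch script is an added example, not part of the original procedure; it assumes it is run by a local administrator, that `certutil` and `wmic` are available on the computer, and that `certutil -getreg` prints each value on a line containing the stored text.

```batch
@echo off
rem Added example (not from the original text): post-install check of the root CA.
rem Expected values are the ones entered in the wizard steps above.
setlocal
set FAIL=0

rem The root CA must not be a member of a domain.
wmic computersystem get PartOfDomain | find /i "FALSE" >nul
if errorlevel 1 (
    echo [FAIL] computer is a member of a domain
    set FAIL=1
) else (
    echo [ OK ] computer is not a member of a domain
)

rem Registry values written by the wizard (steps 8, 10 and 12).
rem The provider is matched on a substring so the exact suffix does not matter.
call :check CA\CSP\Provider "Microsoft Strong Cryptographic"
call :check CA\CommonName   "Fabrikam Corporate Root CA"
call :check DBDirectory     "D:\CertDB"
call :check DBLogDirectory  "D:\CertLog"

rem Export the root certificate and show subject and validity dates for review.
certutil -f -ca.cert "%TEMP%\rootca.cer" >nul
certutil -dump "%TEMP%\rootca.cer" | findstr /i /c:"CN=" /c:"NotBefore" /c:"NotAfter"

if "%FAIL%"=="1" (echo One or more checks failed. & exit /b 1)
echo All registry checks passed.
exit /b 0

:check
rem %1 = certutil -getreg value name, %2 = quoted text expected in the output
certutil -getreg %1 | find /i %2 >nul
if errorlevel 1 (
    echo [FAIL] %1 does not contain %~2
    set FAIL=1
) else (
    echo [ OK ] %1 contains %~2
)
goto :eof
```

The NotBefore and NotAfter lines printed by the dump should be 20 years apart, matching the validity period entered in step 10.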

