Setting up a Certification Authority


You need a certification authority (CA) if you want to issue digital certificates. When the certificates are for internal use, we recommend that you create a local CA, negating the need to purchase a commercial certificate.

This procedure is performed on a computer running Windows Server 2003 or Windows 2000 Server. For a stand-alone root CA, this can be any computer. An enterprise root CA must be installed on a server that is a member of a domain.

This procedure also installs the services that will enable computers to obtain the certificates through a Web page. If you prefer a different approach for obtaining the certificates for computers, you do not have to perform the Internet Information Services (IIS) and Active Server Pages installations described in this procedure.

Set up a certification authority

  1. Open the Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components.

  4. Double-click Application Server.

  5. Double-click Internet Information Services (IIS).

  6. Double-click World Wide Web Service.

  7. Select the Active Server Pages check box.

  8. Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.

  9. Select Certificate Services.

  10. Review the warning regarding the computer name and domain membership.

  11. Click Yes in the warning dialog box if you want to continue, and then click Next in the Windows components dialog box.

  12. On the CA Type page, choose one of the following, and then click Next:

    • Enterprise root CA. An enterprise root CA must be installed on a domain member. The enterprise root CA will automatically issue certificates when requested by authorized users (recognized by the domain controller).

    • Stand-alone root CA. A stand-alone root CA requires that the administrator issue each requested certificate.

  13. On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.

  14. On the Certificate Database Settings page, review the default settings.

    You may revise the database locations.

  15. Click Next .

  16. On the Completing the Windows Components Wizard page, review the summary, and then click Finish.
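After the wizard finishes, the result of steps 12 and 13 can be checked from a command prompt on the CA server. The following batch file is an added example, not part of the original procedure; it assumes certutil.exe (installed with Certificate Services) is on the path, and the output file name ca-check.cer is a placeholder chosen here.

```bat
@echo off
rem Added example: post-installation checks for the CA set up above.
rem Run on the CA server as an administrator.
setlocal

rem Placeholder output file for the exported CA certificate.
set CACERT=%TEMP%\ca-check.cer

rem 1. The CA must answer on its request interface.
rem    certutil returns a non-zero exit code if the service is down.
certutil -ping >nul
if errorlevel 1 (
    echo [FAIL] The CA did not respond to certutil -ping.
    exit /b 1
)
echo [ OK ] The CA is responding.

rem 2. Show the CA name and type so they can be compared with the
rem    common name from step 13 and the CA type chosen in step 12.
certutil -CAInfo name
certutil -CAInfo type

rem 3. Export the CA certificate and show its validity dates, to
rem    confirm the validity period selected in step 13.
certutil -f -ca.cert "%CACERT%" >nul
if errorlevel 1 (
    echo [FAIL] Could not export the CA certificate.
    exit /b 1
)
certutil -dump "%CACERT%" | findstr /c:"NotBefore" /c:"NotAfter"

del "%CACERT%"
endlocal
```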

Note: To allow access to the CA Web site, you must publish it. To limit access, you can publish only specific folders to a specific set of users. For more information about Web publishing, see Publishing Web Servers Using ISA Server 2004.