Share via

Setting Up a Certificate Authority


[This topic covers a procedure for working with the XML digital signatures support implemented in MSXML 5.0 for Microsoft Office Applications. XML digital signatures are not supported in MXSML 6.0 and later.]

To request a digital certificate, you must either create a certificate authority (CA) or have access to one. For testing purposes, you might want to set up a private certificate authority to issue certificates for code signing. The following steps outline the procedure for doing this on a Windows 2000 Server or Windows Server 2003 machine.

To set up a certificate authority (CA)

  1. Select a Windows 2000 Server or Windows Server 2003 machine to host the CA.

  2. From the CA host, open Control Panel.

  3. Double click Add/Remove Programs.

  4. Click Add/RemoveWindows Components.

  5. Check Certificate Services and then click Next.

  6. On the Certification Authority Types page of the wizard, select Stand-alone root CA. Also check the Advanced options box, and then click Next.

  7. On the Public and Private Key Pair page, highlight "Microsoft Enhanced Cryptographic Provider v1.0". You might want to set "1024" as the value in the Key length drop-down box. Click Next.

  8. On the CA Identifying Information page, fill out the blanks as appropriate. Click Next.

  9. On the Data Storage Location page, use the default locations. Click Next.

  10. Click Finish.


CA requires IIS to be running. The Setup creates a "CertSrv" virtual directory under the default Web site under IIS. Requests for certificates should be addressed to this site via the URL, such as: "http://theServer/CertSrv", where "theServer" is the URL of the Web server hosting the CA. After you install Certificate Services, the computer cannot be renamed and cannot join or be removed from a domain. If IIS is running on the server computer when you attempt to install Certificate Services, you will be prompted to stop IIS to complete the installation. If your Windows 2000 Server computer is running under a Service Pack update (such as SP1, SP2, or SP3), you should reapply the service packs after you install Certificate Services. You might also need to reinstall other services, such as IIS or Terminal Services.

After you have set up your CA, or if you choose to access an existing CA, you can request a digital certificate.