Checklist: Creating a certification hierarchy with an offline root certification authority
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Note
A revised version of this information has been placed on the TechNet Wiki in the Offline Root Certification Authority (CA) article (https://social.technet.microsoft.com/wiki/contents/articles/2900.aspx). The Checklist section (https://social.technet.microsoft.com/wiki/contents/articles/2900.aspx#Checklist_Creating_a_certification_hierarchy_with_an_offline_root_certification_authority) is the replacement for the information below.
This checklist covers the case where the root certification authority (CA) is not connected to your organization's network. You might choose an isolated, offline root CA for security reasons: a CA that is never on the network cannot be reached by network-based attacks, so the key that anchors the whole hierarchy is protected.
Administrators of public key infrastructures (PKIs) must provide certificate verifiers with online certificate revocation checking. This checklist helps them to set up functional certificate revocation checking for certificates issued by an offline root CA.
Step | Reference
---|---
**Review concepts** |
Review public key infrastructure concepts. |
Review certificate concepts. |
Review concepts about certification authorities. |
**Set up the offline root certification authority** |
Plan the certification hierarchy. |
Set up a server that runs Windows that you will use for the root certification authority. The server should not be a member of any domain, should be disconnected from the network, and should be physically secure. Installing Internet Information Services (IIS) as part of the setup process is recommended but not required. |
Plan the renewal strategy you are going to use for the root certification authority. |
Log on to the server as the administrator and install Certificate Services to create a stand-alone root certification authority. |
**Prepare the offline root certification authority to issue certificates** |
On the new root CA, change the default action upon receipt of a certificate request so that all requested certificates are set to pending. This ensures that only requests an administrator has authorized are issued by the top-level CA. | Set the default action upon receipt of a certificate request
On the new root CA, change the URL location of the certificate revocation list (CRL) distribution point to a location of your choice that is accessible to all users on your organization's network. It is possible to enter multiple URLs. This is necessary because the offline root CA's default CRL distribution points (CDPs) are not accessible to users on the network; if they are left unchanged, certificate revocation checking will fail. | Specify certificate revocation list distribution points in issued certificates
On the new root CA, change the URL location of the authority information access (AIA) distribution points to a location of your choice that is accessible to all users on your organization's network. It is possible to enter multiple URLs. This is necessary because the offline root CA's default AIA points are not accessible to users on the network; if they are left unchanged, certificate chain verification will fail. |
Schedule the publication of the certificate revocation list. Since publishing the CRL from an offline CA has the administrative overhead of physically copying the CRL to a server on the network, you may want to use a lengthy validity period. |
On the root certification authority, publish the certificate revocation list. |
In Windows Explorer on the root CA, locate the certificate revocation list you just published. The CRL's default location is `\systemroot\system32\CertSrv\CertEnroll\CAname.crl`. Right-click the CRL file and send it to a drive that has portable storage media. |
Retrieve the certification authority's certificate and save it to a drive that has portable storage media. |
Copy the certificate revocation list file and the CA certificate to every URL location that you specified as a CRL distribution point in the root CA's policy settings. |
Copy the CA certificate file to every URL location that you specified as an authority information access distribution point in the root CA's policy settings. |
**If you are deploying your PKI in an Active Directory directory service environment** |
Publish the root certificate to the enterprise root store and add the certificate to the customary Authority Information Access (AIA) points in the directory. You need to use certutil.exe. You can also use this command to put the CA certificate from a third-party root CA into Active Directory. | At a command prompt, type: `certutil -dspublish -f CrtFileName RootCA`
Publish the CRL to the customary location in Active Directory. To do this, use certutil.exe. You can also use this command to put the CRL from a third-party root CA into Active Directory. | From the command line, type: `certutil -dspublish -f CrlFileName`
**To create an online certification authority that is subordinate to an offline root certification authority** |
Set up a server running Windows to use for the subordinate certification authority. |
Install subordinate certification authorities, as required by your planned certification hierarchy. These can be stand-alone certification authorities or, if you are using Active Directory, enterprise certification authorities. During setup for each subordinate CA, choose to save the CA certificate request to a file, which will be a PKCS #10 request. | Install a stand-alone subordinate certification authority; Install an enterprise subordinate certification authority
Copy the CA certificate request file from the subordinate certification authority to some portable storage media. Take the CA certificate request to the root certification authority. |
Using the Certificates Microsoft Management Console (MMC) on the offline CA, submit the certificate request (requestfilename) to the CA and copy the new certificate (newcertname) to the portable storage media. |
Take the portable storage media back to the subordinate certification authority. In Windows Explorer, locate the certificate and certification path files you just copied, then right-click each file and choose Install Certificate. Let the Certificate Import Wizard automatically place the certificates in stores based on the type of certificate. |
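As an added end-to-end example (not part of the TechNet checklist), the same steps driven from the command prompt with certutil and certreq instead of the MMC snap-ins. The host name OFFLINEROOT, the CA name Contoso Root CA, the web host and share pki.contoso.com, the removable drive E: and the REQUEST_ID value are placeholders assumed for the illustration; the registry value names, the numeric publication flags and the %n tokens are certutil's own.

```batch
REM ===== 1. On the offline root (typed at an elevated command prompt) =====
REM Put an HTTP location every network user can reach into the CDP and AIA of
REM issued certificates (flag 2) and keep only local file publication (flag 1),
REM so the offline CA never tries to write to the network itself.
REM Tokens: %1 = server DNS name, %3 = CA name, %4 = cert index,
REM         %8 = CRL name suffix, %9 = delta CRL marker.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.com/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.com/CertEnroll/%1_%3%4.crt"

REM Long base CRL lifetime, because the manual copy is the bottleneck; no delta CRLs.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

REM Registry changes take effect after a service restart; then publish the CRL.
net stop certsvc && net start certsvc
certutil -crl

REM Collect the CRL and the CA certificate on removable media (drive E:).
copy "%WINDIR%\system32\CertSrv\CertEnroll\*.crl" E:\
copy "%WINDIR%\system32\CertSrv\CertEnroll\*.crt" E:\

REM ===== 2. On the web server behind pki.contoso.com =====
REM The files must be served from exactly the paths written into the certificates.
copy E:\*.crl \\pki.contoso.com\CertEnroll\
copy E:\*.crt \\pki.contoso.com\CertEnroll\

REM ===== 3. On any domain member, logged on as an Enterprise Admin =====
REM Push the root into the enterprise trust store and the AD CDP/AIA containers.
certutil -dspublish -f "E:\OFFLINEROOT_Contoso Root CA.crt" RootCA
certutil -dspublish -f "E:\Contoso Root CA.crl"

REM ===== 4. Sign the subordinate CA's PKCS #10 request on the offline root =====
REM With requests held as pending, -submit only reports a RequestId; the
REM administrator issues it explicitly (REQUEST_ID is the number it printed).
certreq -submit -config "OFFLINEROOT\Contoso Root CA" E:\subca.req E:\subca.cer
certutil -resubmit REQUEST_ID
certreq -retrieve -config "OFFLINEROOT\Contoso Root CA" REQUEST_ID E:\subca.cer

REM ===== 5. On the subordinate CA =====
certutil -installcert E:\subca.cer
net start certsvc

REM Check from an ordinary workstation: the subordinate's certificate must
REM chain to the root and pass revocation checking over the published URLs.
REM A wrong CDP/AIA path shows up here as a chain or revocation error.
certutil -verify -urlfetch E:\subca.cer
```

If the final verification reports a revocation-status or AIA retrieval failure, compare the URLs in the certificate against what the web server actually serves before putting the subordinate into production.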