Install a stand-alone root certification authority
Applies To: Windows Server 2012
Introduction:
Depending on the CA hierarchy being designed, this article focuses on the steps required to install
an offline root CA on Windows Server 2012. The following assumptions apply:
a) The server will not be joined to the Active Directory domain
b) The root CA is configured as offline
c) CAPolicy.inf is created under C:\windows and configured as per the CA hierarchy
d) Networking and storage considerations have been taken into account
e) User accounts are provisioned (local administrator permissions are configured accordingly)
Install a stand-alone root certification authority on Server 2012
1. Log on to the system as an Administrator or as a user with local administrator privileges.
2. Start Server Manager from the Task Bar, click the Add Roles and Features wizard and
select your Server from the Server Pool
3. Select Active Directory Certificate Services and select the Features as shown below
4. Select the Certificate Authority option and click Next
5. Wait for the installation to complete; you will then be presented with the below wizard
Once you have successfully installed the Certificate Services on the Workgroup Server, it’s time
to configure the Server.
1. From Server Manager, select the “AD CS” role and click the More option as shown
below
2. From the All Server Task Details and Notifications window, select the Configure Active
Directory Certificate Services on the destination Server option, which should launch
the below wizard
Provide the necessary credentials. Because this server is configured as a workgroup server, I have
configured it with local administrator privileges. Click Next.
3. From the Select Role Services to configure window, select Certificate Authority and
click Next
4. On Specify the setup type of the CA window, select Standalone CA option and click
Next
5. On Specify the type of the CA, select Root CA and click Next
6. On Specify the type of the private key, select Create a new Private Key and click
Next
7. On Specify the cryptographic options, select the following
a) Select a cryptographic provider: RSA#Microsoft Software Key Storage
Provider. Third-party CSPs are supported, but for our lab we select the Microsoft CSP
b) Key Length: Select 2048, which is the default key length supported by the CSP. This
might change if you import existing keys, which may not be 2048 in length.
c) Hash Algorithm: Although the default is SHA1, select SHA256 for a stronger hash
Click Next
8. On Specify the name of the CA, enter the following as shown in the wizard below
Click Next
9. On Specify the validity period, select 20 years and click Next
10. On Specify the database locations, select the storage location and click Next
11. Click Configure from the following wizard
12. Configuration Succeeded message should be displayed as shown below
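The same installation can be scripted and then checked against the choices made in the wizard. The following PowerShell is an added example, not part of the original article: the CA name LAB-ROOT-CA is a placeholder (the article's CA name is not given in the text), and the database location is left at the role's default.

```powershell
# Added example: scripted equivalent of the wizard steps above. Run from an elevated prompt.
# $CaName is a placeholder; substitute the CA name chosen in step 8.
$CaName = 'LAB-ROOT-CA'

# Preconditions taken from the assumptions list: workgroup server, CAPolicy.inf in C:\Windows.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw 'Server is domain-joined; the offline root CA is expected to be a workgroup server.'
}
if (-not (Test-Path -Path (Join-Path $env:windir 'CAPolicy.inf'))) {
    throw 'CAPolicy.inf not found under the Windows directory; create it before configuring the CA.'
}

# Role installation (first procedure).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# Role configuration (second procedure): stand-alone root CA, new 2048-bit RSA key, SHA256, 20 years.
$caParams = @{
    CAType              = 'StandaloneRootCA'
    CACommonName        = $CaName
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 20
    Force               = $true   # suppress the confirmation prompt
}
Install-AdcsCertificationAuthority @caParams

# Verification: read back the issued root certificate instead of trusting the success message.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $caCert) { throw "No certificate with subject CN=$CaName in LocalMachine\My." }

$report = [pscustomobject]@{
    Subject       = $caCert.Subject
    SelfSigned    = ($caCert.Subject -eq $caCert.Issuer)
    SignatureAlg  = $caCert.SignatureAlgorithm.FriendlyName
    KeySizeBits   = $caCert.PublicKey.Key.KeySize
    ValidityYears = [math]::Round(($caCert.NotAfter - $caCert.NotBefore).TotalDays / 365.25, 1)
}
$report | Format-List

# Flag the settings most often left at a weaker value.
if ($report.SignatureAlg -notmatch 'sha256') { Write-Warning "Root certificate is signed with $($report.SignatureAlg), not SHA256." }
if ($report.KeySizeBits -lt 2048)            { Write-Warning "Root key is only $($report.KeySizeBits) bits." }
if (-not $report.SelfSigned)                 { Write-Warning 'Certificate is not self-signed; this is not a root CA certificate.' }
```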