HOW TO: Install a Windows 2000 Certificate Services Offline Root Certificate Authority (271386)

The information in this article applies to:

  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP2

This article was previously published under Q271386

SUMMARY

This article explains how to set up an offline root certification authority (CA) with an online subordinate CA.

In a CA hierarchy, all trust flows from the root. For this reason, the root CA is the most important CA in the hierarchy. If the root CA is compromised, then every certificate in the hierarchy is also compromised. You can maximize the security of the root by keeping the root CA disconnected from the network and using subordinate CAs to issue certificates to other subordinate CAs or to customers.

NOTE: For the steps in this article, one server must be designated as the offline root CA, and another server must be designated as the online CDP location.

To configure the offline root CA, install Certificate Services as a stand-alone root CA. An enterprise root requires access to the Active Directory, which is unavailable if the server is disconnected from the network. You should not install an enterprise root on an offline domain controller.

NOTE: For more information on installing Windows 2000 Certificate Services, see the "Installing and configuring a certification authority" topic in the Windows 2000 Help file.

Creating the Online URLs

The root CA periodically publishes a certificate revocation list (CRL). Programs check the CRLs for all the CAs in the chain of certificates from the end entity to the root of the hierarchy to decide whether or not to trust a particular certificate. The location of the CRL is always included in the certificate in a field called the CRL Distribution Point (CDP). In this case, the root CA in the hierarchy is offline, so the root certificate must be modified to include a CDP that is accessible by users on the network.

A CA can publish its CRL to a file share (FILE://), a web URL (HTTP://), or in a Lightweight Directory Access Protocol (LDAP) directory (LDAP://). For clients to check the CRL for an offline root, one or more online URLs must be configured and placed in the certificates issued by the CA.

For the FILE: and HTTP: URLs, perform the following steps:
  1. Select a network server to be the online CDP source. This server must have Internet Information Services (IIS) enabled.
  2. Create a folder on the server and share it out, enabling users to have read access.
  3. Add the folder to IIS by creating a virtual directory.
  4. On the offline root, copy the contents of the %Systemroot%\System32\Certsrv\CertEnroll folder to a floppy disk.
  5. Take the floppy disk to the online server and move the contents into the folder previously created.
  6. Record the universal naming convention (UNC) path to the share point, as well as the HTTP URL to the IIS virtual directory.
For the LDAP: URL, use the Resource Kit Dsstore.exe utility to publish the CRL to the Active Directory, by performing the following steps:
  1. At a command prompt, change into the directory previously created. It should already contain the .crl and .crt files copied from the offline root.
  2. To publish the CRL, use the following command:

    dsstore DC=MyForestRoot,DC=com -addcrl MyCAsCRLFile.crl MyCAsName CAServerName

    NOTE: The preceding Distinguished Name (DN) is the root domain of the forest, even if the CA is installed on a server in a child domain. Also, the DN component identifiers (DC=) must be capitalized. Finally, if any of the parameters contains spaces, enclose them in quotes.
  3. Record the LDAP: path returned by the command. This path needs to be added to the CDP in the certificates issued by the offline CA in the following steps.
  4. To publish the CAs root certificate to the Active Directory, use the following command:

    dsstore DC=MyForestRoot,DC=com -addroot MyCAsCRTFile.crt MyCAsName

    NOTE: The preceding DN is the root domain of the forest, even if the CA is installed on a server in a child domain. Also, the DN component identifiers (DC=) must be capitalized. Finally, if any of the parameters contains spaces, enclose them in quotes.
  5. Record the LDAP: path returned by the command. This path needs to be added to the Authority Information Access (AIA) in the certificates issued by the offline CA in the following steps.

Modifying the CA Policy

When the online locations are created, the CA policy must be modified to include the new paths for the CDP and AIA in all future certificates that are issued.

Adding a CDP

To add a CDP to the root CA certificate, perform the following steps:
  1. Determine the fully qualified domain name (FQDN) of the future subordinate CA. This is the full name of the server in the Domain Name Service (DNS). For example, if Server2 is in the Company.com zone in DNS, the FQDN for that computer is Server2.Company.com.
  2. On the root CA, click Start, point to Programs, point to Administrative Tools, and then click Certificate Authority.
  3. Right-click the root CA and click Properties.
  4. Click the Policy Module tab and click Configure.
  5. Click the X.509 Extension tab.
In the CRL Distribution Points section, three locations are listed by default, each accessible by a different protocol: LDAP, HTTP, or SMB. To add a CDP location on the online server accessible by the HTTP protocol, perform the following steps:
  1. Click Add CDP.
  2. In the Add URL dialog box, type the following:

    http://FQDN/VirtualDir/%CA_NAME%%CRL_SUFFIX%.crl

    where FQDN is the fully qualified domain name of the online server and VirtualDir is the IIS virtual directory previously created. %CA_NAME% and %CRL_SUFFIX% are replaceable parameters used by Certificate Services and must not be modified.

  3. Verify that the check box beside the new path is selected.
To add a CDP location on the online server accessible by the SMB protocol, perform the following steps:
  1. Click Add CDP.
  2. In the Add URL dialog box, type the following:

    file://\\FQDN/FileShare/%CA_NAME%%CRL_SUFFIX%.crl

    where FQDN is the fully qualified domain name of the online server and FileShare is the sharepoint previously created. %CA_NAME% and %CRL_SUFFIX% are replaceable parameters used by Certificate Services and must not be modified.

  3. Verify that the check box beside the new path is selected.
To add a CDP location in Active Directory accessible by the LDAP protocol, perform the following steps:
  1. Click Add CDP.
  2. In the Add URL dialog box, type the LDAP path returned by the Dsstore utility when the CRL had been published to Active Directory.
  3. Verify that the check box beside the new path is selected.
The check boxes beside the paths pointing to the offline CA can be cleared, but the locations should not be deleted. The unchecked paths are not included in published certificates.

Adding an AIA

The AIA section contains locations where the CA's certificate can be downloaded, if needed. These locations are also included in a field in the certificates issued by the CA. Therefore, at least one of these paths should be accessible from the network.

To add an AIA location on the online server accessible by means of HTTP, perform the following steps:
  1. Click Add AIA.
  2. In the Add AIA dialog box, type the following:

    http://FQDN/VirtualDir/%SERVER_DNS_NAME%_%CA_NAME%%CERT_SUFFIX%.crt

    where FQDN is the fully qualified domain name of the online server and VirtualDir is the IIS virtual directory previously created. %SERVER_DNS_NAME%, %CA_NAME%, and %CERT_SUFFIX% are replaceable parameters and must not be modified. The underscore between %SERVER_DNS_NAME% and %CA_NAME% must be included.

  3. Verify that the check box beside the new path is selected.
To add an AIA location on the online server accessible by means of SMB, perform the following steps:
  1. Click Add AIA.
  2. In the Add AIA dialog box, type the following:

    file://\\FQDN/FileShare/%SERVER_DNS_NAME%_%CA_NAME%%CERT_SUFFIX%.crt

    where FQDN is the fully qualified domain name of the online server and FileShare is the sharepoint previously created. %SERVER_DNS_NAME%, %CA_NAME%, and %CERT_SUFFIX% are replaceable parameters and must not be modified. The underscore between %SERVER_DNS_NAME% and %CA_NAME% must be included.

  3. Verify that the check box beside the new path is selected.
To add an AIA location in Active Directory accessible by the LDAP protocol, follow these steps:
  1. Click Add AIA.
  2. In the Add AIA dialog box, type the LDAP path returned by the Dsstore utility when the root CA's certificate had been published to Active Directory.
  3. Verify that the check box beside the new path is selected.
The check boxes beside the paths pointing to the offline CA can be cleared, but the locations must not be deleted. The unchecked paths are not included in published certificates.

To complete the modification of the CA policy, perform the following steps:
  1. Click OK to accept the new CDP and AIA paths.
  2. Click OK to accept the informational message.
  3. Click OK.
  4. Stop and restart Windows 2000 Certificate Services.

Configuring a Subordinate CA

Before you install a CA subordinate to the offline root CA, you must install the root CA's certificate into the trusted root store on the server. To do this, perform the following steps:
  1. Click Start, click Run, type MMC, and then press ENTER.
  2. In Microsoft Management Console (MMC), click Console, and then click Add/Remove Snap-in.
  3. Click Add.
  4. In the list of snap-ins, click Certificates and click Add.
  5. Click Computer Account and click Next.
  6. Click Local Computer and click Finish.
  7. Click Close.
  8. Click OK.
  9. Double-click Certificates, and then click Trusted Root Certificate Authorities.
  10. Right-click the Certificates folder, click All Tasks, and then click Import.
  11. When the Certificate Import Wizard starts, click Next.
  12. Map a drive letter to the sharepoint containing the files copied from the root CA.
  13. In the Files of Type box, click X.509 Certificates (*.cer,*.crt), and then change to the mapped drive previously created.
  14. Click the RootCA.crt file.
  15. Click Next.
  16. Click Next.
  17. Click Finish.
The server is now configured to trust any certificate issued by the offline root CA.

Next, install Certificate Services as either a subordinate stand-alone or a subordinate enterprise CA. For detailed steps on this procedure, refer to the topics for installing a subordinate CA in the Windows 2000 Help file. To access this information in the Help file, click the Index tab and type CAs, installing.

If the new subordinate CA starts successfully, the online CDP and AIA paths have been successfully created.

Routine Maintenance

Clients should now be able to access the CRL for the root CA. By default, Certificate Services publishes a CRL every week. Each new CRL must be moved to the online location and published to Active Directory. Failure to do this can result in a broken chain when the previous CRL expires. See the topics regarding CRL publication in the Windows 2000 Help file for information on configuring publication. To access this information in the Help file, click the Index tab and type CRLs, publishing.
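The CDP and AIA templates entered above and the weekly CRL copy described here are easy to get subtly wrong (a misspelt parameter name lands verbatim in every issued certificate; a CRL that is not copied over breaks the chain when the old one expires). The following is an added consistency check, not part of this article or of Certificate Services: it expands the article's templates into the file names the certificates will point at and compares them with a listing of the online folder. The server name server2.company.com, the CertEnroll share and virtual directory, the CA name MyRootCA, the host name rootca1, and the listing dates are all constructed sample values.

```python
"""Added example: check the online CDP/AIA folder against the CA's URL templates."""
import re
from datetime import date

# Replaceable parameters named in the article; values are constructed samples.
PARAMS = {
    "CA_NAME": "MyRootCA",
    "SERVER_DNS_NAME": "rootca1",   # host name of the offline root
    "CRL_SUFFIX": "",               # empty for the base CRL
    "CERT_SUFFIX": "",              # empty for the CA's first certificate
}
TOKEN = re.compile(r"%([A-Z_]+)%")

# Templates as typed into the Add URL / Add AIA dialogs (constructed server/share names).
CDP_TEMPLATES = [
    "http://server2.company.com/CertEnroll/%CA_NAME%%CRL_SUFFIX%.crl",
    "file://\\\\server2.company.com/CertEnroll/%CA_NAME%%CRL_SUFFIX%.crl",
]
AIA_TEMPLATES = [
    "http://server2.company.com/CertEnroll/%SERVER_DNS_NAME%_%CA_NAME%%CERT_SUFFIX%.crt",
]

# Constructed listing of the online folder: file name -> last-modified date (ISO).
SAMPLE_LISTING = {"MyRootCA.crl": "2003-09-01", "rootca1_MyRootCA.crt": "2003-08-01"}


def expand(template):
    """Substitute the parameters; reject misspelt tokens such as %CA_SUFFIX%."""
    unknown = set(TOKEN.findall(template)) - set(PARAMS)
    if unknown:
        raise ValueError("unknown replaceable parameter(s): %s" % sorted(unknown))
    return TOKEN.sub(lambda m: PARAMS[m.group(1)], template)


def expected_files(cdp_templates, aia_templates):
    """File names the online share / virtual directory must serve."""
    urls = [expand(t) for t in cdp_templates + aia_templates]
    return sorted({u.rsplit("/", 1)[-1] for u in urls})


def audit(listing, cdp_templates, aia_templates, today, max_age_days=7):
    """Report files the certificates reference but the folder lacks, and a CRL
    older than the default weekly publication period (i.e. not copied over)."""
    now = date.fromisoformat(today)
    findings = []
    for name in expected_files(cdp_templates, aia_templates):
        if name not in listing:
            findings.append("missing: " + name)
        elif name.endswith(".crl") and (now - date.fromisoformat(listing[name])).days > max_age_days:
            findings.append("stale CRL: %s older than %d days" % (name, max_age_days))
    return findings
```

The age check uses the file's modification date as a stand-in for the CRL's own validity period, which would require a CRL parser to read.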

Modification Type: Major
Last Reviewed: 9/22/2003
Keywords: kbenv kbHOWTOmaster KB271386 kbAudITPro