
How to install Stand-alone offline Root Certificate Authority (CA)

If you are planning to implement a multi-tier Certificate Authority (CA) hierarchy, you should implement an offline Root Certificate Authority (CA) (Stand-alone root CA). The root CA's private key is the trust anchor for the whole hierarchy, so the root only ever signs the subordinate CA certificates and its own CRL, and the computer can be removed from the network for long periods of time between those signing operations.

Internet Information Services (IIS) is not required for the installation of a stand-alone offline Root CA because the only certificate requests submitted to the Root CA are for subordinate CA certificates. IIS is only needed for the web enrollment pages, which an offline root never serves. A subordinate CA request is normally submitted as a request file by using the Certification Authority MMC console, and the issued certificate is then carried back to the subordinate CA on removable media.

Before installing the Stand-alone offline Root CA, make sure that the server date and time are correct, because the validity period of the root certificate and of every CRL it signs is calculated from the system clock. The name of the server cannot be changed once you configure the Certificate Authority (CA) on this server, and an offline root is typically a workgroup (non-domain) machine so that it has no reason to be connected to the network.

Open the "Add or Remove Programs" applet from the Control Panel (Start > Control Panel > Add.

Installing Standalone offline Root CA - Add Remove Programs

Click "Add/Remove Windows Components".

Installing Standalone offline Root CA - Add/Remove Windows Components

The "Windows Components Wizard" will pop up; select "Certificate Services" from the list box.

Installing Standalone offline Root CA - Machine Name Change confirm

A dialog box will be displayed stating that once you have installed the certificate services in this server, you cannot change the name of the server. Click "Yes" to accept it and continue or "No" to exit from the wizard.

Installing Standalone offline Root CA - Select Standalone Root CA

Select the Certificate Authority type from the CA type screen. In this case, select "Stand-alone root CA". Check the "Use custom settings to generate the key pair and CA certificate" check box. Checking this box is only required if you want to change the default settings, but for a root CA you normally do, because it is the only opportunity to choose the key length and hash algorithm before the root key is generated.

Installing Standalone offline Root CA - Key Settings

In the "Public and Private Key Pair" screen, you can select the CSP (Cryptographic Service Provider), the hash algorithm, and other settings such as the key length. For a Root CA, choose the longest key length offered: the root key has to remain strong for the lifetime of every subordinate CA it signs, so treat 2048 bits as the minimum and prefer 4096 bits. Some CSPs might not be supported for generating certificates from some templates (this matters for an enterprise CA; a stand-alone CA does not use templates). The Microsoft Strong Cryptographic Provider CSP is the default choice. Other CSPs can be used if you have the vendor software installed or you have the related hardware; for a root CA, keeping the key in a Hardware Security Module (HSM) through the vendor's CSP is the recommended option, since a software key on an offline machine is only as safe as the disk it lives on.

You can also select the hash algorithm here; it is used for the signature on the root certificate and on every certificate and CRL this CA issues. Of the choices offered by the Windows 2003 wizard (MD2, MD4, MD5 and SHA-1), MD4 is the weakest and SHA-1 is the strongest, so select SHA-1. Be aware that SHA-1 signatures are themselves deprecated today; SHA-256 requires the newer CNG key storage providers that first shipped with Windows Server 2008, so a new root built today should not be built on this platform.

The "Use an existing key" check box allows you to reuse an existing key pair, provided it was generated with algorithms compatible with the selected CSP (for example, when re-installing a CA from backup), and the "Import" button lets you import such a key pair from a file.

Installing Standalone offline Root CA - Common Name

In the "CA Identifying Information" screen, enter the common name of the CA. This name is embedded in the root certificate and cannot be changed later, so choose it carefully. The same screen lets you set the validity period of the root certificate; the default is five years, which is shorter than the lifetime most organizations want for a root, so set it to outlast the subordinate CA certificates the root will issue (for example, ten or twenty years).

Installing Standalone offline Root CA - Key generation

It will take a few seconds to generate the keys and a progress bar will be displayed.

Installing Standalone offline Root CA - Database and log location

In the "Certificate Database Settings" screen, select where the CA's certificate database and log files will be stored. This database holds the record of every certificate the CA issues (here, the subordinate CA certificates), the pending and failed requests, and the CRLs; together with the CA's own key and certificate it must be backed up regularly, because an offline root cannot be rebuilt from anything else.

Installing Standalone offline Root CA - Insert CD

The wizard now needs to copy some setup files, so insert your Windows 2003 operating system installation CD in the CD drive. After inserting the CD, click the "Browse" button in the "Copy Error" dialog box and point it to the "i386" folder on the Windows 2003 operating system installation CD.

Installing Standalone offline Root CA - Select i386 folder

Click the "Open" button in the "Locate File" dialog box and then click the "Retry" button in the "Copy Error" dialog box.

Installing Standalone offline Root CA - Configuring Components

The "Configuring Components" screen with a progress bar will be displayed. If Internet Information Services (IIS) is not installed on your computer, a dialog box will be displayed stating that; this is expected on an offline root and is not an error.

Installing Standalone offline Root CA - IIS not installed on this computer

Click "OK" to continue.

Installing Standalone offline Root CA - Completing Installation

The "Completing the Windows Components Wizard" screen will be displayed. Click "Finish" to complete the installation. Once the installation is over, you can open the "Certification Authority" console from Administrative Tools. The wizard does not configure anything for offline operation: the default CRL publication interval (one week) is far too short for a machine that will be disconnected for months, and an offline root cannot publish its certificate or CRL to Active Directory itself, so both must be adjusted before the root is taken offline and the first subordinate CA request is signed.
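The following batch script is an added example, not part of the original tutorial, showing the checks and settings a practitioner applies on the root CA immediately after the wizard finishes. It is run from an administrative command prompt on the root CA. The CA common name "Example Root CA" and the HTTP host pki.example.com used for the CRL and AIA locations are assumptions for illustration; substitute your own.

```batch
@echo off
rem Added example (not from the original tutorial): post-install checks and
rem offline settings for a stand-alone root CA on Windows Server 2003.
rem Assumed names: CA common name "Example Root CA", CRL/AIA web host
rem http://pki.example.com/CertEnroll/ (both hypothetical).

rem 1. Confirm what the wizard actually configured: CA type, CSP and hash.
certutil -cainfo type
certutil -getreg CA\CSP\Provider
certutil -getreg CA\CSP\HashAlgorithm

rem 2. A CRL signed by an offline root must stay valid while the machine is
rem    powered off: publish a base CRL every 26 weeks and no delta CRLs.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

rem 3. Subordinate CA certificates issued by this root get a 10-year lifetime
rem    (the default for a stand-alone CA is one year).
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

rem 4. CRL distribution point and AIA URLs that clients can reach while the
rem    root is offline, i.e. an always-on HTTP host. %%3, %%8 etc. are
rem    certutil's own substitution tokens; the doubled %% is cmd escaping,
rem    and "\n" separates the two entries of the multi-string value.
certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.example.com/CertEnroll/%%3%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.example.com/CertEnroll/%%1_%%3%%4.crt"

rem 5. Restart Certificate Services so the settings take effect, then issue
rem    the first CRL under the new publication period.
net stop certsvc
net start certsvc
certutil -CRL

rem 6. Inspect the root certificate the wizard wrote to CertEnroll: verify the
rem    public key length, signature algorithm and validity period match what
rem    was chosen in the wizard before this certificate is distributed.
for %%f in ("%windir%\system32\CertSrv\CertEnroll\*.crt") do certutil -dump "%%f"

rem 7. The root cannot publish to Active Directory itself. Copy the .crt and
rem    .crl from CertEnroll to removable media, then on a domain-joined machine
rem    (as Enterprise Admin) publish them so domain members trust the root:
rem      certutil -dspublish -f "Example Root CA.crt" RootCA
rem      certutil -dspublish -f "Example Root CA.crl"
```

Step 4 is the one that is easy to get wrong: the HTTP URL must be reachable by every relying party, and the file copied to that web host must be refreshed every time step 5 is repeated, which on a 26-week CRL period means putting a recurring reminder on the calendar rather than trusting anyone to remember.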

Certification Authority MMC Console
