If you are planning to implement a multi-tier Certificate Authority (CA) hierarchy, you should implement the root as an offline stand-alone root CA, so that the computer can be removed from the network for long periods of time.
Internet Information Services (IIS) is not required for the installation of a stand-alone offline root CA, because the only certificate requests submitted to the root CA are for subordinate CA certificates, and these are normally submitted by using the Certification Authority MMC console.
Before installing the stand-alone offline root CA, make sure that the server's date and time are correct. The name of the server cannot be changed once you configure the CA on it.
Open the "Add or Remove Programs" applet from the Control Panel (Start > Control Panel).
Click "Add/Remove Windows Components".
The "Windows Components Wizard" will pop up; select "Certificate Services" from the list box.
A dialog box will be displayed stating that once you have installed Certificate Services on this server, you cannot change the name of the server. Click "Yes" to accept this and continue, or "No" to exit the wizard.
Select the CA type on the "CA Type" screen; in this case, select "Stand-alone root CA". Check the "Use custom settings to generate the key pair and CA certificate" check box. Checking this box is only required if you want to change the default key and certificate settings.
In the "Public and Private Key Pair" screen, you can select the CSP (Cryptographic Service Provider), the hash algorithm, and other settings such as the key length. For a root CA, you must select a high key length value. Some CSPs might not be supported for generating certificates from some templates. The Microsoft Strong Cryptographic Provider CSP is the default choice; other CSPs can be used if you have the corresponding software installed or the related hardware.
You can also select the hash algorithm used for signatures here. Of the available choices, MD4 is the weakest and SHA1 is the strongest.
The "Use an existing key" check box allows you to reuse an existing key pair, provided it was generated with algorithms compatible with the selected CSP; the "Import" button lets you import a certificate from a file.
In the "CA Identifying Information" screen, enter the common name of the CA.
It will take a few seconds to generate the keys and a progress bar will be displayed.
In the "Certificate Database Settings" screen, select where the CA's certificate database and log files will be stored. The CA's own certificates are stored in this location, and it should be backed up regularly.
The wizard now needs to copy some setup files, so insert your Windows 2003 installation CD into the CD drive. After inserting the CD, click the "Browse" button in the "Copy Error" dialog box and point it to the "i386" folder on the Windows 2003 installation CD.
Click the "Open" button in the "Locate File" dialog box and then click the "Retry" button in the "Copy Error" dialog box.
A "Configuring Components" screen with a progress bar will be displayed. If Internet Information Services (IIS) is not installed on your computer, a dialog box will be displayed stating that.
Click "OK" to continue.
The "Completing Windows Components Wizard" screen will be displayed. Click "Finish" to complete the installation. Once the installation is over, you can open the "Certification Authority" console from Administrative Tools.
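Once the wizard has finished, it is worth confirming that the root certificate it generated actually reflects the choices made in the "Public and Private Key Pair" screen before the machine is taken offline. The following PowerShell script is an added example and not part of the original article: it reads the root CA certificate after you have exported it to a file (for instance from the Certification Authority console, CA Properties > General > View Certificate > Details > Copy to File) and checks that it is self-signed, carries the CA basic constraint, uses the expected RSA key length and a signature hash that current clients still accept. The file path and the 2048-bit threshold are the author's own assumptions; the article itself gives no number for "high key length". The script can be run from any Windows machine with PowerShell, since it only needs the exported .cer file.

```powershell
# Added example, not from the original article: sanity-check an exported offline
# root CA certificate against the choices made during installation.
# The path below is a placeholder; point it at your exported .cer file.
param(
    [string]$CertPath = 'C:\PKI\OfflineRootCA.cer'   # placeholder path (assumption)
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$findings = New-Object System.Collections.Generic.List[string]

# 1. A root CA certificate is self-signed, so subject and issuer must be identical.
if ($cert.Subject -ne $cert.Issuer) {
    $findings.Add("Subject '$($cert.Subject)' does not match issuer '$($cert.Issuer)'; this is not a self-signed root.")
}

# 2. The Basic Constraints extension must assert that this certificate is a CA.
$basic = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    Select-Object -First 1
if (-not $basic -or -not $basic.CertificateAuthority) {
    $findings.Add("Basic Constraints extension is missing or does not assert CA=TRUE.")
}

# 3. Key length selected in the 'Public and Private Key Pair' screen.
#    GetRSAPublicKey needs .NET Framework 4.6 or later; fall back to the legacy property otherwise.
$minimumKeyBits = 2048   # author's threshold (assumption); the article only says "high key length"
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { $null }
} catch {
    $keyBits = $cert.PublicKey.Key.KeySize
}
if (-not $keyBits) {
    $findings.Add("Public key is not RSA; re-check the CSP chosen during installation.")
} elseif ($keyBits -lt $minimumKeyBits) {
    $findings.Add("RSA key is only $keyBits bits; a root CA should use at least $minimumKeyBits bits.")
}

# 4. Signature hash selected in the same screen. SHA1 was the strongest option the
#    Windows 2003 wizard offered, but MD4, MD5 and SHA-1 signatures are now rejected
#    or distrusted by modern clients, so flag them.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -match 'md4|md5|sha1') {
    $findings.Add("Certificate is signed with $sigAlg; current clients distrust this hash.")
}

# 5. Validity window: an offline root that expires unnoticed breaks the whole hierarchy.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 0) {
    $findings.Add("Root certificate expired on $($cert.NotAfter).")
} elseif ($daysLeft -lt 365) {
    $findings.Add("Root certificate expires in $daysLeft day(s); plan the renewal now.")
}

# Report the key facts and any findings.
"Subject     : $($cert.Subject)"
"Thumbprint  : $($cert.Thumbprint)"
"Key length  : $keyBits bits"
"Signature   : $sigAlg"
"Valid until : $($cert.NotAfter)"
if ($findings.Count -eq 0) {
    "No issues found."
} else {
    "Findings:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it as `.\Check-RootCA.ps1 -CertPath <path to exported .cer>` (the script name is arbitrary). Because the script only reads an exported certificate, it never needs network access to the root CA itself, which keeps the offline property of the root intact.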