Install Certification Authorities

You must install the CA hierarchies necessary to provide the required certificate services for your organization. Certification hierarchies with Windows 2000 CAs can include a mixture of enterprise CAs and stand-alone CAs. You can install the root CA first and then each subordinate CA in the hierarchy. For example, to create a three-level certification hierarchy, you can install CAs on servers in the following order:

  1. Root CA

  2. Intermediate CAs

  3. Issuing CAs

However, to install the CA software on computers, you are not required to install CAs in this order. Root CAs are certified by self-signed certificates, so they do not depend on another CA to complete the installation. However, the complete installation of child CAs requires the parent CA to process the certificate request and issue the subordinate CA certificate. You can install a subordinate CA at any time, save the certificate request to a file, and submit it to the parent CA later, after the parent CA is installed and running. After parent CAs are installed and running, you can submit the certificate request file by using the Advanced Certificate Request Web pages for the parent CA. After the certificate for the child CA is issued, you can install the certificate for the child CA by using the Certification Authority console. A CA must have a valid CA certificate to start.

Although you can install CAs on domain controllers, it is not a recommended practice. To distribute the network load and prevent excessive load conditions on computers, install CAs on Windows 2000 Server–based computers that are dedicated to providing CA services. Also consider installing the Web Enrollment Support pages on separate Windows 2000 Server–based computers.

For information about installing third-party CAs and using them with Windows certification hierarchies, see the documentation for the third-party CA product.

Upgrading from Certificate Server 1.0

If you upgrade a Windows NT 4.0–based server that is running Certificate Server 1.0 to Windows 2000 Server, Certificate Server 1.0 is upgraded automatically to the new version of Certificate Services. If the CA being upgraded is using a policy module other than the default policy module for Certificate Server 1.0, it continues to use its old policy module, which is referred to as the Legacy policy module. If the CA you are upgrading uses the default policy module that was provided with Certificate Server 1.0, the upgraded CA uses the Certificate Services stand-alone policy.

If you are not upgrading a Certificate Server 1.0 CA and, instead, are installing a separate Windows 2000 CA that is to replace the old CA, you might want to use the older policy module instead of the default policy module that is provided with Certificate Services. If you want to replace the policy module that is provided with Certificate Services with a custom policy module or a policy module developed for Certificate Server 1.0 and Windows NT 4.0, you must first register the policy module DLL file by using the Regsrv32 command, and then select the policy module by using the Certification Authority console. For more information about using Regsv32 and selecting policy modules, see Windows 2000 Server Help and Certificate Services Help.

Creation of an Issuer Statement for the Certification Authority (Optional)

When you install a CA, you have the option of adding an issuer statement for the CA that appears when users click Issuer Statement in the Certificate General dialog box. The issuer statement is a policy statement that gives legal and other pertinent information about the CA and its issuing policies, limitations of liability, and so forth.

The issuer statement file must be installed on the server before you install Windows 2000 Certificate Services. This file, named Capolicy.inf, must be placed in the directory in which Windows 2000 Server is installed — the systemroot directory. (The default systemroot is C:\Winnt.) CAPolicy.inf can contain the text you want to be displayed as the policy statement, or it can contain a URL that points to the policy statement, for example, a Web page. For more information about how to create the Capolicy.inf file, see Certificate Services Help.

Installing Windows 2000 Certificate Services

Before you can install a CA, you must be logged on as either a member of the local Administrator security group for stand-alone computers or a member of the Domain Administrator security group for computers that are connected to the domain.

To install Windows   2000 Certificate Services

  1. In Control Panel, click Add/Remove Programs .
    The Add/Remove Programs dialog box appears.

  2. Click Add/Remove Windows Components .
    The Windows Component wizard appears.

  3. In Windows Components, select the Certificate Services check box.

  4. Click Next , and use the Windows Component wizard to install the CA.

Tables 16.5 through 16.9 describe the available CA configuration options for each page of the Windows Component wizard.


After the CA is installed, the computer cannot be renamed, joined to a domain, or removed from a domain. Installing an enterprise CA requires Active Directory, so the CA computer must already be joined to the Windows 2000 domain.

Table   16.5 Certification Authority Type Selection Page



Enterprise root CA

Select to install an enterprise root CA.

Enterprise subordinate CA

Select to install an enterprise subordinate CA.

Stand-alone root CA

Select to install a stand-alone root CA.

Stand-alone subordinate CA

Select to install a stand-alone subordinate CA.

Advanced options

Select to configure advanced options in the Public and Private Key Selection page of the wizard.

Table   16.6 Public and Private Key Selection Page



Cryptographic service provider

Select the CSP to be used to generate the public key and private key set for the CA certificate. This CSP also manages and stores the private key. The default CSP is the Microsoft Base Cryptographic Provider or the Microsoft Enhanced Cryptographic Provider, depending on whether the server that is running Windows 2000 contains exportable or nonexportable cryptography. If you want to use another CSP, such as a hardware-based CSP to manage and store the CA's private key, you must select the appropriate CA from the list of CSPs.

Hash algorithms

Select the message digest that is to be used for the digital signature of the CA certificates. The default is SHA-1, which provides the strongest cryptographic security.

Key length

Select a key length from the list, or type a key length for the private key and public key. The default key length is 512 bits for the Base Cryptographic Provider and 1,024 bits for the Enhanced Cryptographic Provider. The minimum key length you can specify is 384 bits, and the maximum is 16,384 bits. Use a key of at least 1,024 bits for CAs. In general, the longer the key, the longer the safe lifetime of the private key. Use the longest key that is feasible and that meets both CA performance requirements and CSP key storage limitations.

Use existing keys

Enables the selection of an existing private key from the list. The existing private key is used for the CA. You might need to use this option to restore a failed CA.

Use the associated certificate

Enables the selection of the certificate that is associated with the existing private key which is used for the CA. This option is not available unless you first select Use the associated certificate . You might need to use this option to restore a failed CA.


Imports a private key that is not in the Use existing keys list. For example, you might import a private key from an archive for a failed CA.

View Certificate

Select this option to view the certificate associated with the private key in the Use existing keys list.

Table   16.7 CA Identifying Information Page



CA name
Organizational unit
State or province

Enter information that is to be used to uniquely identify the CA. This information is included in the CA certificate in the Subject field. The CA name that you enter here is used by Windows 2000 to identify the CA, so the CA name must be unique for each CA you install in your organization. However, all of the other information that is entered here can be the same if appropriate. Others can view the Subject field in the CA certificate to identify the CA or to find out how to contact the CA.

CA description

Enter a description for this CA (optional).

Validity duration

Enter the duration for the certificate lifetime for the root CA certificate, and select Years , Months , or Weeks from the list. The default certificate lifetime for root CAs is 2 years. You must choose a lifetime that supports your planned certificate life cycles. This option is not available for subordinate CAs because the certificate lifetime is determined by the parent CA.

Expires on

Lists the expiration date for the root CA certificate, which corresponds to the certificate lifetime in Validity duration .

Table   16.8 Data Storage Location Page



Certificate database
Certificate log

By default, the certificate database and the log are installed at < Drive :>\WINNT\System32\CertLog, where < Drive: > is the letter of the disk drive where the CA is installed. You have the option of storing the database and the log on different drives to manage storage space. If this is something you want to do, type the new path and folder name in the Certificate database box or in the Certificate log box, or click Browse to select the new location.

Store configuration information in a shared folder

Select to store configuration information in a shared folder, and then type the path and folder name in the Shared folder box; or click Browse to select an existing folder. Members of the local Administrators security group are granted full control for the folder. Members of the Everyone security group are granted read permissions for the folder. The shared folder acts as a location where users can find information about certification authorities. This option is useful only if you are installing a stand-alone CA and do not have Active Directory.

Preserve existing certificate database

Select to preserve an existing certificate database. This option is available only when you are reusing a private key and the associated certificate from an existing CA configuration. You can use this option to restore a failed CA.

Table   16.9 CA Certificate Request Page (Subordinate CAs Only)



Send the request directly to a CA already on the network

Type the name of the parent CA, or click Browse to select the parent CA from a list of CAs. The certificate request is submitted to this CA, and the certificate is then processed and issued to the subordinate CA. If you make a request from a stand-alone CA, the CA is not certified automatically. An administrator must approve the certificate request before the CA can issue the certificate. You must later use the Certification Authority console to install the CA's certificate.

Save the request to a file

Select to save the request to a file, and then type the path and file name in the Request file box; or click Browse to select the file location. This option saves the certificate request to a request file that you can submit to an offline CA for processing. The CA is not certified automatically. You must later use the Certification Authority console to install the CA's certificate.