Checklist: Deploy a NAP CA

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This parent checklist includes cross-reference links to important concepts about deploying a NAP certification authority (CA). It also contains links to subordinate checklists that will help you complete the required tasks. Perform these tasks after you have completed lab testing of NAP.


Complete the tasks in this checklist in order. When a reference link takes you to a conceptual topic or to a subordinate checklist, return to this topic after you review the conceptual topic or you complete the tasks in the subordinate checklist so that you can proceed with the remaining tasks in this checklist.

Checklist: Deploy a NAP CA

Task Reference

Review concepts and examples for the Health Registration Authority (HRA) server.

Planning the Placement of a NAP CA Server

Planning Redundancy for a NAP CA Server

Capacity Planning for NAP CAs

Review the hardware, software, network, and client requirements for the NAP CA.

Appendix A: NAP Requirements

Install Active Directory Certificate Services (AD CS) on a NAP CA server.

This guide includes procedures for installing a standalone or an enterprise NAP CA. Configuration differs slightly for each. In its recommended configuration, the NAP CA is a dedicated standalone subordinate CA.

Install a NAP CA

Configure health certificate exemptions and templates.

> [!NOTE] > Perform these procedures on an enterprise CA. The enterprise CA can be used to issue NAP health certificates or NAP exemption certificates.

Create an IPsec NAP Exemption Group

Create Health Certificate Templates

Publish NAP Certificate Templates

Configure Template Validity Period

Configure NAP CA properties.

Configure NAP CA Properties

See Also


Checklist: Implementing an IPsec Enforcement Design
IPsec Enforcement Configuration
Design an Exception Management Strategy