Building an Enterprise Root Certification Authority in Small and Medium Businesses

On This Page

	Introduction
	Before You Begin
	Installing and Configuring an Enterprise Root Certification Authority
	Certificate Services Example Implementation: Establishing Autoenrollment for Wireless Users
	Related Information

Introduction

Unprotected information exchange across the Internet, extranets, intranets, and between applications presents potential security risks to any organization today. The challenges include preventing an unauthorized third party from eavesdropping on information traveling over the Internet, masquerading as an authorized person, or disrupting the ability of an organization to conduct business.

This step-by-step guide will help you set up a public key certification authority (CA) in a network with servers running Microsoft Windows Server 2003 operating systems. You can install a CA on a server that is running Microsoft Windows Server 2003, Standard Edition; Microsoft Windows Server 2003, Enterprise Edition; or Microsoft Windows Server 2003, Datacenter Edition.

A CA is a service that issues and manages electronic credentials or certificates in a public key infrastructure (PKI). PKI is a system of digital certificates, CAs, and other registration authorities (RAs) that verify and authenticate the validity of each party that is involved in an electronic transaction through the use of public key cryptography. Standards for PKIs are still evolving, even as they are being widely implemented as a necessary element of electronic commerce. Many government agencies and private organizations have promulgated their own PKI standards. Consult with your legal counsel prior to implementing a PKI architecture to ensure compliance with all relevant local, state, federal, and international laws and regulations.

A Windows Server 2003 PKI, which can be integrated with Microsoft Windows XP Professional clients, can help secure network communications between an organization and its employees, partners, vendors, and customers. A server running Windows Server 2003 Certificate Services can issue public key certificates to a person, device, or service. The certificate holder uses PKI-enabled applications and technologies to enable centrally managed strong authentication, to ensure data confidentiality, and to secure data exchange. The PKI-enabled technologies supported by Windows Server 2003 provide a foundation for the following technologies and their associated business benefits:

In addition, with a Windows Server 2003 PKI, you can take advantage of the ability to integrate certificate services with the Active Directory directory service and Group Policy. In an Active Directory environment, a Windows Server 2003 CA uses certificate templates, which are published in Active Directory, to control the contents of the certificates that it issues. Certificate templates define the information that goes into a certificate and simplify the use and management of the CA by making technical details of certificate contents transparent to users. Depending on your organization's needs, you can use a single purpose template that generates certificates for a specific application, a multipurpose template that generates certificates for a number of applications, or even create new customized certificate templates.

The instructions provided in this document show you how to build an enterprise root CA, use a certificate template to enable client autoenrollment, and establish autoenrollment for wireless users. Specifically, you will learn how to perform the following tasks:

Note: The screenshots in this document reflect a test environment and the information might differ from the information displayed on your screen.

After you complete these steps, your network will include an enterprise root CA and you will have access to all of the certificate templates available by using the Certificate Templates snap-in. In addition, client autoenrollment will strengthen authentication for your wireless users by requiring them to use digital certificates during the authentication process. Autoenrollment can make this requirement virtually transparent to users by enabling them to automatically request certificates, retrieve issued certificates, and renew expiring certificates. You can also broaden the protection the Windows Server 2003 PKI provides to your network by expanding your use of the PKI to support additional applications such as digital signatures, IPSec, and so on, that were mentioned earlier.

IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Top of page

Before You Begin

This section describes the setup requirements for an enterprise CA. You must meet all these requirements before installing the CA. Failure to do so may cause your installation to fail or to limit the functionality of your CA.

The instructions in this document assume an existing PKI system has not been deployed. The solutions described in this document do not provide guidance for integrating additional Microsoft CA services into an existing PKI.

IT Infrastructure Prerequisites

Your organization must have the following IT infrastructure:

Windows Server 2003 Operating System Needed for Each Procedure

Enterprise CA Requirements

To effectively set up an enterprise CA using Windows Server 2003, the following actions must be taken:

An enterprise root CA can be created by using only one server.

The following table provides the recommended hardware specification for a server used as an enterprise root CA, based on Windows Server 2003 recommendations. However, you might not need to purchase new hardware if you have something that fits these criteria outlined in "Build Guide 2 - Implementing the Public Key Infrastructure." For more information about hardware recommendation for a Microsoft Server 2003 enterprise root CA, see "Build Guide 2 - Implementing the Public Key Infrastructure" on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22696.

Suggested Hardware Specification for Enterprise Root CA Server

Choosing the Type of CA to Use

Some organizations use external commercial CAs, while other organizations run their own CAs. Because a CA is an important trust point in an organization, most organizations have their own CA. This document assumes your organization is deploying its own CA.

Windows Server 2003 provides two classes of CAs, determined by which policy modules are selected during installation-an enterprise CA or a stand-alone CA. The policy modules define the actions that a CA can take when it receives a certificate request.

Typically, you should install an enterprise CA if you will be issuing certificates to users or computers inside an organization that is part of a Windows Server 2003 domain. You should install a stand-alone CA if you will be issuing certificates to users or computers outside of a Windows Server 2003 domain.

An enterprise CA requires that all clients requesting certificates have an entry in Active Directory, whereas a stand-alone CA does not. Also, an enterprise CA can more easily issue certificates that are used to log on to a Windows Server 2003 domain than can a stand-alone CA.

Within the enterprise and stand-alone CA classes, there can be two types of CAs-a root or a subordinate. A root CA is the anchor for trust in an organization. If necessary, the root CA's certificate can be used to enable subordinate CAs for purposes such as implementing policy and issuing end user certificates. This document shows you how to install and configure an enterprise root CA, with no subordinate CAs.

For more information about the differences between enterprise, standalone, root, and subordinate CAs and key PKI design decisions, see "Determining CA Roles & Types" in "MSA Enterprise Design for Certificate Services" on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22671.

What to Know Before You Start

What Cannot Change After CA Deployment

Top of page

Installing and Configuring an Enterprise Root Certification Authority

The installation process for a Certificate Services root authority generates a root CA certificate containing the CA's public key and the digital signature created by using the root's private key. This section provides the following step-by-step instructions for building an enterprise root CA, using a certificate template to enable client autoenrollment, and establishing autoenrollment.

Installing and Configuring an Enterprise Root CA

You now need to log on as an enterprise administrator; using our example, log on with an account which is a member of the Enterprise Admins group and the root domain's Domain Admins group.

Requirements

•

To install and configure an enterprise root certification authority 1. Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group. 2. Click Start, click Control Panel, click Add or Remove Programs, and then click Add/Windows Components. 3. In the Windows Components Wizard, select the Certificate Services check box. A dialog box appears to inform you that the computer cannot be renamed and that the computer cannot be joined to or removed from a domain after Certificate Services is installed. Click Yes. Note: If you intend to use the Web components of the Certificate Services, ensure that the IIS check box is selected by clicking Application Server (but do not select its check box), click Details, select Internet Information Services (IIS), and then click OK. Click Next. 4. On the CA Type page, select Enterprise root CA, and then click Next. Note: The private key is always stored locally on the server, except in the case where a cryptographic hardware device is used. In such a case, the private key is stored in the device. The public key is placed in the certificate. 5. On the CA Identifying Information page, supply identifying information appropriate for your site and organization: 1. In Common name for this CA, type the common name of the certification authority. The CA name (or common name) is critical because it is used to identify the CA object created in Active Directory. 2. In Validity period, accept the default of 5 years, and then click Next. The Validity period time is the length of time the CA will be valid; the actual duration is a tradeoff between security and administrative overhead. Keep in mind that each time a root certificate expires, an administrator has to update all trust relationships, and administrative steps need to be taken to move the CA to a new certificate. A time period of five or more years is typically sufficient in most enterprise environments, although the period should conform to formal IT policies and procedures. Consult with legal counsel to ensure that your CA configuration meets all applicable legal requirements. 6. On the Certificate Database Settings page, click Next to accept the default storage locations of the certificate database, the certificate database log, and then confirm that select Store configuration information in a shared folder is not selected. Note: Setup might issue a warning about not being able to create a shared folder. This is expected because all network interfaces had been disabled. It is safe to ignore this and move on. You must place the certificate database and the Certificate database log on local NTFS drives. 7. If IIS is running, a message will prompt you to stop the service. Click Yes to stop IIS. IIS must be stopped before the Web components can be installed. Note: If you do not have IIS installed, you will not see this message, and Web enrollment will not be available unless IIS is installed. The Optional Component Manager then installs the Certificate Services components. If this requires the Windows Server 2003 installation media (CD), insert the Windows Server 2003 product CD into the CD drive. 8. Click OK to finish the installation. Click Finish to close the wizard.

Once the certification authority is installed, add certificate templates to the certification authority and configure the certification authority to allow subjects to request a certificate that is based on a template.

Note: If you have or plan to use the advice in this guide to tighten the security of domain controllers in your organization, you will need to modify your domain Group Policy settings to re-enable Certificate Services. For more information on how to accomplish this, see the document, "Securing Windows Server 2003 Domain Controllers," in the Security Guidance Kit.

Verifying CA Installation

The simplest way to verify the successful completion of the Certificate Services installation is to open a command window, and type net start to see if Certificate Services is running.

You can also view the Certificate Services setup log at systemroot\certocm.log for further verification or to help troubleshoot in the event of errors.

You can also use the following procedure.

Requirements

Installing Certificate Templates

This procedure shows you how to install and view the default certificate templates. For a description of each of these default certificate templates, see the section "Default Templates" in "Implementing and Administering Certificate Templates in Windows Server 2003" on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22669.

Requirements

•

To install and view the default certificate templates 1. Click Start, click Run, type certtmpl.msc in the Run dialog box, and then click OK. 2. If this is the first time you are running the Certificate Templates snap-in on this CA, you will get messages that the certificate templates need to be installed, click Yes to each message. 3. In the console tree, click Certificate Templates. All of the certificate templates will be displayed in the details pane. 4. Close Certificate Templates.

Creating a Custom Certificate Template

Certificate templates allow customization of certificates issued by Certificate Services, including both how certificates are issued and what they contain. A certificate template is the set of rules and settings that are applied against incoming certificate requests.

New certificate templates are created by copying an existing template and using the existing template's properties as the default for the new template. Copy the existing certificate template closest to the configuration of the intended new template to minimize the work necessary.

Requirements

Configuring a Certificate Template for Client Autoenrollment

Autoenrollment is a useful feature of Certification Services in Windows XP and Windows Server 2003, Enterprise Edition. Autoenrollment allows you to configure clients to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring client interaction. A client does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the client.

This section describes one way of modifying the certificate template: for client autoenrollment. For detailed information about autoenrollment, see "Certificate Autoenrollment in Windows Server 2003" on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22668.

To properly configure client autoenrollment, you must plan the appropriate certificate template or templates to use. Several settings in the certificate template directly affect the behavior of client autoenrollment.

Requirements

Granting Enroll Permissions for a Default Certificate Template

This procedure configures default templates to be used by clients that have been autoenrolled by the procedure in "Configuring a Certificate Template for Client Autoenrollment."

Requirements

Note: To disallow subjects from requesting a certificate based on a template, clear the Read and Enroll check boxes using the same steps as in this procedure.

Configuring the CA to Issue Certificates Based on the Certificate Template

This procedure adds a new certificate template to the CA to be issued by the CA.

Requirements

Removing a Certificate Template from a CA

After you have defined and configured the certificate templates that you plan to use, it is a best practice to remove from the CA any certificate templates that you do not plan to use. Removing a certificate template only unlinks a certificate from a CA instead of deleting it physically from the certificate template store. If you need any of the removed certificate templates in the future, you can repeat the procedures in the section "Installing Certificate Templates" to perform this task.

Requirements

Top of page

Certificate Services Example Implementation: Establishing Autoenrollment for Wireless Users

To configure your server to provide autoenrollment for computer and user certificates, perform the following steps:

Requirements

Creating a Certificate Template for Wireless Users

•

To create a certificate template for wireless users 1. Click Start, click Run, type certtmpl.msc in the Run dialog box, and then click OK. 2. In the details pane of Certificate Templates, click the User template. 3. On the Action menu, click Duplicate Template. 4. On the General tab of the Properties of New Template page, in the Template display Name box, type Wireless User Certificate Template. 5. Click Apply and continue to the next procedure.

Configuring Certificate Template for Client Autoenrollment

•

To configure a certificate template for client autoenrollment 1. On the General tab of the Wireless User Certificate Template Properties page, make sure that the Publish certificate in Active Directory check box is selected. 2. Click the Security tab. 3. In the Group or user names list, click Domain Users. 4. In the Permissions for Domain Users list, under the Allow column, select the Read, Enroll, and Autoenroll check boxes. 5. Click the Subject Name tab, clear Include e-mail name in subject name and E-mail name, and then click OK. IMPORTANT: These two options are disabled because in this example for a lab deployment an e-mail name was not entered for the WirelessUser account in the Active Directory Users and Computers snap-in. You need to either enter an e-mail address for the WirelessUser account or not select the two e-mail boxes for the autoenrollment of the user certificate to be distributed to the client. 6. Click OK, and then close Certificate Templates.

Configuring the CA to Issue Certificates Based on the Template

•

To configure the CA to issue certificates based on the template 1. Click Start, point to All Programs, point to Administrative Tools, and then click Certification Authority. 2. In the console tree, expand the enterprise root CA, and then click Certificate Templates. 3. On the Action menu, point to New, and then click Certificate to Issue. 4. If necessary, scroll down, and then click Wireless User Certificate Template. 5. Click OK. 6. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers. 7. In the console tree, if necessary, double-click Active Directory Users and Computers, right-click the Contoso.com domain, and then click Properties. 8. On the Group Policy tab, click Default Domain Policy, and then click Edit. This opens the Group Policy Object Editor snap-in. 9. In the console tree, expand Computer Configuration, Windows Settings, Security Settings, Public Key Policies, and then click Automatic Certificate Request Settings. 10. Right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request. 11. On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next. 12. On the Certificate Template page, click Computer, and then click Next. 13. On the Completing the Automatic Certificate Request Setup Wizard page, click Finish. The Computer certificate type now appears in the details pane of the Group Policy Object Editor snap-in. 14. In the console tree, if necessary, scroll down and then expand User Configuration, Windows Settings, Security Settings, and Public Key Policies. Click Public Key Policies. 15. In the details pane, double-click Autoenrollment Settings. 16. Click Enroll certificates automatically, select the Renew expired certificates, update pending certificates, and remove revoked certificates check box, select the Update certificates that use certificate templates check box, and then click OK. 17. Close Group Policy Object Editor and Active Directory Users and Computers.

When the updated default domain Group Policy object is in effect, clients must restart their computers and log on to the domain with a wired connection to allow the new Group Policy settings to be applied and the certificates to be issued. You can verify that the certificates have been issued by using the Certificates snap-in on the client computer to look in the personal certificate store for the user or computer.

For more information about wireless networking options, see "Microsoft Solution for Securing Wireless LANs" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=22676.

Top of page

Related Information

For more information about building an enterprise root CA, see the following:

For more information about Public Key Infrastructure and configuring and managing CAs in small- and medium-sized businesses, see the following:

Top of page