Installing and Configuring a Windows Server 2003 Stand-alone Certification Authority
Certification Authorities can issue certificates to users and computers for a variety of purposes. In the context of the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit, certificates can be used for:
- Client certificate authentication by the Web Proxy service on the ISA Server firewall
- User authentication by an OWA user on a remote network
- Creating an SSL link between the OWA client and the Incoming Web Requests listener
- Creating an SSL link between the internal interface of the ISA Server firewall and the OWA site on the internal network
- Certificate authentication for an IPSec transport mode connection between a front-end and a back-end Exchange Server
- Secure SMTP/POP3/IMAP4/NNTP connections to the Exchange Server
A Microsoft Certificate Server can take on one of four roles:
- Enterprise Root CA
- Enterprise Subordinate CA
- Stand-alone Root CA
- Stand-alone Subordinate CA
A Microsoft Stand-alone CA has the following characteristics:
- The stand-alone CA does not require Active Directory. This makes it the Certification Authority of choice in environments where there is no Active Directory infrastructure in place.
- The stand-alone CA does not use certificate templates and knows nothing about the user or computer account submitting a request. Every detail the certificate needs (subject name, key usage, enhanced key usage and so on) must be included explicitly in the request.
- The stand-alone CA does not consult Active Directory to validate the identity of the requester; the identity information in the request is taken as presented. When the CA machine is not a member of a domain, any account used to authenticate to its Web enrollment site must exist in the local SAM of the CA machine.
- By default the stand-alone CA does not issue a certificate as soon as the request is submitted. The request is held pending until an administrator approves it, and the client must then retrieve the issued certificate. This manual approval is the compensating control for the previous point (the CA has not checked the validity of the requesting account), so leave it in place unless you have another way to vet requesters.
- You cannot add or remove certificate templates on a stand-alone CA.
- The stand-alone CA cannot issue the smart card logon certificates that allow a user to log on to a Windows Server 2003 domain.
- The stand-alone CA's self-signed certificate is not automatically added to the requester's Trusted Root Certification Authorities certificate store. You must add the CA certificate to the Trusted Root store manually.
- The stand-alone CA receives limited support from Active Directory when it is installed by a domain administrator on a machine in an Active Directory domain. In that case the CA certificate is published to Active Directory and added to the Trusted Root Certification Authorities certificate store of all domain users and computers.
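The following PowerShell script is an added example, not code from the original article, and walks the request path the list above describes from the command line with certreq and certutil instead of the Web enrollment pages: a request that spells out every attribute itself (there are no templates), the pending state on submission, the administrator's approval, and the client's retrieval. The CA config string WIN2003DC\WIN2003DC, the subject name owa.example.com and the folder C:\certs are placeholders chosen for the example.

```powershell
# Added example (not part of the original article): request a certificate from a
# Windows Server 2003 stand-alone CA and walk the pending -> approved -> retrieved path.
# Assumptions: server and CA common name are both WIN2003DC (config "WIN2003DC\WIN2003DC");
# owa.example.com and C:\certs are placeholders. Run in an elevated PowerShell session.

$CaConfig = "WIN2003DC\WIN2003DC"   # <server>\<CA common name>
$WorkDir  = "C:\certs"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# A stand-alone CA has no templates, so the request itself must carry every attribute
# the certificate needs: subject, key length, key usage and the server-auth EKU.
$Inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=owa.example.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@
$Inf | Set-Content -Path "$WorkDir\owa.inf" -Encoding ASCII

# 1. Build the PKCS#10 request; the private key is generated in the local machine store.
certreq -new "$WorkDir\owa.inf" "$WorkDir\owa.req" | Out-Null

# 2. Submit it. certreq prints "RequestId: N" and, on a stand-alone CA with the default
#    policy, "Certificate request is pending" instead of writing the .cer file.
$submitOutput = certreq -submit -config $CaConfig "$WorkDir\owa.req" "$WorkDir\owa.cer" 2>&1 | Out-String
$RequestId = [int][regex]::Match($submitOutput, 'RequestId:\s*(\d+)').Groups[1].Value
if ($submitOutput -notmatch 'pending') {
    throw "Expected the request to be held pending for approval; got:`n$submitOutput"
}
"Request $RequestId is pending administrator approval"

# 3. Approve on the CA (run as a CA administrator): -resubmit issues a pending request by ID.
#    A request that should not be issued is refused with: certutil -config $CaConfig -deny $RequestId
certutil -config $CaConfig -resubmit $RequestId | Out-Null

# 4. Retrieve the issued certificate and bind it to the private key created in step 1.
certreq -retrieve -config $CaConfig $RequestId "$WorkDir\owa.cer" | Out-Null
certreq -accept "$WorkDir\owa.cer" | Out-Null

# 5. Confirm the certificate is in the machine store together with its private key.
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=owa.example.com" } |
    Select-Object -First 1
if ($issued -and $issued.HasPrivateKey) {
    "Issued and installed: $($issued.Thumbprint), valid until $($issued.NotAfter)"
} else {
    throw "Certificate for CN=owa.example.com was not installed with a private key"
}
```

Steps 1, 2, 4 and 5 run on the requesting machine and step 3 on the CA; the throw in step 2 is deliberate, because a stand-alone CA that issues immediately rather than holding the request has had its default policy changed and should be investigated before anything else is requested from it.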
We recommend that you install a stand-alone CA only if:
- You do not have an Active Directory domain, and/or
- You do not require automatic deployment (autoenrollment) of certificates to users and computers
If you have users who require certificates and those users are not members of your Active Directory domain, use a stand-alone Certificate Server. These users can obtain certificates from the stand-alone CA's Web enrollment site. The Web enrollment site runs on Internet Information Services (IIS) 6.0, so you must install IIS on the stand-alone CA computer before installing Certificate Services. Treat the Web enrollment site as an attack surface: it accepts requests from anyone who can reach it and authenticate to IIS, so do not expose it to networks that have no need to submit requests.
Installing Microsoft Internet Information Services World Wide Web Service
Perform the following steps to install IIS 6.0 on the Windows Server 2003 member server or domain controller computer that will be the stand-alone CA:
- Click Start, point to Control Panel and click Add or Remove Programs.
- Click the Add/Remove Windows Components button in the Add or Remove Programs window.
Figure 1

- On the Windows Components window, click on the Application Server entry and click the Details button.
Figure 2

- On the Application Server page, click on the Internet Information Services (IIS) entry and click the Details button.
Figure 3

- In the Internet Information Services (IIS) dialog box, put a checkmark in the World Wide Web Service checkbox and click OK.
Figure 4

- Click OK on the Application Server dialog box.
Figure 5

- Click Next on the Windows Components dialog box.
Figure 6

- Click Finish on the Completing the Windows Components Wizard page.
Figure 7

Installing Microsoft Certificate Services
Perform the following steps to install and configure a stand-alone CA on a Windows Server 2003 computer:
Note:
We recommend that you install the stand-alone CA on a member server or domain controller on your internal network, logged on as a domain administrator. This allows the stand-alone CA's certificate to be automatically placed in the Trusted Root Certification Authorities certificate store for all domain users and computers. Bear in mind that the root CA's private key is the trust anchor for every certificate the CA issues: the machine you choose should be physically and administratively controlled at least as tightly as a domain controller.
- At a member server or domain controller in your internal network, log on as a domain administrator. Click Start, point to Control Panel and click Add or Remove Programs.
- In the Add or Remove Programs window, click the Add/Remove Windows Components button.
Figure 8

- In the Windows Components dialog box, click on the Certificate Services entry and click the Details button.
Figure 9

- In the Certificate Services dialog box, put a checkmark in the Certificate Services CA checkbox. A Microsoft Certificate Services dialog box appears and informs you that you cannot change the machine name or the domain membership of the machine while it acts as a certificate server. Read the information in the dialog box and click Yes.
Figure 10

- Both the Certificate Services CA and Certificate Services Web Enrollment Support checkboxes are now checked. Click OK in the Certificate Services dialog box.
Figure 11

- Click Next in the Windows Components dialog box.
Figure 12

- Select the Stand-alone root CA option on the CA Type page. Click Next.
Figure 13

- On the CA Identifying Information page, type in a Common name for this CA. The common name of the CA is typically the DNS host name or NetBIOS name (computer name) of the machine running Certificate Services. In this example, the name of the machine is WIN2003DC, so we will enter WIN2003DC in the Common name for this CA text box. Choose the name carefully: it becomes the subject of the CA certificate and cannot be changed afterwards without removing and reinstalling Certificate Services. The default Validity Period of the CA's self-signed certificate is 5 years. Accept this default value unless you have a reason to change it; no certificate the CA issues can be valid beyond the CA certificate's own expiry, so the period must comfortably cover the lifetimes of the certificates you plan to issue. Click Next.
Figure 14

- On the Certificate Database Settings page, use the default locations for the Certificate Database and Certificate Database Log. You do not need to specify a shared folder to store configuration information because this information will be stored in Active Directory. Click Next.
Figure 15

- Click Yes on the Microsoft Certificate Services dialog box that informs you that Internet Information Services must be stopped temporarily.
Figure 16

- Click Yes on the Microsoft Certificate Services dialog box that informs you that Active Server Pages must be enabled on IIS if you wish to use the Certificate Services Web enrollment site.
Figure 17

- Click Finish on the Completing the Windows Components Wizard page.
Figure 18

- Close the Add or Remove Programs window.
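Once the wizard has finished, the checks a practitioner would want are whether the CA is actually answering, whether it was installed as the intended type, whether it still holds requests for approval, and whether its certificate has reached the Trusted Root store. The following PowerShell script is an added example, not code from the original article, and performs those checks from the registry and the certificate store. It assumes the server and CA common name are both WIN2003DC as in the walkthrough; the registry paths and the CAType/RequestDisposition value meanings are those of the Windows Server 2003 Certificate Services registry layout.

```powershell
# Added example (not part of the original article): verify a stand-alone root CA after
# installation. Assumptions: server and CA common name are both WIN2003DC, as in the
# walkthrough. Steps 2 and 3 read the CA's own registry keys and must run on the CA;
# steps 1 and 4 can run on any machine that should trust the CA.

$CaServer = "WIN2003DC"
$CaName   = "WIN2003DC"
$CaConfig = "$CaServer\$CaName"

# 1. Is the CA service answering? certutil -ping exits non-zero if it cannot reach the CA.
certutil -config $CaConfig -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CA $CaConfig is not reachable" }

# 2. CA type as recorded by setup.
#    CAType values: 0 = enterprise root, 1 = enterprise subordinate,
#                   3 = stand-alone root, 4 = stand-alone subordinate.
$CfgKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$cfg = Get-ItemProperty -Path $CfgKey
$caTypes = @{ 0 = "Enterprise Root"; 1 = "Enterprise Subordinate"; 3 = "Stand-alone Root"; 4 = "Stand-alone Subordinate" }
$caType = [int]$cfg.CAType
"CA type: $($caTypes[$caType]) (CAType=$caType)"
if ($caType -ne 3) { Write-Warning "Expected a stand-alone root CA" }

# 3. Default request disposition of the policy module. The low bits hold the policy:
#    0 = hold pending (REQDISP_PENDING), 1 = issue automatically, 2 = deny.
#    A stand-alone CA whose certificate every domain member trusts must stay at 0:
#    at 1, anyone who can reach the Web enrollment pages gets a certificate with no review.
$PolKey = "$CfgKey\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$disp = [int](Get-ItemProperty -Path $PolKey).RequestDisposition
switch ($disp -band 0x3) {
    0 { "Requests are held pending administrator approval (expected for a stand-alone CA)" }
    1 { Write-Warning "Requests are issued automatically; review who can submit to this CA" }
    2 { "Requests are denied by default" }
}

# 4. Is the CA certificate in this machine's Trusted Root store? On a domain member this
#    happens through Active Directory when a domain administrator installed the CA; on any
#    other machine it must be imported by hand. The subject may carry a DC= suffix after
#    the common name when the CA was installed in a domain, hence the -like match.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$CaName*" } |
    Select-Object -First 1
if ($root) {
    "CA certificate trusted: $($root.Thumbprint), valid until $($root.NotAfter)"
} else {
    Write-Warning ("CA certificate for CN=$CaName is not in Trusted Root. Export it on the CA with " +
        "'certutil -config $CaConfig -ca.cert cacert.cer' and import with 'certutil -addstore Root cacert.cer'")
}
```

Run step 4 on a domain workstation some time after the installation (the certificate reaches members through Active Directory, not instantly), and on any non-domain client that will talk to an ISA Server listener or OWA site secured with a certificate from this CA; a missing root certificate there shows up later as an SSL trust error rather than as an installation failure.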