High level instructions for installing a Standalone CA
NOTE: If you have an Enterprise or Datacenter edition server, the preferred install will be an Enterprise Root. If you have only Standard Edition WS08R2 Server, then you are not able to install an Enterprise CA and you will have to do a Standalone Root CA.
Start with a Windows 2008 R2 server. I used a DC, but there are some who think that is an issue. You should choose what you think works best for your environment or what matches your security model. If you choose to do a Standalone RootCA, then you will need this entire document to include the CLI work at the end.
1. Open servermanager
2. Add roles
3. Choose Active directory certificate services
4. Say next on the Intro screen…
5. Select as shown here:
6. Choose appropriately here. I recommend the Enterprise, it really is easier. However, you can choose Standalone also.
7. Choose Root
8. Choose new key
9. Setup like this:
10. You can rearrange the name as appropriate… take note of it though!
11. I choose to use a LONG period of time… I don’t like to have to renew certs more than I have to…your security paradigm may require you to keep this figure below the default of five years.
12. Accept these defaults… you can change them if you wish…if you change them, be sure to document the change from the default.
13. The webserver setup is so that you can get certs if you are authorized. Exchange UM,OCS, Lync, SQL, and SharePoint come to mind.
14. Because I let the wizard choose for me, these options were filled in for me and will support what I need for the aforementioned applications.
Total install time was less than 15 minutes.
16. If you chose to use a standalone edition, then you will need to publish the resulting trusted root cert into Active Directory…
Microsoft Windows computers and some devices are automatically configured with some well-known third-party root certificates. However, if you are using your own PKI, you need to install the root certificate. There are various ways to achieve this, including the following methods:
- If you are using a Microsoft Enterprise root certification authority, the root certificate is automatically installed on computers in the forest, using Active Directory Domain Services.
- If you are not using a Microsoft Enterprise root certification authority but want all computers in the forest to automatically trust the root certification authority, you can publish the root certificate in the Enterprise Trust Store, using Group Policy or the Certutil command.
- If you not using a Microsoft Enterprise root certification authority and want only groups of computers in the forest to automatically trust the root certification authority, you can publish the root certificate to domains or organizational units (OUs) using Group Policy. Only computers that have the Group Policy applied will automatically trust the root certification authority. Add the root certificate to the Group Policy object Trusted Root Certification Authorities under the Public Key Policies folder for the Computer Configuration container.
- If you are using Microsoft Certificate Services with Internet Information Services (IIS), you can request and install the root certificate with the Web enrollment service.
- You can request and retrieve the certificate using the Microsoft Certreq command-line utility.
- You can export the certificate to a file and import it if exporting the public key is enabled within the certificate.
17. To accomplish this using certutil.exe:
Run the following commands to register the digital certificate of the Standalone Root CA and its CRL in Active Directory:
certutil -f dspublish <CA_Cert_File_Name> RootCA and certutil – f -dspublish <CRL_File_Name>
The files <CA_Cert_File_Name> and <CRL_File_Name> are located in the folder %SystemRoot%\System32\CertSrv\CertEnroll
You don’t have to do the CRL but it does make things go smoothly when the host server starts looking for the CRL and can find it because you did publish it….
If you use a standard edition with Standalone Root CA, then you will need to do this command to allow the CA to issue SAN certs:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
One additional thing you can do is to change the certificate issue period from the default 1 year to something a little more lengthy. Using regedit, goto:
HKLM\system\currentcontrolset\services\certsvc\configuration\<CAname> – where CAname is whatever you called the CA in the previous steps.
What you want to do is modify the “ValidityPeriodUnits” as shown here.
If you followed things all the way through, you have a Standalone RootCA, with a trusted root cert for a period of 20 years, the trusted root is published into your AD DS (along with the CRL), individual certificates can be SAN/UCC, and the issued certificates will be for a two-year period.