Establishing a Root CA

Creating a Stand-Alone Root CA on Windows Server 2003

Realistically speaking, there are very few reasons to configure a root CA as an Enterprise CA. Enterprise CAs represent significant risk, primarily because they cannot be taken offline. A stand-alone CA can be configured on a server that is not a member of a domain and taken offline for a significant period of time, which provides a high level of protection for the root CA’s private key. By configuring an offline root CA and an enterprise subordinate CA you can take advantage of both security and ease of management.

You begin creating an offline root CA by installing Certificate Services from the Add/Remove Programs control panel. Before installing any root CA, you should consider the following:

  • Physical security of the CA computer
  • Storage of the CA’s private key
  • Who will have access to the CA computer
  • How will you recover if the CA computer fails

The certificate services installation wizard will present you with several decision points. These decision points represent configuration options and are listed in the following table, along with some guidance on which decision to make.

[Table: Certificate Services installation decision points and recommended choices]

The root certificate is created during the installation of Certificate Services, so some of these parameters must be configured prior to its installation. This is accomplished by configuring the CAPolicy.inf file and placing it in the \windows folder. This file is read during the installation of Certificate Services and is used to configure them. From the above table, the validity period, key length, AIA and CDP points of the root certificate can only be configured using this file. Additionally, if you wish to change any of these values, you would alter the CAPolicy.inf file and renew the root certificate. A sample CAPolicy.inf file is shown below.

[Version]
Signature= "$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=16

[CRLDistributionPoint]
Empty=true

[AuthorityInformationAccess]
Empty=true

Use Notepad to create a file named capolicy.inf and save it in your \windows folder. Do this prior to installing Certificate Services.
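The following PowerShell script is an added example, not part of the original guide: it writes the sample CAPolicy.inf above into the \windows folder, refuses to run if Certificate Services is already installed (the file is only read at installation or renewal), and then reads the file back to confirm the settings that matter for an offline root: a 2048-bit (or larger) key and suppressed CDP and AIA extensions. It assumes PowerShell is available on the CA computer and that the file is saved as plain ASCII text, which is what Notepad produces; the parameter names and values are the ones from the sample file.

```powershell
# Added example: generate and verify CAPolicy.inf before installing Certificate Services.
# Assumption: run in PowerShell on the future root CA, before Certificate Services is installed.
param(
    [int]$RenewalKeyLength = 2048,
    [string]$RenewalValidityPeriod = 'Years',
    [int]$RenewalValidityPeriodUnits = 16
)

$path = Join-Path $env:windir 'CAPolicy.inf'

# CAPolicy.inf is only read during installation (or certificate renewal);
# stop if the CertSvc service already exists on this computer.
if (Get-Service -Name CertSvc -ErrorAction SilentlyContinue) {
    throw 'Certificate Services is already installed; edit CAPolicy.inf and renew the root certificate instead.'
}

# Same content as the sample file; the backticks keep the literal "$Windows NT$" signature.
$content = @"
[Version]
Signature="`$Windows NT`$"

[Certsrv_Server]
RenewalKeyLength=$RenewalKeyLength
RenewalValidityPeriod=$RenewalValidityPeriod
RenewalValidityPeriodUnits=$RenewalValidityPeriodUnits

[CRLDistributionPoint]
Empty=true

[AuthorityInformationAccess]
Empty=true
"@

# Assumption: plain ASCII text, matching what Notepad would save.
Set-Content -Path $path -Value $content -Encoding Ascii

# Read the file back as a simple INI: keys are stored as "Section\Name".
$ini = @{}
$section = ''
foreach ($line in Get-Content $path) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $ini["$section\$($Matches[1])"] = $Matches[2].Trim() }
}

# Checks for an offline root: strong key, and no CDP/AIA on the self-signed root certificate.
$problems = @()
if ([int]$ini['Certsrv_Server\RenewalKeyLength'] -lt 2048) { $problems += 'RenewalKeyLength is below 2048' }
if ($ini['CRLDistributionPoint\Empty'] -ne 'true')          { $problems += 'CDP extension is not suppressed on the root certificate' }
if ($ini['AuthorityInformationAccess\Empty'] -ne 'true')    { $problems += 'AIA extension is not suppressed on the root certificate' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    "CAPolicy.inf is in place at $path; you can now install Certificate Services."
}
```

Run it once on the CA computer before starting the Certificate Services installation; if it reports a warning, correct the file before proceeding, since the key length and the empty CDP/AIA extensions are baked into the root certificate when it is generated.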