Installing Certificate Services
You can now begin the installation process. All Win2K Server products include Certificate Services, which is essentially an upgrade of the Windows NT 4.0 Option Pack's Certificate Server. Certificate Services is no longer an add-on but rather a component of the Win2K Server installation. To install Certificate Services, you can simply select the Certificate Services check box during installation.

If you've already installed Win2K Server, follow these steps:

  1. Open the Control Panel Add/Remove Programs applet and select Add/Remove Windows Components from the icon list.
  2. Select the Certificate Services check box.
  3. Win2K will warn you that you won't be able to rename the computer or remove it from a domain. Click Yes to continue.
  4. The Windows Components Wizard appears. Click Next.
  5. In the Certification Authority Type dialog box, select the Stand-alone root CA option, as Figure 1 shows. If you need to set options for controlling public/private key pairs, select the Advanced options check box. (You probably don't need to configure Advanced options for your extranet users unless they use certificates for a secondary purpose that requires generating public/private key pairs.) Click Next.
  6. Complete the steps necessary to identify your CA. Be sure to use a descriptive name for your CA's identification information: Don't simply enter CA or CA1. Whenever someone uses or references the CA name (e.g., to request a certificate through a browser), a descriptive name will clearly identify the CA server. For our purposes, I named the CA 32XRootServer, as Figure 2 shows. Click Next.
  7. To use the default folders as the CA database locations, click Next. In some cases, changing the CA database locations can be useful. For example, if you have several CAs, you can put their folders on a network disk and point all the CAs to the same certificate store at the network location.
  8. If IIS is running on the server, click OK to stop IIS. After the installation is complete, the system will restart IIS.

The system might prompt you to insert the Win2K SP2 or SP1 CD-ROM or enter the path to the requested service pack's setup files. As the installation proceeds, the setup process will pause while the system configures IIS and Certificate Services. When the setup is complete, click Finish.

To verify that Certificate Services is running, go to Start, Programs, Administrative Tools, Certification Authority and open the Microsoft Management Console (MMC) Certification Authority snap-in. If a Stop button (i.e., a black square icon) appears on the snap-in's toolbar, as it does on the snap-in that Figure 3 shows, Certificate Services is enabled. You can also check Certificate Services' status by entering the following Ping command at a command prompt:

C:\>certutil -ping

If the server is running, you'll see a message that resembles the following: Connecting to bigboat2001\32XRootServer ... Server "32XRootServer" is alive. (As you can see, even pinging a CA returns the CA name—yet another reason for naming each CA carefully.)

You're Ready to Go
Several new folders now reside under the Default Web Site directory, the \system32 folder, and the hard disk's root (e.g., C:\):

  • The CertServ folder contains the .asp files that the system uses to access Certificate Services. This folder also contains a copy of the CertControl folder.
  • The CertEnroll folder contains the certificate revocation list (CRL) and the server's certificate. Copies of this folder reside in both the \iis and \system32 folders.
  • The CertControl folder contains Certificate Services control files.
  • The CertLog folder in the \system32 folder contains the Certificate Services database. If necessary, you can move this database after installation. For more information about moving the database, see the Microsoft article "How to Move the Certificate Server Database and Log Files" (http://support.microsoft.com/support/kb/articles/q283/1/93.asp).
  • The CAConfig folder also contains the server's certificate and a text file that identifies the CA. The system creates this folder below the hard disk root and shares this folder (for remote access over the LAN) as CertConfig.
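
A batch script covering the verification step and the folder list above, as an added example that is not part of the original article. It assumes the default folder locations (%SystemRoot%\system32\CertLog, %SystemRoot%\system32\CertSrv\CertEnroll, %SystemDrive%\CAConfig) and a service display name that contains "Certificate Services"; adjust these if your installation differs.

```batch
@echo off
rem Added example (not from the article): post-install check of a CA.
rem Assumptions: default folder locations, CAConfig on %SystemDrive%,
rem and a service display name containing "Certificate Services".
setlocal
set FAIL=0

rem 1. The CA answers the ping command the article shows.
certutil -ping >nul 2>&1
call :report %errorlevel% "CA answers certutil -ping"

rem 2. The service appears in the list of started services.
net start | find /i "Certificate Services" >nul
call :report %errorlevel% "Certificate Services is started"

rem 3. The folders the article lists exist at their assumed default paths.
call :folder "%SystemRoot%\system32\CertLog"
call :folder "%SystemRoot%\system32\CertSrv\CertEnroll"
call :folder "%SystemDrive%\CAConfig"

rem 4. CAConfig is shared as CertConfig. The share details are printed
rem    for review because the share is reachable from the LAN.
net share CertConfig
call :report %errorlevel% "CAConfig is shared as CertConfig"

if "%FAIL%"=="0" (echo Result: all checks passed) else (echo Result: at least one check failed)
exit /b %FAIL%

:report
rem %1 = exit code of the check, %2 = description of the check
if "%~1"=="0" (echo [ OK ] %~2) else (echo [FAIL] %~2& set FAIL=1)
goto :eof

:folder
rem %1 = folder path; the trailing backslash makes "if exist" test a directory
if exist "%~1\" (call :report 0 "Folder exists: %~1") else (call :report 1 "Folder exists: %~1")
goto :eof
```

The script exits with 0 when every check passes and 1 otherwise, so it can be called from a scheduled job or a build checklist.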

Now that Certificate Services is running, you're ready to issue certificates. In Part 2 of this series, I'll show you how to set up your CA to issue certificates to your extranet users.
