Setting up an enterprise root certificate authority

An enterprise root CA is used to issue certificates to the Online Responder service, client computers, and publish certificate information to the Active Directory Domain Services (ADDS). To set up an enterprise root certificate authority, you must complete the tasks described below.

Install ADCS and CA role

To set up an enterprise root certificate authority, you must first install ADCS and the CA role.

To install ADCS and CA role

1. Log on to OCSPCA as a Domain Administrator.

2. From the Start menu, select Administrative Tools and Server Manager.

3. In the Server Manager Dashboard (in the right pane of the window), select Manage and Add Roles and Features.

4. In the Add Roles and Features Wizard, select Next.

5. On the Installation Type page, select the Role-based or feature-based installation check box and Next.

6. On the Server Selection screen, select a server from the server pool, the listed server, and Next.

7. Select Active Directory Certificate Services > Add Features > Next.

8. On the Features page, select Next.

9. On the ADCS page, select Next.

10. On the Role Services page, select the Certificate Authority and Certificate Authority Web Enrollment check boxes in the Role Services list. The Add Features dialog displays.

11. Select Add Features and Next.

12. On the Web Server Role (IIS) page, select Next.

13. On the Role Services page, select Next.

14. Select the Restart the destination server automatically if required check box. A confirmation message displays, select Yes.

15. Select Install on the Confirmation page and wait to finish the installation.

Configure ADCS and CA role

After installing ADCS and the CA role, you must configure them.

To configure ADCS and CA role

1. If continuing from the last procedure, select Configure Active Directory Certificate Server on the destination server.

2. Alternatively, you can open the ADCS configuration wizard by clicking the Notification Flag and configuring the server role. The ADCS Configuration Wizard will be displayed.

3. On the Credentials page, select Next.

4. On the Role services page select the Certificate Authority and Certification Authority Web Enrollment check boxes. Select Next.

5. On the Setup Type page, select Enterprise CA . Select Next.

6. On the CA Type page, select the Root CA radio button and select Next. Select Next.

7. On the Private Key page, select the Create a new private key check box. Select Next.

8. In the Cryptography for CA window, select and set up the provider you wish to use for the CA.

9. The following Cryptographic Providers should be available for use:

   • RSA#SafeNet Key Storage Provider

   • DSA#SafeNet Key Storage Provider

   • ECDSA_P256#SafeNet Key Storage Provider

   • ECDSA_P384#SafeNet Key Storage Provider

   • ECDSA_P521#SafeNet Key Storage Provider

   Note

   • Verify your KSP registration if the Cryptographic providers listed above are not available for use.

   • Ensure that sha’ hashing algorithm is used.

10. After selecting and setting up the Cryptographic Provider, select Next.

11. On the Configure CA Name page enter the CA Name or accept the default CA name. Select Next.

12. On the Validity Period page specify the certificate validity period. Select Next.

13. Specify the database location or accept the default location on the Certificate Database page and select Next.

14. Verify that the CA you are about to configure is appropriate. Select Configure and wait for the confirmation message. If everything is correct, the Configuration succeeded message will display when the configuration completes.

15. Select Close to exit the ADCS Configuration wizard.