This checklist is focused on the configuration and setup of stand-alone certification authorities (CAs), which are useful for public key infrastructure (PKI) architectures where Active Directory is not used, such as the Internet.
For deploying certification authorities that use Active Directory, please refer to Checklist: Deploying certification authorities and PKI for an intranet.
If you are going to have an offline root certification authority in your certification hierarchy, see Checklist: Creating a Certification Hierarchy with an Offline Root Certification Authority.
Step | Reference
---|---
Review public key infrastructure concepts | Public key infrastructure
Review certificates concepts | Certificates concepts
Review concepts about certification authorities | Concepts

Step | Reference
---|---
Plan a certification hierarchy | Certification authority hierarchies
Set up a Windows 2000 Server for each certification authority | Set up for Windows 2000 Server
Plan the renewal strategy you are going to use for the root certification authority | Renewing certification authorities
Install a root certification authority | Install a stand-alone root certification authority
(Optional) Enable Netscape-compatible revocation checking URL extensions to be written in every certificate issued. |
Install subordinate certification authorities (as required by your planned certification hierarchy) | Install a stand-alone subordinate certification authority
Install Web enrollment services on non-certification authority servers, as required. (Used to submit certificate requests via servers that are not certification authorities.) | Set up certification authority Web enrollment support

Step | Reference
---|---
Specify whether to make each incoming certificate request pending (the recommended default for most cases) or automatically approved | Set the default action upon receipt of a certificate request
Schedule the publication of the certificate revocation list | Schedule the publication of the certificate revocation list
(Optional) Enable Netscape-compatible revocation checking URL extensions to be written in every certificate issued. | Refer to Revoking certificates and publishing CRLs

Step | Reference
---|---
Set up a Web server to use certificates for secure access | Certificates and Internet Information Services (http://localhost/iishelp/iis/htm/core/iicerts.htm) (You need to have IIS installed to use this shortcut.)
Set up Internet Protocol security (IPSec) | Internet Protocol security (IPSec)
Set up a Microsoft Exchange server to use certificates for secure e-mail | Refer to Microsoft Exchange documentation

Step | Reference
---|---
Review pending certificate requests | Review pending certificate requests
Revoke certificates | Revoke an issued certificate
Back up each certification authority | Backing up and restoring a certification authority
Renew each certification authority | Renewing certification authorities