This checklist is provided for the cases where the root certification authority (CA) is not connected to your organization's network. You might choose to have an isolated, offline root CA for security reasons in order to protect it from possible attacks by hackers or malicious individuals via the network.
A major issue with an offline root certification authority is providing certificate verifiers with online certificate revocation checking. This checklist assists public key infrastructure (PKI) administrators with setting up functional certificate revocation checking for certificates issued by an offline root CA.
See Checklist: Deploying certification authorities and PKI for an intranet for further information about configuring enterprise CAs.
See Checklist: Deploying certification authorities and PKI for the Internet for further information about configuring stand-alone CAs.
Step | Reference | |
---|---|---|
|
||
Review public key infrastructure concepts. | Public key infrastructure | |
Review certificates concepts. | Certificates concepts | |
Review concepts about certification authorities. | Certificate Services concepts | |
|
||
Plan the certification hierarchy. | Certification authority hierarchies | |
Set up a Windows 2000 server that you will use for the root certification authority. The server needs to have Internet Information Services (IIS) installed as part of setup. The server needs to be a member server in an Active Directory domain. | Set up for Windows 2000 Server | |
Plan the renewal strategy you are going to use for the root certification authority | Renewing certification authorities | |
Log on to the network as a domain administrator and install the root certification authority on the server that will be offline (disconnected from the network). You need to install the root CA while the server is attached to the network so that it can update Active Directory and its root certificate will automatically be trusted by any computer or user in the domain. | Install a stand-alone root certification authority | |
On the new root CA, change the URL location of the certificate revocation list (CRL) distribution point to a location of your choice that is accessible to all users in you organization's network. It is possible to enter multiple URLs. It is necessary to do this because the offline root CA's default CRL Distribution Points (CDPs) are not accessible to users on the network and, if they are left unchanged, certificate revocation checking will fail. | Specify CRL distribution points in issued certificates | |
Schedule the publication of the certificate revocation list. | Schedule the publication of the certificate revocation list | |
|
||
Set up a Windows 2000 server for each subordinate certification authority | Set up for Windows 2000 Server | |
Install subordinate certification authorities, as required by your planned certification hierarchy. These can be stand-alone certification authorities or, if you are using Active Directory, enterprise certification authorities. During setup for each subordinate CA, choose to save the CA certificate request to a file, which will be a PKCS #10 request. | Install a stand-alone subordinate certification authority; Install an enterprise subordinate certification authority | |
Copy the CA certificate request file from the subordinate certification authority to some portable storage media. Take the CA certificate request to the root certification authority. | ||
Using the root certification authority's Web pages, submit the PKCS #10 request from the file to get the CA certificate for the subordinate certification authority. | Request a certificate using a PKCS #10 file | |
On the root certification authority, accept the pending certificate request and issue the CA certificate using the Certification Authority snap-in. | Review pending certificate requests | |
Using the root certification authority's Web pages, check on on the pending certificate request which you just approved. Download the new certificate and, if provided, the certification path to files on the portable storage media you are using. | Check on a pending certificate request | |
Take the portable storage media back to the subordinate certification authority. In Windows Explorer, locate the certificate and certification path files you just copied, right-click on each file and choose to Install Certificate. Have the Certificate Import wizard automatically place the certificates in stores based on the type of certificate. | Import a certificate | |
|
||
On the root certification authority, publish a certificate revocation list. (Do this only if it has not already been published using its CRL publishing schedule). | Manually publish the certificate revocation list | |
In Windows Explorer on the root CA, locate the certificate revocation list you just published. The CRL's default location is: |
||
Copy the certificate revocation list file to every URL location that you specified as a CRL distribution point in the root CA's Policy settings. Your systems can now do certificate revocation checking on certificates issued by the offline root CA. |