Historical Content Alert

This is historical content for the Windows 2000 product and is presented for informational purposes only. All content on this page is copyrighted and owned by Microsoft.

Checklist: Creating a certification hierarchy with an offline root certification authority

This checklist is provided for the cases where the root certification authority (CA) is not connected to your organization's network. You might choose to have an isolated, offline root CA for security reasons in order to protect it from possible attacks by hackers or malicious individuals via the network.

A major issue with an offline root certification authority is providing certificate verifiers with online certificate revocation checking. This checklist assists public key infrastructure (PKI) administrators with setting up functional certificate revocation checking for certificates issued by an offline root CA.

See Checklist: Deploying certification authorities and PKI for an intranet for further information about configuring enterprise CAs.

See Checklist: Deploying certification authorities and PKI for the Internet for further information about configuring stand-alone CAs.

Steps and references

Review concepts

Step: Review public key infrastructure concepts.
Reference: Public key infrastructure

Step: Review certificate concepts.
Reference: Certificates concepts

Step: Review concepts about certification authorities.
Reference: Certificate Services concepts

Set up the offline root certification authority

Step: Plan the certification hierarchy.
Reference: Certification authority hierarchies

Step: Set up a Windows 2000 server that you will use for the root certification authority. The server needs to have Internet Information Services (IIS) installed as part of setup. The server needs to be a member server in an Active Directory domain.
Reference: Set up for Windows 2000 Server

Step: Plan the renewal strategy you are going to use for the root certification authority.
Reference: Renewing certification authorities

Step: Log on to the network as a domain administrator and install the root certification authority on the server that will be offline (disconnected from the network). You need to install the root CA while the server is attached to the network so that it can update Active Directory and its root certificate will automatically be trusted by any computer or user in the domain.
Reference: Install a stand-alone root certification authority

Step: On the new root CA, change the URL location of the certificate revocation list (CRL) distribution point to a location of your choice that is accessible to all users in your organization's network. It is possible to enter multiple URLs. This is necessary because the offline root CA's default CRL distribution points (CDPs) are not accessible to users on the network and, if they are left unchanged, certificate revocation checking will fail.
Reference: Specify CRL distribution points in issued certificates

Step: Schedule the publication of the certificate revocation list.
Reference: Schedule the publication of the certificate revocation list

For each subordinate certification authority

Step: Set up a Windows 2000 server for each subordinate certification authority.
Reference: Set up for Windows 2000 Server

Step: Install subordinate certification authorities, as required by your planned certification hierarchy. These can be stand-alone certification authorities or, if you are using Active Directory, enterprise certification authorities. During setup for each subordinate CA, choose to save the CA certificate request to a file, which will be a PKCS #10 request.
Reference: Install a stand-alone subordinate certification authority; Install an enterprise subordinate certification authority

Step: Copy the CA certificate request file from the subordinate certification authority to some portable storage media. Take the CA certificate request to the root certification authority.

Step: Using the root certification authority's Web pages, submit the PKCS #10 request from the file to get the CA certificate for the subordinate certification authority.
Reference: Request a certificate using a PKCS #10 file

Step: On the root certification authority, accept the pending certificate request and issue the CA certificate using the Certification Authority snap-in.
Reference: Review pending certificate requests

Step: Using the root certification authority's Web pages, check on the pending certificate request which you just approved. Download the new certificate and, if provided, the certification path to files on the portable storage media you are using.
Reference: Check on a pending certificate request

Step: Take the portable storage media back to the subordinate certification authority. In Windows Explorer, locate the certificate and certification path files you just copied, right-click each file and choose Install Certificate. Have the Certificate Import wizard automatically place the certificates in stores based on the type of certificate.
Reference: Import a certificate

Before issuing any certificates from the subordinate certification authorities and, afterwards, every time a new CRL is published by the offline root CA

Step: On the root certification authority, publish a certificate revocation list. (Do this only if it has not already been published using its CRL publishing schedule.)
Reference: Manually publish the certificate revocation list

Step: In Windows Explorer on the root CA, locate the certificate revocation list you just published. The CRL's default location is:

\Systemroot\system32\CertEnroll\CAname.crl

Right-click the CRL file and send it to a drive that has portable storage media.

Step: Copy the certificate revocation list file to every URL location that you specified as a CRL distribution point in the root CA's Policy settings. Your systems can now do certificate revocation checking on certificates issued by the offline root CA.
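The whole point of the last two steps is that the CRL carried from the offline root to each CDP must be replaced before its nextUpdate passes, or revocation checking fails for every certificate below the root. As an added example (not part of the Microsoft checklist), this stdlib-only Python checker reads thisUpdate and nextUpdate from a DER CRL as copied to a CDP and flags when a fresh one must be carried over; the sample CRL, its issuer name "Offline Root CA" and the one-day transfer slack are constructed assumptions.

```python
import datetime as dt

def _tlv(buf, pos):  # decode one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf):  # yield (tag, value_bytes) for each TLV laid out directly inside buf
    pos = 0
    while pos < len(buf):
        tag, vs, pos = _tlv(buf, pos)
        yield tag, buf[vs:pos]

def _time(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware UTC datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate may be None."""
    _, vs, ve = _tlv(der, 0)                            # CertificateList SEQUENCE
    _, tbs = next(_children(der[vs:ve]))                # tbsCertList SEQUENCE
    fields = list(_children(tbs))
    i = 3 if fields[0][0] == 0x02 else 2                # skip optional version, signature alg, issuer
    times = [_time(t, v) for t, v in fields[i:i + 2] if t in (0x17, 0x18)]
    return times[0], (times[1] if len(times) > 1 else None)

def crl_status(der, now, transfer_slack=dt.timedelta(days=1)):
    """Classify the CRL found at a CDP: ok / publish-soon / expired / not-yet-valid."""
    this_update, next_update = crl_validity(der)
    if now < this_update:
        return "not-yet-valid"
    if next_update is not None and now >= next_update:
        return "expired"                                 # clients' revocation checks now fail
    if next_update is not None and now + transfer_slack >= next_update:
        return "publish-soon"                            # carry a new CRL to the CDP before nextUpdate
    return "ok"

def _der(tag, content):
    """Tiny DER encoder (short-form lengths only) used to build the constructed sample."""
    return bytes([tag, len(content)]) + content

def sample_crl(this_update, next_update):
    """Constructed, unsigned sample CertificateList for 'Offline Root CA' (dummy signature bits)."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    cn = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"Offline Root CA"))       # CN attribute
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + _der(0x30, _der(0x31, cn)) + utc(this_update) + utc(next_update))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
```

Run crl_status over the file fetched from each CDP URL on the schedule the root CA uses; "publish-soon" is the cue to start the portable-media transfer.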
