This checklist is focused on the configuration and setup of enterprise certification authorities (CAs), which are used in public key infrastructure (PKI) architectures where Active Directory is present.
Please refer to Checklist: Deploying certification authorities and PKI for the Internet for information about configuring stand-alone CAs.
If you are going to have an offline root certification authority in your certification hierarchy, see Checklist: Creating a certification hierarchy with an offline root certification authority.
Step | Reference
---|---
Review public key infrastructure concepts | Public key infrastructure
Review certificates concepts | Certificates concepts
Review concepts about certification authorities | Certificate Services concepts
Review concepts about using public key policy in Group Policy | Public key policy concepts
Plan a certification hierarchy | Certification authority hierarchies
Set up a Windows 2000 server for each certification authority | Set up for Windows 2000 Server
Ensure that Active Directory and DNS are installed on your network | Active Directory overview
Plan the renewal strategy you are going to use for the root certification authority | Renewing certification authorities
Install a root certification authority | Install an enterprise root certification authority
Install subordinate certification authorities (as required by your planned certification hierarchy) | Install an enterprise subordinate certification authority
Set security permissions and delegate control of certificate templates | Set security permissions and delegate control of certificate templates
Set security permissions and delegate control of certification authorities | Set security permissions and delegate control of a certification authority
Specify which certificate types to issue | Establish the certificate types that an enterprise certification authority can issue
Schedule the publication of the certificate revocation list | Schedule the publication of the certificate revocation list
(Optional) Enable Netscape-compatible revocation checking URL extensions to be written in every certificate issued | Refer to Revoking certificates and publishing CRLs
Confirm that the certification authority will properly authenticate certificate requesters from the CA Web pages | Set security for access to certification authority Web pages
Set up smart cards for Windows 2000 logon | Checklist: Deploying smart cards for logging on to Windows
Set up a Web server to use certificates for secure access | Certificates and Internet Information Services (http://localhost/iishelp/iis/htm/core/iicerts.htm) (You need to have IIS installed to use this shortcut.)
Set up Internet Protocol security (IPSec) | Internet Protocol security (IPSec)
Set up Encrypting File System (EFS) recovery agents | Encrypting File System and data recovery
Set up a Microsoft Exchange server to use certificates for secure e-mail | Refer to Microsoft Exchange documentation
(Optional) Establish certificate autoenrollment for computers | Create an automatic certificate request for computers in a Group Policy object
Revoke certificates | Revoke an issued certificate
Back up each certification authority | Backing up and restoring a certification authority
Renew each certification authority | Renewing certification authorities