Historical Content Alert

This is a historical content for Windows 2000 product and is presented for informative purposes only. All content on this page is copyrighted and owned by Microsoft.

To install an enterprise root certification authority

  1. Log on to the system as a Domain Administrator.
  2. Click Start, point to Settings, and then click Control Panel.
  3. Double-click Add/Remove Programs and then click Add/Remove Windows Components.
  4. In the Windows Components wizard, select the Certificate Services check box. A dialog box will appear to inform you that the computer cannot be renamed, and the computer cannot be joined to or removed from a domain after Certificate Services is installed. Click Yes and then click Next.
  5. Click Enterprise root CA.
  6. (Optional) Select the Advanced options check box to specify the following.
    Advanced option Comment
    Cryptographic service provider (CSP) The default is the Microsoft Base Cryptographic Provider. Certificate Services does support third party CSPs but you must refer to the CSP vendor's documentation for information about using their CSP with Certificate Services.
    Hash algorithm The default is SHA-1.
    Existing keys If you select this option, you can use an existing public key and private key pair instead of generating new ones. This is helpful if you are relocating or restoring a previously installed certification authority (CA).
    Key length The default key length using the Microsoft Base Cryptographic Provider is 512 bits. Default key lengths for other CSPs vary. In general, the longer the key length, the more secure the key is. For a root CA, you should use a key length of at least 2048 bits. This option is not available if you are using existing keys.
    When you are done, click Next.
  7. Type the name of the certification authority and other necessary information. None of this information can be changed after the CA setup is complete.
  8. In Validity duration, specify the validity duration for the root CA. See the note below about things to consider when setting this value. Click Next.
  9. Specify the storage locations of the certificate database, the certificate database log, and the shared folder. Click Next.
  10. If the World Wide Web Publishing service is running, you will see a request to stop the service before proceeding with the installation. Click OK.
  11. If prompted, type the path to the Certificate Services installation files.


  • The enterprise root CA selection requires that the host computer be a member of a domain and that it use Active Directory. The administrator who is installing an enterprise CA must have Write permission to Active Directory.
  • If you have Write permission to Active Directory, then specifying the shared folder is optional, and is not typically done for enterprise certification authorities.
  • The validity duration you choose for the CA will determine when the CA "expires." For information about renewing CAs, see Related Topics.
  • Certain Windows components require configuration before thay can be used. If you installed one or more of these components, but did not configure them, when you click Add/Remove Windows Components, a list of components that need to be configured is displayed. To start the Windows Components wizard, click Components.

Share this article: