Historical Content Alert

This is a historical content for Windows 2000 product and is presented for informative purposes only. All content on this page is copyrighted and owned by Microsoft.

To install an enterprise subordinate certification authority

  1. Log on to the system as a Domain Administrator.
  2. Click Start, point to Settings, and then click Control Panel.
  3. Double-click Add/Remove Programs and then click Add/Remove Windows Components.
  4. In the Windows Components wizard, select the Certificate Services check box. A dialog box will appear to inform you that the computer cannot be renamed, and the computer cannot be joined to or removed from a domain after Certificate Services is installed. Click Yes and then click Next.
  5. Click Enterprise subordinate CA.
  6. (Optional) Select the Advanced options check box to specify the following.
    Advanced option Comment
    Cryptographic service provider (CSP) The default is the Microsoft Base Cryptographic Provider. Certificate Services does support CSPs from other vendors, but you must refer to the CSP vendor's documentation for information about using their CSP with Certificate Services.
    Hash algorithm The default is SHA-1.
    Existing keys You can use an existing public key and private key pair instead of generating new ones if you select this option. This is helpful if you are relocating or restoring a previously installed certification authority (CA).
    Key length The default key length using the Microsoft Base Cryptographic Provider is 512 bits. Default key lengths for other CSPs vary. In general, the longer the key length, the more secure the key is. For a subordinate CA, you should use a key length of at least 1024 bits. This option is not available if you are using existing keys.
    When you are done, click Next.
  7. Type in the name of the CA and other necessary identifying information. None of this information can be changed after the CA setup is complete. Click Next.
  8. Specify the storage locations of the certificate database, the certificate database log, and the shared folder. Click Next.
  9. Obtain the certificate for the subordinate CA. For instructions on how to do this, see Notes.
  10. If the World Wide Web Publishing Service is running, the system will request that you stop the service before proceeding with the installation. Click OK.
  11. If prompted, type the path to the Certificate Services installation files.


  • To obtain the certificate for a subordinate CA, you must submit a certificate request to a parent CA. The procedure for doing so differs depending on whether the parent CA is available online.
    • If a parent CA is available online:
      1. Click Send the request directly to a CA already on the network.
      2. In Computer Name, type the name of the computer on which the parent CA is installed.
      3. In Parent CA, click the name of the parent CA.
    • If a parent CA is not available online:
      1. Click Save the request to a file.
      2. In Request file, type the path and file name of the file that will store the request.
      3. Obtain this subordinate CA's certificate from the parent CA.

        The procedure for doing this will be unique to the parent CA. At a minimum, the parent CA should provide a file containing the subordinate CA's newly issued certificate and, preferably, its full certification path. For the procedure to submit a certificate request using a file to a Windows 2000 CA, see Related Topics.

        If you get a subordinate CA certificate that does not include the full certification path, the new subordinate CA you are installing must be able to build a valid CA chain when it starts. Thus you must install the parent CA's certificate in the Intermediate Certification Authorities certificate store of the computer (if the parent CA is not a root CA), as well as the certificates of any other intermediate CA in the chain, and you must install the certificate of the root CA in the chain into the Trusted Root Certification Authorities store. These certificates should be installed in the certificate store before you install the CA certificate on the subordinate CA you have just set up.

      4. Open Certification Authority.
      5. In the console tree, click the name of the CA.

        • Certification Authority (computer)
        • CA name
      6. On the Action menu, point to All Tasks, and then click Install CA Certificate.
      7. Locate the certificate file received from the parent certification authority, click this file, and then click Open.
    • The enterprise subordinate CA selection requires that the host computer be a member of a domain and that it use Active Directory. The administrator who is installing an enterprise CA must have Write permission to Active Directory.
  • If you have Write permission to Active Directory, then specifying the shared folder is optional, and is not typically done for enterprise CAs.
  • To open Certification Authority, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
  • Certain Windows components require configuration before thay can be used. If you installed one or more of these components, but did not configure them, when you click Add/Remove Windows Components, a list of components that need to be configured is displayed. To start the Windows Components wizard, click Components.

Share this article: