Standalone CA configuration

North Carolina State University has deployed a couple of self-signed root certificate authority certs in the past.  However, as time passed, the need for a more robust environment became apparent.  A new Public Key Infrastructure root certificate authority was created in early 2011.

A really thorough book on Microsoft Windows Public Key Infrastructure is "Windows Server 2008 PKI and Certificate Security", by Brian Komar.

A Windows 2008 R2 Service Pack 1 standalone machine was deployed.  It was not joined to a domain and was kept off the network.

Windows Certificate Services, when installed, reads a CAPolicy.inf file located in the C:\Windows directory.  The one used for the NCSU standalone CA looks like this:

—————

[Version]
Signature="$Windows NT$"

[CRLDistributionPoint]

[AuthorityInformationAccess]

[BasicConstraintsExtension]
PathLength=4
Critical=Yes

[certsrv_server]
RenewalKeyLength=2048

—————

The [CRLDistributionPoint] and [AuthorityInformationAccess] sections are purposely left empty so that the root certificate itself carries no CDP or AIA extension; a self-signed root that pointed at its own CRL would set up circular revocation checking.
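As an added example (not part of the original post or NCSU's tooling), here is a small standard-library Python check that parses a CAPolicy.inf and confirms the offline-root conventions described above: the signature header, empty CDP and AIA sections, a critical BasicConstraints with a path length, and a renewal key length of at least 2048 bits (that minimum is an assumed threshold taken from the file shown). The sample policy text is a constructed copy of the file above.

```python
import configparser
from typing import List

# Constructed sample: a copy of the CAPolicy.inf shown on this page.
NCSU_ROOT_POLICY = """[Version]
Signature="$Windows NT$"

[CRLDistributionPoint]

[AuthorityInformationAccess]

[BasicConstraintsExtension]
PathLength=4
Critical=Yes

[certsrv_server]
RenewalKeyLength=2048
"""

def load_capolicy(text: str) -> configparser.ConfigParser:
    """Parse CAPolicy.inf text; keys keep their case and empty sections survive."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep PathLength as written, not lower-cased
    cp.read_string(text)
    return cp

def check_offline_root_policy(text: str, min_key_bits: int = 2048) -> List[str]:
    """Return findings; an empty list means the file matches the offline-root
    conventions described above (min_key_bits is an assumed threshold)."""
    cp = load_capolicy(text)
    findings: List[str] = []
    if cp.get("Version", "Signature", fallback="").strip('"') != "$Windows NT$":
        findings.append('[Version] Signature must be "$Windows NT$"')
    # The root must not carry CDP/AIA pointers: a self-signed root cannot be
    # checked against a CRL it signs itself, so both sections stay empty.
    for section in ("CRLDistributionPoint", "AuthorityInformationAccess"):
        if not cp.has_section(section):
            findings.append(f"[{section}] missing (should be present and empty)")
        elif cp.options(section):
            findings.append(f"[{section}] should be empty, found {cp.options(section)}")
    bc = "BasicConstraintsExtension"
    if not cp.get(bc, "PathLength", fallback="").isdigit():
        findings.append(f"[{bc}] PathLength must be a non-negative integer")
    if cp.get(bc, "Critical", fallback="").lower() != "yes":
        findings.append(f"[{bc}] Critical should be Yes")
    bits = cp.get("certsrv_server", "RenewalKeyLength", fallback="0")
    if not bits.isdigit() or int(bits) < min_key_bits:
        findings.append(f"[certsrv_server] RenewalKeyLength should be >= {min_key_bits}")
    return findings
```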

The CRL for the standalone root is published at http://www.ncsu.edu/crl/NCSURootCA.crl.  This URL is included, as the CRL Distribution Point extension, in all certificates issued by the standalone root CA.