Standalone CA configuration
North Carolina State University has deployed a couple of self-signed root certificate authority certs in the past. However, as time passed, the need for a more robust environment became apparent. A new Public Key Infrastructure root certificate authority was created in early 2011.
A really thorough book on Microsoft Windows Public Key Infrastructure is “Windows Server 2008 PKI and Certificate Security“, by Brian Komer.
A Windows 2008 R2 service Pack 1 standalone machine was deployed. Not joined to a domain, and not on the network.
Windows certificate services, when installed, looks at a CAPolicy.inf file located in the C:\Windows directory. The one for the NCSU standalone CA looks like:
—————[Version] Signature=”Windows NT$” [CRLDistributionPoint] [AuthorityInformationAccess] [BasicConstraintsExtension] PathLength=4
Critical=Yes [certsrv_server] RenewalKeyLength=2048
The CRLDistributionPoint and AuthorityInformationAccess are purposely left blank to avoid circular revocation checking.
The CRL for the standalone root is published to http://www.ncsu.edu/crl/NCSURootCA.crl. This CRL is included in all certs issued by the standalone root CA.