Standalone CA configuration

North Carolina State University has deployed a couple of self-signed root certificate authority certs in the past.  However, as time passed, the need for a more robust environment became apparent.  A new Public Key Infrastructure root certificate authority was created in early 2011.

A really thorough book on Microsoft Windows Public Key Infrastructure is “Windows Server 2008 PKI and Certificate Security”, by Brian Komar.

A Windows 2008 R2 Service Pack 1 standalone machine was deployed. It is not joined to a domain and is not on the network.

Windows certificate services, when installed, looks at a CAPolicy.inf file located in the C:\Windows directory.  The one for the NCSU standalone CA looks like:


    [Version]
    Signature="$Windows NT$"

    ; Intentionally empty
    [CRLDistributionPoint]

    ; Intentionally empty
    [AuthorityInformationAccess]

    [BasicConstraintsExtension]
    PathLength=4

    [certsrv_server]
    RenewalKeyLength=2048


The CRLDistributionPoint and AuthorityInformationAccess sections are purposely left empty so that the root certificate carries neither extension, which avoids circular revocation checking.
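To confirm that an installed root certificate reflects this CAPolicy.inf, the following added example (not part of the original page or NCSU's own tooling) loads an exported root certificate and reports whether it is self-signed, has no CDP or AIA extension, and carries the expected path length. The function name and the file name in the usage comment are assumptions; the .NET classes are the standard X.509 types.

```powershell
# Added example. Test-RootCaCertificate and the sample file name are assumptions.
function Test-RootCaCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$ExpectedPathLength = 4   # PathLength value from CAPolicy.inf
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Look up extensions by OID; the indexer returns $null when absent.
    $cdp = $cert.Extensions['2.5.29.31']           # CRL Distribution Points
    $aia = $cert.Extensions['1.3.6.1.5.5.7.1.1']   # Authority Information Access
    $raw = $cert.Extensions['2.5.29.19']           # Basic Constraints

    # Decode Basic Constraints explicitly so the CA flag and path length are
    # available regardless of how the runtime typed the extension object.
    $isCa    = $false
    $pathLen = $null
    if ($raw) {
        $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension -ArgumentList $raw, $raw.Critical
        $isCa = $bc.CertificateAuthority
        if ($bc.HasPathLengthConstraint) { $pathLen = $bc.PathLengthConstraint }
    }

    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $conforms   = $selfSigned -and $isCa -and (-not $cdp) -and (-not $aia) -and
                  ($pathLen -eq $ExpectedPathLength)

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        SelfSigned = $selfSigned
        IsCa       = $isCa
        HasCdp     = [bool]$cdp
        HasAia     = [bool]$aia
        PathLength = $pathLen
        Conforms   = $conforms
    }
}

# Usage (file name is a placeholder for the exported root certificate):
# Test-RootCaCertificate -Path .\root-ca.cer
```

A `HasCdp` or `HasAia` value of `True` on the root certificate means clients will try to check revocation of the root against a list the root itself signs, which is the circular check the empty sections are meant to prevent.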

The CRL for the standalone root is published to  This CRL is included in all certs issued by the standalone root CA.