Standalone CA configuration

North Carolina State University has deployed a couple of self-signed root certificate authority certs in the past. However, as time passed, the need for a more robust environment became apparent. A new Public Key Infrastructure root certificate authority was created in early 2011.

A really thorough book on Microsoft Windows Public Key Infrastructure is “Windows Server 2008 PKI and Certificate Security“, by Brian Komer.

A Windows 2008 R2 service Pack 1 standalone machine was deployed. Not joined to a domain, and not on the network.

Windows certificate services, when installed, looks at a CAPolicy.inf file located in the C:\Windows directory. The one for the NCSU standalone CA looks like:

—————

[Version] Signature=”Windows NT$”

[CRLDistributionPoint] [AuthorityInformationAccess] [BasicConstraintsExtension] PathLength=4
Critical=Yes

[certsrv_server] RenewalKeyLength=2048

—————

The CRLDistributionPoint and AuthorityInformationAccess are purposely left blank to avoid circular revocation checking.

The CRL for the standalone root is published to http://www.ncsu.edu/crl/NCSURootCA.crl. This CRL is included in all certs issued by the standalone root CA.