As noted in the Microsoft Windows NT Option Pack release notes,
Microsoft Certificate Server 1.0 does not officially support certification
authority hierarchies. However, several of the key capabilities of a
"certification authority hierarchies" feature do work and can be used in
an implementation with Exchange Server to achieve most of the desirable
characteristics of certification authority hierarchies.
Installing a Certificate Server Subordinate Certificate Authority
A Certificate Server subordinate Certificate Authority (CA) is a
certifying authority that issues certificates and CRLs, but does not sign
certificates. The subordinate CA must submit certificates to a root CA to
be signed.
Before you install the Certificate Server subordinate CA, you must install
Internet Explorer version 4.01 or later on the server computer. You must
also create a shared directory where Certificate Server will store
certificates. The Windows NT Everyone account should have read permissions
on the shared directory.
After you install the Certificate Server, you need to install the Exchange
Server policy module and Certificate Server hotfix before the Certificate
Server can use Key Management Server.
To install a subordinate CA, perform the following steps:
1. Run the Windows NT Option Pack 4.0 Setup program and choose Custom.
2. On the Components page, select Certificate Server, and then choose Show Subcomponents.
3. Select Certificate Server Certifying Authority, and then choose Next.
4. On the Microsoft Certificate Server page, in the Shared Folder box, enter the path to the shared certificate directory on the CA computer, and then choose Next.
5. Select Show Advanced Configuration, and then choose Next.
6. In the Hash Algorithm box, choose SHA-1.
7. Select Non-Root CA, and then choose Next.
8. Type the information describing your CA, and then choose Next.
9. After you restart the computer, install the Microsoft Exchange Server policy module and the Certificate Server fix found in Service Pack 4 for Windows NT.
Creating Trust Between a Subordinate CA and a Root CA
The Certificate Authority service will not start automatically until you
obtain a certificate from another CA using the request file in the Certs
directory. Copy the certificate from the CA directory to the Certs
directory, and then run the Certificate Server Hierarchy Configuration
tool (Certhier.exe) to establish a trust relationship between the root CA
and the subordinate CA.
To create a trust relationship between a subordinate CA and a root CA, do
the following:
1. From the Certs directory on the subordinate CA computer, copy the .req file to a disk.
2. At the root CA computer, log on as an Administrator.
3. From the command prompt, type the following command (both paths point at the disk; there is no space after the drive letter):
certreq a:\filename.req a:\filename.crt
4. From the shared certificate directory, copy the signature file of the root CA to the disk. The following files are now on the disk:
- SubMachineName_SubCAName.crt
- SubMachineName_SubCAName.req
- RootMachineName_RootCAName.crt
5. From the subordinate CA computer, copy the root CA signature file to the Winnt\System32 directory, and name it RootCa.crt.
Note: This file must be copied as RootCa.crt, not RootMachineName_RootCAName.crt, where RootMachineName is the name of your computer and RootCAName is the name of your CA.
6. Copy the new signed .crt file and the original .req file from the disk to the shared directory.
Note: The subordinate CA certificate is SubMachineName_SubCAName.crt, where SubMachineName is the name of the computer where the subordinate CA is installed and SubCAName is the name of the subordinate CA.
7. Verify that the following registry key value exists (if not, add a new string value):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\SubCAName\HierFileName
where SubCAName is the name of the subordinate CA. Set the value to path\SubCAName, where path is the complete path to the shared certificate directory and SubCAName is the name of the .req file without the .req extension. For example:
c:\certs\SubMachineName_SubCAName
8. From the command prompt, run Certhier.exe.
9. In Control Panel, double-click Services, and then start the Certificate Authority service.