Installing Certificate Server

To install Certificate Server
  1. Run the Microsoft® Windows NT 4.0 Option Pack Setup program and install Internet Information Server (IIS) if it is not already installed.

  2. Select Custom setup.
  3. Select Certificate Server in the Components list box. Internet Information Server (IIS) is selected by default; this is a requirement.

  4. Select any other optional components desired and click Next to continue with Windows NT 4.0 Option Pack Setup.

    Note: Installation of individual sub-components of Certificate Server for a partial installation (such as a remote Certificate Server Web Client) is not supported in this release.

At the appropriate point in Windows NT 4.0 Option Pack Setup, the Certificate Server Configuration Wizard will walk you through the process of configuring Certificate Server. Just follow the instructions at each step and click Next to advance to the next step. To go back to a previous step, click Back. To exit the Wizard at any time, click Cancel.

Complete these Configuration Wizard steps to configure Certificate Server
  1. Introduction. Read the introductory text in this screen and click Next when ready to continue.

  2. Choose Storage Location. Provide the location used by Certificate Server to store Certificate Authority certificates and the Certificate Server configuration file. This location will be referenced by applications or users when they request or use certificates issued by the server. In this release, Shared Folder is the only choice for the type of storage location, and it must be located on the machine on which Certificate Server is being installed.

    When Shared Folder is selected, enter the universal naming convention (UNC) path of a public network share in the text box, for example: \\yourserver\public.

    The Shared Folder should be located on a public network share so that any user can access and install the Certificate Authority (CA) certificate. If this location is on the server machine you can also specify a path name such as c:\public. The text you enter for the shared folder name must begin with \\ or a drive letter such as c:\. Relative paths are not allowed. The directory must already exist; the Configuration Wizard will not create the directory for you.

    Click Next when ready to continue.

    Note: Support for a Microsoft Windows NT® Domain Controller as a storage location is not available in this release.

  3. Enter Identifying Information. Provide the information for each of the requested identifying items.

    Item                 Information                 Example
    Name                 Certificate Authority name  Test Site Certificate Authority
    Organization         Your company                Microsoft Corporation
    Organizational Unit  Your organizational unit    Beta Support Group
    Locality             Your locality               Redmond
    State                Your state                  Washington
    Country              Your country                US

    Click Next when ready to continue.

  4. Choose Key Storage Location. Certificate Server private keys are stored in a Microsoft Cryptographic API key container using one of the Cryptographic Service Providers installed on your system. Type the name you want for the System Store and Key Container in the Key Container Name box.

    Clear the Erase all previous configuration information check box in the unusual event that existing configuration information should be preserved.

    Clear the Make this Certificate Server the default check box if another server will be the default.

    Select Create Certificate Request File only if you want to install a non-root Certificate Authority (CA) that will participate in an established CA hierarchy.

    Click Next when ready to continue.

  5. Choose Database Location. To modify the default location for the certificate store database, click Browse and select the desired location.

    Click Next when ready to continue.

  6. Choose CSP and Hashing. If multiple Cryptographic Service Providers are installed on your system, select the desired Cryptographic Service Provider (CSP) from the list. Microsoft Base Cryptographic Provider is the default. Then select the desired hashing algorithm from the list of algorithms supplied by the selected CSP.

    Note: In this version, a single provider, Microsoft Base Cryptographic Provider, is the only choice and MD5 hashing is selected by default. Future releases will allow selection of other CSPs and their hashing algorithms.

    Click Next when ready to continue.

  7. Choose Certificate Output File Names. The Configuration Wizard automatically generates self-signed signature (root) and key exchange certificates for the Certificate Authority (CA) being created. Enter the name you want for these files, or accept the default, which is based on the server machine name. The files will be named with the .crt extension and stored in the Shared Folder created in the Choose Storage Location step.

    When you provide the name for the self-signed root certificate file, the name for the key exchange certificate file will be generated automatically by the Configuration Wizard. Enter only the file names, without any directory path specifications. Click Next when ready to continue.

    Note: If Create Certificate Request File was selected in the Choose Key Storage Location step, only the key exchange certificate just described will be generated because this CA will be a non-root CA. The signature certificate for a non-root CA must be generated and stored later in the process described in Installing a Certificate Authority Hierarchy.

  8. Enter Comment. Enter an identifying comment that will be included in the certificate. Click Next when done.

The Configuration Wizard now stores all the configuration information you have specified and performs the following steps:

Unless Create Certificate Request File was selected in the Choose Key Storage Location step, the following message is displayed when setup is complete:

If Create Certificate Request File was selected in the Choose Key Storage Location step so that a Certificate Authority hierarchy can be installed, then the following message is displayed instead:

See Installing a Certificate Authority Hierarchy for the steps required to complete installation of Certificate Server into a Certificate Authority hierarchy.

Note: The Configuration Wizard configures the Certificate Authority service to start automatically when the operating system loads. To configure the service to start manually, see Configuring the Certificate Authority Service.
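
The Choose CSP and Hashing step notes that MD5 is the default hash in this release, and the resulting CA certificates are written as .crt files to the Shared Folder. MD5 is no longer collision-resistant, so when auditing certificates issued by such an installation it is useful to read the signature algorithm directly from each file. The following is an added example, not part of the original documentation: it assumes the .crt files are DER or PEM encoded X.509 certificates, the function names are hypothetical, and the sample bytes are constructed rather than taken from a real certificate.

```python
import base64

# Signature-algorithm OIDs built on legacy hashes (dotted form -> name).
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_bytes):
    """Return the outer signatureAlgorithm OID of a DER or PEM certificate."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line for line in cert_bytes.splitlines()
                        if not line.startswith(b"-----"))
        cert_bytes = base64.b64decode(body)
    _, start, _ = _read_tlv(cert_bytes, 0)             # Certificate SEQUENCE
    _, _, tbs_end = _read_tlv(cert_bytes, start)       # skip tbsCertificate
    _, alg_start, _ = _read_tlv(cert_bytes, tbs_end)   # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _read_tlv(cert_bytes, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(cert_bytes[oid_start:oid_end])

def weak_signature(cert_bytes):
    """Return the weak algorithm name, or None if the signature is not MD2/MD5 based."""
    return WEAK_SIG_OIDS.get(signature_oid(cert_bytes))

# Constructed sample (not a real certificate): empty tbsCertificate,
# md5WithRSAEncryption AlgorithmIdentifier, empty BIT STRING signature.
SAMPLE_DER = bytes.fromhex("3014" "3000" "300d06092a864886f70d0101040500" "030100")
```

To audit a folder, read each .crt file in binary mode and pass its contents to weak_signature; a non-None result identifies a certificate that should be reissued under a stronger hash.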


© 1997 by Microsoft Corporation. All rights reserved.