How to Install/Uninstall a Public Key Certificate Authority for Windows 2000

ID: Q231881

The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server

SUMMARY

In Windows 2000, the Certificate Authority (CA) service issues certificates needed to run a public key infrastructure. The CA can be an external commercial CA or it can be a CA run by a company. These certificates enable a user to use smart card logon, send encrypted mail, sign documents, and more.

Typically, you should install an enterprise CA if you are issuing certificates to users or computers inside a corporation or a Windows 2000 domain. You should install a stand-alone CA if you are issuing certificates to users or computers outside of an organization or company. An enterprise CA requires that all users requesting certificates have an entry in Active Directory; a stand-alone CA does not. An enterprise CA can issue certificates that can be used to log on to a Windows 2000 domain; a stand-alone CA cannot. You can use both types of CAs to suit your enterprise needs. This article describes how to install or uninstall CAs in Windows 2000.


MORE INFORMATION

Setup and Installation of the Certificate Authority

Before You Begin

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Groups.


  2. Make sure you can see and manage Active Directory. If you do not have a directory, please follow the steps in the Active Directory and DNS guide.


  3. Make sure your account is in the Domain Admins group. You must be an administrator to install the Certificate Authority.


  4. Microsoft Internet Information Server (IIS) must be installed in order to install the Certificates Services web enrollment pages.


Setting Up the CA

  1. Click Start, point to Settings, and then click Control Panel.


  2. Double-click Add/Remove Programs.


  3. Click Add/Remove Windows Components.


  4. Click Next.


  5. Click to select the Certificate Services check box, and then click Next.


  6. Click the appropriate CA type. A description of each authority is displayed to the right of the possible choices.


  7. If you want to change the default cryptography settings, click to select the Advanced options check box. Select this check box only if you know you need to.


  8. Click Next.


  9. If the Advanced options check box is selected, you are prompted to change your Public and Private Key Pair selection. If you did not select the Advanced options check box, proceed to the next step.


  10. A Certificate Authority Identifying Information window appears. Complete the information as appropriate for your site and organization. Note that the CA information is critical because it is used to identify the CA object created. When you are finished, click Next.


  11. You are prompted to define the location of the certificate database, configuration information, and the Certificate Revocation List (CRL). An enterprise CA always stores its information, including the CRL, in Active Directory. Microsoft recommends that you select the Shared Folder check box. This specifies the location of a folder in which configuration information for the CA is stored. You should store all CA configuration information in one folder.


  12. Click Next.


  13. If IIS is running, shut it down. Click OK to stop IIS. You must stop IIS to install the Web components. If you do not have IIS installed, proceed to the next step.


  14. Installing a subordinate CA requires that you either click Browse to locate an online CA, or click Save the request to a file if your request is destined for a commercial CA or a CA that is not accessible from the network.


  15. Wait for the installation to finish.


  16. Click Finish.


Verifying the Certificate Server Installation

To verify the installation, you can use any of the following methods:
  • Type net start at a command prompt to verify that the Certificate service is running.


  • Request a certificate by clicking Start, pointing to Run, typing mmc, clicking OK, clicking Add/Remove Snap-in on the Console menu, adding the Certificates snap-in, clicking My User Account to manage, right-clicking the Personal folder, clicking All Tasks, and clicking Request a New Certificate. The Certificate Request Wizard should start.


  • For a stand-alone CA, you can request a new certificate using Internet Explorer 5 by connecting to "http://ServName/CertSrv" (where ServName is the name of the server).


Uninstalling Certificate Server

  1. Click Start, point to Settings, and then click Control Panel.


  2. Double-click Add/Remove Programs.


  3. Click Add/Remove Windows Components.


  4. Click Next.


  5. Click to clear the Certificate Services check box, and then click Next.


  6. Click Finish.


Additional query words:

Keywords : kbenv kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.