Once you have met the system requirements, you are ready to install the Enterprise Root CA for your network. The Enterprise Root CA is at the top of the certificate authority hierarchy. This server is automatically registered in Active Directory and therefore trusted by all computers within the domain. The Enterprise Root CA for your organization is responsible for issuing certificates to Enterprise Subordinate CAs. These servers in turn issue certificates to users and computers within the domain. Every certificate issued within your domain can be traced back to the Enterprise Root CA.

Installing an Enterprise Root Certificate Authority

In order to install and configure an Enterprise Root CA, you must log onto the server with a user account that belongs to the Domain Admins group.

To set up an enterprise root CA in Windows Server 2008:

  1. Click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Roles Summary section, click Add roles.
  3. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.
  4. On the Select Role Services page, select the Certification Authority check box, and then click Next.
  5. On the Specify Setup Type page, click Enterprise, and then click Next.
  6. On the Specify CA Type page, click Root CA, and then click Next.
  7. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers. Click Next twice.
  8. In the Common name for this CA box, type the common name of the CA. The common name for a CA is usually the same as its host name or computer name. Keep in mind as well, that you will not be able to change any of the identifying information after the service is installed.
  9. Click Next.
  10. On the Set the Certificate Validity Period page, configure the default validity duration for the root CA. The Validity period defines how long issued certificates remain valid. The default value for this field is 5 years. You can increase or decrease the number as necessary. Click Next after you have filled in the information.
  11. On the Configure Certificate Database page, configure the location of the Certificate database, the Certificate database log, and the shared folder. The default location for the database and database log is C:WINDOWSsystem32CertLog. You use the default value or use the Browse button to select a different location. Click Next.
  12. After verifying the information on the Confirm Installation Options page, click Install.

Setup will configure the necessary components. If setup cannot locate the necessary files, you will be prompted for the Windows Server 2008 CD-ROM to continue. If IIS is not installed, a warning will appear. IIS is required in order to use Certificate Services Web Enrollment Support. Click OK to acknowledge the message.

Review the information on the confirmation screen to verify that the installation was successful.