You can begin configuring a CA from its Properties window. In the Certification Authority console (certsrv.msc), right-click the CA and select Properties.

By default, the General tab is the active tab. It shows basic information about the CA, such as its common name and the cryptographic settings (provider and hash algorithm) that were chosen when Certificate Services was installed; they are displayed here for reference rather than edited.

Policy modules determine whether a certificate request is issued, denied, or marked as pending. On the Policy Module tab an administrator selects the active policy module and, for the default module, chooses what the CA should do when a request arrives: hold every request as pending until a certificate manager explicitly issues it, or follow the settings in the certificate template where one applies and otherwise issue the certificate automatically.

Conversely, the Exit Module tab specifies what the CA does after a certificate has been issued. The default exit module can be configured to publish issued certificates to Active Directory and/or to a file system location, and the tab shows which exit modules are currently active.

The Extensions tab configures the CRL Distribution Point (CDP) and Authority Information Access (AIA) extensions that the CA writes into the certificates it issues. Select the extension in the drop-down, click Add to specify a location, then use the check boxes to decide whether the CA publishes its CRL to that location and whether the location is included in issued certificates. Any location included in certificates must be reachable by every client that will validate them: an LDAP location only works for domain-joined clients, so non-domain or external clients need an HTTP location or they cannot obtain revocation status. The Storage tab shows where the certificate database and the request log are stored. Configuration data can be kept in Active Directory or in a shared folder; on an Enterprise CA it is automatically stored in Active Directory.
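Everything the Policy Module, Exit Module and Extensions tabs write ends up as registry values under the CA's configuration key, so the same settings can be read, changed and verified from an elevated prompt with certutil.exe, which ships with Certificate Services. The following is an added example and not part of the original article; the HTTP host name pki.example.com, the C:\temp\issued.cer path and the CA-side paths are placeholders.

```powershell
# Added example, not from the original article. Run in an elevated prompt on the CA itself.
# Placeholders: pki.example.com (a web server that mirrors the CertEnroll folder) and C:\temp\issued.cer.

# --- Policy Module tab: what happens when a request arrives ---------------------------
# policy\RequestDisposition holds the radio-button choice: 1 = issue automatically
# (following the template on an Enterprise CA), 0x101 = hold every request as pending
# until a certificate manager issues it.
certutil -getreg policy\RequestDisposition
certutil -setreg policy\RequestDisposition 0x101

# --- Exit Module tab: what happens after issuance ----------------------------------------
# Dumps the active exit module and its settings, i.e. whether issued certificates are
# published to Active Directory and/or the file system.
certutil -getreg exit

# --- Extensions tab: where CRLs are published and which CDP URLs go into certificates ---
# CA\CRLPublicationURLs is a list of "<flags>:<url>" lines. Flags are OR-ed together:
#   1  = publish the CRL to this location (CA writes the file / AD object itself)
#   2  = include in the CDP extension of issued certificates
#   4  = include in CRLs so clients can find the delta CRL
#   8  = include in all CRLs (AD location used when publishing manually)
#   64 = publish delta CRLs to this location
# A literal \n separates the lines; certutil parses it.
$local = "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"
$ldap  = "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
$http  = "6:http://pki.example.com/CertEnroll/%3%8%9.crl"   # reachable by non-domain clients
certutil -setreg CA\CRLPublicationURLs "$local\n$ldap\n$http"

# The service reads these values at start-up.
net stop certsvc; net start certsvc

# Verify: publish a fresh CRL, confirm the stored list, then fetch every URL embedded
# in a certificate this CA issued, exactly as a relying party would. A "Failed" line
# for a URL means clients that depend on that location cannot check revocation.
certutil -crl
certutil -getreg CA\CRLPublicationURLs
certutil -verify -urlfetch C:\temp\issued.cer
```

The HTTP location carries flag 2 (advertised in certificates) but not flag 1, because the CA publishes only to its local CertEnroll folder and the LDAP container; whatever serves pki.example.com must copy the CRL from CertEnroll before it expires, which is the step most often forgotten.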

The Security tab configures access permissions on the CA and is the basis of role-based administration. The roles and the permissions or user rights that define them are:

  • CA administrator – assigned the Manage CA permission
  • Certificate manager – assigned the Issue and Manage Certificates permission
  • Backup operator – assigned the Back up files and directories and Restore files and directories user rights (set in local security policy, not on this tab)
  • Auditor – assigned the Manage auditing and security log user right (likewise a Windows user right rather than a CA permission)
  • Enrollees – assigned the Read and Request Certificates permissions on the CA (Enroll is granted on the certificate template)

The first two roles are the ones that matter for separation of duties: an account holding both Manage CA and Issue and Manage Certificates can reconfigure the CA and then issue certificates with it. The CA can be told to enforce role separation, in which case it refuses any account that holds both.
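Enforcing the separation between the CA administrator and certificate manager roles is a single registry value, but it has a sharp edge, so it is worth seeing both the switch and the way out. This is an added example, not part of the original article; it assumes a Windows Server 2008 Enterprise or Datacenter edition CA, where role separation is available.

```powershell
# Added example, not from the original article. Run elevated on the CA.
# Role separation is an Enterprise/Datacenter edition feature in Windows Server 2008.

# Current state: no value or 0 means role separation is not enforced.
certutil -getreg CA\RoleSeparationEnabled

# Before enabling, make sure no account (directly or through group membership)
# holds both Manage CA and Issue and Manage Certificates on the Security tab.
# Once enforced, such an account is refused every CA operation, including the
# ones it would need to undo this.
certutil -setreg CA\RoleSeparationEnabled 1
net stop certsvc; net start certsvc

# Confirm the CA now logs in the enforced state.
certutil -getreg CA\RoleSeparationEnabled

# Escape hatch: a member of the local Administrators group can remove the value
# (this is a registry operation, not a CA operation, so role separation does not
# block it), then restart the service:
#   certutil -delreg CA\RoleSeparationEnabled
#   net stop certsvc; net start certsvc
```

Because local Administrators can always switch enforcement off, role separation protects against an over-privileged CA operator, not against whoever administers the server itself; that boundary is enforced by who is allowed to log on to the CA at all.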

The Recovery Agents tab configures whether private keys are archived and which key recovery agent (KRA) certificates are used. In Windows Server 2008, the private keys of certificates issued from a template that has archival enabled can be archived so they can be recovered if they are lost. The CA encrypts each key to the KRA certificate(s) selected on this tab and stores the result in its database. Recovering a key therefore involves two phases: key archival, which happens at enrollment, and key recovery, in which a certificate manager retrieves the still-encrypted key from the database and a key recovery agent, who holds the matching KRA private key, decrypts it. Keep the KRA private key off the CA itself; otherwise a single account with access to the CA can recover every archived key.
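The two phases above map onto two certutil commands run by two different people, which is the point of the design: neither the certificate manager nor the key recovery agent can recover a key alone. The following is an added example, not part of the original article. It assumes the Recovery Agents tab already lists a KRA certificate, that the user's certificate serial number is the placeholder value shown, and that C:\Recovery exists on each machine.

```powershell
# Added example, not from the original article.
# Assumptions: archival was enabled on the template before enrollment, a KRA certificate is
# configured on the Recovery Agents tab, the serial number below is a placeholder, and the
# PFX password is a placeholder. Key archival is an Enterprise/Datacenter edition feature.

# ---- Phase 1 (already happened): archival at enrollment ---------------------------------
# The template's "Archive subject's encryption private key" option made the client send
# its private key to the CA, which encrypted it to the KRA certificate(s) and stored the
# blob in the CA database. Nothing to run here; it is listed for completeness.

# ---- Phase 2a: certificate manager exports the encrypted blob ---------------------------
# Needs Issue and Manage Certificates on the CA. The search token can be the serial
# number, certificate hash, requester name or UPN. The blob is still encrypted to the
# KRA key, so this step alone reveals nothing.
$serial = "612d3f7a000000000009"                      # placeholder serial number
certutil -getkey $serial C:\Recovery\user.blob

# ---- Phase 2b: key recovery agent decrypts the blob -------------------------------------
# Must run where the KRA private key is installed (a workstation of the KRA, not the CA).
# The output is a password-protected PKCS #12 file containing the clear private key, so
# hand it over out of band and delete it once the user has imported it.
certutil -recoverkey -p "ChangeMe-Placeholder" C:\Recovery\user.blob C:\Recovery\user.pfx

# Sanity check the result before handing it over: the certificate in the PFX should be
# the one whose serial number was requested.
certutil -p "ChangeMe-Placeholder" -dump C:\Recovery\user.pfx
```

Transfer the blob rather than the PFX between the two people wherever possible; the blob is useless without the KRA private key, whereas the PFX is protected only by the password chosen in phase 2b.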

Certificate Services can log events to the Windows Security log. From the Auditing tab you choose which types of events to audit; when one occurs it is written to the Security log and can be examined with Event Viewer. Note that the tab only takes effect if the operating system's own audit policy for Certification Services (a subcategory of Object Access) is enabled; without it, nothing is written regardless of what is ticked here.
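Both layers of CA auditing, and a query for the events that indicate someone tampering with the CA's configuration or permissions, as an added example that is not part of the original article. The only assumptions are an elevated prompt on the CA and PowerShell 2.0 or later for Get-WinEvent (built into Windows Server 2008 R2, an optional install on 2008).

```powershell
# Added example, not from the original article. Run elevated on the CA.

# 1. Windows-level policy. The CA only emits audit events if the "Certification
#    Services" subcategory (under Object Access) is audited; the Auditing tab on its
#    own writes nothing.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. CA-level filter. CA\AuditFilter is the bitmask behind the seven check boxes on the
#    Auditing tab (start/stop the service, back up/restore the database, issue and manage
#    requests, revoke certificates and publish CRLs, change configuration, change security
#    settings, store and retrieve archived keys). 127 = 0x7F = all seven.
certutil -setreg CA\AuditFilter 127
net stop certsvc; net start certsvc

# 3. Verify both layers after the restart.
auditpol /get /subcategory:"Certification Services"
certutil -getreg CA\AuditFilter

# 4. The events worth alerting on: each one is either a change to who controls the CA or
#    a use of the powers the Security tab grants.
$ids = 4882,   # CA security permissions changed
       4885,   # audit filter changed (someone turning auditing down)
       4890,   # certificate manager settings (restrictions) changed
       4887,   # request approved and certificate issued
       4888,   # request denied
       4883    # archived key retrieved (key recovery phase 2a)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

An account with Manage CA can lower CA\AuditFilter again, which itself raises event 4885, so the Security log should be forwarded to a collector that the CA administrator cannot write to; otherwise the audit trail is only as trustworthy as the person it is meant to watch.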

Finally, the Certificate Managers Restrictions tab applies further restrictions to certificate managers. A certificate manager is any user that has been assigned the Issue and Manage Certificates permission (granted on the Security tab). This tab lets you define which users, groups, or computers each certificate manager is allowed to manage certificates for, so that, for example, a help desk group can approve or revoke certificates for one department without being able to touch any other.

That’s all there is to it.

Installing and configuring a Certification Authority is not difficult as long as you have a basic understanding of CAs. Setting one up without pre-planning will more than likely cause problems, not least because the CA's name and its CDP and AIA locations end up embedded in every certificate it issues. Knowing the steps involved in setup and how to configure the CA afterwards helps ensure that you only have to complete the procedure once. In other words, do it properly the first time.