This step-by-step article describes how to install and uninstall a Public Key Certificate Authority in Windows 2000.
In Windows 2000, the Certificate Authority (CA) service issues certificates needed to run a public key infrastructure. The CA can be an external commercial CA or it can be a CA run by a company. These certificates enable a user to use smart card logon, send encrypted mail, sign documents, and more.
Typically, you should install an enterprise CA if you are issuing certificates to users or computers inside a corporation or a Windows 2000 domain. You should install a stand-alone CA if you are issuing certificates to users or computers outside of an organization or company. An enterprise CA requires that all users requesting certificates have an entry in Active Directory; a stand-alone CA does not. An enterprise CA can issue certificates that can be used to log on to a Windows 2000 domain; a stand-alone CA cannot. You can use both types of CAs to suit your enterprise needs.
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Add/Remove Programs.
3. Click Add/Remove Windows Components.
4. Click to select the Certificate Services check box, and then click Next.
5. Click the appropriate CA type. A description of each authority is displayed to the right of the possible choices.
6. If you want to change the default cryptography settings, click to select the Advanced options check box. Select this check box only if you know you need to.
7. If the Advanced options check box is selected, you are prompted to change your Public and Private Key Pair selection. If you did not select the Advanced options check box, proceed to the next step.
8. A Certificate Authority Identifying Information window appears. Complete the information as appropriate for your site and organization. Note that the CA information is critical because it is used to identify the CA object that is created. When you are finished, click Next.
9. You are prompted to define the location of the certificate database, the configuration information, and the Certificate Revocation List (CRL). An enterprise CA always stores its information, including the CRL, in Active Directory. Microsoft recommends that you select the Shared Folder check box. This specifies the location of a folder in which configuration information for the CA is stored. You should store all CA configuration information in one folder.
10. If IIS is running, shut it down. Click OK to stop IIS. You must stop IIS to install the Web components. If you do not have IIS installed, proceed to the next step.
11. To install a subordinate CA, either click Browse to locate an online CA, or click Save the request to a file if the request is destined for a commercial CA or for a CA that is not accessible from the network.
To verify the installation, you can use any of the following methods:
- Type net start at a command prompt and verify that Certificate Services is listed among the running services.
- Request a certificate: click Start, point to Run, type mmc, and then click OK. On the Console menu, click Add/Remove Snap-in, add the Certificates snap-in, and click My user account as the account to manage. Right-click the Personal folder, point to All Tasks, and then click Request New Certificate. The Certificate Request Wizard should start.
- For a stand-alone CA, you can request a new certificate by using Internet Explorer 5 to connect to "http://ServName/CertSrv" (where ServName is the name of the server).
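As an added check that is not part of the original article, the following batch file automates the net start verification described above and adds a certutil request-interface ping. It is assumed to run on the CA server itself, that the service display name is "Certificate Services" (as on Windows 2000), and that certutil -ping is available with the Windows 2000 Certificate Services tools; adjust the names if your installation differs.

```batch
@echo off
rem Added verification script, not from the original article.
rem Assumption: the CA is installed on this computer and its service display
rem name is "Certificate Services".

rem Step 1: confirm the service appears in the list of started services.
net start | find /i "Certificate Services" >nul
if errorlevel 1 (
    echo Certificate Services is NOT running.
    echo Start it with:  net start "Certificate Services"
    exit /b 1
)
echo Certificate Services is running.

rem Step 2: ask the CA's request interface to respond. A service that is
rem loaded but not accepting requests fails here even though step 1 passed.
rem Assumption: certutil -ping is available with the Windows 2000 CA tools.
certutil -ping
if errorlevel 1 (
    echo The CA did not answer; check the Application event log for errors.
    exit /b 1
)
echo The CA is answering requests.
```

Run the file from a command prompt on the CA server after installation; a non-zero exit code indicates which of the two checks failed, so the script can also be scheduled as a routine health check.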