• add the role using a domain admin account

w2k8-pki-install-1.png

– click “next”

w2k8-pki-install-2.png

– click “next”

w2k8-pki-install-3.png

Because this is the root (Enterprise) CA, we keep only one option selected; certificates will be signed via subordinate CAs.

– click “next”

w2k8-pki-install-4.png

choose Enterprise

– click “next”

w2k8-pki-install-6.png

– click “next”

w2k8-pki-install-7.png

choose “create a new private key”

– click “next”

w2k8-pki-install-8.png

Set RSA#Microsoft Software Key Storage Provider, key length 4096 bits, hash sha1, and select “Use strong private key protection feature….”

– click “next”

w2k8-pki-install-9.png

– click “next”

w2k8-pki-install-10.png

Configure the validity period. I think 10 years is the minimum for a root CA; the bigger third-party standalone CAs are valid for 20 years.

– click “next”

w2k8-pki-install-11.png

I will leave the default database path as it is.

– click “next”

w2k8-pki-install-12.png

summary

– click “Install” to start installation

w2k8-pki-install-13.png

 

w2k8-pki-install-14.png

 

– click “Close” to finish installation.

• import the CA certificate into “Trusted Root Certification Authorities” in the domain GPO.

w2k8-pki-install-29.png

 

If we do not do this, we will not be able to obtain certificates on computers in the domain (see the warning below):

“You cannot request a certificate this time because no certificate types are available. If you need a certificate contact your administrator.”
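
A check for this last step, as an added example that is not part of the original post: run on a domain computer, it confirms that the root CA certificate has arrived in the computer's Trusted Root store and compares it with the key length, hash and validity period chosen in the wizard. The CA name `EXAMPLE-ROOT-CA` and the helper `Test-RootCaCertificate` are placeholders assumed here.

```powershell
# Added example. Run on a domain member after Group Policy has refreshed (gpupdate /force).
param(
    [string]$CaName       = 'EXAMPLE-ROOT-CA',  # placeholder: your CA's common name
    [int]$ExpectedKeyBits = 4096,               # key length set in the wizard
    [string]$ExpectedHash = 'sha1',             # hash set in the wizard
    [int]$MinYears        = 10                  # validity period set in the wizard
)

# Hypothetical helper: returns the list of mismatches for one certificate.
function Test-RootCaCertificate {
    param($Cert, [int]$KeyBits, [string]$Hash, [int]$Years)
    $issues = @()
    if ($Cert.Subject -ne $Cert.Issuer) {
        $issues += 'subject and issuer differ, so this is not a root certificate'
    }
    $bits = $Cert.PublicKey.Key.KeySize
    if ($bits -ne $KeyBits) { $issues += "key length is $bits bits, expected $KeyBits" }
    $alg = $Cert.SignatureAlgorithm.FriendlyName        # for example "sha1RSA"
    if ($alg -notlike "$Hash*") { $issues += "signature algorithm is $alg, expected $Hash" }
    # One day of slack between NotBefore and NotAfter.
    if ($Cert.NotBefore.AddYears($Years).AddDays(-1) -gt $Cert.NotAfter) {
        $issues += "valid for less than $Years years (expires $($Cert.NotAfter))"
    }
    if ($Cert.NotAfter -lt (Get-Date)) { $issues += 'certificate has expired' }
    return $issues
}

# Trusted roots delivered by Group Policy show up in the computer's Root store.
$found = @(Get-ChildItem Cert:\LocalMachine\Root |
           Where-Object { $_.Subject -like "*CN=$CaName*" })

if ($found.Count -eq 0) {
    Write-Warning "No '$CaName' certificate in LocalMachine\Root: the GPO setting has not been applied here."
    exit 1
}

foreach ($cert in $found) {
    $issues = @(Test-RootCaCertificate $cert $ExpectedKeyBits $ExpectedHash $MinYears)
    if ($issues.Count -eq 0) {
        Write-Output "OK   $($cert.Thumbprint)  $($cert.Subject)"
    } else {
        Write-Output "WARN $($cert.Thumbprint)  $($cert.Subject)"
        $issues | ForEach-Object { Write-Output "     - $_" }
    }
}
```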

 

dzbanek 2013-01-04