- add role using domain admin account
– click “next”
– click “next”
Because this is the root (Enterprise) CA, we will keep only 1 option selected; certificates will be signed via subordinate CAs.
– click “next”
choose Enterprise
– click “next”
– click “next”
choose “create a new private key”
– click “next”
set RSA#Microsoft Software Key Storage Provider, key length 4096 bits, hash sha1 and select “Use strong private key protection feature….”
– click “next”
– click “next”
configure the validity period; I think 10 years is the minimum for a ROOT CA, bigger 3rd-party standalone CAs are valid for 20 years.
– click “next”
I will leave the default database path as it is
– click “next”
summary
– click “Install” to start installation
– click “Close” to finish installation.
- import CA certificate to “Trusted Root Certification Authorities” in domain GPO.
If we do not do this, we will not be able to obtain certificates on computers in the domain (see warning below):
“You cannot request a certificate this time because no certificate types are available. If you need a certificate contact your administrator.”
dzbanek 2013-01-04
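To confirm the last step worked, the following PowerShell check can be run on a domain computer; it is an added example, not part of the original post. The CA name `EXAMPLE-ROOT-CA` is a placeholder assumption, and the expected key length and validity are the values chosen in the wizard above.

```powershell
# Added example, not from the original post. Run on a domain-joined computer
# after Group Policy has refreshed (for example after `gpupdate /force`).
param(
    # Placeholder (assumption): the common name chosen for the CA in the wizard.
    [string]$CaCommonName = 'EXAMPLE-ROOT-CA',
    # Values the walkthrough selects in the wizard.
    [int]$ExpectedKeyBits = 4096,
    [int]$MinimumYears = 10
)

# Cert:\LocalMachine\Root is the logical "Trusted Root Certification Authorities"
# store; it includes certificates delivered by Group Policy.
$found = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $CaCommonName })

if ($found.Count -eq 0) {
    Write-Warning "No certificate named '$CaCommonName' in Trusted Root Certification Authorities."
    return
}

# Registry location where GPO-distributed trusted roots are stored.
$gpoStore = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'

foreach ($cert in $found) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $years = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        SelfSigned     = ($cert.Subject -eq $cert.Issuer)       # a root CA issues its own certificate
        DeliveredByGpo = Test-Path (Join-Path $gpoStore $cert.Thumbprint)
        KeyBits        = $rsa.KeySize
        KeyBitsOk      = ($rsa.KeySize -eq $ExpectedKeyBits)
        SignatureHash  = $cert.SignatureAlgorithm.FriendlyName  # e.g. sha1RSA for the SHA1 choice
        ValidYears     = $years
        ValidityOk     = ($years -ge $MinimumYears)
        NotAfter       = $cert.NotAfter
    }
}
```

If the script warns that no certificate was found, or `DeliveredByGpo` is `False`, check that the GPO holding the imported certificate is linked to the OU containing the computer.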