Windows Root CA Installation

As opposed to other roles installation, a Windows Root CA installation is not a simple question of clicking next and finish buttons.
Since the root CA will be offline most of the time, you can use a virtual machine. HOwever, please note that your hypervisor administrators must be considered as PKI administrators if you don not take additional security measures (encryption, audit, …)

Preparing the machine

Machine Specifications are not demanding :

  • 2 GB RAM.
  • 40 GB C drive or more if you want to take care of patching the system regularly.
  • Network Card, which can be disabled after the crl and crt are transferred

It is so important to secure the Root CA server. Here is a blue print to be tailored to your needs.

Installing the role: don’t do click, click, next

The CAPolicy.inf file provides Certificate Services configuration information, which is read during initial CA installation and whenever the CA certificate is renewed. Some settings are only available for configuration in this file and not using any UI.
You can use a simple notepad c:\windows\capolicy.inf and enter the following text:


  • Renewalkeylength, RenewalValidityPeriodUnits and <RenewalValidityPeriod : Only used when you renew your CA certificate. and specify the length of the key and the validity of the CA certificate.
  • CRLPeriod and CRLPeriodUnit> : Specify the frequency of the CA Revocation publication, the period you’re selecting must balance between how often you want to power up the CA to recreate the files and freshness of information you want to insure
  • CRLDistributionPoint : Leave blank for Root CA, as you don’t have a CRL for such CA.
  • AuthorityInformationAccess: Leave blank for Root CA for the same reason
  • LoadDefaultTemplates = 0  prevents CA for publishing and start using default template and cause undesired enrollment. For a stand alone root CA, it is not that important to use it, but for creating suboordinate enterprise CA this is very useful not to automatically advertise every certificate is available on every CA; therefore this line should be your first thought when creating CAPolicy.inf
  • AlternateSignatureAlgorithm = 0 configures the CA to support the PKCS#1 V2.1 signature format for both the CA certificate and certificate requests. Because it is not widely supported, it is often set to 0.

Verify that CA is then up and running by issuing:

Please note that after the WIndows Root CA installation, you must still enter a few commands to properly configure it.

Setting up the characteristics of the issued certificates

If your root CA is going to be for creating issuing CA in a single forest, the following commands set the validity period for the second tier issued certificates. AS you can see the chosen period must be a sub unit of what we choose for the validity of the root CA certificate.

AS you can see many registry entries only take effect after a restart of the service. If you follow all this guide, you can choose to restart the service at the end of this tutorial.

Setting the CRL

The following code will set up the CRL so in total it is valid for 6 month.

We are now entering the locations where it will be published:

And publishing our own set. PLease note that if you enter this in Powershell, you may want to replace double quotes by simple quotes tmo avoid powershell escaping interpretation

pkiweb.mydomain.local is a web site you’ll make available to your customers. It is optional if the LDAP location is present; however the LDAP Locatoin must not be included if you are going to use the root CA for multiple  independent forests, then the web location is mandatory

Don’t forget to  run certutil.exe -crl command to generate the new CRL. This also checks you syntax about locations.

Set the AIA

WE now set up the AIA in the same way we set up the CRL


Issue the following command so the CA related events are recorder:

Publish to Active Directory

copy the 2 files in C:\Windows\System32\CertSrv\CertEnroll to your target forest(s).
Then log on in each of the target forest(s) with an account that is member of both Domain Admins and Enterprise Admins.

The names of the files match the CACommonName display name parameter you used when installing the CA.
Once you have finished the Windows Root CA installation, you are ready to proceed to the installation to the policy CA or issuing CAs.

Leave a comment

Your email address will not be published. Required fields are marked *