Share via


Appendix B: Parameters for a Three-Tier CA Topology

Applies To: Windows Server 2003 with SP1

This section describes all of the parameters that are required to set up a three-tier CA topology. It is recommended that the values are agreed between the departments in the organization (IT department, legal department, and so on).

The parameters in this section are in the sequence in which they are used during the setup. The heading describes the parameter's name and the table contains detailed information about the parameter.

Important

Make sure that you have predefined all of the parameters in this section, because every value is mandatory.

RootCA Configuration Parameters

This section provides a list of parameters that must be defined during the setup procedure for a stand-alone offline root CA. The sample values are related to the sample configuration that is explained in the previous section.

Registry references follow the syntax that is used by the certutil command. To get more information about the registry values, at a command prompt, type certutil –getreg -? and press ENTER.

Renewal Key Length (CA Certificate)

Description

It is recommended that the key length does not exceed 4096 bits because this is the maximum interoperable key length with most programs and PKI providers. The renewal key length must not be shorter than the key length that you chose during the CA installation procedure.

Sample value

4096

Defined at

CAPolicy.inf

Stored at

Renewed CA certificate

Impacts

The root CA key material

Renewal Validity Period (CA Certificate)

Description

Describes the lifetime of a CA certificate that is a renewal of a previous CA certificate. It is recommended that root CAs be configured with a longer lifetime than any other CA in the hierarchy because this configuration reduces the administrative burden that is caused by renewing all certificates that are singed by the CA's certificate.

Sample value

1020

Defined at

CAPolicy.inf

Stored at

CA certificate that is related to the date and time when the certificate was enrolled

Impacts

The CA root certificate and all certificates that will be signed by the root

Renewal Validity Period Units (CA Certificate)

Description

Defines the measurement related to the validity time. Valid values are years, months, or days. For a CA certificate lifetime the usual unit is years.

Sample value

Years

Defined at

CAPolicy.inf

Stored at

CA certificate related to the date and time when the certificate has been enrolled

Impacts

The CA root certificate and all certificates that will be signed by the root

Certificate Revocation List (CRL) Distribution Point (CA certificate)

Description

A CRL distribution point must not be configured to be contained in the self-signed root CA certificate. Most applications do not check revocation on root CA certificates; therefore, CRL distribution point extensions are not necessary or recommended. It is also senseless to set a CRL distribution point for a root certificate because there is no higher instance that could revoke the root certificate.

Sample value

None

Defined at

CAPolicy.inf

Stored at

CA certificate

Impacts

The attribute setting in the CA root certificate and all applications that verify the root CA's validity

Authority Information Access (AIA) (CA certificate)

Description

An AIA must not be specified for a root CA certificate. This is because the AIA points to the location of the certificate that was used for signing this certificate. Since a root CA is self-signed, you do not need to specify an AIA.

Sample value

None

Defined at

CAPolicy.inf

Stored at

CA certificate

Impacts

All applications that verify the root CA's validity

CSP (CA Certificate)

Description

The CSP is responsible for generating the certificates key material and the certificate generation.

Sample value

Microsoft Strong Cryptographic Provider

Defined at

CA Installation Wizard

Stored at

For the Windows 2000 Server family and the Windows Server 2003 family:

CA Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CSP\Provider

Impacts

CA certificate

Hash Algorithm

Description

Defines the hash algorithm that is used for hashing and signing certificate contents.

Sample value

SHA-1

Defined at

CA installation wizard

Stored at

CA registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\\CAName \CSP\HashAlgorithm

Impacts

CA certificate

Key Length (CA Certificate)

Description

Defines the complexity of the key material assigned to the CA certificate. It is recommended that the key length does not exceed 4096 bits because this is the maximum interoperable key length today with most applications and PKI providers.

Sample value

4096

Defined at

CA Installation Wizard

Stored at

Certificate request and is only used temporarily

Impacts

The Root CA key material that could be stored within a HSM or encrypted on the CAs hard drive

Common Name

Description

The common name must not exceed 64 characters in length. It is important to remember that each space in the name will actually use three characters in the total length because of how escape characters are written (%20).

Sample value

CorporateRootCA

Defined at

CA Installation Wizard

Stored at

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CommonName

Impacts

The common name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. The common name is used by several variables that are used to set the CRL and AIA.

Distinguished Name Suffix

Description

The name maps to the namespace that is used by the domain where the CA belongs to. Since the Root-CA is configured as a stand-alone CA, the distinguished name should be mapped to the same namespace that will be used for the enterprise CA.

Sample value

DC=concorp,DC=contoso,DC=com

Defined at

CA configuration that takes place after the installation

Stored at

Windows 2000 and Windows 2003

Registry: HKLM\System\CurrentControlSet\Services\CertSvc \Configuration \CAName\DSConfigDN

Impacts

The distinguished name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. It is also used by several variables that are used to set the CRL and AIA.

Validity Period (CA Certificate)

Description

The parameter defines how long from now the CA certificate will be valid, depending on the validity period units

Sample value

2

Defined at

CA Installation Wizard

Stored at

CA certificate related to the date and time when the certificate has been enrolled

Impacts

The CA certificate and the validity time of all certificates that are signed by the Root CA certificate.

CA Database Path

Description

Defines where the CA's database is located in the root CA's file system.

Sample value

C:\Certlog

Defined at

CA installation wizard

Stored at

Windows 2000 and Windows 2003

Registry: HKLM\System\CurrentControlSet\Services\CertSvc

\Configuration \CAName\DBDirectory

Impacts

The CA must be able to get the appropriate path name from the registry when the CA starts up.

CA Log File Path

Description

Defines where the CA's transaction log-files are located in the CA's file system.

Sample value

C:\Certlog

Defined at

CA Installation Wizard

Stored at

Windows 2000 and Windows 2003 Server families:

Registry: HKLM\System\CurrentControlSet\Services\CertSvc

\Configuration \CAName\DBLogDirectory

Impacts

The CA must be able to get the appropriate path name from the registry when the CA starts up.

Shared Folder

Description

Defines where the CA's transaction log-files are located in the root CA's file system.

Sample value

\\[{localhost]}\CertConfig

Defined at

CA installation wizard

Stored at

Windows 2000 and the Windows 2003 Server family

Registry: HKLM\System\CurrentControlSet\Services\CertSvc

\Configuration \CAName\ConfigurationDirectory

Impacts

Clients, those are not able to receive the CA certificate through group policies and need to import the certificate manually.

Certificate Revocation List (CRL) Distribution Point

Description

Defines the URLs where the client will find the certificate revocation list that is related to the certificate. The CRL distribution point of a root CA should be empty.

Sample value

[empty]

Defined at

Certification Authority MMC

Stored at

Windows 2000 Server family:

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Policy \FileRevocationCRLURL

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \Policy\LDAPRevocationCRLURL

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \Policy\RevocationCRLURL

Windows Server 2003:

Registry: HKLM\System\CurrentControlSet\Services\CertSvc \Configuration \CAName\CRLPublicationURLs

Impacts

Any user, computer, service, or program that verifies the root certificate

Authority Information Access (AIA)

Description

Defines the URLs where the client can locate the certificate's issuer certificate. Because a root CA issues the CA certificate to itself, you do not need to specify an issuer. The AIA of a root CA should be empty.

Sample value

[empty]

Defined at

Certification Authority MMC

Stored at

Windows2000 Server family:

Registry: HKLM\System\CurrentControlSet\Services\CertSvc \Configuration\Policy \FileIssuerCertURL

Registry: HKLM\System\CurrentControlSet\Services\CertSvc \Configuration\Policy \LDAPFileIssuerCertURL

Registry: HKLM\System\CurrentControlSet\Services\CertSvc \Configuration\Policy\IssuerCertURL

Windows Server 2003:

Registry: HKLM\System\CurrentControlSet\Services\CertSvc \Configuration \CAName\CACertPublicationURLs

Impacts

Any user, computer, service, or program that verifies the root certificate

CRL Publication Interval

Description

The value controls the CRL validity time and the CRL publication cycle. According to the value, the CRL is published on a regular basis. Its validity time is set to the publication time and date and the defined value.

Sample value

180 days

Defined at

Certification Authority MMC

Stored at

Registry: HKLM\System\CurrentControlSet\Services\CertSvc \Configuration\CAName\CRLperiod

Registry: HKLM\System\CurrentControlSet\Services\CertSvc \Configuration\CAName\CRLperiodUnits

Impacts

CA CRL publication algorithm and any user, computer, service, or program that verifies the CRL.

Delta CRL Publication Interval

Description

Defines similar to the CRL publication interval and the publication interval of the delta CRL. For an offline CA, it is recommended that you disable delta CRL publication.

Sample value

0 (which is equal to disabled delta CRL publication)

Defined at

Certification Authority MMC

Stored at

Windows 2000:

Not available

Windows Server 2003

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CRLDeltaPeriod

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CRLDeltaPeriodUnits

Impacts

Any client that can verify the certificate validity through delta CRLs

Validity period

Description

Defines the period of time that a certificate that was issued by the CA is valid. The validity period cannot extend the certificate validity beyond the certificate of the issuing CA.

Sample value

5 years

Defined at

Certification Authority MMC

Stored at

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CA Name\ValidityPeriodUnits

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CA Name\ValidityPeriod

Impacts

The validity time of any certificate that will be issued from that stand-alone CA.

Intermediate CA Configuration Parameters

This section provides a list of parameters that must be defined during the setup procedure for a stand-alone offline root CA. The sample values are related to the sample configuration that is explained in the previous section.

CA Policy

Description

Defines the URL or the text that applies to the CA's policy. The policy describes different types of rules, such as how the CA is operated, which legal policies are valid, and so on.

Sample value

OID = 1.1.1.1.1.1.1.1.1

URL = https://www.contoso.com/pki/Policy/USLegalPolicy.asp

URL = "ftp://ftp.contoso.com/pki/Policy/USLegalPolicy.txt"

Defined at

CAPolicy.inf

Stored at

CA certificate

Impacts

All certificates that are directly or indirectly signed by this CA certificate

CSP (CA Certificate)

Description

Generates the certificate's key material and the certificate generation.

Sample value

Microsoft Strong Cryptographic Provider

Defined at

CA installation wizard

Stored at

CA Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CSP\Provider

Impacts

CA certificate

Hash Algorithm

Description

Defines the hash algorithm that is used for hashing and signing certificate contents.

Sample value

SHA-1

Defined at

CA Installation Wizard

Stored at

CA registry: CAName\CSP\HashAlgorithm

Impacts

CA certificate

Key Length (CA Certificate)

Description

Defines the complexity of the key material that is assigned to the CA certificate. It is recommended that the key length does not exceed 4096 bits, because this is the maximum interoperable key length with most applications and PKI providers. The key length of a subordinate CA is typically shorter than the key length of its parent CA.

Sample value

2048

Defined at

CA Installation Wizard

Stored at

Certificate request and is only temporarily used

Impacts

The root CA key material that could be stored in an HSM or encrypted on the CAs hard disk

Common Name

Description

The common name must not exceed 64 characters in length. It is important to remember that each space in the name uses three characters in the total of the overall length because of the escape character sequence (%20).

Sample value

IntermediateCA

Defined at

CA Installation Wizard

Stored at

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CommonName

Impacts

The common name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. The common name is used by several variables that are used to set the CRL and AIA.

CA Database Path

Description

Defines where the CA's database is located in the CA's file system.

Sample value

C:\Certlog

Defined at

CA Installation Wizard

Stored at

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \DBDirectory

Impacts

The CA must be able to obtain the appropriate path name from the registry when the CA starts.

CA Log File Path

Description

Defines where the CA's transaction log files are located in the CA's file system.

Sample value

D:\Certlog

Defined at

CA Installation Wizard

Stored at

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \DBLogDirectory

Impacts

The CA must be able to obtain the appropriate path name from the registry when the CA starts.

Shared Folder

Description

Defines where the CA's transaction log files are located in the root CA's file system.

Sample value

\\{Localhost}\CertConfig

Defined at

CA Installation Wizard

Stored at

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \ConfigurationDirectory

Impacts

Clients that cannot receive the CA certificate through group policies and need to manually import the certificate.

Distinguished Name Suffix

Description

The name maps to the name space that is used by the domain to which the CA belongs. Because the intermediate CA is configured as a stand-alone CA, the distinguished name should be mapped to the same name space that will be used for the enterprise CA.

Sample value

Domain ControllerDC=concorp,DC=contoso,DC=com

Defined at

CA configuration that occurs after the installation procedure

Stored at

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\DSConfigDN

Impacts

The distinguished name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. It is also used by several variables that are used to set the CRL and AIA.

CRL Distribution Point

Description

Defines the URLs where the client can locate the certificate revocation list (CRL) that is related to the certificate.

Sample value

https://www.contoso.com/pki/%3%8%9.crl

ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10

Defined at

CA MMC

Stored at

In Windows 2000:

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Policy \FileRevocationCRLURL

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Policy \LDAPRevocationCRLURL

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Policy \RevocationCRLURL

In Windows Server 2003:

Registry: CAName\CRLPublicationURLs

Impacts

Any user, computer, service, or program that verifies the root certificate

Authority Information Access (AIA)

Description

Defines the URLs where the client can locate the certificate's issuer certificate. Because a root CA issues the CA certificate to itself, no issuer needs to be specified.

Sample value

https://www.contoso.com/pki/%1_%3%4.crt

ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11

Defined at

Certification Authority MMC

Stored at

In Windows 2000:

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Policy \FileIssuerCertURL

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Policy \LDAPFileIssuerCertURL

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Policy \IssuerCertURL

In Windows Server 2003:

Registry: CAName\CACertPublicationURLs

Impacts

Any user, computer, service, or program that verifies the root certificate

CRL Publication Interval

Description

Also controls also the CRL validity time

Sample value

180 days

Defined at

Certification Authority MMC

Stored at

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CRLperiod

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CRLperiodUnits

Impacts

CA CRL publication algorithm and any user, computer, service, or program that verifies the CRL.

Delta CRL Publication Interval

Description

Defines similar to the CRL publication interval and the publication interval of the delta CRL. For an offline CA, it is recommended that you disable delta CRL publication.

Sample value

0 (which is equal to disabled delta CRL publication)

Defined at

Certification Authority MMC

Stored at

In Windows 2000:

Not available.

Windows Server 2003

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CRLDeltaPeriod

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CRLDeltaPeriodUnits

Impacts

Any client that can verify the certificate validity through delta CRLs

Validity Period

Description

Defines the period of time that a certificate that was issued by the CA is valid. The validity period cannot extend the certificate validity beyond the certificate of the issuing CA.

Sample value

2 years

Defined at

Certification Authority MMC

Stored at

Windows 2000 and Windows Server 2003

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\ValidityPeriodUnits

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\ValidityPeriod

Impacts

The validity time of any certificate that will be issued from that stand-alone CA.

Issuing CA Configuration Parameters

CSP (CA Certificate)

Description

The CSP is responsible for generating the certificate's key material and certificate generation.

Sample value

Microsoft Strong Cryptographic Provider

Defined at

CA Installation Wizard

Stored at

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CSP\Provider

Impacts

CA certificate

Hash Algorithm

Description

Defines the hash algorithm that is used for hashing and signing certificate contents.

Sample value

SHA-1

Defined at

CA Installation Wizard

Stored at

CA registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CSP\HashAlgorithm

Impacts

CA certificate

Key Length (CA Certificate)

Description

Defines the complexity of the key material that is assigned to the CA certificate. It is recommended that the key length does not exceed 4096 bits because this is the maximum interoperable key length with most applications and PKI providers. The key length of a subordinate CA is typically shorter than the key length of its parent CA.

Sample value

2048

Defined at

CA Installation Wizard

Stored at

Certificate request and is only used temporarily

Impacts

CA key material

Common Name

Description

The common name must not exceed 64 characters in length. It is important to remember that each space in the name uses three characters in the total of the overall length because of the escape character sequence (%20).

Sample value

CorporateEntCA

Defined at

CA Installation Wizard

Stored at

Windows 2000 and Windows Server 2003:

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CommonName

Impacts

The common name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. The common name is used by several variables that are used to set the CRL and AIA.

CA Database Path

Description

Defines where the CA's database is located in the CA's file system.

Sample value

D:\Certlog

Defined at

CA Installation Wizard

Stored at

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \DBDirectory

Impacts

The CA must be able to obtain the appropriate path name from the registry when the CA starts.

CA Log File Path

Description

Defines where the CA's transaction log files are located in the root CA's file system.

Sample value

D:\Certlog

Defined at

CA Installation Wizard

Stored at

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \DBLogDirectory

Impacts

The CA must be able to obtain the appropriate path name from the registry when the CA starts.

Shared folder

Description

Defines where the CA's transaction log files are located in the root CA's file system. The shared folder is not required for an enterprise CA.

Sample value

\\Localhost\CertConfig

Defined at

CA Installation Wizard

Stored at

User-defined location during installation

Impacts

Clients that cannot receive the CA certificate through group policies and need to manually import the certificate.

Distinguished Name Suffix

Description

The name space is automatically mapped to the Active Directory namespace. The value is predefined because of the domain membership of the CA.

Sample value

CN=Configuration,DC=concorp,DC=contoso,DC=com

Defined at

Automatically defined

Stored at

Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\DSConfigDN

Impacts

The distinguished name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. It is also used by several variables that are used to set the CRL and AIA.

CRL Distribution Point

Description

Defines the URLs where the client can locate the certificate revocation list that is related to the certificate.

Sample value

https://www.contoso.com/pki/%3%8%9.crl

ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10

Defined at

Certification Authority MMC

Stored at

Windows 2000:

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Policy \FileRevocationCRLURL

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Policy \LDAPRevocationCRLURL

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Policy \RevocationCRLURL

Windows Server 2003:

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CRLPublicationURLs

Impacts

Any user, computer, service, or program that verifies the root certificate

Authority Information Access (AIA)

Description

Defines the URLs where the client can find the certificate's issuer certificate.

Sample value

https://www.contoso.com/pki/%1_%3%4.crt

ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11

Defined at

Certification Authority MMC

Stored at

In Windows 2000:

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc \Configuration\Policy\FileIssuerCertURL

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc \Configuration\Policy\LDAPFileIssuerCertURL

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc \Configuration\Policy\IssuerCertURL

In Windows Server 2003:

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc \Configuration\CAName\CACertPublicationURLs

Impacts

Any user, computer, service, or program that verifies the root certificate

CRL Publication Interval

Description

Also controls the CRL validity time

Sample value

7 days

Defined at

Certification Authority MMC

Stored at

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CRLPeriod

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CRLPeriodUnits

Impacts

CA CRL publication algorithm and any user, computer, service, or computer that verifies the CRL.

Delta CRL publication interval

Description

Defines similar to the CRL publication interval and the publication interval of the delta CRL. For an offline CA, it is recommended that you disable delta CRL publication.

Sample value

1 day

Defined at

Certification Authority MMC

Stored at

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CRLDeltaPeriod

Registry:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \CAName\CRLDeltaPeriodUnits

Impacts

Any client that can verify the certificate validity through delta CRLs