Appendix B: Parameters for a Three-Tier CA Topology
Applies To: Windows Server 2003 with SP1
This section describes all of the parameters that are required to set up a three-tier CA topology. It is recommended that the values be agreed on by the departments in the organization (IT department, legal department, and so on).
The parameters in this section are in the sequence in which they are used during the setup. The heading describes the parameter's name and the table contains detailed information about the parameter.
Important
Make sure that you have predefined all of the parameters in this section, because every value is mandatory.
RootCA Configuration Parameters
This section provides a list of parameters that must be defined during the setup procedure for a stand-alone offline root CA. The sample values are related to the sample configuration that is explained in the previous section.
Registry references follow the syntax that is used by the certutil command. To get more information about the registry values, at a command prompt, type certutil -getreg -? and press ENTER.
Renewal Key Length (CA Certificate)
Description |
It is recommended that the key length does not exceed 4096 bits because this is the maximum interoperable key length with most programs and PKI providers. The renewal key length must not be shorter than the key length that you chose during the CA installation procedure. |
Sample value |
4096 |
Defined at |
CAPolicy.inf |
Stored at |
Renewed CA certificate |
Impacts |
The root CA key material |
Renewal Validity Period (CA Certificate)
Description |
Describes the lifetime of a CA certificate that is a renewal of a previous CA certificate. It is recommended that root CAs be configured with a longer lifetime than any other CA in the hierarchy because this configuration reduces the administrative burden that is caused by renewing all certificates that are signed by the CA's certificate. |
Sample value |
1020 |
Defined at |
CAPolicy.inf |
Stored at |
CA certificate that is related to the date and time when the certificate was enrolled |
Impacts |
The CA root certificate and all certificates that will be signed by the root |
Renewal Validity Period Units (CA Certificate)
Description |
Defines the unit of the renewal validity period. Valid values are years, months, or days. For a CA certificate lifetime, the usual unit is years. |
Sample value |
Years |
Defined at |
CAPolicy.inf |
Stored at |
CA certificate related to the date and time when the certificate has been enrolled |
Impacts |
The CA root certificate and all certificates that will be signed by the root |
Certificate Revocation List (CRL) Distribution Point (CA certificate)
Description |
A CRL distribution point must not be included in the self-signed root CA certificate. Most applications do not check revocation on root CA certificates, so a CRL distribution point extension is neither necessary nor recommended. A CRL distribution point on a root certificate would also serve no purpose, because there is no higher authority that could revoke the root certificate. |
Sample value |
None |
Defined at |
CAPolicy.inf |
Stored at |
CA certificate |
Impacts |
The attribute setting in the CA root certificate and all applications that verify the root CA's validity |
Authority Information Access (AIA) (CA certificate)
Description |
An AIA must not be specified for a root CA certificate. This is because the AIA points to the location of the certificate that was used for signing this certificate. Since a root CA is self-signed, you do not need to specify an AIA. |
Sample value |
None |
Defined at |
CAPolicy.inf |
Stored at |
CA certificate |
Impacts |
All applications that verify the root CA's validity |
CSP (CA Certificate)
Description |
The CSP is responsible for generating the certificate's key material and for certificate generation. |
Sample value |
Microsoft Strong Cryptographic Provider |
Defined at |
CA Installation Wizard |
Stored at |
For the Windows 2000 Server family and the Windows Server 2003 family: CA Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CSP\Provider |
Impacts |
CA certificate |
Hash Algorithm
Description |
Defines the hash algorithm that is used for hashing and signing certificate contents. |
Sample value |
SHA-1 |
Defined at |
CA installation wizard |
Stored at |
CA registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CSP\HashAlgorithm |
Impacts |
CA certificate |
Key Length (CA Certificate)
Description |
Defines the complexity of the key material assigned to the CA certificate. It is recommended that the key length does not exceed 4096 bits because this is the maximum interoperable key length today with most applications and PKI providers. |
Sample value |
4096 |
Defined at |
CA Installation Wizard |
Stored at |
Certificate request and is only used temporarily |
Impacts |
The root CA key material, which can be stored in an HSM or encrypted on the CA's hard drive |
Common Name
Description |
The common name must not exceed 64 characters in length. Remember that each space in the name counts as three characters of the total length, because a space is URL-escaped as %20. |
Sample value |
CorporateRootCA |
Defined at |
CA Installation Wizard |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CommonName |
Impacts |
The common name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. The common name is used by several variables that are used to set the CRL and AIA. |
Distinguished Name Suffix
Description |
The name maps to the namespace that is used by the domain to which the CA belongs. Because the root CA is configured as a stand-alone CA, the distinguished name should be mapped to the same namespace that will be used for the enterprise CA. |
Sample value |
DC=concorp,DC=contoso,DC=com |
Defined at |
CA configuration that takes place after the installation |
Stored at |
Windows 2000 and Windows 2003 Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\DSConfigDN |
Impacts |
The distinguished name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. It is also used by several variables that are used to set the CRL and AIA. |
Validity Period (CA Certificate)
Description |
The parameter defines how long, from the time of installation, the CA certificate will be valid, measured in the validity period units. |
Sample value |
2 |
Defined at |
CA Installation Wizard |
Stored at |
CA certificate related to the date and time when the certificate has been enrolled |
Impacts |
The CA certificate and the validity time of all certificates that are signed by the Root CA certificate. |
CA Database Path
Description |
Defines where the CA's database is located in the root CA's file system. |
Sample value |
C:\Certlog |
Defined at |
CA installation wizard |
Stored at |
Windows 2000 and Windows 2003 Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\DBDirectory |
Impacts |
The CA must be able to get the appropriate path name from the registry when the CA starts up. |
CA Log File Path
Description |
Defines where the CA's transaction log-files are located in the CA's file system. |
Sample value |
C:\Certlog |
Defined at |
CA Installation Wizard |
Stored at |
Windows 2000 and Windows 2003 Server families: Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\DBLogDirectory |
Impacts |
The CA must be able to get the appropriate path name from the registry when the CA starts up. |
Shared Folder
Description |
Defines where the CA's transaction log-files are located in the root CA's file system. |
Sample value |
\\{localhost}\CertConfig |
Defined at |
CA installation wizard |
Stored at |
Windows 2000 and the Windows 2003 Server family Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\ConfigurationDirectory |
Impacts |
Clients that cannot receive the CA certificate through Group Policy and need to import the certificate manually. |
Certificate Revocation List (CRL) Distribution Point
Description |
Defines the URLs where the client will find the certificate revocation list that is related to the certificate. The CRL distribution point of a root CA should be empty. |
Sample value |
[empty] |
Defined at |
Certification Authority MMC |
Stored at |
Windows 2000 Server family:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Policy\FileRevocationCRLURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\Policy\LDAPRevocationCRLURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\Policy\RevocationCRLURL
Windows Server 2003:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLPublicationURLs |
Impacts |
Any user, computer, service, or program that verifies the root certificate |
Authority Information Access (AIA)
Description |
Defines the URLs where the client can locate the certificate's issuer certificate. Because a root CA issues the CA certificate to itself, you do not need to specify an issuer. The AIA of a root CA should be empty. |
Sample value |
[empty] |
Defined at |
Certification Authority MMC |
Stored at |
Windows 2000 Server family:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\Policy\FileIssuerCertURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\Policy\LDAPFileIssuerCertURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\Policy\IssuerCertURL
Windows Server 2003:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CACertPublicationURLs |
Impacts |
Any user, computer, service, or program that verifies the root certificate |
CRL Publication Interval
Description |
The value controls the CRL validity time and the CRL publication cycle. The CRL is published on a regular basis according to this value, and its validity period runs from the publication date and time for the length of the defined value. |
Sample value |
180 days |
Defined at |
Certification Authority MMC |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLPeriod
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLPeriodUnits |
Impacts |
CA CRL publication algorithm and any user, computer, service, or program that verifies the CRL. |
Delta CRL Publication Interval
Description |
Defines, in the same way as the CRL publication interval, the publication interval of the delta CRL. For an offline CA, it is recommended that you disable delta CRL publication. |
Sample value |
0 (which is equal to disabled delta CRL publication) |
Defined at |
Certification Authority MMC |
Stored at |
Windows 2000: Not available
Windows Server 2003:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLDeltaPeriod
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLDeltaPeriodUnits |
Impacts |
Any client that can verify the certificate validity through delta CRLs |
Validity period
Description |
Defines the period of time for which a certificate that was issued by the CA is valid. The validity period of an issued certificate cannot extend beyond the validity of the issuing CA's own certificate. |
Sample value |
5 years |
Defined at |
Certification Authority MMC |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\ValidityPeriodUnits
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\ValidityPeriod |
Impacts |
The validity time of any certificate that will be issued from that stand-alone CA. |
Intermediate CA Configuration Parameters
This section provides a list of parameters that must be defined during the setup procedure for a stand-alone offline intermediate CA. The sample values are related to the sample configuration that is explained in the previous section.
CA Policy
Description |
Defines the URL or the text that applies to the CA's policy. The policy describes different types of rules, such as how the CA is operated, which legal policies are valid, and so on. |
Sample value |
OID = 1.1.1.1.1.1.1.1.1
URL = https://www.contoso.com/pki/Policy/USLegalPolicy.asp
URL = "ftp://ftp.contoso.com/pki/Policy/USLegalPolicy.txt" |
Defined at |
CAPolicy.inf |
Stored at |
CA certificate |
Impacts |
All certificates that are directly or indirectly signed by this CA certificate |
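The parameters that the tables mark as "Defined at: CAPolicy.inf" (the root CA's renewal key length, renewal validity period and its unit, the empty CRL distribution point and AIA, and the intermediate CA's policy statement above) are all read from one file. The following PowerShell function is an added example, not part of the original appendix: it builds that file for either CA. The 20-year renewal lifetime, the 2048-bit renewal key for the intermediate CA and the policy URLs are assumptions based on the sample values; the section and key names are the documented CAPolicy.inf syntax for Windows Server 2003.

```powershell
# Added example (not from the original appendix): generate CAPolicy.inf for a root or
# an intermediate CA. The file must sit in %SystemRoot% before the CA installation
# wizard runs, otherwise the wizard ignores every parameter below.

function New-CaPolicyInf {
    param(
        [int]       $RenewalKeyLength           = 4096,    # must not be shorter than the install key
        [string]    $RenewalValidityPeriod      = 'Years', # unit of the renewal lifetime
        [int]       $RenewalValidityPeriodUnits = 20,      # assumed value for illustration
        [switch]    $EmptyCdpAndAia,                       # root CA: no CDP/AIA in the self-signed cert
        [hashtable] $PolicyStatement                       # intermediate CA: @{ OID = '...'; URL = @(...) }
    )
    $lines = @('[Version]', 'Signature="$Windows NT$"', '')

    if ($EmptyCdpAndAia) {
        # A root certificate carries no CDP or AIA: nothing above it can revoke it,
        # and it is its own issuer (the two "None" tables in the root CA section).
        $lines += '[CRLDistributionPoint]', 'Empty=True', ''
        $lines += '[AuthorityInformationAccess]', 'Empty=True', ''
    }

    if ($PolicyStatement) {
        # Certificate policy extension; every certificate chained to this CA inherits it.
        $lines += '[PolicyStatementExtension]', 'Policies=LegalPolicy', 'Critical=FALSE', ''
        $lines += '[LegalPolicy]', "OID=$($PolicyStatement.OID)"
        foreach ($url in $PolicyStatement.URL) { $lines += "URL=`"$url`"" }
        $lines += ''
    }

    # Renewal parameters for the CA certificate itself.
    $lines += '[certsrv_server]'
    $lines += "RenewalKeyLength=$RenewalKeyLength"
    $lines += "RenewalValidityPeriod=$RenewalValidityPeriod"
    $lines += "RenewalValidityPeriodUnits=$RenewalValidityPeriodUnits"
    return ($lines -join "`r`n")
}

# Root CA variant (CorporateRootCA): 4096-bit renewal key, no CDP, no AIA.
$rootInf = New-CaPolicyInf -EmptyCdpAndAia

# Intermediate CA variant (IntermediateCA): 2048-bit renewal key (assumed, matching its
# installation key length) plus the policy statement from the CA Policy table.
$intermediateInf = New-CaPolicyInf -RenewalKeyLength 2048 -PolicyStatement @{
    OID = '1.1.1.1.1.1.1.1.1'
    URL = @('https://www.contoso.com/pki/Policy/USLegalPolicy.asp',
            'ftp://ftp.contoso.com/pki/Policy/USLegalPolicy.txt')
}

# Write the variant that belongs on the machine you are about to install.
Set-Content -Path (Join-Path $env:SystemRoot 'CAPolicy.inf') -Value $rootInf -Encoding Ascii
```

Because the wizard reads the file only once, at installation, a mistake in it ends up in the CA certificate itself; review the generated text (`$rootInf`) before writing it, and keep the file in place afterwards, since the renewal parameters are read again when the CA certificate is renewed.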
CSP (CA Certificate)
Description |
The CSP is responsible for generating the certificate's key material and for certificate generation. |
Sample value |
Microsoft Strong Cryptographic Provider |
Defined at |
CA installation wizard |
Stored at |
CA Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CSP\Provider |
Impacts |
CA certificate |
Hash Algorithm
Description |
Defines the hash algorithm that is used for hashing and signing certificate contents. |
Sample value |
SHA-1 |
Defined at |
CA Installation Wizard |
Stored at |
CA registry: CAName\CSP\HashAlgorithm |
Impacts |
CA certificate |
Key Length (CA Certificate)
Description |
Defines the complexity of the key material that is assigned to the CA certificate. It is recommended that the key length does not exceed 4096 bits, because this is the maximum interoperable key length with most applications and PKI providers. The key length of a subordinate CA is typically shorter than the key length of its parent CA. |
Sample value |
2048 |
Defined at |
CA Installation Wizard |
Stored at |
Certificate request and is only temporarily used |
Impacts |
The intermediate CA key material, which can be stored in an HSM or encrypted on the CA's hard disk |
Common Name
Description |
The common name must not exceed 64 characters in length. Remember that each space in the name counts as three characters of the total length, because a space is URL-escaped as %20. |
Sample value |
IntermediateCA |
Defined at |
CA Installation Wizard |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CommonName |
Impacts |
The common name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. The common name is used by several variables that are used to set the CRL and AIA. |
CA Database Path
Description |
Defines where the CA's database is located in the CA's file system. |
Sample value |
C:\Certlog |
Defined at |
CA Installation Wizard |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\DBDirectory |
Impacts |
The CA must be able to obtain the appropriate path name from the registry when the CA starts. |
CA Log File Path
Description |
Defines where the CA's transaction log files are located in the CA's file system. |
Sample value |
D:\Certlog |
Defined at |
CA Installation Wizard |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\DBLogDirectory |
Impacts |
The CA must be able to obtain the appropriate path name from the registry when the CA starts. |
Shared Folder
Description |
Defines where the CA's transaction log files are located in the root CA's file system. |
Sample value |
\\{Localhost}\CertConfig |
Defined at |
CA Installation Wizard |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\ConfigurationDirectory |
Impacts |
Clients that cannot receive the CA certificate through group policies and need to manually import the certificate. |
Distinguished Name Suffix
Description |
The name maps to the name space that is used by the domain to which the CA belongs. Because the intermediate CA is configured as a stand-alone CA, the distinguished name should be mapped to the same name space that will be used for the enterprise CA. |
Sample value |
DC=concorp,DC=contoso,DC=com |
Defined at |
CA configuration that occurs after the installation procedure |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\DSConfigDN |
Impacts |
The distinguished name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. It is also used by several variables that are used to set the CRL and AIA. |
CRL Distribution Point
Description |
Defines the URLs where the client can locate the certificate revocation list (CRL) that is related to the certificate. |
Sample value |
https://www.contoso.com/pki/%3%8%9.crl
ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10 |
Defined at |
CA MMC |
Stored at |
In Windows 2000:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Policy\FileRevocationCRLURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Policy\LDAPRevocationCRLURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Policy\RevocationCRLURL
In Windows Server 2003:
Registry: CAName\CRLPublicationURLs |
Impacts |
Any user, computer, service, or program that verifies the root certificate |
Authority Information Access (AIA)
Description |
Defines the URLs where the client can locate the certificate's issuer certificate. Because a root CA issues the CA certificate to itself, no issuer needs to be specified. |
Sample value |
https://www.contoso.com/pki/%1_%3%4.crt
ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11 |
Defined at |
Certification Authority MMC |
Stored at |
In Windows 2000:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Policy\FileIssuerCertURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Policy\LDAPFileIssuerCertURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Policy\IssuerCertURL
In Windows Server 2003:
Registry: CAName\CACertPublicationURLs |
Impacts |
Any user, computer, service, or program that verifies the root certificate |
CRL Publication Interval
Description |
Also controls the CRL validity time. |
Sample value |
180 days |
Defined at |
Certification Authority MMC |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLPeriod
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLPeriodUnits |
Impacts |
CA CRL publication algorithm and any user, computer, service, or program that verifies the CRL. |
Delta CRL Publication Interval
Description |
Defines, in the same way as the CRL publication interval, the publication interval of the delta CRL. For an offline CA, it is recommended that you disable delta CRL publication. |
Sample value |
0 (which is equal to disabled delta CRL publication) |
Defined at |
Certification Authority MMC |
Stored at |
In Windows 2000: Not available.
Windows Server 2003:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLDeltaPeriod
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLDeltaPeriodUnits |
Impacts |
Any client that can verify the certificate validity through delta CRLs |
Validity Period
Description |
Defines the period of time for which a certificate that was issued by the CA is valid. The validity period of an issued certificate cannot extend beyond the validity of the issuing CA's own certificate. |
Sample value |
2 years |
Defined at |
Certification Authority MMC |
Stored at |
Windows 2000 and Windows Server 2003:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\ValidityPeriodUnits
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\ValidityPeriod |
Impacts |
The validity time of any certificate that will be issued from that stand-alone CA. |
Issuing CA Configuration Parameters
CSP (CA Certificate)
Description |
The CSP is responsible for generating the certificate's key material and certificate generation. |
Sample value |
Microsoft Strong Cryptographic Provider |
Defined at |
CA Installation Wizard |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CSP\Provider |
Impacts |
CA certificate |
Hash Algorithm
Description |
Defines the hash algorithm that is used for hashing and signing certificate contents. |
Sample value |
SHA-1 |
Defined at |
CA Installation Wizard |
Stored at |
CA registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CSP\HashAlgorithm |
Impacts |
CA certificate |
Key Length (CA Certificate)
Description |
Defines the complexity of the key material that is assigned to the CA certificate. It is recommended that the key length does not exceed 4096 bits because this is the maximum interoperable key length with most applications and PKI providers. The key length of a subordinate CA is typically shorter than the key length of its parent CA. |
Sample value |
2048 |
Defined at |
CA Installation Wizard |
Stored at |
Certificate request and is only used temporarily |
Impacts |
CA key material |
Common Name
Description |
The common name must not exceed 64 characters in length. Remember that each space in the name counts as three characters of the total length, because a space is URL-escaped as %20. |
Sample value |
CorporateEntCA |
Defined at |
CA Installation Wizard |
Stored at |
Windows 2000 and Windows Server 2003: Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CommonName |
Impacts |
The common name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. The common name is used by several variables that are used to set the CRL and AIA. |
CA Database Path
Description |
Defines where the CA's database is located in the CA's file system. |
Sample value |
D:\Certlog |
Defined at |
CA Installation Wizard |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\DBDirectory |
Impacts |
The CA must be able to obtain the appropriate path name from the registry when the CA starts. |
CA Log File Path
Description |
Defines where the CA's transaction log files are located in the root CA's file system. |
Sample value |
D:\Certlog |
Defined at |
CA Installation Wizard |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\DBLogDirectory |
Impacts |
The CA must be able to obtain the appropriate path name from the registry when the CA starts. |
Shared folder
Description |
Defines where the CA's transaction log files are located in the root CA's file system. The shared folder is not required for an enterprise CA. |
Sample value |
\\Localhost\CertConfig |
Defined at |
CA Installation Wizard |
Stored at |
User-defined location during installation |
Impacts |
Clients that cannot receive the CA certificate through group policies and need to manually import the certificate. |
Distinguished Name Suffix
Description |
The name space is automatically mapped to the Active Directory namespace. The value is predefined because of the domain membership of the CA. |
Sample value |
CN=Configuration,DC=concorp,DC=contoso,DC=com |
Defined at |
Automatically defined |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\DSConfigDN |
Impacts |
The distinguished name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. It is also used by several variables that are used to set the CRL and AIA. |
CRL Distribution Point
Description |
Defines the URLs where the client can locate the certificate revocation list that is related to the certificate. |
Sample value |
https://www.contoso.com/pki/%3%8%9.crl
ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10 |
Defined at |
Certification Authority MMC |
Stored at |
Windows 2000:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Policy\FileRevocationCRLURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Policy\LDAPRevocationCRLURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Policy\RevocationCRLURL
Windows Server 2003:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLPublicationURLs |
Impacts |
Any user, computer, service, or program that verifies the root certificate |
Authority Information Access (AIA)
Description |
Defines the URLs where the client can find the certificate's issuer certificate. |
Sample value |
https://www.contoso.com/pki/%1_%3%4.crt
ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11 |
Defined at |
Certification Authority MMC |
Stored at |
In Windows 2000:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\Policy\FileIssuerCertURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\Policy\LDAPFileIssuerCertURL
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\Policy\IssuerCertURL
In Windows Server 2003:
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CACertPublicationURLs |
Impacts |
Any user, computer, service, or program that verifies the root certificate |
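The Common Name tables say that the name is used by "several variables" that build the CRL distribution point and AIA, and the sample values above show those variables as %-tokens. The following PowerShell is an added example, not part of the original appendix: it expands the page's CDP and AIA templates with certutil's replacement tokens so you can see the URLs a client will actually fetch, and it applies the 64-character rule (a space costs three characters as %20). The server DNS name and short name are constructed sample values; the token numbering and meanings (%1 ServerDNSName through %11 CAObjectClass) are the documented certutil tokens.

```powershell
# Added example (not from the original appendix): how the CA common name and the
# other certutil replacement tokens turn the CDP/AIA templates into concrete URLs.

function Test-CaCommonNameLength {
    param([Parameter(Mandatory)][string] $CommonName)
    # In URL form every space becomes "%20", so each space costs three characters
    # against the 64-character limit instead of one.
    $spaces    = ($CommonName.ToCharArray() | Where-Object { $_ -eq ' ' }).Count
    $effective = $CommonName.Length + 2 * $spaces
    [pscustomobject]@{
        CommonName      = $CommonName
        EffectiveLength = $effective
        Valid           = ($effective -le 64)
    }
}

function Expand-CaUrlTokens {
    param(
        [Parameter(Mandatory)][string]    $Template,
        [Parameter(Mandatory)][hashtable] $Tokens     # integer keys 1..11
    )
    # Substitute from %11 downwards so that "%1" never eats the prefix of "%10" or "%11".
    $out = $Template
    foreach ($n in 11..1) { $out = $out.Replace("%$n", [string]$Tokens[$n]) }
    return $out
}

# Token values for the issuing CA (CorporateEntCA). %4 and %8 are empty for the first
# key and become "(1)" after a renewal with a new key; %9 is empty for the base CRL.
$tokens = @{
    1  = 'entca1.concorp.contoso.com'                      # ServerDNSName (constructed)
    2  = 'entca1'                                          # ServerShortName (constructed)
    3  = 'CorporateEntCA'                                  # CaName (Common Name table)
    4  = ''                                                # CertificateName (renewal index)
    5  = 'DC=concorp,DC=contoso,DC=com'                    # DomainDN
    6  = 'CN=Configuration,DC=concorp,DC=contoso,DC=com'   # ConfigDN (DSConfigDN table)
    7  = 'CorporateEntCA'                                  # CATruncatedName (same unless CN > 64)
    8  = ''                                                # CRLNameSuffix (renewal index)
    9  = ''                                                # DeltaCRLAllowed
    10 = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'   # CDPObjectClass
    11 = '?cACertificate?base?objectClass=certificationAuthority'             # CAObjectClass
}

# The templates exactly as they appear in the CRL Distribution Point and AIA tables.
$cdpHttp = 'https://www.contoso.com/pki/%3%8%9.crl'
$cdpLdap = 'ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
$aiaHttp = 'https://www.contoso.com/pki/%1_%3%4.crt'
$aiaLdap = 'ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'

foreach ($t in $cdpHttp, $cdpLdap, $aiaHttp, $aiaLdap) { Expand-CaUrlTokens $t $tokens }

# The delta CRL is published in a second pass in which %9 is "+".
$tokens[9] = '+'
Expand-CaUrlTokens $cdpHttp $tokens

# Length check: four spaces cost eight extra characters, so this name still fits.
Test-CaCommonNameLength 'Corporate Enterprise Issuing CA 01'
```

With these token values the HTTP CDP template expands to https://www.contoso.com/pki/CorporateEntCA.crl for the base CRL and https://www.contoso.com/pki/CorporateEntCA+.crl for the delta CRL, and the AIA template to https://www.contoso.com/pki/entca1.concorp.contoso.com_CorporateEntCA.crt; whatever hosts www.contoso.com must serve exactly those paths, which is why the common name and the CDP/AIA templates should be fixed before the CA issues its first certificate.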
CRL Publication Interval
Description |
Also controls the CRL validity time |
Sample value |
7 days |
Defined at |
Certification Authority MMC |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLPeriod
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLPeriodUnits |
Impacts |
CA CRL publication algorithm and any user, computer, service, or program that verifies the CRL. |
Delta CRL publication interval
Description |
Defines, in the same way as the CRL publication interval, the publication interval of the delta CRL. For an offline CA, it is recommended that you disable delta CRL publication. |
Sample value |
1 day |
Defined at |
Certification Authority MMC |
Stored at |
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLDeltaPeriod
Registry: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\CAName\CRLDeltaPeriodUnits |
Impacts |
Any client that can verify the certificate validity through delta CRLs |
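Every parameter that the tables mark as "Defined at: Certification Authority MMC" (CRL publication interval, delta CRL interval, validity period, distinguished name suffix, CRL distribution point and AIA URLs) lives under the CAName registry key listed in its "Stored at" row, so it can also be set from the command line with certutil -setreg, which is easier to review and repeat than clicking through the MMC. The following PowerShell function is an added example, not part of the original appendix: it applies the values from the root CA and intermediate CA tables and then restarts the service so that they take effect. It assumes it runs on the CA itself as a CA administrator; the numeric prefixes on the URLs are certutil's documented publication flags, and the local CertEnroll paths are the default publication locations, not values from the tables.

```powershell
# Added example (not from the original appendix): apply the post-installation CA
# parameters with certutil -setreg. Flag prefixes on URLs: 1 = publish to this
# location, 2 = include in the CDP/AIA extension of issued certificates,
# 4 = include in the freshest-CRL extension, 8 = include in the CDP extension of CRLs,
# 64 = publish delta CRLs to this location.

function Set-CaPublicationConfig {
    param(
        [Parameter(Mandatory)][int]    $CrlPeriodUnits,
        [Parameter(Mandatory)][string] $CrlPeriod,            # Days, Weeks, Months or Years
        [Parameter(Mandatory)][int]    $CrlDeltaPeriodUnits,  # 0 disables delta CRL publication
        [Parameter(Mandatory)][string] $CrlDeltaPeriod,
        [Parameter(Mandatory)][int]    $ValidityPeriodUnits,  # maximum lifetime of issued certificates
        [Parameter(Mandatory)][string] $ValidityPeriod,
        [string]   $DSConfigDN,                               # %6 on a stand-alone CA; automatic on an enterprise CA
        [string[]] $CrlPublicationUrls,                       # "flags:url" entries; omit to leave the CDP empty
        [string[]] $CaCertPublicationUrls                     # "flags:url" entries; omit to leave the AIA empty
    )
    $settings = [ordered]@{
        'CA\CRLPeriodUnits'      = $CrlPeriodUnits
        'CA\CRLPeriod'           = $CrlPeriod
        'CA\CRLDeltaPeriodUnits' = $CrlDeltaPeriodUnits
        'CA\CRLDeltaPeriod'      = $CrlDeltaPeriod
        'CA\ValidityPeriodUnits' = $ValidityPeriodUnits
        'CA\ValidityPeriod'      = $ValidityPeriod
    }
    if ($DSConfigDN) { $settings['CA\DSConfigDN'] = $DSConfigDN }
    # certutil treats a literal "\n" inside the value as the separator of a REG_MULTI_SZ.
    if ($CrlPublicationUrls)    { $settings['CA\CRLPublicationURLs']    = ($CrlPublicationUrls    -join '\n') }
    if ($CaCertPublicationUrls) { $settings['CA\CACertPublicationURLs'] = ($CaCertPublicationUrls -join '\n') }

    foreach ($entry in $settings.GetEnumerator()) {
        certutil -setreg $entry.Key $entry.Value | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $($entry.Key) failed with exit code $LASTEXITCODE" }
    }
    # The service reads these values at start-up; publish a CRL afterwards so that the
    # new interval is what clients see immediately.
    Restart-Service -Name certsvc
    certutil -crl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CRL publication failed with exit code $LASTEXITCODE" }
}

# Offline root CA (CorporateRootCA): 180-day CRL, no delta CRL, 5-year issued
# certificates, CDP and AIA left empty as the root CA tables require.
Set-CaPublicationConfig -CrlPeriodUnits 180 -CrlPeriod Days `
    -CrlDeltaPeriodUnits 0 -CrlDeltaPeriod Days `
    -ValidityPeriodUnits 5 -ValidityPeriod Years `
    -DSConfigDN 'DC=concorp,DC=contoso,DC=com'

# Offline intermediate CA (IntermediateCA): 180-day CRL, no delta CRL, 2-year issued
# certificates, HTTP and LDAP CDP/AIA from the intermediate CA tables.
Set-CaPublicationConfig -CrlPeriodUnits 180 -CrlPeriod Days `
    -CrlDeltaPeriodUnits 0 -CrlDeltaPeriod Days `
    -ValidityPeriodUnits 2 -ValidityPeriod Years `
    -DSConfigDN 'DC=concorp,DC=contoso,DC=com' `
    -CrlPublicationUrls @(
        '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl',
        '6:https://www.contoso.com/pki/%3%8%9.crl',
        '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10') `
    -CaCertPublicationUrls @(
        '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
        '2:https://www.contoso.com/pki/%1_%3%4.crt',
        '3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11')

# Read a value back to confirm what the service will use.
certutil -getreg CA\CRLPeriodUnits
```

For the issuing CA the same call is made with -CrlPeriodUnits 7 and -CrlDeltaPeriodUnits 1 (the 7-day and 1-day values from its tables) and without -DSConfigDN, because an enterprise CA derives that value from its domain membership. Because an offline CA cannot reach the LDAP locations, it only publishes to the local file path and the HTTP and LDAP files have to be copied to the directory and web server by hand before the CRL expires; the 180-day interval is what makes that manual step workable.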