Building a CA Hierarchy: Part 1. Building the Root CA

Tags: CA, Security, PKI, Windows Server

This is part 1 of the Building a CA Hierarchy series. If you're just starting, you might want to read the other parts:

Part 1. Building the Root CA
Part 2. Configuring the Root CA
Part 3. Building the Enterprise CA
Part 4. Configuring the Enterprise CA
Part Oops. How I Screwed Up

In theory a root Certificate Authority in the Windows world should be a simple thing:

  • Click some buttons and install the Certificate Authority components;
  • Run a wizard and enter the name of the CA and possibly other details.

Maybe there'd be a third step sometimes, such as:

  • Copy some vaguely named file to an improbably named directory.

In practice, however, building a reasonably secure CA that doesn't require significant maintenance is a royal pain in the rear.

Let's start with the basics. I'm going to document how I build a production-quality root CA.

First, create a new virtual machine (if you're not using VMWare Server, Virtual Server or similar for this, you can use a physical server; but that's definitely overkill). Virtual machines have other advantages too; you can keep the software required to boot the VM with the VM itself so hardware failure isn't a massive problem; no floppy drive to fail unexpectedly ...

I created a 4GB VM on Virtual Server 2005 R2. This allows me to back the entire machine up to a single DVD, and it's more than enough space given we won't be applying patches, service packs etc.

Next remove all the network cards. This machine will not be on the network, now or in the future. The machine should have only the hard disk, a CD or DVD drive, and a floppy drive.

Now you can build the machine using the Windows Server CD. I used Windows Server 2003 R2 Standard Edition with SP2, but no service pack is required - the original "Gold" release of Windows Server will be just fine.

You'll want to get yourself a floppy while you're waiting for the build to complete. In my case, I have a virtual floppy disk so I was spared the indignity of testing 23587 disks to find the single working disk.

Once the server is built, we'll create a file called CAPolicy.INF. This text file contains instructions to the CA components that will be used to configure the root CA certificate. It's the only chance we get to provide some of the information needed to configure a proper offline root CA.

The file is very simple. This example sets a 4096 bit key for the certificate, and makes the cert valid for 25 years:

Signature="$Windows NT$"




Now install the Certificate Authority components. Don't worry about the IIS warning; we won't be needing IIS for the few certificates we will issue from this CA.

You'll need to set your own values as you run the wizard. The following gives you some idea of what to expect:

  • CA Type: Standalone Root CA (the third option); I suggest using custom settings for the key pair and CA certificate;
  • CSP: Microsoft Strong Cryptographic Provider;
  • Hash algorithm: SHA-1;
  • Key length: 4096 bits (you want this as long as possible for a root certificate, especially if you plan a 25 year life!). Note that while you can specify a longer key (e.g. 8192 bits) ... calculating the key might take a surprisingly long time (5-10 seconds for a 4096 bit key and 10 minutes for 8192 bits on this 1.83GHz Core 2);
  • Common Name: Whatever you want to publicly call this CA (probably not the computer name, possibly "Goo Corp Root CA" or similar);
  • Distinguished Name Suffix: A partial LDAP path for your organisation and department. For example, the Corporate department at Goo Corp would be: OU=Corporate,O=Goo Corp. This is optional;
  • Validity Period: The same number of years as you specified in CAPolicy.INF (you want the certificate lifetimes to be consistent).

Having completed the wizard, your root CA is built, and the certificate is valid for 25 years (if you used the example configuration above exactly as is).

On to part 2 ...