You can use a Windows Server 2008 public key infrastructure to provide a wide range of strong, scalable, cryptography-based solutions for network and information security. When you choose the level of security for your organization, consider both the value of the information that you want to protect and the costs involved with implementing a strong security system.

In the reference architecture for the Microsoft Solution for Hosted Messaging and Collaboration version 4.5, you create a simple public key infrastructure (PKI) deployment with a single Enterprise Root Certificate Authority on a domain member server.

In a full production environment, we recommend that you deploy a rooted trust model with an offline Root Certificate Authority. In a rooted trust model, the root certificate authority (CA) is the trust anchor and has a self-signed certificate. If needed, the root CA issues a certificate to all direct subordinate CAs, which in turn issue certificates to their subordinate CAs. A subordinate CA is trusted cryptographically, based on the signature of its parent.

Tasks

  1. Install Prerequisites for the Root Certificate Authority Server
  2. Modify Windows Firewall Settings for the Root Certificate Authority Server
  3. Install IIS on the Root Certificate Authority Server
  4. Install Windows Server 2008 Certificate Services

Install Prerequisites for the Root Certificate Authority Server

Procedure W08-DWCM.7: To install prerequisites for the root certificate authority server (PKIROOT)

  1. Install Windows Server 2008 Enterprise Edition on PKIROOT.

  2. Install the Windows Server 2008 Support Tools.

  3. Enable Remote Desktop.

  4. Join the Fabrikam domain.

Modify Windows Firewall Settings for the Root Certificate Authority Server

Procedure W08-DWCM.8: To modify Windows firewall settings for the root certificate authority server

  1. Log on to PKIROOT as Fabrikam\Administrator and open the Server Manager console.

  2. Configure the properties for Windows Firewall with Advanced Security by setting the firewall state to Off.

Install IIS on the Root Certificate Authority Server

Install Internet Information Services (IIS) on PKIROOT.

Procedure W08-DWCM.9: To install IIS on the root certificate authority server

  1. Log on to PKIROOT as Fabrikam\Administrator and open the Server Manager console.

  2. Add the Web Server (IIS) role. Add the features required for Web Server (Windows Process Activation Service) when prompted.

  3. Accept the default web server role services.

  4. Confirm your selections and start the installation.

Install Windows Server 2008 Certificate Services

Install the Microsoft Certificate Authority on the PKIROOT server.

Install Certificate Services

Install Active Directory certificate services on the PKIROOT server.

Procedure W08-DWCM.10: To install certificate services

  1. Log on to PKIROOT as Fabrikam\Administrator and open the Server Manager console.

  2. Add the Active Directory Certificate Services role.

  3. Select the following role services:

    • Certification Authority
    • Certification Authority Web Enrollment

  4. Add the role services required for Certification Authority Web Enrollment when prompted.

  5. Follow the on-screen instructions and specify the following information:

    • Setup Type: Enterprise
    • CA Type: Root CA
    • Private Key: Create a new private key
    • Common Name for this CA: Fabrikam-PKIROOT-CA
    • Distinguished name suffix for the CA: DC=fabrikam, DC=COM

  6. Confirm your selections and start the installation.

Request a Certificate for the Default Web Site

Before remote users or computers can request certificates via the Certificate Authority Web site, an internal SSL certificate must be requested and assigned to the CA Web site.

Procedure W08-DWCM.11: To request a certificate for the default Web site

  1. On PKIROOT, open Internet Information Services (IIS) Manager and expand PKIROOT.

  2. Create a domain certificate with the following information:

    • Common name: pkiroot.fabrikam.com
    • Organization: fabrikam
    • Organizational Unit: Hosting
    • Online Certificate Authority: fabrikam-PKIROOT-CA
    • Friendly name: pkiroot.fabrikam.com

Bind the Certificate to the Default Web site

Procedure W08-DWCM.12: To bind the certificate to the default Web site

  1. On PKIROOT, open Internet Information Services (IIS) Manager.

  2. In the left-hand pane, expand PKIROOT, expand Sites, and then select Default Web Site.

  3. Add a site binding with the following information:

    • Type: https
    • SSL certificate: pkiroot.fabrikam.com
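The following PowerShell script is an added post-deployment check for procedures W08-DWCM.10 through W08-DWCM.12; it is not part of the Microsoft guide. It assumes it runs on PKIROOT with the names used above (CA name Fabrikam-PKIROOT-CA, site certificate CN pkiroot.fabrikam.com) and verifies that the CA is an Enterprise Root CA, that its self-signed certificate is the machine's trust anchor, and that port 443 is bound to a certificate issued by that CA.

```powershell
# Added verification script (not from the guide). Assumes the names chosen in
# the procedures above; adjust $caName and $siteName if your deployment differs.
$caName   = 'Fabrikam-PKIROOT-CA'
$siteName = 'pkiroot.fabrikam.com'
$caConfig = "$env:COMPUTERNAME\$caName"
$failures = @()

# 1. The CA service answers and is the Enterprise Root CA the procedure created.
$caType = certutil -config $caConfig -cainfo type 2>&1 | Out-String
if ($caType -notmatch 'Enterprise Root') { $failures += "CA type is not Enterprise Root: $($caType.Trim())" }
$caInfo = certutil -config $caConfig -cainfo name 2>&1 | Out-String
if ($caInfo -notmatch [regex]::Escape($caName)) { $failures += "CA name is not $caName" }

# 2. The root certificate is a self-signed trust anchor in the machine Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match "CN=$caName" } | Select-Object -First 1
if (-not $root) { $failures += "No $caName certificate in LocalMachine\Root" }
elseif ($root.Subject -ne $root.Issuer) { $failures += "$caName root certificate is not self-signed" }

# 3. Port 443 is bound to the domain certificate issued to the site by this CA.
$sslText = netsh http show sslcert | Out-String
$m = [regex]::Match($sslText, 'IP:port\s+:\s+0\.0\.0\.0:443[\s\S]*?Certificate Hash\s+:\s+([0-9a-fA-F]+)')
if (-not $m.Success) { $failures += 'No HTTPS binding on 0.0.0.0:443' }
else {
    $thumb = $m.Groups[1].Value.ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { $failures += "Bound certificate $thumb is not in LocalMachine\My" }
    else {
        if ($cert.Subject -notmatch "CN=$([regex]::Escape($siteName))") { $failures += "Bound certificate subject is $($cert.Subject)" }
        if ($cert.Issuer -notmatch "CN=$caName") { $failures += "Bound certificate was not issued by $caName" }
        if (-not $cert.Verify()) { $failures += 'Bound certificate does not chain to a trusted root' }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $failures += "Bound certificate expires $($cert.NotAfter)" }
    }
}

# 4. Web enrollment answers over HTTPS with the current domain credentials.
try {
    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true
    [void]$wc.DownloadString("https://$siteName/certsrv/")
} catch { $failures += "Web enrollment not reachable: $($_.Exception.Message)" }

if ($failures.Count -eq 0) { Write-Host 'PKIROOT checks passed' }
else { $failures | ForEach-Object { Write-Host "FAIL: $_" }; exit 1 }
```

Run it from an elevated PowerShell session on PKIROOT after completing procedure W08-DWCM.12; a non-zero exit code means at least one check failed.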