You can use a Windows Server 2003 public key infrastructure to provide a wide range of strong, scalable, cryptography-based solutions for network and information security. When you choose the level of security for your organization, consider both the value of the information that you want to protect and the costs involved with implementing a strong security system.

In the reference architecture for Microsoft Solution for Hosted Messaging and Collaboration version 4.5, you create a simple public key infrastructure (PKI) deployment with a single Enterprise Root Certificate Authority on a domain member server.

In a full production environment, we recommend that you deploy a rooted trust model with an offline Root Certificate Authority. In a rooted trust model, the root certificate authority (CA) is the trust anchor and has a self-signed certificate. The root CA issues certificates to its direct subordinate CAs, which in turn issue certificates to their own subordinate CAs. A subordinate CA is trusted cryptographically because its certificate carries the signature of its parent, and every chain of signatures terminates at the root. Keeping the root offline limits exposure of the root private key, which is then used only to sign subordinate CA certificates and the root's own CRL; a compromise of that key undermines every certificate in the hierarchy.


To build PKIRoot, complete the following steps:

  1. Prepare the Root CA
  2. Join the Fabrikam Domain
  3. Install Internet Information Services (IIS)
  4. Install Windows Server 2003 Certificate Services

Prepare the Root CA

In this section you prepare your Root CA, PKIRoot.

First, perform a default installation of Windows Server 2003 R2, Enterprise Edition. This requires that you first install Windows Server 2003 with SP2 and then install the Windows Server 2003 R2 components from Disc 2.

Procedure W03-DWCM.10: To install Windows Server 2003 R2 on PKIRoot

  1. Perform a default installation of Windows Server 2003, Enterprise Edition (with Service Pack 2 integrated), by using the CD boot method. Install the Support Tools from the Windows Server 2003 CD. Use appropriate naming conventions for your environment.

  2. After Setup for Windows Server 2003 with SP2 is complete, log on to the computer as an administrator. Insert Disc 2 into your CD-ROM drive. Setup for Disc 2 should start automatically. If it does not, browse to Disc 2 (or the shared folder that contains the Setup files) and, in the \Cmpnents\R2 folder, run Setup2.exe. Follow the instructions to upgrade to R2.

Prepare this server by enabling Remote Desktop, installing Microsoft .NET Framework 2.0 with SP1, installing the Windows Server 2003 Support Tools, and installing the latest updates from Microsoft.

Procedure W03-DWCM.11: To prepare PKIRoot

  1. Enable Remote Desktop by using Control Panel.

  2. Install the Microsoft .NET Framework 2.0 with SP1.

  3. Install Support Tools from the Support Tools directory on the Windows Server 2003 CD.

  4. Apply any released updates to Windows Server 2003 by using Windows Update.

Join the Fabrikam Domain

After you have finished building and preparing PKIRoot, add the server to the Fabrikam domain, and then log on as the domain administrator.

Procedure W03-DWCM.12: To add PKIRoot to the Fabrikam domain and log on as the domain administrator

  1. Configure the local network interface to use the IP addresses of AD01 and AD02 as the preferred and alternate DNS servers.

  2. Join the server to the Fabrikam domain.

    Joining the domain requires you to restart the server.
  3. Log on to the domain as the domain administrator.
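
The same two steps, as an added command-line example that is not part of the original guide: it uses netsh (built in) and netdom and nltest from the Windows Server 2003 Support Tools installed earlier. The adapter name "Local Area Connection", the two TEST-NET addresses standing in for AD01 and AD02, the DNS domain name fabrikam.com and the join account FABRIKAM\Administrator are assumptions; substitute your own values.

```batch
@echo off
rem Added example, not part of the original guide: sets the DNS servers and
rem joins PKIRoot to the Fabrikam domain from the command line. netsh is built
rem in; netdom and nltest come from the Windows Server 2003 Support Tools.
rem Assumptions (not stated on the page): the adapter is named "Local Area
rem Connection", AD01/AD02 answer on the two TEST-NET addresses below, the
rem domain's DNS name is fabrikam.com, and the join account is
rem FABRIKAM\Administrator.
setlocal
set NIC=Local Area Connection
set AD01_IP=192.0.2.11
set AD02_IP=192.0.2.12
set DOMAIN=fabrikam.com

rem Step 1: AD01 as the preferred DNS server, AD02 as the alternate (index 2).
netsh interface ip set dns name="%NIC%" source=static addr=%AD01_IP% register=primary
if errorlevel 1 goto :fail
netsh interface ip add dns name="%NIC%" addr=%AD02_IP% index=2
if errorlevel 1 goto :fail

rem Check before joining: the DC locator must find a domain controller for
rem fabrikam.com through the DNS servers just configured. If this fails, the
rem join fails too, usually with a DNS error rather than a credential error.
nltest /dsgetdc:%DOMAIN%
if errorlevel 1 goto :fail

rem Step 2: join the domain. /passwordd:* prompts for the password so it is
rem never stored in this file or in the command history. /reboot:15 restarts
rem the server after 15 seconds, which the page notes is required.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:FABRIKAM\Administrator /passwordd:* /reboot:15
if errorlevel 1 goto :fail
echo Join succeeded; the server will restart. Log on afterwards as the domain administrator.
endlocal
exit /b 0

:fail
echo Configuration failed with error %errorlevel%; the server was not joined.
endlocal
exit /b 1
```

Run it from a command prompt on PKIRoot before the server is joined. The nltest check fails fast when the DNS settings are wrong, which is the usual cause of a failed join; /passwordd:* keeps the domain administrator's password out of the script and the command history.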

Install IIS

Before you install the Microsoft Certification Authority, you must install Internet Information Services (IIS) 6.0. IIS 6.0 hosts the Certificate Services Web enrollment site, through which the administrator issues certificates to intermediate Certificate Authorities. The certificate revocation list (CRL) is also published through this Web site, so clients must be able to reach its HTTP URL; if the root CA is later taken offline, as recommended above, its CRL must be copied to a publication point that remains reachable.

Install IIS on the PKIRoot server by using the Add or Remove Programs utility in Control Panel. Install only the following components:

  • Common Files
  • Internet Information Services Manager
  • World Wide Web Service

For more information about how to install IIS, see Installing IIS (IIS6.0).

Install Windows Server 2003 Certificate Services

Install the Microsoft Certificate Authority on the PKIRoot server by using the values in the following table.

  Setting                     Value
  Common Name for this CA     
  Distinguished name suffix   DC=fabrikam, DC=COM
  Validity period             5 years (the default value)

Procedure W03-DWCM.13: To install Certificate Services

  1. In Add or Remove Programs, click Add/Remove Windows Components, select Certificate Services, and start the wizard.

  2. On the CA Type page, select Enterprise root CA, and then complete the wizard by using the values in the preceding table.

    If you are prompted, provide the path to the Windows Server 2003, Enterprise Edition installation files (the i386 folder of the installation CD).

    After Certificate Services is installed, the server cannot be renamed or moved to another domain, which is why the domain join precedes this step.
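
The IIS component selection above and the Certificate Services installation, as one added unattended example that is not part of the original guide. It drives sysocmgr with two answer files, in the page's order (IIS first), and then runs the certutil checks a practitioner would want before relying on the CA. The CA common name "Fabrikam Root CA" is an assumption, since the table leaves it to you, as is the answer-file location; the component IDs are the ones listed in %windir%\inf\sysoc.inf and the [Certsrv_Server] keys are Windows Server 2003's unattended Certificate Services setup keys.

```batch
@echo off
rem Added example, not code from the original guide: unattended install of the
rem IIS 6.0 components and of Certificate Services on PKIRoot with sysocmgr,
rem using the values from the table above. Two passes, because the page's
rem order (IIS first, then the CA) is a real dependency: Certificate Services
rem setup creates the /certsrv Web site only if IIS is already present.
rem Assumptions not taken from the page: the CA common name "Fabrikam Root CA"
rem and the answer-file location in %TEMP%. Component IDs are those listed in
rem %windir%\inf\sysoc.inf; the [Certsrv_Server] keys are the Windows Server
rem 2003 unattended-setup keys for Certificate Services.
setlocal
set IIS_ANSWER=%TEMP%\pkiroot-iis.txt
set CA_ANSWER=%TEMP%\pkiroot-certsrv.txt

rem Pass 1: only Common Files, IIS Manager and the World Wide Web Service,
rem as the IIS section specifies; nothing else is turned on.
(
echo [Components]
echo iis_common = ON
echo iis_inetmgr = ON
echo iis_www = ON
) > "%IIS_ANSWER%"
sysocmgr /i:%windir%\inf\sysoc.inf /u:"%IIS_ANSWER%"
if errorlevel 1 goto :fail

rem IIS 6.0 installs with every Web service extension prohibited. The CA's
rem enrollment pages are ASP, so allow that one extension and nothing more.
cscript //nologo %windir%\system32\iisext.vbs /EnExt ASP
if errorlevel 1 goto :fail

rem Pass 2: Certificate Services as an Enterprise root CA, with the DN suffix
rem and validity from the table. certsrv_client is the Web enrollment support
rem through which the CRL is published.
(
echo [Components]
echo certsrv_server = ON
echo certsrv_client = ON
echo [Certsrv_Server]
echo CAType = EnterpriseRootCA
echo CAName = Fabrikam Root CA
echo CADistinguishedNameSuffix = DC=fabrikam,DC=COM
echo ValidityPeriod = Years
echo ValidityPeriodUnits = 5
) > "%CA_ANSWER%"
sysocmgr /i:%windir%\inf\sysoc.inf /u:"%CA_ANSWER%"
if errorlevel 1 goto :fail

rem Checks before relying on the CA:
rem  - the service answers and reports the expected name and CA type
certutil -ping
certutil -cainfo name
certutil -cainfo type
rem  - the configured CRL publication URLs include the HTTP path on this
rem    server; without it, clients that cannot use LDAP get no CRL at all
certutil -getreg CA\CRLPublicationURLs
del "%IIS_ANSWER%" "%CA_ANSWER%"
endlocal
exit /b 0

:fail
echo Setup step failed with error %errorlevel%; fix the cause before continuing.
endlocal
exit /b 1
```

The ASP step matters because IIS 6.0 installs with all Web service extensions prohibited and the enrollment pages under /certsrv are ASP; run interactively, Certificate Services setup offers to enable it, but unattended it is better to do so explicitly. The CRLPublicationURLs output should contain an http:// entry pointing at this server's Web site; if it does not, clients that cannot use LDAP will fail revocation checking against this CA.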