Deploy PKI Certificate Services – Offline Root CA

We are deploying an offline Root CA to Contoso Network.


The Contoso stand-alone root CA (named RootCA), is never connected to a network and remains offline and physically secured. It is installed on Microsoft Virtual Machine. The root CA issues and revokes certificates for Issuing/Policy CAs in the hierarchy. Offline Root Keys are generated by Microsoft Software CSP. The CA certificate and the CRL are regularly and manually published and made available through an HTTP and an LDAP distribution point.

Settings for Offline Root CA:

  • Computer name (should be unique in the network) :
  •  Common Name for this CA: CONTOSO Corporate Root CA
  •  (Optional)  Distinguished name suffix : DC=CONTOSO,DC=com

CAPolicy.inf File

The CAPolicy.inf file provides Certificate Services configuration information, which is read during initial CA installation and whenever the CA certificate is renewed. The CAPolicy.inf file defines settings specific to root CAs, as well as settings that affect all CAs in the CA hierarchy.

By default, the CAPolicy.inf file does not exist when Microsoft Windows Server is installed. It should be manually created in the Windows operating system folder (%windir% folder). When Certificate Services are installed, the operating system applies any settings defined in the CAPolicy.inf file.

Look at AIA and CDP Variable Definitions table on Appendix A in order to learn how to code the CAPolicy File.

This CAPolicy.inf file for RootCA makes the following assumptions:

  • The root CA will renew its key with one with length of 4,096 bits.
  • Hash algorithm: SHA-1
  •  The validity period of the root CA certificate is 20 years.
  •  Base CRLs are published every 26 weeks.
  •  Delta CRLs are disabled.
  •  The root CA does not contain a CDP or an AIA extension to prevent revocation checking of the root CA certificate.
  • Cryptographic service provider (CSP) : Microsoft Strong Cryptographic Service Provider.
  • Database and log settings:   Database files on D:\CA_DB\ .Log files on D:\CA_LOG\
  • Empty CDP and AIA locations in the CAPolicy File. 

Based on these assumptions, the following CAPolicy.inf file can be installed in the %windir% of the ROOTCA computer:



Signature=”$Windows NT$”


















  • The [Version] section defines that the .inf file uses the Windows NT format. This section must exist for both root and subordinate CA installations.
  • CRLDeltaPeriodUnits=0  means that Delta CRLs are disabled which is a recommendation in an offline root CA.
  • [CRLDistributionPoint] and [AuthorityInformationAccess] are assigned value empty as a best practice for the root CA certificate. Later after installation, those values should be redefined to locate the correct location for CDP and AIA for the Issuing/online CA Certificates.
    • renewalkeylength=4096 specifies the key length for the CA Root certificate when its key are renewed. In the other hand, the current key length is specified in the installation wizard.


Installing Certificate Services

Once the CAPolicy.inf file is installed, Certificate Services on the root CA computer can be installed. The installation must be performed by a member of the local Administrators account on the CA computer, and the computer must not be a member of a domain. This will allow the computer to be removed from the network for long periods of time. The machine should have two partitions—drive C for the operating system and drive D for the CA database and log files.

Note: IIS is not required for the installation of an offline root CA. The only certificate requests submitted to the root CA are for subordinate CA certificates, and these can be submitted by using the Certification Authority console.

You can use the following procedure to install the root CA:

<The screen shots are from Windows 2003 CA installation, but not that match changed in newer O.S versions>

1. Ensure that the date and time on the root CA computer is correct.

This is to ensure the correct time for publishing and stamping CLRs.

2. From the Start menu, click Control Panel and click Add or Remove Programs.

3. In the Add or Remove Programs window, click Add/Remove Windows Components.

4. In the Windows Components Wizard, in the Windows Components list, click the Certificate Services check box.

5. In the Microsoft Certificate Services dialog box, click Yes.

6. On the Windows Components page, click Next.

7. On the CA Type page, click Standalone Root CA, enable the Use Custom Settings to Generate the Key Pair and CA Certificate check box, and click Next.

Installing offline root CA_34343

8. On the Public and Private Key Pair page, set the following options:

  • CSP: Microsoft Strong Cryptographic Service Provider
  •  Allow the CSP to interact with the desktop: Disabled
  •  Hash algorithm: SHA-1
  •  Key length: 4,096

Note:The Use existing keys option allows you to use keys that were generated previously or to reuse keys from a previously installed CA. When installing a CA, you should almost never reuse keys. The exception to this is when you are restoring a CA after a catastrophic failure. You will then import a set of existing keys and install a new CA that uses those keys. In addition, if you are restoring a CA after a failure, you must select the Use the associated certificate check box. This ensures that the new CA has a certificate that is identical to the old CA. If you do not check this box, a new certificate will be generated that makes the new CA different from the old CA.

Installing offline root CA_2_34343


9. On the CA Identifying Information page, enter the following information:

    • Common Name for this CA: CONTOSO Corporate Root CA
    • (Optional) In Distinguished name suffix : DC=CONTOSO,DC=com
    • Validity Period: 20 Years

<Validity time can only be set for a root CA>


If you type a name in the (Distinguished name suffix), confirm that you have typed it correctly so that it works in the context of the Active Directory domain name. If you install a CA on a computer that is a domain member with Enterprise Administrator privileges, the distinguished name suffix is automatically configured. You can also set the distinguished name suffix at a later time by using the Certutil.exe command.

10. On the Certificate Database Settings page, provide the following settings and click Next:

    • Certificate database: D:\CA_DB
    • Certificate database log: D:\CA_Log
    • CA configuration: D:\CAConfig


    • In the Microsoft Certificate Services dialog box, click Yes to create the necessary folders.
    • The CA setup procedure cannot detect if the computer is supposed to run as either an online or offline CA. For an offline CA, the shared folder is not necessary, but must still be specified. If the CA is connected to the network, clients can gain access to the CA certificate through the shared folder
    • (Optional) To install a CA in the same location as a previously installed CA, select the Preserve existing certificate database check box .If you select this option, the new CA will use the existing database and preserve the certificates in the database. If you do not select this option, the existing database will be deleted. You should use this option only when you are trying to restore a CA from a backup or for CA migration.

11. If prompted, insert the Windows Server 2003, Standard Edition, and CD in the CDROM drive and choose the \i386 folder.

15. In the Microsoft Certificate Services dialog box, click OK to identify that IIS is not installed.

16. On the Completing the Windows Components Wizard page, click Finish.

17. Close the Add or Remove Programs dialog box.

Post Installation Tasks

After the stand-alone offline root CA is installed, you must configure the properties of the offline root CA for certificates that are subsequently issued from the CA. These extensions are necessary to ensure correct revocation and chain building.

Map the Namespace of Active Directory to an Offline CA’s Registry Configuration

Because the offline root CA is not connected to the domain and does not automatically publish the CRL to Active Directory, you must set a key in the registry. To do this, at a command prompt, type the following command and then stop and start the CA service:

certutil.exe –setreg ca\DSConfigDN CN=Configuration, DC=Contoso,DC=com

Where DC=concorp,DC=Contoso,DC=com is the namespace of the forest root domain. This setting is primarily required for CRLs and CA certificates (AIA) that are published in Active Directory.

This registry value sets the %6 replacement token that is required for the CRL location attribute.

Configure Distribution Points for CRL and AIA by using GUI

The CRL and AIA distribution points must be set before any certificates are issued from the new CA. This configuration step ensures that the correct information is embedded in each of the issued certificates so that the certificate’s signature and revocation status can be verified. CRL distribution point and AIA extension changes take effect only after the CA is restarted.

  • Before changing the CRL configuration, verify the default settings.
  • Log on to the computer with an account that has Certification Authority Administrator permissions.
  • Type the following at a command prompt:

certutil -getreg ca\CRLPublicationURLs

We must configure the CRL and AIA distribution point for certificates issued by this CA. To configure these extensions in a Windows Server 2003 CA, perform the following steps:

  1. Log on to the computer running certificate services with an account that has Certification Authority Management permissions.
  2. Click Start, point to All Programs, point to Administrative Tools, and then click Certification Authority
  3. In the console tree, right-click the name of the CA that you want to work with, and then click Properties. Click the Extensions tab
  4. To configure the Distribution Points for the CRL :
  • First, remove all of the CRL distribution point locations, except for the local CRL distribution point.

Warning: Do not remove the local CRL distribution point location. The local distribution point will look similar to the following path: C:\Windows\System32\CertSrv\CertEnroll\CorporateRootCA.crl The CA must publish the CRL to the file system because all of the other distribution points are not accessible for this offline CA. The CA uses the local CRL to validate all certificates that are generated before the certificates are issued to users. The local path is not included in the CRL distribution point extension of issued certificates.

  • On the Extensions tab, in Select extension, select CRL Distribution Point (CDP).
  • In Specify location from which users can obtain a certificate revocation list (CRL), click the default LDAP location, click Remove, and then click Yes.
  • Repeat this for all CRL distribution point locations except for the local CRL distribution point
  • After you remove all of the appropriate locations, the remaining list of CRL distribution points will be similar to the following figure.

Note: Don’t ever add CDP locations from the GUI interface and always use the CA variable instead of typing the explicit name of the server or certificate name. This is the best recommendation from Microsoft PKI Team.

Installing offline root CA_3_3434343

  • Select a network server to act as online CDP source. The server must have IIS.
  • Create a folder on the server and share it ,give users read access on it.
  • Add the folder to the IIS by creating a virtual directory. Give only read access to Everyone and clear all other checkboxes.

Make sure that the file names that are published with HTTP exactly match the CA certificate and CRL distribution point as defined as part of the CA configuration. If the file names do not match, clients will fail to retrieve the CRL with the URL that was specified as the CRL distribution point.

  • On the offline root, copy the contents of the %Systemroot%\System32\Certsrv\CertEnroll folder to a floppy disk.
  • Take the floppy disk to the online server and move the contents into the folder previously created.
  • Record the URL for the virtual directory ( Root CA.crl)
  • Run the below script:

certutil -setreg CA\CRLPublicationURLs  “1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n14:LDAP:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10″\n2:

  • Make sure to configure the properties for each URL as shown in the table below:



In Publish CRLs to this location, since the CorporateRootCA computer is not attached to the network, the CA cannot automatically publish the CRL to the LDAP CRL distribution point. By default, this option is chosen on an enterprise CA to automate the CRL publishing to the LDAP CRL distribution point.

In Publish CRLs to this location, a UNC file path can be specified to publish to clustered Web servers using IIS for CRL fault tolerance.

If the Publish Delta CRLs to this location check box is selected, make sure that the delta CRL is also published

  • In the Extensions tab ,In the select Extension ,Choose (Authority Information Access (AIA)
  • Remove Any existing places, and run the below script:

certutil -setreg CA\CACertPublicationURLs “1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:LDAP:///CN=

%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:;


Republish new CRLs

It is important to republish the CRL because adapted configuration parameters such as DSConfigDN are included as attributes in the CRL. Also, CRL properties affect the publication of the CRL.

  • Log onto the CA server with CA Manager permissions
  • Open the Certification Authority MMC. To do this, click Start, point to All Programs, point to Administrative Tools, and then click Certification Authority
  • Right-click Revoked Certificates, point to All Tasks, and then click Publish.
  • A new base CRL is published. A delta CRL is published only if you have also set the CRL delta publication schedule.
  • When you are prompted to confirm the type of CRL that should be published with this request, click New CRL
  • Because only base CRLs are published by the offline root CA, only the New CRL option is available.
  • To publish the CRL, at a command prompt, type certutil -CRL, and then press ENTER. When you do this, the CRL is published to the location that you configured.

Set the Validity Period for Issued Certificates at the Offline Root CA

Note that during the installation, we specified the validity period for the CA certificate (20 years).This is because there is no parent CA from which the validity period can be specified. Because this CA will issue future certificate  ,there must be a way to specify the validity period for issues certificates.To do this ,apply the following Batch file on the root CA.

certutil -setreg ca\ValidityPeriodUnits 10

certutil -setreg ca\ValidityPeriod “Years”

net stop certsvc & net start certsvc

Object Access Auditing

The post-installation script enables all auditing events for Certificate Services. These events depend on enabling success and failure auditing for Object Access. Because the offline policy CA is not a member of a domain, auditing must be enabled in the Local Security Policy using the following procedure:

1. From Administrative Tools, open Local Security Policy.

2. In Security Settings\Local Policies\Audit Policy, enable the following auditing settings:

    • Account Logon: Success, Failure
    • Account Management: Success, Failure
    • Directory Service Access: Failure
    • Logon Events: Success, Failure
    • Object Access: Success, Failure
    • Policy Change: Success, Failure
    • Privilege Use: Failure
    • Process Tracking: No auditing
    • System Events: Success, Failure 

3.Close the Local Security Policy console.

4. Close all windows.

5. Run this command (certutil -setreg CA\AuditFilter 127)

Configure CRL Publication Interval by using the user interface

After the CRL distribution point is set, you must configure the CRL publication interval. To configure the publication schedule, use the following procedure.

  1. Click Start, point to Programs, point to Administrative Tools, and then click Certification Authority. This opens the Certification Authority MMC Snap-in.
  2. In the console tree, right-click Revoked Certificates, and then click Properties.
  3. In CRL publication interval, type a number for the CRL publication interval according to your CPS ( 26 weeks).
  4. Verify that the Publish Delta CRLs check box is not selected.

Export Root Certificates and CRL to a floppy

Make sure to insert a floppy disk on the root CA and run the below script


certutil –crl                       

::Copy the Root CA certificates and CRLs to the Floppy Drive

Echo Insert a Floppy disk in Drive A:

sleep 5

copy /y %windir%\system32\certsrv\certenroll\*.cr? a:\


Note:  (Certutil –crl ) is used to publish new CRLs , and the Sleep command requires that Windows Server 2003 Resource Kit is installed on the root CA computer. After installing the resource kit tool ,search for sleep.exe and copy it to %windowsroot%\system32\

All in one post installation batch file



REM FileName Config-Root

REM Contoso International

REMCA configuration script for Windows Server 2003 CA


REM Map name spcae for Active Directory

certutil.exe –setreg ca\DSConfigDN “CN=Configuration,DC=CONTOSO,DC=com”


REM Configure CRL and AIA CDP


certutil -setreg CA\CRLPublicationURLs “1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n14:LDAP:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10″\n2:”


certutil -setreg CA\CACertPublicationURLs “1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:LDAP:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:;


REM Configure CRL Publication


certutil -setreg CA\CRLPeriod “Weeks”

certutil -setreg CACRLPeriodUnits 26


REM Set the CRL Overlap


certutil -setreg CA\CRLOverlapUnits 10

certutil -setreg CA\CRLOverlapPeriod “Days”


REM Disable Delta CRL Publication


certutil -setreg CA\CRLDeltaPeriodUnits 0

certutil -setreg CA\CRLDeltaPeriod “days”


REM Set the validity period for issued certificates


Certutil -setreg ca\ValidityPeriodUnits 10

Certutil -setreg ca\ValidityPeriod “Years”


REM Enable all auditing events for the CONTOSO Corporate Issuing CA

certutil -setreg CA\AuditFilter 127


REM Restart the CA Server Services


net stop certsvc & net start certsvc


REM Publish CRL

REM The CRL Publishing may immediately not work

REM after you restart the CA server service. if this behavior

REM occurs, try certutil CRL command at a command

REM prompt again



Certutil -CRL


REM Test if CAPolicy.inf file exists



ECHO Warning, no capolicy.inf file used




Appendix : AIA and CDP Variable Definitions


Installing offline root CA_Appendix_$3242


When variables are used in the CAPolicy.inf file, the installation of Certificate Services parses the file and replaces the variables with the actual names implemented by the CA. For example, if you do not define a [CRLDistributionPoint] section,a root CA implements the following default paths for CRL publication:

  •  %windir%\System32\CertSrv\CertEnroll\%3%8%9.crl
  • ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
  •  http://%1/CertEnroll/%3%8%9.crl
  •  file://\\%1\CertEnroll\%3%8%9.crl

Likewise, if you do not define an [AuthorityInformationAccess] section within a CAPolicy.inf file, a root CA implements the following default paths for CA certificate publication:

  •  %windir%\system32\CertSrv\CertEnroll\%1_%3%4.crt
  •   ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
  •   http://%1/CertEnroll/%1_%3%4.crt
  •   file://\\%1\CertEnroll\%1_%3%4.crt

3 comments on “Deploy PKI Certificate Services – Offline Root CA

  1. looks like you use Unicode character 8221 (the right-double quotes character) in the cmdlets specifying the AIA paths. probably should just be simply a double-quote.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s