Installing a Certificate Server Subordinate CA

A Certificate Server subordinate CA is a certifying authority that issues certificates and CRLs, but does not sign certificates. The subordinate CA must submit certificates to a root CA to be signed.

Before installing the Certificate Server subordinate CA, you must install Internet Explorer 4.01 or later on the server computer. You must also create a shared directory where Certificate Server will store certificates. The Windows NT Everyone account should have Read permission on the shared directory.

After installing the Certificate Server, you must install the Exchange policy module and Certificate Server hot fix before the Certificate Server can use KM server.

To install a subordinate CA
  1. Run the Windows NT Option Pack 4 Setup program and choose Custom.
  2. On the Components page, select Certificate Server, and then choose Show Subcomponents.
  3. Select Certificate Server Certifying Authority, and then choose Next.
  4. On the Microsoft Certificate Server page, in the Shared Folder box, enter the path to the shared certificate directory on the CA computer, and then choose Next.
  5. Select Show Advanced Configuration, and then choose Next.
  6. In the Hash Algorithm box, choose SHA-1.
  7. Select Non-Root CA, and then choose Next.
  8. Type the information describing your CA, and then choose Next.
  9. After the computer reboots, install the Microsoft Exchange Server policy module and the Certificate Server hot fix.
To install the Microsoft Exchange Server policy module and the Certificate Server hot fix
  1. In Control Panel, double-click Services, and then stop the Certificate Authority service.
  2. Download the Certificate Server hot fix from FTP://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/certserv and install it. This fix is also included in Microsoft Windows NT Server version 4.0 Service Pack 4.
  3. Copy the Expolicy.dll file from the Eng\Support\KMS\Expolicy\<operating system> directory on the Microsoft Exchange Server 5.5 Service Pack 1 compact disc to the Winnt\system32 directory on your Certificate Server computer.
  4. At the command prompt, type regsvr32 c:\winnt\system32\expolicy.dll to register the policy module.

© 1998 Microsoft Corporation. All rights reserved.