DOCUMENT:Q242854  06-AUG-2002  [winnt]
TITLE   :Certificate Server 1.0 Readme.htm File
PRODUCT :Microsoft Windows NT
PROD/VER:winnt:4.0 SP6a
OPER/SYS:
KEYWORDS:

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server version 4.0 SP6a
 - Microsoft Windows NT Server, Enterprise Edition version 4.0 SP6a
-------------------------------------------------------------------------------

SUMMARY
=======

This article contains a copy of the Microsoft Certificate Server 1.0 Readme.htm
file included with Microsoft Windows NT 4.0 Service Pack 6a (SP6a).

MORE INFORMATION
================

Certificate Server is a standards-based, highly customizable server program for
managing the creation, issuance, and renewal of digital certificates.
Certificate Server generates certificates in standard X.509 format. These
certificates are used for a number of public-key security and authentication
applications including, but not limited to, server and client authentication
under the Secure Sockets Layer (SSL) protocol and Secure/Multipurpose Internet
Mail (S/MIME).

This update to Certificate Server includes:

 - Teletex Encoding - Data encoded as teletex in a certificate request is
   encoded as teletex data in the certificate issued. Previously, this data
   was encoded as Unicode in the certificate issued.

 - Serial Number - Serial numbers are generated according to X.509 standards.
   These serial numbers are automatically generated, unique, and always
   positive. This accommodates restrictive mail clients.

 - Backup/Restore - Specific backup requests are supported, including backing
   up keys and certificates.

 - An update to the default policy module so that mail certificates issued are
   usable by Microsoft Outlook 98.

 - An update to fix a problem with certificates issued on February 29th of a
   leap year. Previously, the validity period had the NotBefore and NotAfter
   dates set to the same date. With this update, NotBefore and NotAfter are
   now set correctly in the context of the CA validity for certificates issued
   on February 29th of a leap year.

 - An update to the Certificate Server policy module to correctly process
   subordinate Certificate Authority (CA) requests.

 - An update to the Certificate Server core engine to correctly process the
   Certificate Server CA chain stored in the local machine certificate store.

 - An update to the certificate hierarchy installation tool (Certhier.exe)
   used during subordinate CA Setup to support both base64 and DER encoded
   certificates as import file formats.

 - An update to the certificate hierarchy installation tool (Certhier.exe)
   used during subordinate CA Setup to support a broader range of CA
   certificate encoding types that are generated by other CAs when issuing
   subordinate CA certificates.

 - An addition to the Advanced Configuration Options to support the selection
   of the CA's key size of 512, 1024, 2048, or 4096 bits in length during
   installation.

Basic Installation of Certificate Server
----------------------------------------

The following section describes how to install a Certificate Server as a root
CA with the standard configuration options. To install Certificate Server as a
root CA, use the following steps:

NOTE: Microsoft Internet Information Server 4.0 and Microsoft Internet Explorer
4.01 or later must be installed on the computer. Windows NT 4.0 Service Pack 6a
must have been previously applied to the computer.

1. Click Start, point to Programs, and then click Windows NT 4.0 Option Pack.

2. Click Next.

3. Click Add/Remove.

4. In the Components box, click Certificate Server.

5. Click Next.

6. In the Microsoft Certificate Server Setup dialog box, type the fully
   qualified path name of a folder into which configuration information is
   placed (for example, "c:\public" (without the quotation marks)).
   If the folder does not exist, it is created. If it is an existing folder,
   you can click Browse to find the folder name.

7. Click Next. A dialog box is displayed and you are prompted to input
   identifying information for the CA. Provide the information for each of the
   requested identifying items.

   +-------------------+----------------------------------------------------+
   | Item              | Information                                        |
   +-------------------+----------------------------------------------------+
   | CA Name           | This information is used to create the             |
   |                   | Distinguished Name (DN) that is included in the    |
   |                   | Subject Name and Issuer Name fields of the X.509v3 |
   |                   | certificate being created to represent this        |
   |                   | certificate authority.                             |
   |                   | NOTE: Check the release notes for the valid        |
   |                   | characters to use for this field.                  |
   +-------------------+----------------------------------------------------+
   | Organization      | Your company                                       |
   +-------------------+----------------------------------------------------+
   | Organization Unit | Your organization unit                             |
   +-------------------+----------------------------------------------------+
   | Locality          | Your locality                                      |
   +-------------------+----------------------------------------------------+
   | State             | Your state                                         |
   +-------------------+----------------------------------------------------+
   | Country           | Your country                                       |
   +-------------------+----------------------------------------------------+
   | CA Description    | An identifying comment                             |
   +-------------------+----------------------------------------------------+

8. Click Next. A dialog box is displayed and you are prompted for the location
   of the Certsrv.cab file. The Certsrv.cab file you need is located on the
   SP6a CD-ROM, which is located in the Valueadd\Certsrv\Processer folder.
   Either browse or type the location of the folder containing the .cab file
   (for example, if the CD-ROM drive is drive E and you have an Intel
   processor, the location is E:\Valueadd\Certsrv\I386).

9. Click OK.

10. Click Finish.

Known Problems and Limitations
------------------------------

 - Be sure to consult the QFE update release at the following Microsoft Web
   site:

      ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/certserv/

 - If you install Certificate Server from the SP6a CD-ROM without first
   applying SP6a, you may receive a "Msrevoke.dll is missing from the
   installation directory" error message because Windows NT 4.0 Option Pack is
   using a Setup file that is incompatible with the new Certificate Server. If
   you receive the error message, click Cancel, stop the installation process,
   and apply SP6a before reattempting the installation. SP6a updates the Setup
   files needed to perform the new installation.

 - If you are unable to gain access to the Certificate Server log and queue
   from the administration Web pages because of an "E78 database access" error
   message after you install Certificate Server, there may be a problem with
   the IIS virtual directory settings. To resolve this problem, reapply SP6a
   after you install Certificate Server or make sure that the application
   attribute for the Certificate Administration (CertAdm) folder in the default
   Web site is applied. For additional information about how to apply the
   application attribute for the CertAdm folder in IIS, click the article
   number below to view the article in the Microsoft Knowledge Base:

      Q241061 Cannot Gain Access to Certificate Server Log and Queue

 - If the CA service does not start after you install Certificate Server, check
   to see if the following error message is displayed in the application log in
   Event Viewer:

      Event ID: 17
      Source: CertSvc
      Description: The Certificate Server did not start: Unable to initialize
      the database connection for . The error code is 0xffffffff.

   If this error message is displayed, you may not have the proper SystemDSN
   available for Open Database Connectivity (ODBC). For additional information
   about how to create the proper SystemDSN, click the article number below to
   view the article in the Microsoft Knowledge Base:

      Q241060 Err Msg: The Certificate Server Did Not Start: Unable To...

Additional query words:

======================================================================
Keywords          :
Technology        : kbWinNTsearch kbWinNT400search kbWinNTSsearch
                    kbWinNTSEntSearch kbWinNTS400sp6 kbWinNTS400search
                    kbWinNTSEnt400SP6a
Version           : winnt:4.0 SP6a
Issue type        : kbinfo

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2002.
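
Added example (not part of the original Readme and not Certificate Server code):
the Serial Number item in the update list says serial numbers are always
positive to accommodate restrictive mail clients, and the code below shows why
sign matters in the DER INTEGER encoding that X.509 uses. The function names
are hypothetical, random generation is an assumption about method, and the
sample bytes are constructed.

```python
import secrets

def der_length(n: int) -> bytes:
    """DER definite-length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def encode_serial(value: int) -> bytes:
    """Encode a certificate serial number as a DER INTEGER (tag 0x02)."""
    if value <= 0:
        raise ValueError("serial number must be a positive integer")
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        # INTEGER is two's complement: without this pad byte the value
        # would be read back as negative.
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body

def decode_serial(der: bytes) -> int:
    """Read a DER INTEGER the way a strict parser does: as a signed value."""
    if len(der) < 3 or der[0] != 0x02 or der[1] >= 0x80:
        raise ValueError("expected a short-form DER INTEGER")
    body = der[2:2 + der[1]]
    if len(body) != der[1] or len(der) != 2 + der[1]:
        raise ValueError("truncated or trailing data")
    return int.from_bytes(body, "big", signed=True)

def new_serial(nbytes: int = 16) -> int:
    """Hypothetical generator: random, non-zero, positive by construction."""
    while True:
        value = secrets.randbits(nbytes * 8)
        if value:
            return value

def accepted_by_strict_client(der: bytes) -> bool:
    """Constructed policy check: reject zero or negative serial numbers."""
    return decode_serial(der) > 0

# Constructed sample: the same 0x80 byte with and without the pad byte.
NAIVE = b"\x02\x01\x80"       # decodes to -128
PADDED = encode_serial(0x80)  # b"\x02\x02\x00\x80", decodes to 128
```

A serial whose top bit is set and is written without the leading zero byte is
the case a strict client rejects; encode_serial avoids it for any size.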