KnowledgeBase Archive

An Archive of Early Microsoft KnowledgeBase Articles

Q242854: Certificate Server 1.0 Readme.htm File

Article: Q242854
Product(s): Microsoft Windows NT
Version(s): winnt:4.0 SP6a
Operating System(s): 
Keyword(s): 
Last Modified: 06-AUG-2002

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Windows NT Server version 4.0 SP6a 
- Microsoft Windows NT Server, Enterprise Edition version 4.0 SP6a 
-------------------------------------------------------------------------------

SUMMARY
=======

This article contains a copy of the Microsoft Certificate Server 1.0 Readme.htm
file included with Microsoft Windows NT 4.0 Service Pack 6a (SP6a).

MORE INFORMATION
================

Certificate Server is a standards-based, highly customizable server program for
managing the creation, issuance, and renewal of digital certificates.
Certificate Server generates certificates in standard X.509 format. These
certificates are used for a number of public-key security and authentication
applications including, but not limited to, server and client authentication
under the Secure Sockets Layer (SSL) protocol and Secure/Multipurpose Internet
Mail (S/MIME).

This update to Certificate Server includes:

- Teletex Encoding - Data encoded as teletex in a certificate request is
  encoded as teletex data in the certificate issued. Previously, this data was
  encoded as Unicode in the certificate issued.

- Serial Number - Serial numbers are generated according to X.509 standards.
  These serial numbers are automatically generated, unique, and always
  positive. This accommodates restrictive mail clients.

- Backup/Restore - Specific backup requests are supported, including backing up
  keys and certificates.

- An update to the default policy module so that mail certificates issued are
  usable by Microsoft Outlook 98.

- An update to fix a problem with certificates issued on February 29th of a
  leap year. Previously, the validity period had the NotBefore and NotAfter
  dates set to the same date. With this update, NotBefore and NotAfter are now
  set correctly in the context of the CA validity for certificates issued on
  February 29th of a leap year.

- An update to the Certificate Server policy module to correctly process
  subordinate Certificate Authority (CA) requests.

- An update to the Certificate Server core engine to correctly process the
  Certificate Server CA chain stored in the local machine certificate store.

- An update to the certificate hierarchy installation tool (Certhier.exe) used
  during subordinate CA Setup to support both base64 and DER encoded
  certificates as import file formats.

- An update to the certificate hierarchy installation tool (Certhier.exe) used
  during subordinate CA Setup to support a broader range of CA certificate
  encoding types that are generated by other CAs when issuing subordinate CA
  certificates.

- An addition to the Advanced Configuration Options to support the selection of
  the CA's key size of 512, 1024, 2048, or 4096 bits in length during
  installation.
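
The serial number, February 29th validity, and base64/DER import items above can
be checked on any issued certificate. The following Python code is an added
example, not part of the original Readme or of Certificate Server: it accepts a
certificate in DER or base64 form, reads the serial number and validity period,
and reports a non-positive serial or a NotAfter that is not later than
NotBefore. The function names and the sample() certificate skeleton are
constructed for illustration.

```python
import base64
from datetime import datetime

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def to_der(data):
    """Accept DER or base64 input (PEM armor optional)."""
    if data[:1] == b"\x30":                 # DER starts with SEQUENCE; its base64 starts with 'M'
        return data
    body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
    return base64.b64decode(body, validate=True)

def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                         # UTCTime has a 2-digit year; RFC 5280 pivots at 50
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")

def audit(data):
    """Return (serial, not_before, not_after, problems) for one certificate."""
    _, tbs, _ = read_tlv(read_tlv(to_der(data), 0)[1], 0)  # Certificate -> TBSCertificate
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] version comes before the serial
        tag, val, pos = read_tlv(tbs, pos)
    serial = int.from_bytes(val, "big", signed=True)  # DER INTEGER is two's complement
    for _ in range(2):                      # skip signature algorithm and issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)
    first = read_tlv(validity, 0)
    nb, na = parse_time(*first[:2]), parse_time(*read_tlv(validity, first[2])[:2])
    problems = (["serial number is not positive"] if serial <= 0 else []) + \
               (["NotAfter is not later than NotBefore"] if na <= nb else [])
    return serial, nb, na, problems

def tlv(tag, body):                         # builds the constructed sample (short lengths only)
    return bytes([tag, len(body)]) + body

def sample(serial, nb, na):                 # constructed, unsigned certificate skeleton
    tbs = (tlv(0xA0, tlv(2, b"\x02")) + tlv(2, serial) + tlv(0x30, b"") + tlv(0x30, b"")
           + tlv(0x30, tlv(0x17, nb) + tlv(0x17, na)))
    return tlv(0x30, tlv(0x30, tbs))
```

A serial whose content is the single byte 0x80 decodes as -128; the positive
value 128 must be encoded with a leading zero byte (00 80).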

Basic Installation of Certificate Server
----------------------------------------

The following section describes how to install a Certificate Server as a root CA
with the standard configuration options.


To install Certificate Server as a root CA, use the following steps:

NOTE: Microsoft Internet Information Server 4.0 and Microsoft Internet Explorer
4.01 or later must be installed on the computer. Windows NT 4.0 Service Pack 6a
must have been previously applied to the computer.

1. Click Start, point to Programs, and then click Windows NT 4.0 Option Pack.

2. Click Next.

3. Click Add/Remove.

4. In the Components box, click Certificate Server.

5. Click Next.

6. In the Microsoft Certificate Server Setup dialog box, type the fully
  qualified path name of a folder into which configuration information is
  placed (for example, "c:\public" (without the quotation marks)). If the
  folder does not exist, it is created. If it is an existing folder, you can
  click Browse to find the folder name.

7. Click Next. A dialog box is displayed and you are prompted to input
  identifying information for the CA. Provide the information for each of the
  requested identifying items.

+-------------------+----------------------------------------------------------+
| Item              | Information                                              |
+-------------------+----------------------------------------------------------+
| CA Name           | This information is used to create the Distinguished     |
|                   | Name (DN) that is included in the Subject Name and       |
|                   | Issuer Name fields of the X.509v3 certificate being      |
|                   | created to represent this certificate authority. NOTE:   |
|                   | Check the release notes for the valid characters to use  |
|                   | for this field.                                          |
+-------------------+----------------------------------------------------------+
| Organization      | Your company                                             |
+-------------------+----------------------------------------------------------+
| Organization Unit | Your organization unit                                   |
+-------------------+----------------------------------------------------------+
| Locality          | Your locality                                            |
+-------------------+----------------------------------------------------------+
| State             | Your state                                               |
+-------------------+----------------------------------------------------------+
| Country           | Your country                                             |
+-------------------+----------------------------------------------------------+
| CA Description    | An identifying comment                                   |
+-------------------+----------------------------------------------------------+

8. Click Next. A dialog box is displayed and you are prompted for the location
  of the Certsrv.cab file. The Certsrv.cab file you need is on the SP6a CD-ROM
  in the Valueadd\Certsrv\Processor folder, where Processor is the folder for
  your processor type. Either browse to or type the location of the folder
  containing the .cab file (for example, if the CD-ROM drive is drive E and you
  have an Intel processor, the location is E:\Valueadd\Certsrv\I386).

9. Click OK.

10. Click Finish.

Known Problems and Limitations
------------------------------

- Be sure to consult the QFE update release at the following Microsoft Web
  site:

  ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/certserv/

- If you install Certificate Server from the SP6a CD-ROM without first applying
  SP6a, you may receive a "Msrevoke.dll is missing from the installation
  directory" error message because Windows NT 4.0 Option Pack is using a Setup
  file that is incompatible with the new Certificate Server. If you receive the
  error message, click Cancel, stop the installation process, and apply SP6a
  before reattempting the installation. SP6a updates the Setup files needed to
  perform the new installation.

- If you are unable to gain access to the Certificate Server log and queue from
  the administration Web pages because of an "E78 database access" error
  message after you install Certificate Server, there may be a problem with the
  IIS virtual directory settings. To resolve this problem, reapply SP6a after
  you install Certificate Server or make sure that the application attribute
  for the Certificate Administration (CertAdm) folder in the default Web site
  is applied. For additional information about how to apply the application
  attribute for the CertAdm folder in IIS, click the article number below to
  view the article in the Microsoft Knowledge Base:

  Q241061 Cannot Gain Access to Certificate Server Log and Queue

- If the CA service does not start after you install Certificate Server, check
  to see if the following error message is displayed in the application log in
  Event Viewer:

  Event ID: 17
  Source: CertSvc
  Description: The Certificate Server did not start: Unable to initialize the
  database connection for <Your CA Name>. The error code is 0xffffffff.

  If this error message is displayed, you may not have the proper SystemDSN
  available for Open Database Connectivity (ODBC). For additional information
  about how to create the proper SystemDSN, click the article number below to
  view the article in the Microsoft Knowledge Base:

  Q241060 Err Msg: The Certificate Server Did Not Start: Unable To...

Additional query words:

======================================================================
Keywords          :  
Technology        : kbWinNTsearch kbWinNT400search kbWinNTSsearch kbWinNTSEntSearch kbWinNTS400sp6 kbWinNTS400search kbWinNTSEnt400SP6a
Version           : winnt:4.0 SP6a
Issue type        : kbinfo

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1986-2002.