
Step 3: Create an enterprise certificate authority

Step-by-Step Guide: How to set up a VPN, part 3

Before I show you how to create an enterprise certificate authority, I want to give you a few words of caution. Installing a certificate authority is not a process to be taken lightly. If someone gains unauthorized access to your certificate authority, that person pretty much owns your network. Likewise, if a certificate authority server crashes, it can be devastating to your network.

Therefore, protect your certificate authority server the way you would protect a nuclear bomb. Make sure that it is as secure as possible and that you perform full system backups frequently. You also want to protect those backups so they are not accidentally compromised.

  1. With that said, select Add/Remove Programs from the Control Panel and click the Add/Remove Windows Components button.
  2. Choose Certificate Services from the list of Windows components.
  3. You will see a warning message indicating that you won't be able to rename the machine or change its group membership after the certificate services are installed. Click Yes to acknowledge the warning and then click Next to begin installing the certificate authority.
  4. Choose Enterprise Root CA as the type of certificate authority you want to install and click Next. You will now be prompted to enter a common name for the certificate authority. You must also select a certificate validity period. The default setting allows certificates to be valid for five years, but you can increase or decrease this time frame according to your own corporate security policy.
  5. Fill out these two items, then click Next. Windows will begin generating cryptographic keys.
  6. You will be prompted to enter a location for the certificate database. Select the default location (unless you want to place the database on a volume with better performance or fault tolerance) and click Next.
  7. You will now see a message indicating that Windows must restart the IIS services. Click Yes and Windows will install the necessary components.
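
A post-install check and backup for the CA built in the steps above, as an added example that is not part of the original guide. It assumes an elevated PowerShell session on the CA server with certutil and icacls available; D:\CABackup is a hypothetical backup path.

```powershell
# Added example: confirm what the wizard configured, then back up the CA database.
# Assumption: run elevated on the CA server. D:\CABackup is a hypothetical path.
$ErrorActionPreference = 'Stop'
$regPath = 'SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$cfg     = Get-ItemProperty -LiteralPath "HKLM:\$regPath"
$ca      = Get-ItemProperty -LiteralPath "HKLM:\$regPath\$($cfg.Active)"

# CAType: 0 = Enterprise Root, 1 = Enterprise Subordinate,
#         3 = Standalone Root, 4 = Standalone Subordinate
if ($ca.CAType -ne 0) {
    throw "CA '$($ca.CommonName)' has CAType $($ca.CAType); expected 0 (Enterprise Root CA)"
}
if ((Get-Service -Name CertSvc).Status -ne 'Running') {
    throw 'Certificate Services (CertSvc) is not running'
}

# Locate the self-signed CA certificate to see the validity period chosen in step 4.
$prefix = "CN=$($ca.CommonName)"
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject.StartsWith($prefix) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $caCert) { throw "No self-signed certificate found for '$prefix'" }

"CA name      : $($ca.CommonName)"
"CA cert valid: $($caCert.NotBefore) to $($caCert.NotAfter)"
"Database dir : $($cfg.DBDirectory)"

# Create a dated backup folder that only Administrators and SYSTEM can read.
$backupDir = 'D:\CABackup\{0:yyyyMMdd}' -f (Get-Date)
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
icacls $backupDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Back up the certificate database and logs (fails if a backup already exists there).
certutil -backupDB $backupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backupDB failed with exit code $LASTEXITCODE" }

# The CA configuration lives in the registry and is not part of the database backup.
reg export "HKLM\$regPath" "$backupDir\CertSvc-Configuration.reg"
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# The CA private key is not included. 'certutil -backupKey <dir>' exports it and
# prompts for a password that protects the resulting PKCS #12 file.
```

Move the finished backup folder off the CA server to storage with the same access restrictions, since anyone who can read the key backup and guess its password can impersonate the CA.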



Brien M. Posey, MCSE, is a Microsoft MVP for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. For more information visit
