Certificate Server 1.0 Readme.htm File (242854)



The information in this article applies to:

  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows NT Server, Enterprise Edition 4.0 SP6a

This article was previously published under Q242854

SUMMARY

This article contains a copy of the Microsoft Certificate Server 1.0 Readme.htm file included with Microsoft Windows NT 4.0 Service Pack 6a (SP6a).

MORE INFORMATION

Certificate Server is a standards-based, highly customizable server program for managing the creation, issuance, and renewal of digital certificates. Certificate Server generates certificates in standard X.509 format. These certificates are used for a number of public-key security and authentication applications including, but not limited to, server and client authentication under the Secure Sockets Layer (SSL) protocol and Secure/Multipurpose Internet Mail (S/MIME).

This update to Certificate Server includes:
  • Teletex Encoding - Data encoded as teletex in a certificate request is encoded as teletex data in the certificate issued. Previously, this data was encoded as Unicode in the certificate issued.
  • Serial Number - Serial numbers are generated according to X.509 standards. These serial numbers are automatically generated, unique, and always positive. This accommodates restrictive mail clients.
  • Backup/Restore - Specific backup requests are supported, including backing up keys and certificates.
  • An update to the default policy module so that mail certificates issued are usable by Microsoft Outlook 98.
  • An update to fix a problem with certificates issued on February 29th of a leap year. Previously, the validity period had the NotBefore and NotAfter dates set to the same date. With this update, NotBefore and NotAfter are now set correctly in the context of the CA validity for certificates issued on February 29th of a leap year.
  • An update to the Certificate Server policy module to correctly process subordinate Certificate Authority (CA) requests.
  • An update to the Certificate Server core engine to correctly process the Certificate Server CA chain stored in the local machine certificate store.
  • An update to the certificate hierarchy installation tool (Certhier.exe) used during subordinate CA Setup to support both base64 and DER encoded certificates as import file formats.
  • An update to the certificate hierarchy installation tool (Certhier.exe) used during subordinate CA Setup to support a broader range of CA certificate encoding types that are generated by other CAs when issuing subordinate CA certificates.
  • An addition to the Advanced Configuration Options to support the selection of the CA's key size of 512, 1024, 2048, or 4096 bits in length during installation.
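
The following check is an added example, not part of the Microsoft readme or of Certificate Server: it tests an issued certificate for the two properties the update list describes (a positive serial number, and NotBefore different from NotAfter) and, like the updated Certhier.exe import, accepts either base64 or DER input. The function names and the sample certificate skeletons are constructed for illustration.

```python
import base64
import re

def to_der(data: bytes) -> bytes:
    """Return DER bytes from either raw DER or base64/PEM text."""
    if data[:1] == b"\x30":  # DER certificate: outer SEQUENCE tag
        return data
    body = re.sub(rb"-----[^-]+-----|\s", b"", data)  # strip PEM armor, whitespace
    return base64.b64decode(body, validate=True)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def audit(data: bytes) -> list:
    """Flag a non-positive serial number or identical NotBefore/NotAfter."""
    _, cert, _ = read_tlv(to_der(data), 0)   # Certificate
    _, tbs, _ = read_tlv(cert, 0)            # tbsCertificate
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                          # optional [0] version
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    findings = []
    if int.from_bytes(val, "big", signed=True) <= 0:  # DER INTEGER is two's complement
        findings.append("serial number is not positive")
    _, _, pos = read_tlv(tbs, pos)           # skip signature algorithm
    _, _, pos = read_tlv(tbs, pos)           # skip issuer
    _, validity, _ = read_tlv(tbs, pos)
    _, not_before, nxt = read_tlv(validity, 0)
    _, not_after, _ = read_tlv(validity, nxt)
    if not_before == not_after:              # compares the encoded time strings
        findings.append("NotBefore equals NotAfter")
    return findings

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content  # short-form length, samples only

def sample(serial: bytes, nb: bytes, na: bytes) -> bytes:
    """Constructed certificate skeleton (empty algorithm/issuer, no signature)."""
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + tlv(0x30, b"")
           + tlv(0x30, b"") + tlv(0x30, tlv(0x17, nb) + tlv(0x17, na)))
    return tlv(0x30, tlv(0x30, tbs))

BAD = sample(b"\x80\x01", b"000229000000Z", b"000229000000Z")
GOOD = sample(b"\x00\x80\x01", b"000229000000Z", b"010228000000Z")
print(audit(BAD), audit(base64.b64encode(GOOD)))
```

The serial bytes `80 01` decode as a negative INTEGER because the high bit of the first content byte is set; the leading `00` in the second sample is what keeps the same magnitude positive.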

Basic Installation of Certificate Server

The following section describes how to install a Certificate Server as a root CA with the standard configuration options. To install Certificate Server as a root CA, use the following steps:

NOTE: Microsoft Internet Information Server 4.0 and Microsoft Internet Explorer 4.01 or later must be installed on the computer. Windows NT 4.0 Service Pack 6a must have been previously applied to the computer.
  1. Click Start, point to Programs, and then click Windows NT 4.0 Option Pack.
  2. Click Next.
  3. Click Add/Remove.
  4. In the Components box, click Certificate Server.
  5. Click Next.
  6. In the Microsoft Certificate Server Setup dialog box, type the fully qualified path name of a folder into which configuration information is placed (for example, c:\public). If the folder does not exist, it is created. If it is an existing folder, you can click Browse to find the folder name.
  7. Click Next. A dialog box is displayed and you are prompted to input identifying information for the CA. Provide the information for each of the requested identifying items.
    Item - Information
    CA Name - This information is used to create the Distinguished Name (DN) that is included in the Subject Name and Issuer Name fields of the X.509v3 certificate being created to represent this certificate authority. NOTE: Check the release notes for the valid characters to use for this field.
    Organization - Your company
    Organization Unit - Your organization unit
    Locality - Your locality
    State - Your state
    Country - Your country
    CA Description - An identifying comment

  8. Click Next. A dialog box is displayed and you are prompted for the location of the Certsrv.cab file. The Certsrv.cab file you need is on the SP6a CD-ROM, in the Valueadd\Certsrv\Processer folder. Either browse to or type the location of the folder containing the .cab file (for example, if the CD-ROM drive is drive E and you have an Intel processor, the location is E:\Valueadd\Certsrv\I386).
  9. Click OK.
  10. Click Finish.

Known Problems and Limitations

  • Be sure to consult the QFE update release at the following Microsoft Web site:
  • If you install Certificate Server from the SP6a CD-ROM without first applying SP6a, you may receive a "Msrevoke.dll is missing from the installation directory" error message because Windows NT 4.0 Option Pack is using a Setup file that is incompatible with the new Certificate Server. If you receive the error message, click Cancel, stop the installation process, and apply SP6a before reattempting the installation. SP6a updates the Setup files needed to perform the new installation.
  • If you are unable to gain access to the Certificate Server log and queue from the administration Web pages because of an "E78 database access" error message after you install Certificate Server, there may be a problem with the IIS virtual directory settings. To resolve this problem, reapply SP6a after you install Certificate Server or make sure that the application attribute for the Certificate Administration (CertAdm) folder in the default Web site is applied. For additional information about how to apply the application attribute for the CertAdm folder in IIS, click the article number below to view the article in the Microsoft Knowledge Base:

    241061 Cannot Gain Access to Certificate Server Log and Queue

  • If the CA service does not start after you install Certificate Server, check to see if the following error message is displayed in the application log in Event Viewer:
    Event ID: 17
    Source: CertSvc
    Description: The Certificate Server did not start: Unable to initialize the database connection for Your CA Name. The error code is 0xffffffff.
    If this error message is displayed, you may not have the proper SystemDSN available for Open Database Connectivity (ODBC). For additional information about how to create the proper SystemDSN, click the article number below to view the article in the Microsoft Knowledge Base:

    241060 Err Msg: The Certificate Server Did Not Start: Unable To...


Modification Type: Major
Last Reviewed: 8/6/2002
Keywords: kbinfo KB242854