2.1 Creating a Certificate Authority

When creating a Certificate Authority (CA), you should choose a server that is highly available and highly reliable, then follow this procedure:

  1. Confirm that a CA does not already exist by calling NPKIFindOrganizationalCA. The call returns an error if the CA does not exist, so an error here means you can proceed.

  2. Call NPKIGetServerUTCTime to get the current time on the server that will host the CA.

  3. Call NPKIGetServerInfo and NPKIGetAlgorithmInfo to determine the key sizes, algorithms, and validity dates that are supported on the server.

  4. Determine the certificate attributes and extensions, then create the certificate by calling NPKICreateOrganizationalCA.

For an example implementation of this task, see CreateCA.