Preparing a Computer to be a Certificate Authority (CA)

The first step in configuring the environment is to identify a computer to be the Certificate Authority server for the Active Directory forest. This computer must be connected to a network that has a DNS server running Windows Server 2008 (or later), and it must be joined to the Active Directory domain. In most cases, the computer designated to be the CA should not be a domain controller in a live production environment. To configure the computer as a Certificate Authority, you must install Microsoft Internet Information Services (IIS) and Certificate Services.

Microsoft Internet Information Services (IIS) is required to handle Certificate Revocation List (CRL) requests made by the authentication service and to provide the virtual directories required to issue and manage certificates.

Certificate Services are required to enable the computer to act as a Certificate Authority (CA) and issue certificates to other computers that join the domain. The Application Server role, which installs IIS, and the Certificate Services server role must be on the same computer. Therefore, it is recommended that you install IIS at the same time you install Certificate Services.

What's Required to Install Certificate Services

Before installing Certificate Services, check that you have the following:

  • Account credentials for an account that is an Enterprise Administrator and a Domain Administrator of the forest root domain of the Active Directory forest.

  • A computer with Windows Server 2008 Enterprise Edition or later. Previous versions of Windows Server do not support auto-enrollment within the certificate templates. In addition, the computer must be running Enterprise Edition because Standard Edition does not support the V2 or V3 certificate templates that are required for auto-enrollment.

  • Active Directory services must be installed on the Certificate Services server. If you install the Certificate Services server role on a domain controller, no further action is required. When you promote a computer to be a domain controller, the Active Directory services are installed automatically.

    This guide details how to configure auto-enrollment on a computer running Windows Server 2012 R2. For information on configuring auto-enrollment for computers running other versions of Windows Server, please visit the Microsoft website.

Adding the Required Server Roles to Make the Computer a Certificate Authority

After you have verified that you have an appropriate account and computer configuration, you can use Server Manager to add the appropriate server roles.

To install IIS and Certificate Services on a Windows Server

  1. Open the Server Manager Dashboard and click Add Roles and Features.

    Click Next.

  2. For Installation Type, select Role-based or feature-based installation, then click Next.

  3. Ensure that Select a server from the server pool is selected and highlight the server on which you would like to install roles and features. Click Next.

  4. Select Active Directory Certificate Services, then click Add Required Features in the pop-up window.

    Click Next.

  5. Click Next to accept the default selections for Select Features.

  6. Click Next on the notification that you will be unable to change the domain settings after installing Certificate Services.

  7. Select Certification Authority and click Next.

  8. Click Install.

After Windows restarts, you will see a new role in Server Manager called AD CS. In the following procedure, you will configure this role to allow your server to act as a Certification Authority.

Configuring the Certificate Authority

  1. Click the notification icon in the Server Manager command bar to open the Add Roles and Features Wizard.

  2. Click the link, Configure Active Directory Certificate Services on the destination server.

  3. In the AD CS configuration screen, verify that you are logged on as an administrator and click Next.

  4. Select Certification Authority and click Next.

  5. Select Enterprise CA and click Next.

    You must be a member of both the Enterprise Admins group and the Domain Admins group to configure an Enterprise Certificate Authority.

  6. Select Root CA and click Next.

  7. Select Create a new private key and click Next.

  8. Accept the defaults for the cryptographic provider, key length, and hash algorithm. Click Next.

  9. Enter a name for the Certificate Authority or accept the default, and click Next.

    After the Certificate Authority is configured, you will not be able to change the name.

  10. Specify the validity period of the CA certificate and click Next.

  11. Accept the default location for the certificate database and click Next.

  12. Review your CA configuration and click Configure.

  13. Click Close when the confirmation message appears, and restart the server to retrieve a certificate from the CA.
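The two procedures above can also be run from an elevated PowerShell session on Windows Server 2012 R2 or later. The following script is an added example, not part of the original guide; the CA common name, the 4096-bit key, SHA256 and the 5-year validity period are values chosen here in place of the wizard defaults the guide tells you to accept, and the group-membership check only compares group names, so it cannot tell a child-domain Domain Admin from a forest-root one.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): installs the AD CS and IIS roles, then
# configures an Enterprise Root CA with a new private key, as the GUI steps above do.
# Assumed values below are choices for this example, not settings taken from the guide.

$CAName        = 'Contoso-Root-CA'  # assumption; the CA name cannot be changed afterwards
$KeyLength     = 4096               # assumption: larger than the usual 2048-bit default
$HashAlgorithm = 'SHA256'           # assumption: avoid SHA1 if an older wizard defaults to it
$ValidityYears = 5                  # assumption: CA certificate validity period

# Prerequisite: configuring an Enterprise CA requires both Enterprise Admins and Domain Admins.
# This is a name-based check on the current token; it does not confirm the forest root domain.
$groups = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
foreach ($required in 'Enterprise Admins', 'Domain Admins') {
    if (-not ($groups -match "\\$required$")) {
        throw "Current account is not a member of '$required'; the Enterprise CA step would fail."
    }
}

# Procedure 1, steps 4 and 7: add the Certification Authority role and IIS on the same server.
$install = Install-WindowsFeature -Name ADCS-Cert-Authority, Web-Server -IncludeManagementTools
if (-not $install.Success) { throw 'Role installation failed; see Server Manager for details.' }

# Procedure 2, steps 4 to 11: Enterprise Root CA, new private key, explicit crypto settings,
# default database location (the -Force switch suppresses the confirmation prompt).
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CAName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength $KeyLength `
    -HashAlgorithmName $HashAlgorithm `
    -ValidityPeriod Years `
    -ValidityPeriodUnits $ValidityYears `
    -Force

# Verify: the CertSvc service should be running and the CA should answer an RPC ping.
Get-Service -Name CertSvc | Select-Object Status, Name
certutil -ping
```

Run it once on the designated CA computer; if the role installation reports that a restart is needed, restart and run the configuration part again before verifying.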