How to Install and configure Active Directory Certificate Services

Active Directory Certificate Services (AD CS) is used to create a certification authority and related role services that allow you to issue and manage certificates. A certificate authority, also referred to as a certification authority, issues digital certificates and authenticates the digital identities of computer systems. By this we mean that it certifies the ownership of a public key by the named subject of the certificate. One of its objectives is to make communication on the internet secure, which gives it a vital role in digital security. See the following guides on how to import a certificate into the Trusted Root and Personal file certificate store, how to request a certificate signing request in Windows using Microsoft Management Console, and how to export a certificate in PFX format in Windows.

Certificate authorities (CAs) are a critical part of internet communication. Without them, transactions wouldn’t be secure and you would never be able to safely shop or perform online banking.

Install the Active Directory Certificate Services

I will be walking you through the steps to set up a CA in your environment. We will need to add the Certificate Authority Role to the server.
– Launch the Server Manager as shown below and
– Click on Add Roles and Features as shown below.

This is just an information page. Usually, you should skip the "before you begin" page so it does not come up any time you wish to install a role or a feature. When you are done, click on Next.

This installation is a role-based installation, therefore we will be selecting role-based or feature-based installation.
– Click on Next to continue

Configure Server and Server Roles

On the Select destination server page, if you have multiple servers, please select the desired server or the local server you wish to install the CA onto. In my case, I have just one server in the pool and it is selected automatically by default.

In Select Server Roles, in Roles, select Active Directory Certificate Services.
– Note: When you are prompted to add required features, click on “Add Features” as shown below.

You should be able to proceed now by clicking on Next.

Check AD CS and click on next

Configure Features

On the Select features page, we do not have to do anything here unless your environment demands a feature installation.
– Please click on Next to proceed.

Click on Next to proceed

Configure Active Directory Certificate Services (AD CS)

In Active Directory Certificate Services, read the provided information, and then click Next.

On AD CS, click on Next

Select Certification Authority in the Role Services and click Next.
– In the future, I will be installing other roles as displayed on this screen below. Kindly search through the blog for these articles.

Check Certificate authority and click on Next

Start Installation

Please select “Restart the destination server automatically if required” and click Yes in the popup.
– Lastly on this page, click Install.

Select restart destination server automatically if required. Click Yes on the pop-up and click on Install

As you can see below, the installation has started and you can view the progress from this window.
– Note: You can also click on the close button to have this window closed while the installation is still in progress.

Configure Active Directory Certificate Services (AD CS)

Usually, a new AD CS window will open up automatically for the post configuration of Active Directory Certificate Services (AD CS). If this is not the case, please click on the Server Manager
– Click on the flag as shown below and
– Click on “Configure Active Directory Certificate Services”

Click on "Configure Active Directory Certificate Services"

Select Destination Server

This will also open the AD CS window as shown below.
– Click on Next as I do not want to change the destination server

Click on Next

Select Certificate authority (CA)

– As you can see, because other roles were not previously selected as role services to install, they are automatically grayed out.

On the “Setup Type” page, select “Enterprise CA”, and then click “Next” to proceed.

Select Enterprise CA and click on next

On the Specify the type of the CA page, select Root CA, and then click Next.

Select Root CA and click on Next

Create New Private Key

While on the Specify the type of the private key page, select Create a new private key and then click Next.

Select create a new private key and click on next

Configure Cryptography for CA

On the Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and the hash algorithm (SHA256), and determine the best key character length for your deployment.
Note: Large key character lengths provide optimal security; however, they can impact server performance and might not be compatible with legacy applications. It is recommended that you keep the default setting of 2048.
– Click Next.

Keep the default Cryptography setting and click on next

On the CA Name page, keep the suggested common name for the CA or change the name according to your requirements. Ensure that you are certain the CA name is compatible with your naming conventions and purposes, because you cannot change the CA name after you have installed AD CS.
– Click on Next to continue the configuration.

Specify Validity Period

On the Validity Period page, in Specify the validity period, type your desired number and select a time value (Years, Months, Weeks, or Days). The default setting is five years.
– Click on Next to continue the configuration.

Select CA Database Location

On the CA Database page, in Specify the database locations, specify the folder location for the certificate database and the certificate database log. If you specify locations other than the default locations, ensure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files.
– Click Next to continue the configuration.
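One way to check the ACL requirement above once the CA has been configured. This PowerShell is an added example, not part of the original walkthrough; the function name and the allow-list of expected principals (SYSTEM and the local Administrators group) are assumptions to adjust for your environment.

```powershell
# Added example: list Allow ACEs on the CA database and log folders that are
# granted to principals outside an expected allow-list.
# Get-CaDbAclFinding is a hypothetical helper name; the allow-list is an assumption.
function Get-CaDbAclFinding {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # Well-known SIDs: S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators
        [string[]] $AllowedSid = @('S-1-5-18', 'S-1-5-32-544')
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($dir in ($Path | Sort-Object -Unique)) {
        $acl = Get-Acl -LiteralPath $dir
        # Explicit and inherited rules, with identities returned as SIDs
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($rule.IdentityReference.Value -in $AllowedSid) { continue }
            # Resolve the SID to a name for the report; keep the SID if it does not resolve
            try {
                $name = $rule.IdentityReference.Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $name = $rule.IdentityReference.Value
            }
            [pscustomobject]@{
                Path      = $dir
                Account   = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# AD CS records the locations chosen on the CA Database page under this key.
$cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$findings = Get-CaDbAclFinding -Path $cfg.DBDirectory, $cfg.DBLogDirectory

if ($findings) {
    $findings | Format-Table -AutoSize   # review each entry; remove access that is not needed
} else {
    'No Allow entries outside the allow-list on the CA database or log folders.'
}
```

Inherited entries in the output usually point at a parent folder whose permissions are too broad for a CA database location.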

Finally Configure Active Directory Certificate Services (AD CS)

Click Configure on the confirmation page as shown below.
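The wizard choices made in this guide can also be scripted. The PowerShell below is an added example, not part of the original walkthrough; the CA common name is a placeholder and the -Apply switch is an assumption of this script, which only performs a dry run unless that switch is passed.

```powershell
# Added example: scripted equivalent of the Server Manager steps in this guide.
# An Enterprise CA writes to Active Directory, so run this elevated with an
# account that is permitted to do so (typically a member of Enterprise Admins).
#Requires -RunAsAdministrator
param(
    [switch] $Apply   # hypothetical switch: without it, the CA setup is only simulated
)

# "Active Directory Certificate Services" role with the Certification Authority
# role service, plus the management tools added by the "Add Features" prompt.
$feature = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $feature.Success) { throw 'Installing ADCS-Cert-Authority failed.' }

# Values chosen on the wizard pages: Enterprise CA, Root CA, new private key,
# default provider, 2048-bit key, SHA256, five-year validity.
$caSettings = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
    # Placeholder: the CA name cannot be changed after installation, so set it deliberately.
    CACommonName        = 'EXAMPLE-ROOT-CA'
}

if ($Apply) {
    Install-AdcsCertificationAuthority @caSettings -Force
    # The CA runs as the CertSvc service once configuration succeeds.
    Get-Service -Name CertSvc | Select-Object Name, Status, StartType
} else {
    # Show what would be configured without changing the server.
    Install-AdcsCertificationAuthority @caSettings -WhatIf
}
```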

That is all that needs to be done. Also if you would like to create AD DS via PowerShell, kindly see this link. To access the certification authority, click on the Server Manager

Now, you can perform the following operation. See this guide on how to create certificate templates.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
