In this article, we shall discuss “How to Install and configure Active Directory Certificate Services”. Active Directory Certificate Services (AD DS) is used to create certification authority and related role services that allow you to issue and manage certificates. See the following interesting guides on how to import a certificate into the Trusted Root and Personal file certificate store, how to request a certificate signing request in Windows using Microsoft Management Console, and how to export a certificate in PFX format in Windows.
A certificate authority is also referred to as certification authority and it helps to issue digital certificates and authenticate the digital identities of computer systems. By this we mean, it helps certifies the ownership of a public key by the named subject of the certificate. One of the objectives is to make communication on the internet secure by playing a vital role in digital security.
Certificate authorities (CA) are a critical part of the internet communication and without it, transactions wouldn’t be secure and you will never be able to safely shop, or perform online banking.
Install the Active Directory Certificate Services
I will be walking you through the steps to set up a CA in your environment. We will need to add the Certificate Authority Role to the server.
- Launch the Server Manager as shown below and
- Click on Add Roles and Features as shown below.
This is just an information page. Usually, you should skip the “before you begin” page so it does not come up with anything you wish to install a role or a feature. When you are done and click on Next
This installation is a role based installation, therefore, we will be selecting role-based or feature-based installation. Click on Next to continue
Please see Fix an error occurred while attempting to start selected VM on Hyper-V, how to fix Failed to Upgrade VIHR Component: Failed to open deployer Service Management Port, and How to Repair a Corrupt SQL Server Database Without Data Loss.
Configure Server and Server Roles
On the Select destination server, if you have multiple servers, please select your desired server or local server you wish to install the CA unto. In my case, I have just one server in the pool and it is selected automatically by default.
In Select Server Roles, in Roles, select Active Directory Certificate Services.
Note: When you are prompted to add required features and click on “Add Features” as shown below.
You should be able to proceed now by clicking on Next.
Configure Features
On the select features page, we do not have to do anything here except you environments demands a feature installation. Please click on Next to proceed.
Configure Active Directory Certificate Services (AD CS)
In Active Directory Certificate Services, read the provided information, and then click Next.
Select Certification Services in the Role Services and click Next.
In the future, I will be installing other roles as displayed on this screen below. Kindly search through the blog for these articles.
Start Installation
Please select “Restart” the destination server automatically if required and click Yes in the popup. Lastly on this page, click Install.
As you can see below, the installation has started and you can view the progress from this window.
Note: You can also click on the close button to have this window closed while the installed is still in progress.
Please see Azure Application Gateway: Practical Configuration Guide, Azure Managing Subscriptions with PowerShell: From Login-AzAccount to Resource Control and Private Endpoint Verification for Azure File Share”, and how to Assign a Public IP to Azure Virtual Machine (VM).
Configure Active Directory Certificate Services (AD CS)
Usually, a new AD CS window will open up automatically for the post configuration of Active Directory Certificate Services (AD CS). If this is not the case, please click on the Server Manager
- Click on the flag as shown below and
- Click on “Configure Active Directory Certificate Services”
Select Destination Server
This will also open the AD CS window as shown below. Click on Next as I do not want to change the destination server
Select Certificate authority (CA)
As you can see, because other roles were not previously selected as roles services to install, they are automatically grayed out.
On the “Setup Type” page, select “Enterprise CA” , and then click “Next” to proceed.
On the Specify the type of the CA page, select Root CA, and then click Next.
Create New Private Key
While on the Specify the type of the private key page, select Create a new private key and then click Next.
Please see Azure Arc for SQL Server PAYG: Installation, Connectivity Requirements and Operational Best Practices, and how to Fix Vulnerable Veeam Backup and Replication 13.0.1.2067 and Earlier.
Configure Cryptography for CA
On the Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and the hash algorithm (SHA256), and determine the best key character length for your deployment.
Note: Large key character lengths provide optimal security; however, they can impact server performance and might not be compatible with legacy applications. It is recommended that you keep the default setting of 2048. Click Next.
On the CA Name page, keep the suggested common name for the CA or change the name according to your requirements.
Ensure that you are certain the CA name is compatible with your naming conventions and purposes, because you cannot change the CA name after you have installed AD CS. Click on Next to continue the configuration.
Specify Validity Period
On the Validity Period page, in Specify the validity period, type your desired number and select a time value (Years, Months, Weeks, or Days). The default setting of five years. Click on Next to continue the configuration.
Select CA Database Location
On the CA Database page, in Specify the database locations, specify the folder location for the certificate database and the certificate database log.
If you specify locations other than the default locations, ensure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files. Click Next to continue the configuration.
Finally Configure Active Directory Certificate Services (AD CS)
Click Configure on the confirmation page as shown below.
That is all that needs to be done. Also if you would like to create AD DS via PowerShell. To access the certification authority, click on the Server Manager
Now, you can perform the following operation. Click on the see this guide on how to create certificate templates.
I hope you found this blog post on How to Install and configure Active Directory Certificate Services helpful. If you have any questions, please let me know in the comment session.
What about Microsoft’s recommendation for mitigating NTLM relay attacks on Active Directory Certificate Services (AD CS) – KB5005413?
Thank you for your feedback. We will create an article on this soon!