Windows Server

Certification Authority: How to install and configure Active Directory Certificate Services

Active Directory Certificate Services (AD DS) is used to create certification authority and related role services that allow you to issue and manage certificates. A certificate authority is also referred to as certification authority and it helps to issue digital certificates and authenticate the digital identities of computer systems. By this we mean, it helps certifies the ownership of a public key by the named subject of the certificate. One of the objectives is to make communication on the internet secure by playing a vital role in digital security. See the following interesting guides on how to import a certificate into the Trusted Root and Personal file certificate store, how to request a certificate signing request in Windows using Microsoft Management Console, and how to export a certificate in PFX format in Windows.

Certificate authorities (CA) are a critical part of the internet communication and without it, transactions wouldn’t be secure and you will never be able to safely shop, or perform online banking. 

Install the Active Directory Certificate Services: I will be walking you through the steps to set up a CA in your environment. We will need to add the Certificate Authority Role to the server.
– Launch the Server Manager as shown below and
– Click on Add Roles and Features as shown below.

This is just an information page. Usually, you should skip the "before you begin" page so it does not come up with anything you wish to install a role or a feature. When you are done and click on Next

This installation is a role based instation, therefore, we will be selecting role-based or feature-based installation
– Click on Next to continue

On the Select destination server, if you have multiple servers, please select your desired server or local server you wish to install the CA unto. In my case, I have just one server in the pool and it is selected automatically by default.

In Select Server Roles, in Roles, select Active Directory Certificate Services.
– Note: When you are prompted to add required features and click on “Add Features” as shown below.

You should be able to proceed now by clicking on Next.

On the select features page, we do not have to do anything here except you environments demands a feature installation.
– Please click on Next to proceed.

In Active Directory Certificate Services, read the provided information, and then click Next.

Select Certification Services in the Role Services and click Next.
– In the future, I will be installing other roles as displayed on this screen below. Kindly search through the blog for these articles.

Please select “Restart” the destination server automatically if required and click Yes in the popup.
– Lastly on this page, click Install.

As you can see below, the installation has started and you can view the progress from this window.
– Note: You can also click on the close button to have this window closed while the installed is still in progress.

Usually, a new AD CS window will open up automatically for the post configuration of Active Directory Certificate Services (AD CS). If this is not the case, please click on the Server Manager
– Click on the flag as shown below and
– Click on “Configure Active Directory Certificate Services”

This will also open the AD CS window as shown below.
_ Click on Next as i do not want to change the

Select Certificate Authority
– As you can see , all other roles are grayed out, this is because they were not previously selected as roles services to install.

On the Setup Type page, verify that Enterprise CA is selected, and then click Next to continue

On the Specify the type of the CA page, verify that Root CA is selected, and then click Next.

On the Specify the type of the private key page, verify that Create a new private key is selected, and then click Next.

On the Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and the hash algorithm (SHA256), and determine the best key character length for your deployment.
Note: Large key character lengths provide optimal security; however, they can impact server performance and might not be compatible with legacy applications. It is recommended that you keep the default setting of 2048.
– Click Next.

On the CA Name page, keep the suggested common name for the CA or change the name according to your requirements. Ensure that you are certain the CA name is compatible with your naming conventions and purposes, because you cannot change the CA name after you have installed AD CS. 
- Click on Next to continue the configuration.

On the Validity Period page, in Specify the validity period, type your desired number and select a time value (Years, Months, Weeks, or Days). The default setting of five years
– Click on Next to continue the configuration.

On the CA Database page, in Specify the database locations, specify the folder location for the certificate database and the certificate database log. If you specify locations other than the default locations, ensure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files.
– Click Next to continue the configuration.

Click Configure on the confirmation page as shown below.

That is all that needs to be done. Also if you would like to create AD DS via PowerShell, kindly see this link. To access the certification authority, click on the Server Manager

Now, you can perform the following operation. Click on the see this guide on how to create certificate templates.

I welcome you to subscribe to my YouTube Channel. I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x