Preparing a Computer to be a Certificate Authority (CA) | Delinea (2024)

The first step in configuring the environment is to identify a computer to be the Certificate Authority server for the Active Directory forest. This computer must be connected to a network with a server that has Windows Server 2008 (or later) Domain Name Service installed, and it must be joined to the Active Directory domain. In most cases, the computer designated to be the CA should not be a domain controller in a live production environment. To configure the computer as a Certificate Authority, you must install Microsoft Internet Information Services (IIS) and Certificate Services.

Microsoft Internet Information Services (IIS) is required to handle Certificate Revocation List (CRL) requests made by the authentication service and to provide the virtual directories required to issue and manage certificates.

Certificate Services are required to enable the computer to act as a Certificate Authority (CA) and issue certificates to other computers that join the domain. The Application server role, which installs IIS, and the Certificate Services server role must be on the same computer. Therefore, it is recommended that you install IIS at the same time you install Certificate Services.

What's Required to Install Certificate Services

Before installing Certificate Services, check that you have the following:

  • Account credentials for an account that is an Enterprise Administrator and a Domain Administrator of the forest root domain of the Active Directory forest.

  • A computer with Windows Server 2008 Enterprise Edition or later. Previous versions of Windows Server do not support auto-enrollment within the certificate templates. In addition, the computer must be running Enterprise Edition because Standard Edition does not support the V2 or V3 certificate templates that are required for auto-enrollment.

  • Active Directory services must be installed on the Certificate Services server. If you install the Certificate Services server role on a domain controller, no further action is required. When you promote a computer to be a domain controller, the Active Directory services are installed automatically.

    This guide details how to configure auto-enrollment on a computer running Windows Server 2012 R2. For information on configuring auto-enrollment for computers running other versions of Windows Server, please visit the Microsoft website.
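
The requirements above can be checked before any role is installed. The following is an added example, not part of the original guide; it assumes an elevated PowerShell 3.0 or later session on the intended CA server, and the function name Test-CaPrerequisite is hypothetical.

```powershell
# Added example: pre-flight check for the requirements listed above.
# Test-CaPrerequisite is a hypothetical helper name, not a built-in cmdlet.
function Test-CaPrerequisite {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Group SIDs in the current token (deny-only groups are not listed,
    # which is why the session must be elevated).
    $sids = @($id.Groups | ForEach-Object { $_.Value })

    [pscustomobject]@{
        OperatingSystem    = $os.Caption
        # ProductType 1 is a workstation; version 6.0 is Windows Server 2008.
        IsServer2008Plus   = ($os.ProductType -ne 1) -and
                             ([version]$os.Version -ge [version]'6.0')
        DomainJoined       = [bool]$cs.PartOfDomain
        Domain             = $cs.Domain
        # DomainRole 4 and 5 are backup and primary domain controller.
        IsDomainController = $cs.DomainRole -ge 4
        # Well-known RIDs: 512 = Domain Admins, 519 = Enterprise Admins.
        IsDomainAdmin      = [bool]($sids -match '-512$')
        IsEnterpriseAdmin  = [bool]($sids -match '-519$')
    }
}

$check = Test-CaPrerequisite
$check | Format-List

if (-not $check.IsServer2008Plus) {
    Write-Warning 'Operating system is not Windows Server 2008 or later.'
}
if (-not $check.DomainJoined) {
    Write-Warning 'Computer is not joined to an Active Directory domain.'
}
if ($check.IsDomainController) {
    Write-Warning 'Computer is a domain controller; avoid this in live production.'
}
if (-not ($check.IsDomainAdmin -and $check.IsEnterpriseAdmin)) {
    Write-Warning 'Account is not in both Domain Admins and Enterprise Admins.'
}
```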

Adding the Required Server Roles to Make the Computer a Certificate Authority

After you have verified that you have an appropriate account and computer configuration, you can use Server Manager to add the appropriate server roles.

To install IIS and Certificate Services on a Windows Server

  1. Open the Server Manager Dashboard and click Add Roles and Features.

    Click Next.

  2. For Installation Type, select Role-based or feature-based installation, then click Next.

  3. Ensure that Select a server from the server pool is selected and highlight the server on which you would like to install roles and features. Click Next.

  4. Select Active Directory Certificate Services, then click Add Required Features in the pop-up window.

    Click Next.

  5. Click Next to accept the default selections for Select Features.

  6. Click Next on the notification that you will be unable to change the domain settings after installing Certificate Services.

  7. Select Certification Authority and click Next.

  8. Click Install.

After Windows restarts, you will see a new Role in Server Manager called AD CS. In the following procedure, you will configure this role to allow your server to act as a Certification Authority.

Configuring the Certificate Authority

  1. Click the notification icon in the Server Manager command bar to open the Add Roles and Features Wizard.

  2. Click the link, Configure Active Directory Certificate Services on the destination server.

  3. In the AD CS configuration screen, verify that you are logged on as an administrator and click Next.

  4. Select Certification Authority and click Next.

  5. Select Enterprise CA and click Next.

    You must be a member of both the Enterprise Admins group and the Domain Admins group to configure an Enterprise Certificate Authority.

  6. Select Root CA and click Next.

  7. Select Create a new private key and click Next.

  8. Accept the defaults for the cryptographic provider, key length, and hash algorithm. Click Next.

  9. Enter a name for the Certificate Authority or accept the defaults, and click Next.

    After the Certificate Authority is configured, you will not be able to change the name.

  10. Specify the validity period of the certificate and click Next.

  11. Accept the default location for the certificate database and click Next.

  12. Review your CA configuration and click Configure.

  13. Click Close when the confirmation message appears, and restart the server to retrieve a certificate from the CA.
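
The two wizard procedures above can also be scripted, which leaves a reviewable record of the choices made. This is an added example, not part of the original guide; the CA name and validity period are constructed placeholder values, and it assumes the cmdlet defaults for provider, key length, hash algorithm and database location match the wizard defaults the guide accepts.

```powershell
# Added example: scripted equivalent of the two wizard procedures above.
# Run in an elevated session. $CaName and $ValidityYears are placeholders.
$CaName        = 'EXAMPLE-ROOT-CA'   # cannot be changed once the CA is configured
$ValidityYears = 5                   # constructed value, choose per your policy

# Procedure 1: add the Certification Authority role service and IIS.
$feature = Install-WindowsFeature -Name ADCS-Cert-Authority, Web-Server -IncludeManagementTools
if (-not $feature.Success) { throw 'Role installation failed.' }

# Procedure 2: Enterprise CA, Root CA, new private key.
# Provider, key length, hash algorithm and database location are not passed,
# so the cmdlet's own defaults apply (assumed to mirror the wizard's).
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = $CaName
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = $ValidityYears
}
Install-AdcsCertificationAuthority @caParams -WhatIf      # preview, changes nothing
$result = Install-AdcsCertificationAuthority @caParams -Force
if ($result.ErrorId -ne 0) { throw "CA configuration failed: $($result.ErrorString)" }

# Record what the defaults produced so the choice is reviewed, not implicit.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" } |
    Select-Object Subject, NotAfter,
        @{ n = 'KeySize';   e = { $_.PublicKey.Key.KeySize } },
        @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } }
certutil -getreg CA\CSP\Provider

Get-Service -Name CertSvc        # should report Running
Restart-Computer -Confirm        # the guide restarts the server after configuration
```

Compare the reported key size and signature algorithm against your organization's cryptographic policy before issuing any certificates, because neither can be changed on the existing root certificate afterwards without renewing it.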

Article information

Author: Annamae Dooley
