This post describes how to install Active Directory Certificate Services (ADCS) onto a domain controller. It’s for labbing purposes which means I’m going to run this all on a single server instead of a more realistic setup with offline root, issuing CA, and possibly intermediate CA. Don’t use this post for anything designed to go into production!
To add the ADCS role, go to Server Manager and click Add roles and features. Click Next until you reach Server Roles, then select Active Directory Certificate Services:
Click Add Features, then Next twice. A warning is displayed that the computer name and domain settings cannot be changed once the CA is installed:
Click Next. Select Certification Authority and Certification Authority Web Enrollment:
Selecting Certification Authority Web Enrollment also installs IIS and sets up a small web site (the /certsrv virtual directory) for requesting and retrieving certificates through a browser. It's handy in a lab, but it's one more service to harden or leave out in a real deployment.
Click Add Features. Click Next. Click Next. Select Restart the destination server automatically if required:
Click Install. The installation starts:
When the installation has finished, click Close. Click AD CS in Server Manager. Click More… where it says Configuration required for Active Directory Certificate Services:
Click Configure Active Directory Certificate Services on the destination server:
Select an account with permissions to configure the role services. For an enterprise CA that means a member of Enterprise Admins (and a local administrator on the server):
Click Next. Select Certification Authority and Certification Authority Web Enrollment:
Click Next. Select Enterprise CA, which integrates the CA with Active Directory (its certificate is published to AD and certificate templates become available):
Select Root CA, since this single server has no parent CA to chain to:
Click Next, then select Create a new private key:
Click Next. This is a lab, so we'll keep the defaults: the RSA#Microsoft Software Key Storage Provider, a 2048-bit key length, and SHA256:
Click Next. Now name the CA. The common name doesn't have to match the server's hostname, but it cannot be changed after the CA is configured, and it's what appears as the issuer in every certificate the CA issues:
Click Next. I'll keep the default validity period of five years. A CA never issues a certificate that outlives its own certificate, so this bounds the lifetime of everything it signs:
Click Next. I'm keeping the default location for the certificate database and its logs (C:\Windows\System32\CertLog):
Click Next. A summary is shown on the Confirmation page:
Click Configure. The services are configured:
Click Close. Now open the Certification Authority console (certsrv.msc):
It should look similar to the one below:
Look for the green check mark on the CA node; it shows the CA service is up and answering requests.
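If you'd rather script the same steps than click through the wizard, the following PowerShell does the whole lab setup from an elevated session on the DC. This is an added example, not part of the original post; the CA common name is a placeholder, and the database path just spells out the wizard's default.

```powershell
# Added example: the lab setup above, scripted. Run in an elevated PowerShell
# session as a member of Enterprise Admins on the domain controller.
# 'LAB-ROOT-CA' is a placeholder name; the CertLog path is the wizard default.

# 1. Install the CA and Web Enrollment role services (Web Enrollment pulls in IIS).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure an Enterprise Root CA with a new RSA-2048 key, SHA256 signing,
#    a five-year validity period and the default database/log location.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'LAB-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -DatabaseDirectory "$env:SystemRoot\System32\CertLog" `
    -LogDirectory "$env:SystemRoot\System32\CertLog" `
    -Force

# 3. Configure Web Enrollment (the /certsrv site on IIS).
Install-AdcsWebEnrollment -Force

# 4. Verify: the same state the green check mark shows in certsrv.msc.
Get-Service -Name CertSvc | Select-Object Name, Status   # Status should be Running
certutil -ping                                           # succeeds only if the CA answers RPC requests
certutil -cainfo name                                    # prints the CA common name chosen above
```

The -Force switches suppress the confirmation prompts the wizard would otherwise show; drop them if you want to review each step before it runs.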
That’s all that’s needed to set up a basic CA! In another post we’ll look at creating certificate templates. Once again, this setup is for labbing only: don’t use it for production, and don’t run a CA on a domain controller. See you in the next one!