How to deploy a Windows Certificate Authority

Digital Certificate

In the IT world a Certificate Authority is an entity that issues digital certificates, which are used for a broad range of purposes, from certifying the identity of a server or service to encrypting communication between two entities. In the last couple of years certificates have become increasingly important for applications and services like email, device management and websites.

Starting with Exchange 2007, for example, digital certificates have been a required component for services like TLS-enabled Send Connectors or ActiveSync.

In this post I will go through the process of deploying a Windows Certificate Authority that will be used to issue digital certificates to the services configured in the lab.

Deploy Windows Certificate Authority – Requirements and Architecture

When Windows 2008 was released, Certificate Services was renamed to Active Directory Certificate Services to highlight the tight integration between Active Directory and the Certificate Authority role, so you will need an Active Directory instance to follow along.

When you deploy a Windows Certificate Authority you can choose among a good number of different architectures and CA types, each with its pros and cons and typical deployment scenarios. To keep things as simple as possible in the lab environment I will be installing an Online Enterprise Root CA on a Domain Controller; the reference architecture is below.

Windows Certificate Authority - Architecture

Note: If you are interested in a more detailed discussion of possible deployment scenarios and Windows Certificate Authority deployment types, you can refer to this Technet article, which contains a lot of useful information and links.

Deploy Windows Certificate Authority – Installation

Log in to the Domain Controller where you will be installing the Windows Certificate Authority and go to Server Manager → Manage → Add Roles and Features.

Windows Certificate Authority - Server Manager

When you choose to install Active Directory Certificate Services you will be prompted to install the Management Tools together with the role.

Windows Certificate Authority - Role Selection

In the Active Directory Certificate Services Role Services page you can install additional components for the Certificate Authority. Select Certification Authority Web Enrollment, which allows certificates to be requested and issued via a web interface; Server Manager will take care of installing all the extra components it needs, such as IIS and the Web Server role.

Windows Certificate Authority - Role Services

Note: In the IIS Role Services page just accept the default components selected by Server Manager.

Review the installation summary, which lists all components that will be installed, and configure automatic restart as appropriate.

Windows Certificate Authority - Summary

Note: You can also install the AD CS roles via PowerShell with the Install-AdcsCertificationAuthority cmdlet, as documented in this Technet article.

Deploy Windows Certificate Authority – Post-Installation steps

Once the Windows Certificate Authority role installation is over you will need to configure the role so that the server can start issuing certificates.

Windows Certificate Authority - Post Installation

In the first screen specify the credentials of the account that will be used to carry out the installation and configuration steps; be sure that the account has the appropriate permissions.

Windows Certificate Authority - Credential Configuration

In the Role Services page select all the required components to configure, and in the CA Type setup be sure to select Enterprise CA → Root.

Windows Certificate Authority - Role Configuration

Windows Certificate Authority - Configuration CA Type

Windows Certificate Authority - Root CA Configuration

In the Private Key page choose to create a new private key; you would choose "Use existing private key" in case of a Certificate Authority reinstallation or restore.

Windows Certificate Authority - Private Key Configuration

In the Cryptography for CA and CA Name pages simply accept the default values proposed by the installation wizard.

Windows Certificate Authority - CA Cryptography

Windows Certificate Authority - CA Name

In the Validity Period page specify for how long certificates issued by the CA will be valid; I have used the default value of 5 years.

Windows Certificate Authority - CA Validity Period

Finally, specify the paths that will be used for the Certificate Authority database and log files; again, I have accepted the default ones.

Windows Certificate Authority - CA Path

In the Confirmation page review the configuration parameters, click the Configure button and wait until the configuration process is over.

Windows Certificate Authority - CA Summary

Windows Certificate Authority - CA Configuration Results
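The whole procedure above (role installation plus the post-installation wizard) can also be scripted. The following is an added example, not code from the original post: it reproduces the wizard choices described here (Enterprise Root CA, new private key, 5-year validity, default database and log paths, Web Enrollment). The CA common name, the key length and the hash algorithm are assumptions standing in for the wizard defaults; run it in an elevated PowerShell session as a member of Enterprise Admins.

```powershell
# Added example (not from the original post): scripted equivalent of the
# Add Roles and Features wizard plus the AD CS post-installation wizard,
# for the lab's Online Enterprise Root CA on a Domain Controller.

# Assumption: the wizard default CA name is '<DOMAIN>-<HOSTNAME>-CA'; a fixed
# lab name is used here so the value is explicit in the script.
$caCommonName = 'LAB-ROOT-CA'

# 1. Install the role services selected in the post: Certification Authority,
#    Certification Authority Web Enrollment and the management tools.
#    IIS and its dependencies are pulled in automatically, as in Server Manager.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure the CA (post-installation wizard).
#    -CAType EnterpriseRootCA      : Enterprise CA -> Root (CA Type page)
#    no existing key is supplied   : create a new private key (Private Key page)
#    crypto provider / key / hash  : assumed equivalents of the Cryptography page defaults
#    -ValidityPeriod Years, 5      : the 5 year value used in the post
#    -DatabaseDirectory/-LogDirectory : the default CertLog path shown in the CA Path page
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caCommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -DatabaseDirectory "$env:SystemRoot\system32\CertLog" `
    -LogDirectory "$env:SystemRoot\system32\CertLog" `
    -Force

# 3. Configure the Web Enrollment role service, which creates the CertSrv
#    virtual directory under the Default Web Site.
Install-AdcsWebEnrollment -Force
```

Both AD CS cmdlets print the configuration result; a non-zero ErrorId in that output means the corresponding wizard step failed.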

Deploy Windows Certificate Authority – Verify Installation

While the installation wizard will alert you in case of any issue or failure, you can also manually verify the Certificate Authority role installation: open IIS Manager and expand Sites → Default Web Site; you will notice that the CertSrv virtual directory has been created.

Windows Certificate Authority - CertSrv

Note: By default the connection is in clear via HTTP, as you need to manually configure HTTPS for the Default Web Site.

To verify that the Web Enrollment component works, just open a browser window and navigate to http:///CertSrv; if everything is working as expected you will see a page similar to the following.

Windows Certificate Authority - Web Enrollment

The Web Enrollment interface can be used to download the CA certificate chain, request certificates or view the enrollment status of requested certificates.
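The same checks (CA service up, CertSrv virtual directory present, enrollment page reachable) can be run from PowerShell on the CA server. This is an added example, not part of the original post; it assumes the CA and IIS are on the local machine and that the WebAdministration module is available (it ships with the Web Server role). It also reports whether the Default Web Site still has only the HTTP binding mentioned in the note above.

```powershell
# Added example (not from the original post): post-installation verification
# of the CA role and the Web Enrollment component, run locally on the CA.
Import-Module WebAdministration

$result = [ordered]@{}

# The Certificate Services service must be running and answer a certutil ping.
$result.CertSvcRunning = (Get-Service -Name CertSvc).Status -eq 'Running'
$null = & certutil.exe -ping 2>&1
$result.CaAnswersPing = ($LASTEXITCODE -eq 0)

# Web Enrollment creates the CertSrv virtual directory under the Default Web Site.
$vdir = Get-WebVirtualDirectory -Site 'Default Web Site' -Name 'CertSrv' -ErrorAction SilentlyContinue
$result.CertSrvVdirPresent = [bool]$vdir

# Out of the box only an http binding exists, so enrollment traffic is in clear
# until an https binding with a server certificate is added to the site.
$bindings = Get-WebBinding -Name 'Default Web Site'
$result.HttpsBindingPresent = [bool]($bindings | Where-Object { $_.protocol -eq 'https' })

# Request the enrollment page with the current Windows credentials
# (the CertSrv directory uses Windows authentication).
try {
    $resp = Invoke-WebRequest -Uri "http://$env:COMPUTERNAME/CertSrv/" `
                              -UseDefaultCredentials -UseBasicParsing
    $result.WebEnrollmentReachable = ($resp.StatusCode -eq 200)
} catch {
    $result.WebEnrollmentReachable = $false
}

[pscustomobject]$result | Format-List
if (-not $result.HttpsBindingPresent) {
    Write-Warning 'Web Enrollment is reachable over HTTP only; add an HTTPS binding to the Default Web Site before using it outside the lab.'
}
```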



13 thoughts on "How to deploy a Windows Certificate Authority"

  1. We have a single standalone root and issuing CA set up on a domain member server. Can we add an enterprise subordinate CA to it?


    1. Hello Herry,

      As per best practice the root CA should be installed and put offline, so no domain join, as its main purpose is publishing the CRL and issuing certificates for the subordinate CAs; just be aware that when the root CA is domain joined and installed by a Domain Admin (I assume this was the case) there are some caveats.

      Answering your question: yes, you can still create a subordinate CA; here's an article from Technet with the procedure, but I can gladly give you further assistance if you need it, just drop me a message or a comment.


  2. Someone installed and set up a single standalone root and issuing CA on a domain member, which so far has issued a couple of certificates. Now we need more... I have been asked to either upgrade it to a single enterprise CA and reissue the certs, or add an enterprise CA to the existing standalone CA. What do you think I should do?


    1. Hi Herry,

      From a design best practice and security point of view you should go for the setup I've mentioned in my previous comment (Root CA + subordinate); given that you already have the various pieces in place I would just go with this setup, as independently of the chosen setup you will need to revoke the issued certificates and re-issue them from the new CA.


      1. Thank you.
        If I have to set up a new CA, it has to be done side by side, and I cannot remove the certificate service role from the source server as that will remove the configuration data needed by the destination server.
        Will disabling just the service on the source server be enough? Or do I have to clean up AD?


      2. Herry, you're most welcome; more or less the high-level process would be:

        – Install the Enterprise Root CA side by side with the standalone one
        – Configure parameters as necessary
        – Request certificates for servers/applications
        – Make sure everything is working and then phase out old issued certificates (basically remove the certificate from the application/server)
        – Phase out the CA

        As the CA is a standalone root there is not much AD cleanup involved, unless you're using those certificates for user authentication etc.

        Of course you should test everything and go through the steps, but I've recently migrated a PKI environment for one of my customers in a similar scenario and it was a painless process even though they make heavy use of certificates.

        If you have doubts or need further guidance let me know.
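The migration steps in the reply above start with knowing which certificates the old standalone CA has issued and still has in force, so they can be replaced from the new CA before it is phased out. The following added example (not from the thread or the post) builds that inventory on the old CA server with certutil's database view; the report path is an assumption, and the column names are the ones certutil accepts for the request table.

```powershell
# Added example (not from the original thread): list the unexpired certificates
# issued by the old standalone CA, as input for the replace-then-phase-out plan.
# Run on the old CA server; add -config "<server>\<CA name>" to query it remotely.
$report = Join-Path $env:TEMP 'old-ca-issued-certs.csv'   # assumption: report location

# Disposition=20 selects issued certificates; NotAfter>now drops expired ones.
# certutil -view prints text, so the wanted columns are requested explicitly.
$raw = & certutil.exe -view -restrict 'Disposition=20,NotAfter>now' `
         -out 'RequestID,RequesterName,CommonName,NotBefore,NotAfter,SerialNumber' 2>&1

# Parse the output: each record starts with "Row N:" followed by indented
# "<Localized Column Name>: <value>" lines (string values are double quoted).
$rows = @()
$cur = $null
foreach ($line in $raw) {
    if ($line -match '^Row \d+:') {
        if ($cur) { $rows += [pscustomobject]$cur }
        $cur = [ordered]@{}
        continue
    }
    if ($cur -and $line -match '^\s+(.+?):\s*"?(.*?)"?\s*$') {
        $cur[$matches[1]] = $matches[2]
    }
}
if ($cur) { $rows += [pscustomobject]$cur }

$rows | Export-Csv -Path $report -NoTypeInformation
'{0} unexpired certificate(s) issued by this CA; inventory written to {1}' -f $rows.Count, $report
```

Once every entry in the report has a replacement issued by the new CA and installed on its server or application, the old CA can be phased out as described above.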

