Preparing a Computer to be a Certificate Authority (CA) | Delinea (2024)

The first step in configuring the environment is to identify a computer to be the Certificate Authority server for the Active Directory forest. This computer must be connected to a network with a server that has Windows Server 2008 (or later) Domain Name Service installed, and it must be joined to the Active Directory domain. In most cases, the computer designated to be the CA should not be a domain controller in a live production environment. To configure the computer as a Certificate Authority, you must install Microsoft Internet Information Services (IIS) and Certificate Services.

Microsoft Internet Information Services (IIS) is required to handle Certificate Revocation List (CRL) requests made by the authentication service and to provide the virtual directories required to issue and manage certificates.

Certificate Services is required to enable the computer to act as a Certificate Authority (CA) and issue certificates to other computers that join the domain. The Application server role, which installs IIS, and the Certificate Services server role must be on the same computer. Therefore, it is recommended that you install IIS at the same time you install Certificate Services.

What's Required to Install Certificate Services

Before installing Certificate Services, check that you have the following:

  • Account credentials for an account that is an Enterprise Administrator and a Domain Administrator of the forest root domain of the Active Directory forest.

  • A computer with Windows Server 2008 Enterprise Edition or later. Previous versions of Windows Server do not support auto-enrollment within the certificate templates. In addition, the computer must be running Enterprise Edition because Standard Edition does not support the V2 or V3 certificate templates that are required for auto-enrollment.

  • Active Directory services must be installed on the Certificate Services server. If you install the Certificate Services server role on a domain controller, no further action is required. When you promote a computer to be a domain controller, the Active Directory services are installed automatically.

    This guide details how to configure auto-enrollment on a computer running Windows Server 2012 R2. For information on configuring auto-enrollment for computers running other versions of Windows Server, please visit the Microsoft website.

Adding the Required Server Roles to Make the Computer a Certificate Authority

After you have verified that you have an appropriate account and computer configuration, you can use Server Manager to add the appropriate server roles.

To install IIS and Certificate Services on a Windows Server

  1. Open the Server Manager Dashboard and click Add Roles and Features.

    Click Next.

  2. For Installation Type, select Role-based or feature-based installation, then click Next.

  3. Ensure that Select a server from the server pool is selected and highlight the server on which you would like to install roles and features. Click Next.

  4. Select Active Directory Certificate Services, then click Add Required Features in the pop-up window.

    Click Next.

  5. Click Next to accept the default selections for Select Features.

  6. Click Next on the notification that you will be unable to change the domain settings after installing Certificate Services.

  7. Select Certification Authority and click Next.

  8. Click Install.

After Windows restarts, you will see a new Role in Server Manager called AD CS. In the following procedure, you will configure this role to allow your server to act as a Certification Authority.

Configuring the Certificate Authority

  1. Click the notification icon in the Server Manager command bar to open the Add Roles and Features Wizard.

  2. Click the link, Configure Active Directory Certificate Services on the destination server.

  3. In the AD CS configuration screen, verify that you are logged on as an administrator and click Next.

  4. Select Certification Authority and click Next.

  5. Select Enterprise CA and click Next.

    You must be a member of both the Enterprise Admins group and the Domain Admins group to configure an Enterprise Certificate Authority.

  6. Select Root CA and click Next.

  7. Select Create a new private key and click Next.

  8. Accept the defaults for the cryptographic provider, key length, and hash algorithm. Click Next.

  9. Enter a name for the Certificate Authority or accept the defaults, and click Next.

    After the Certificate Authority is configured, you will not be able to change the name.

  10. Specify the validity period of the certificate and click Next.

  11. Accept the default location for the certificate database and click Next.

  12. Review your CA configuration and click Configure.

  13. Click Close when the confirmation message appears, and restart the server to retrieve a certificate from the CA.
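
The two wizard procedures above can also be scripted. The following PowerShell is an added example, not part of the original guide or Delinea's own tooling; it checks the prerequisites listed earlier and then runs the Windows Server ServerManager and ADCSDeployment cmdlets. The CA name and validity period are placeholder values chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): scripted equivalent of the two
# wizard procedures, for Windows Server 2012 R2 or later.
$ErrorActionPreference = 'Stop'

# Assumptions: placeholder CA name and constructed validity period; change both.
$caName        = 'EXAMPLE-ROOT-CA'   # cannot be changed after configuration
$validityYears = 5

# Prerequisite: the computer must be joined to the Active Directory domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'Computer is not joined to a domain.' }

# DomainRole 4 or 5 means domain controller, which the guide advises against
# for a CA in a live production environment.
if ($cs.DomainRole -ge 4) { Write-Warning 'This computer is a domain controller.' }

# Prerequisite: the account must be in both Domain Admins (RID 512) and
# Enterprise Admins (RID 519). RIDs are used so localized group names still match.
$sids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value
foreach ($rid in 512, 519) {
    if (-not ($sids -match ('^S-1-5-21-.+-{0}$' -f $rid))) {
        throw "Current token does not contain the group with RID $rid."
    }
}

# Procedure 1: add the AD CS role (Certification Authority role service) and IIS.
$result = Install-WindowsFeature -Name ADCS-Cert-Authority, Web-Server -IncludeManagementTools
if (-not $result.Success) { throw 'Role installation failed.' }

# Procedure 2: Enterprise CA, Root CA, new private key. Leaving out the
# provider, key length, hash and database parameters accepts the defaults,
# as in steps 8 and 11. -Confirm prompts before the configuration is applied.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
    -CACommonName $caName `
    -ValidityPeriod Years -ValidityPeriodUnits $validityYears `
    -Confirm

# Check that the CA service is present, then restart the server as in step 13.
Get-Service -Name CertSvc | Format-List Name, Status, StartType
```

Run the script from an elevated PowerShell session on the intended CA server; the restart in step 13 is left as a manual action.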
