Here I’m going to share the steps to configure a Certificate Authority in your environment on a Windows-based server. Most companies use Active Directory Certificate Services (AD CS) as their root Certificate Authority.
This root CA can be a stand-alone CA or an Enterprise CA. In my case I don’t have another CA, and I’m installing this as an Enterprise CA on Windows Server 2008 R2.
Log in to your server, open Server Manager, add a new role by clicking the “Add Roles” option, and click “Next” on the second step.
Select “Active Directory Certificate Services” and click “Next” to continue.
In the AD CS installation window you can see the introduction and the important notice. Please note that you cannot change the computer name after installing the CA role on the server; if you are planning to do so, make all the changes before you install the service. Also, if you are planning to install additional services such as AD DS or any other service on this server, install all of these services before you install the CA.
Click “Next” to move forward.
In Role Services, select the required services. Here I’m installing only the “CA” first, and I will show later how to add another role service after installing the CA. If you need “Certification Authority Web Enrollment”, select that option at the same time. Once you have selected the role services, click “Next” to continue.
Select the CA type. The options are self-explanatory. In my case I don’t have an Enterprise CA and I’m installing the first CA, which is my “Enterprise” CA. Select the option and click “Next” to continue.
At the next step, select the “Private Key” option: whether you are going to create a new key or use an existing one. The options are self-explanatory. Select the option and click “Next” to continue.
Select the cryptography and the key character length. I’m leaving the default options, which is “Microsoft Software Key Storage Provider”. There is an option to select “Allow administrator interaction when the private key is accessed by the CA”. This option is for advanced administrative protection; if you enable it, it will prompt you to enter the administrator password.
In the next step the CA name is generated. I don’t recommend making any modification here. Click “Next” to continue.
Set the validity period in the next step. I leave the default options here.
Set the certificate database location in the next step. I’m leaving the default options.
You can see the confirmation of the details and the summary in the next window. Click “Install” to start the installation.
You can see the installation progress and the results in the next window. Close the window once the installation completes. That’s it.
Installing the Certification Authority Web Enrollment
As I mentioned earlier, you can do this step when you are installing the CA. I would like to show how you can install another service after installing the CA on the server.
Open Server Manager and expand the roles as shown in the screen capture below, select the service you want to install, and click the “Add Role Services” option to begin the installation.
Select the required services in the next window and click “Install” to start the installation. It will prompt you to add the required services as below.
This role will install an IIS web server and the other required components accordingly.
You can see the progress and the results as below.
So, this is my Root CA for my domain
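The wizard choices above (CA name, key length, validity period, key storage provider) can be confirmed from the command line once the installation finishes. The script below is an added example, not part of the original post; it assumes an elevated PowerShell session on the CA server itself, and the temporary file name is a made-up placeholder.

```powershell
# Added example: post-install check of the CA configured in the steps above.
# Run in an elevated PowerShell session on the CA server.

# 1. The AD CS service (CertSvc) must be running and answering requests.
$svc = Get-Service -Name CertSvc -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "CertSvc is $($svc.Status), expected Running"
}
certutil -ping | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "CA did not answer 'certutil -ping' (exit code $LASTEXITCODE)"
}

# 2. Export the CA's own certificate and load it for inspection.
$cerPath = Join-Path $env:TEMP 'ca-check.cer'   # hypothetical file name
certutil -f -ca.cert $cerPath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not export the CA certificate (exit code $LASTEXITCODE)"
}
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# 3. Read the key storage provider recorded for the active CA.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -LiteralPath $cfg).Active
$csp    = Get-ItemProperty -LiteralPath "$cfg\$caName\CSP"

# 4. Report the values to compare against what was chosen in the wizard.
New-Object PSObject -Property @{
    CAName        = $caName
    Subject       = $cert.Subject
    SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # expected True for a root CA
    KeyLengthBits = $cert.PublicKey.Key.KeySize
    SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
    ValidFrom     = $cert.NotBefore
    ValidUntil    = $cert.NotAfter
    KeyProvider   = $csp.Provider
} | Format-List

Remove-Item -LiteralPath $cerPath
```

Keeping the output with your build notes gives you a baseline to compare against if the CA configuration is questioned later.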