Prajwal Desai

SCCM | ConfigMgr | Intune | Windows 11 | Azure


Install Enterprise Root Certificate Authority

By Prajwal Desai, January 23, 2021

In this post I will show you how to install an Enterprise root certificate authority (root CA) in your lab setup. I will be installing the root CA on Windows Server 2019.

This guide is part of my PKI certificates for SCCM post. Deploying a PKI is not a simple task, so read those posts carefully if you have not done this before. I had published almost all the required PKI guides for SCCM; however, the guide to installing an Enterprise root certificate authority was missing.

Installing an Enterprise root certificate authority isn't something you'll do on a regular basis. That's because once you properly set up a root CA for your organization, you will not need to set it up again.

By definition, a certification authority (CA) is responsible for attesting to the identity of users, computers, and organizations. The root CA authenticates an entity and vouches for that identity by issuing a digitally signed certificate. The CA can also manage, revoke, and renew certificates.


Membership in both the Enterprise Admins group and the root domain's Domain Admins group is the minimum required to complete this procedure. Let's look at the steps to install an Enterprise root certificate authority.

Table of Contents

  • Install Enterprise Root Certificate Authority
  • Install Active Directory Certificate Services
  • Configure Active Directory Certificate Services

Install Enterprise Root Certificate Authority

I will be installing the Enterprise root certificate authority on a virtual machine running Windows Server 2019. The VM has the latest Windows updates installed and has been assigned a static IP address.

Install Active Directory Certificate Services

Begin installing Active Directory Certificate Services (AD CS) using the steps below.

  • On your Windows Server 2019, launch Server Manager.
  • At the top right, click Manage > Add Roles and Features.
  • Using the Add Roles and Features wizard, install Active Directory Certificate Services.
  • On the Before you begin window, click Next.
Server Manager – Add Roles and Features Wizard

Select Role-based or feature-based installation. Click Next.

Select Role Based or Feature Based Installation

On the Server Selection page, ensure the selected server is the correct one. Click Next.

Select Certificate Authority Destination Server

On the Server roles page, select Active Directory Certificate Services. Click Next.

Install Active Directory Certificate Services

Click Next on the Select Features page.

Install Active Directory Certificate Services

You are about to install Active Directory Certificate Services, click Next.

Install AD CS

For AD CS, select Certification Authority as the role service. Click Next.

Select Certification Authority

Configure Active Directory Certificate Services

The steps below show you how to configure Active Directory Certificate Services. Click Configure Active Directory Certificate Services on the destination server.

Configure Active Directory Certificate Services

Specify the credentials to configure the AD CS. Click Next.

Specify Credentials to configure AD CS

On the Role Services page, ensure Certification Authority is selected. Click Next.

Role Services – Certification Authority

Select the Certification Authority type as Enterprise CA. Click Next.

Setup Type – Enterprise CA

For CA type, select Root CA and click Next.

CA Type – Root CA

On the Private key window, select Create a new private key. Click Next.

Create new private key

For Cryptography, leave the settings at their defaults and click Next.

Specify Cryptographic Options

The next page shows your CA name and distinguished name suffix. Verify them and click Next.

Verify Certification Authority Name

You can change the validity period of the certificate to more than 5 years. I will leave it at the default and click Next.

Specify Certificate Validity Period

On the Certificate database window, you can specify the certificate database location and the certificate database log location. I will leave these at the defaults. Click Next.

Certificate Database Locations

Verify the settings on the Confirmation page and click Configure.

Configure AD CS

The certificate authority configuration succeeded. Click Close.

Configure Active Directory Certificate Services

Finally, close the Add Roles and Features wizard.
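The same installation and configuration can be scripted. The following is an added example, not part of the original walkthrough: it checks the group membership requirement, installs the role, configures an Enterprise root CA with the choices made above, and verifies the result. The crypto provider, key length and hash algorithm are assumptions set explicitly here, since the article only says to keep the wizard defaults; the CA name, distinguished name suffix and database paths are omitted so the defaults apply.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the wizard steps above (lab use).
# Run on the domain-joined Windows Server 2019 VM that will host the CA.

# 1. Pre-check: the procedure needs Enterprise Admins plus Domain Admins of the
#    root domain. Well-known RIDs: 519 = Enterprise Admins, 512 = Domain Admins.
#    In a single-domain lab the only domain is the forest root domain.
$sids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value
foreach ($rid in 519, 512) {
    $pattern = '^S-1-5-21-.+-{0}$' -f $rid
    if (-not ($sids -match $pattern)) {
        throw "Current token lacks the group with RID $rid; sign in with a suitable account."
    }
}

# 2. Install the AD CS role with the Certification Authority role service
#    and the management tools (Add Roles and Features wizard).
$feature = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $feature.Success) { throw 'AD CS role installation failed.' }

# 3. Configure the role (AD CS Configuration wizard).
$caConfig = @{
    CAType              = 'EnterpriseRootCA'   # Enterprise CA + Root CA
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5                    # the 5 years the article leaves unchanged
    # Assumed values, stated explicitly rather than relying on defaults:
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
}
# No CertFile or KeyContainerName is passed, so a new private key is created.
Install-AdcsCertificationAuthority @caConfig -WhatIf   # dry run: shows what would change
Install-AdcsCertificationAuthority @caConfig -Force    # apply without the confirmation prompt

# 4. Verify: the CA service must be running and report the expected name and type.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') { throw "CertSvc is $($svc.Status), expected Running." }
certutil -CAInfo name
certutil -CAInfo type
```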


2 Comments

  • Ian Bennett says:
    May 2, 2022 at 4:40 am

    How do you renew the existing offline root CA certificate and give it a new end year of say 20 years for the lab?

  • danish says:
    May 25, 2021 at 11:24 am

    excellent
