Install Enterprise Root Certificate Authority

Prajwal Desai
Posted by Prajwal Desai

In this post I will show you how to install Enterprise root certificate authority (root CA) in your lab setup. I will be installing the Root CA on a Windows Server 2019 OS.

This guide will be part of my PKI certificates for SCCM post. Deploying a PKI is not a simple task, so read those posts carefully if you’ve not done this before. I had published almost all the required PKI guides for SCCM however install Enterprise root certificate authority guide was missing.

When you plan to install Enterprise Root Certificate Authority, it isn’t something you’ll do on a regular basis. That’s because once you properly set up a root CA for organization, you will not need to set it up again.

By definition, a certification authority (CA) is responsible for attesting to the identity of users, computers, and organizations. The root CA authenticates an entity and vouches for that identity by issuing a digitally signed certificate. The CA can also manage, revoke, and renew certificates.

Membership in both the Enterprise Admins and the root domain’s Domain Admins group is the minimum required to complete this procedure. Let’s look at the steps to install Enterprise root certificate authority.

Install Enterprise Root Certificate Authority

I will be installing Enterprise Root Certificate Authority on a virtual machine running Windows Server 2019. The VM is installed with latest windows updates and has been assigned with a static IP address.

Install Active Directory Certificate Services

Begin installing Active Directory Certificate Services (AD CS) using the below steps.

  • On your Windows Server 2019, launch Server Manager.
  • On top right, click Manage > Add Roles and Features.
  • Using the Add Roles and Features wizard, install Active Directory Certificate Services.
  • On Before you begin window, click Next.
Server Manager - Add Roles and Features Wizard
Server Manager – Add Roles and Features Wizard

Select Role-based or feature-based installation. Click Next.

Select Role Based or Feature Based Installation
Select Role Based or Feature Based Installation

On the Server Selection page, ensure the selected server is correct one. Click Next.

Select Certificate Authority Destination Server
Select Certificate Authority Destination Server

On the Server roles page, select Active Directory Certificate Services. Click Next.

Install Active Directory Certificate Services
Install Active Directory Certificate Services

Click Next on the Select Features page.

Install Active Directory Certificate Services

You are about to install Active Directory Certificate Services, click Next.

Install AD CS
Install AD CS

From the AD CS, select the Certification Authority as Role Service. Click Next.

Select Certification Authority
Select Certification Authority

Configure Active Directory Certificate Services

The below steps shows you how to configure Active Directory Certificate Services. Click Configure Active Directory Certificate Services on the destination server.

Configure Active Directory Certificate Services
Configure Active Directory Certificate Services

Specify the credentials to configure the AD CS. Click Next.

Specify Credentials to configure AD CS
Specify Credentials to configure AD CS

On the Role Services page, ensure Certification Authority is selected. Click Next.

Role Services - Certification Authority
Role Services – Certification Authority

Select the Certification Authority type as Enterprise CA. Click Next.

Setup Type - Enterprise CA
Setup Type – Enterprise CA

For CA type, select Root CA and click Next.

CA Type - Root CA
CA Type – Root CA

On the Private key window, select Create a new private key. Click Next.

Create new private key
Create new private key

For Cryptography, leave the settings to default and click Next.

Specify Cryptographic Options
Specify Cryptographic Options

That’s your CA name and distinguished name suffix. Click Next.

Verify Certification Authority Name
Verify Certification Authority Name

You can change the validity period of the cert to more than 5 years. I will leave it to default and click Next.

Specify Certificate Validity Period
Specify Certificate Validity Period

On the Certificate database window, you can specify the certificate database location and certificate database log location. I will leave this to default. Click Next.

Certificate Database Locations
Certificate Database Locations

Verify the settings on Confirmation page and click Configure.

Configure AD CS
Configure AD CS

The certificate authority configuration succeeded. Click Close.

Configure Active Directory Certificate Services
Configure Active Directory Certificate Services

Finally close the Add Roles and Features wizard.

Install Enterprise Root Certificate Authority Snap20
Share This Article
Prajwal Desai
Posted by Prajwal Desai
Follow:
Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.
2 Comments