Windows Server

Install Enterprise Root Certificate Authority

In this post I will show you how to install Enterprise root certificate authority (root CA) in your lab setup. I will be installing the Root CA on a Windows Server 2019 OS.

This guide will be part of my PKI certificates for SCCM post. Deploying a PKI is not a simple task, so read those posts carefully if you’ve not done this before. I had published almost all the required PKI guides for SCCM however installing the Root CA guide was missing.

Setting up an Enterprise Root Certificate Authority isn’t something you’ll do on a regular basis. That’s because once you properly set up a root CA for organization, you will not need to set it up again.

By definition, a certification authority (CA) is responsible for attesting to the identity of users, computers, and organizations. The root CA authenticates an entity and vouches for that identity by issuing a digitally signed certificate. The CA can also manage, revoke, and renew certificates.

Membership in both the Enterprise Admins and the root domain’s Domain Admins group is the minimum required to complete this procedure.

Install Enterprise Root Certificate Authority

I will be installing the Enterprise Root Certificate Authority on a virtual machine running Windows Server 2019. The VM is installed with latest windows updates and has been assigned with a static IP address.

Install Active Directory Certificate Services

Begin installing Active Directory Certificate Services (AD CS) using the below steps.

  • On your Windows Server 2019, launch Server Manager.
  • On top right, click Manage > Add Roles and Features.
  • Using the Add Roles and Features wizard, install Active Directory Certificate Services.
  • On Before you begin window, click Next.
Server Manager - Add Roles and Features Wizard
Server Manager – Add Roles and Features Wizard

Select Role-based or feature-based installation. Click Next.

Select Role Based or Feature Based Installation
Select Role Based or Feature Based Installation

On the Server Selection page, ensure the selected server is correct one. Click Next.

Select Certificate Authority Destination Server
Select Certificate Authority Destination Server

On the Server roles page, select Active Directory Certificate Services. Click Next.

Install Active Directory Certificate Services
Install Active Directory Certificate Services

Click Next on the Select Features page.

Install Active Directory Certificate Services

You are about to install Active Directory Certificate Services, click Next.

Install AD CS
Install AD CS

From the AD CS, select the Certification Authority as Role Service. Click Next.

Select Certification Authority
Select Certification Authority

Configure Active Directory Certificate Services

The below steps shows you how to configure Active Directory Certificate Services. Click Configure Active Directory Certificate Services on the destination server.

Configure Active Directory Certificate Services
Configure Active Directory Certificate Services

Specify the credentials to configure the AD CS. Click Next.

Specify Credentials to configure AD CS
Specify Credentials to configure AD CS

On the Role Services page, ensure Certification Authority is selected. Click Next.

Role Services - Certification Authority
Role Services – Certification Authority

Select the Certification Authority type as Enterprise CA. Click Next.

Setup Type - Enterprise CA
Setup Type – Enterprise CA

For CA type, select Root CA and click Next.

CA Type - Root CA
CA Type – Root CA

On the Private key window, select Create a new private key. Click Next.

Create new private key
Create new private key

Leave the settings to default here and click Next.

Specify Cryptographic Options
Specify Cryptographic Options

Click Next.

Verify Certification Authority Name
Verify Certification Authority Name

You can change the validity period of the cert to more than 5 years. I will leave it to default and click Next.

Specify Certificate Validity Period
Specify Certificate Validity Period

Click Next.

Certificate Database Locations
Certificate Database Locations

Verify the settings on Confirmation page and click Configure.

Configure AD CS
Configure AD CS

The certificate authority configuration succeeded. Click Close.

Configure Active Directory Certificate Services
Configure Active Directory Certificate Services

Finally close the Add Roles and Features wizard.

Prajwal Desai

Hi, I am Prajwal Desai. For last few years I have been working on multiple technologies such as SCCM / Configuration Manager, Intune, Azure, Security etc. I created this site so that I can share valuable information with everyone.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button