Active Directory Certificate Services Installation.
In this tutorial, we will deploy a simple installation of Active Directory Certificate Services (ADCS) and configure it as a standalone CA.
Our first step is to open Server Manager, use the add / remove roles option, and start the installation process. In the “Roles” section, select Active Directory Certificate Services.
Then we need to choose which role service we want for this ADCS server. We have several options, but for this tutorial we will select Certification Authority. Then click “Next” and “Install”.
After the installation is complete, we click the “Configure Active Directory Certificate Services on Target Server” hyperlink inside the completion window.
Now that we have the binaries for the ADCS service installed, let’s configure it exactly as we need it.
The first prompt lets us enter the credentials that will be used for the configuration. Keep in mind that if we supply a domain admin user that is not part of the Enterprise Admins group, then we can only install a stand-alone CA that is independent of AD.
If we want to set up an enterprise CA, we must supply the credentials of a user who is part of the Enterprise Admins group.
Since we only installed the Certification Authority role service, all other options on the next screen will be grayed out. We’ll look at the other options in another tutorial. For now, we leave the default Certification Authority selected and click Next.
In the next prompt, we choose the setup type: either an enterprise CA or a stand-alone CA. The difference between the two is that the enterprise CA relies heavily on AD, enables automatic certificate deployment, runs at the forest level, and more.
A stand-alone CA is AD independent, can be installed in a workgroup environment, and does not require actual network connectivity because certificates are issued manually. For a small environment with several servers and workstations, I recommend a standalone CA because the setup overhead is much less.
Then we choose whether we want a root CA or a subordinate CA. Since this is the first ADCS server in our environment, we will choose Root CA.
We leave the default values for the following steps. We create a new private key and keep the default RSA algorithm, CA name, validity period, and database location. Of course, in a larger environment where we have strict rules that we must follow, we would customize them. But for the purposes of this tutorial, we’ll leave them at the default.
Also, keep in mind that the validity period of the CA certificate must be longer than the maximum validity period that you plan to give your client certificates; a certificate issued by the CA cannot be trusted past the CA's own expiration. Personally, I usually put 10 years instead of the default 5, but that’s your choice.
Once we are past the configuration prompts, we’ll finally get to our confirmation page. Make sure everything is in order and then click the “Configure” button.
Once the installation is complete, we can log into the CA administration console and start issuing certificates.
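The same installation can be scripted, which makes the CA settings reviewable and repeatable. The PowerShell below is an added example, not part of the original tutorial: it mirrors the wizard steps above for a standalone root CA, runs with the current session's credentials, and then verifies the result. The 10-year CA lifetime follows the preference stated above; the 2-year client certificate lifetime is a hypothetical value to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the wizard steps (not the author's code).
$ErrorActionPreference = 'Stop'

# Assumptions, adjust to your environment.
$CaValidityYears      = 10   # tutorial's stated preference; the wizard default is 5
$MaxLeafValidityYears = 2    # hypothetical longest client certificate lifetime

# The CA certificate must outlive every certificate it issues.
if ($CaValidityYears -le $MaxLeafValidityYears) {
    throw "CA validity ($CaValidityYears y) must exceed the longest client certificate validity ($MaxLeafValidityYears y)."
}

# Step 1: install the role binaries (Certification Authority role service only).
$feature = Get-WindowsFeature -Name ADCS-Cert-Authority
if (-not $feature.Installed) {
    Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null
}

# Step 2: configure a standalone root CA with a new private key.
# Provider, key length, hash, CA name and database path stay at the cmdlet defaults.
$caParams = @{
    CAType              = 'StandaloneRootCA'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = $CaValidityYears
}
Install-AdcsCertificationAuthority @caParams -WhatIf   # dry run: shows what would be configured
Install-AdcsCertificationAuthority @caParams -Force    # actual configuration, no confirmation prompt

# Step 3: verify the CA service is running and answers requests.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') { throw "CertSvc is $($svc.Status), expected Running." }
certutil -ping
if ($LASTEXITCODE -ne 0) { throw 'CA did not respond to certutil -ping.' }

# Step 4: show the lifetime the CA applies to the certificates it issues,
# so it can be compared with the CA's own validity period.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
```

On a standalone CA the lifetime of issued certificates comes from these two registry values rather than from templates, so they are the ones to compare against the CA certificate's validity period.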
Thanks for taking the time to read this tutorial and there will be many more ADCS related posts. Enjoy!