Add the required server roles to make the computer a Certificate Authority

After you have verified that you have an appropriate account and computer configuration, you can use Server Manager to add the appropriate server roles.

To install IIS and Certificate Services on a Windows Server

  1. Open the Server Manager Dashboard and click Add Roles and Features.

    Click Next.

  2. For Installation Type, select Role-based or feature-based installation, then click Next.

  3. Ensure that Select a server from the server pool is selected and highlight the server on which you would like to install roles and features. Click Next.

  4. Select Active Directory Certificate Services, then click Add Required Features in the pop-up window.

    Click Next.

  5. Click Next to accept the default selections for Select Features.

  6. Click Next on the notification that you will be unable to change the domain settings after installing Certificate Services.

  7. Select Certification Authority and click Next.

  8. Click Install.

After Windows restarts, you will see a new Role in Server Manager called AD CS. In the following procedure, you will configure this role to allow your server to act as a Certification Authority.

Configure the Certificate Authority

  1. Click the notification icon in the Server Manager command bar to open the Add Roles and Features Wizard.
  2. Click the link, Configure Active Directory Certificate Services on the destination server.
  3. In the AD CS configuration screen, verify that you are logged on as an administrator and click Next.
  4. Select Certification Authority and click Next.
  5. Select Enterprise CA and click Next.

    Note:   You must be a member of both the Enterprise Admins group and the Domain Admins group to configure an Enterprise Certificate Authority.

  6. Select Root CA and click Next.

  7. Select Create a new private key and click Next.

  8. Accept the defaults for the cryptographic provider, key length, and hash algorithm. Click Next.

  9. Enter a name for the Certificate Authority or accept the defaults, and click Next.

    Note:   After the Certificate Authority is configured, you will not be able to change the name.

  10. Specify the validity period of the certificate, then click Next.

  11. Accept the default location for the certificate database and click Next.

  12. Review your CA configuration and click Configure.

  13. Click Close when the confirmation message appears, and restart the server to retrieve a certificate from the CA.
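
The two wizard procedures above can also be scripted, which leaves a reviewable record of the provider, key length, hash algorithm and validity period instead of unrecorded wizard defaults. The following is an added example, not part of the original page; the CA name, key length, hash algorithm and validity period are constructed placeholder values, and the script assumes an elevated session on a domain-joined server.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the two wizard procedures.
# Every value in $ca is a constructed placeholder; adjust before use.
$ErrorActionPreference = 'Stop'

# The Note under step 5 requires Enterprise Admins and Domain Admins membership.
# Their well-known RIDs are 519 and 512; check the current token for both.
$sids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value
foreach ($rid in 512, 519) {
    if (-not ($sids -match "^S-1-5-21-.*-$rid$")) {
        throw "Current token has no group with RID $rid; Enterprise CA setup will fail."
    }
}

# Procedure 1: add the AD CS role with the Certification Authority role service.
$feature = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $feature.Success) { throw 'AD CS role installation failed.' }
if ($feature.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server, then re-run this script to configure the CA.'
    return
}

# Procedure 2: Enterprise Root CA with a new private key.
# Omitting -DatabaseDirectory keeps the default database location (step 11).
$ca = @{
    CAType              = 'EnterpriseRootCa'
    CACommonName        = 'Example-Root-CA'   # placeholder; cannot be changed later
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096                # assumption, stated explicitly
    HashAlgorithmName   = 'SHA256'            # assumption, stated explicitly
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10                  # assumption
}
Install-AdcsCertificationAuthority @ca -Force

# Confirm the CA service is running and answering requests.
Get-Service -Name CertSvc | Select-Object Name, Status
certutil -ping
```

Keep the script and its output with the CA build records; the CA name and key parameters chosen here are fixed once configuration completes.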