Active Directory Certificate Services Role allows you to install a certificate authority in your Active Directory environment which allows you to issue self signed certificates for a variety of purposes and uses. We want to step through this process on a Windows 2008 R2 server and show how easily the role can be added to a server in your environment.
- First of all you need to launch Server Manager and Choose Roles and “Add Roles.”
- Select the Active Directory Certificate Services Role
In the example we are installing the first CA in our environment so we are choosing “Root CA”
In the wizard, the next step is to “Create a new private key” or “use existing private key”…
Configure Cryptography for the CA including “Key character length” and “Hash algorithm for signing certificates.”
The Name of the CA is chosen including the “Common name” and the “Distinguished Name.”
You are asked to choose the “Validity Period” of the CA
The Default location of the Certificate Database and the Certificate Database Logs are chosen:
Since we installed the Web Enrollment option, we are asked here to configure IIS
Role Services to be included in the IIS installation are configured:
We are asked to “Confirm Installation Selections”
The installation process begins:
The installation finishes with any errors/successes listed:
Installing the Active Directory Certificate Services Role on a server is not difficult at all and is a rather straight forward wizard that guides you through the process. However, use forethought and plan ahead before running the wizard as you need to think about really important aspects of the CA including the name, server it is going on, validity period, and features that need to be installed. Having thought through all of these things beforehand makes the install much easier and doesn’t cause unwanted headaches in the future.
- Also of consideration is the fact that if you install the role on a domain controller, you will not be able to rename the server with the certificate services role installed.