Installing Active Directory Certificate Services

The Active Directory Certificate Services role lets you install a certificate authority (CA) in your Active Directory environment, which allows you to issue self-signed certificates for a variety of purposes and uses.  We will step through this process on a Windows 2008 R2 server and show how easily the role can be added to a server in your environment.

  • First, launch Server Manager, choose Roles and then “Add Roles.”
  • Select the Active Directory Certificate Services role.


We are choosing the “Certification Authority” as well as “Certification Authority Web Enrollment”

Since we are using a domain controller which is running Active Directory, we are choosing the “Enterprise” option



In the example we are installing the first CA in our environment so we are choosing “Root CA”



In the wizard, the next step is to “Create a new private key” or “use existing private key”…




Configure Cryptography for the CA including “Key character length” and “Hash algorithm for signing certificates.”



The Name of the CA is chosen including the “Common name” and the “Distinguished Name.”



You are asked to choose the “Validity Period” of the CA



The Default location of the Certificate Database and the Certificate Database Logs are chosen:



Since we installed the Web Enrollment option, we are asked here to configure IIS



Role Services to be included in the IIS installation are configured:



We are asked to “Confirm Installation Selections”



The installation process begins:



The installation finishes with any errors/successes listed:
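
Once the wizard has finished, the choices made in the cryptography, CA name and validity period steps can be read back from the server and checked. The script below is an added example, not part of the original walkthrough; the function name and the 2048-bit and MD5/SHA1 thresholds are assumptions of this example, and it assumes an RSA CA key.

```powershell
# Added example: read back what the AD CS wizard configured and flag weak choices.
# Run from an elevated PowerShell prompt on the CA server (PowerShell 2.0 compatible).
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaCryptoReport {   # hypothetical helper name
    # 'Active' holds the configuration name of the CA installed on this server.
    $active = (Get-ItemProperty -Path $cfgRoot).Active
    $ca     = Get-ItemProperty -Path (Join-Path $cfgRoot $active)
    $csp    = Get-ItemProperty -Path (Join-Path $cfgRoot "$active\CSP")

    # Find the CA certificate in the machine store by the common name typed into the wizard.
    $wanted = 'CN=' + $ca.CommonName
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $wanted -or $_.Subject.StartsWith($wanted + ',') } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject $wanted in LocalMachine\My" }

    $sigAlg  = $cert.SignatureAlgorithm.FriendlyName   # hash + key type used on the CA certificate
    $keyBits = $cert.PublicKey.Key.KeySize             # assumes an RSA key

    # Thresholds are this example's assumptions, not values from the walkthrough.
    $findings = @()
    if ($keyBits -lt 2048) {
        $findings += "key length $keyBits is below 2048 bits"
    }
    if ($sigAlg -match 'md5|sha1') {
        $findings += "CA certificate is signed with $sigAlg"
    }
    # CNGHashAlgorithm is only present when a CNG key storage provider was selected.
    if ($csp.CNGHashAlgorithm -match '^(MD5|SHA1)$') {
        $findings += "issued certificates will be signed with $($csp.CNGHashAlgorithm)"
    }

    New-Object PSObject -Property @{
        CommonName     = $ca.CommonName
        Subject        = $cert.Subject
        IsSelfSigned   = ($cert.Subject -eq $cert.Issuer)   # expected to be True for a root CA
        KeyBits        = $keyBits
        SignatureAlg   = $sigAlg
        IssuingHashAlg = $csp.CNGHashAlgorithm
        ValidUntil     = $cert.NotAfter
        Findings       = $findings
    }
}

Get-CaCryptoReport | Format-List
```

An empty Findings list means none of the example's thresholds were tripped; ValidUntil reflects the validity period chosen for the CA certificate.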



Final Thoughts

Installing the Active Directory Certificate Services role on a server is not difficult; a straightforward wizard guides you through the process.  However, plan ahead before running the wizard, as you need to think about important aspects of the CA including the name, the server it is going on, the validity period, and the features that need to be installed.  Having thought through all of these things beforehand makes the install much easier and avoids unwanted headaches in the future.

  • Also consider that if you install the role on a domain controller, you will not be able to rename the server with the certificate services role installed.



Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.
