Implementing Active Directory Certificate Services (AD CS) on Windows Server

Setting Up a Windows Certificate Authority

Complete Installation Guide

Understanding Windows Certificate Services

Active Directory Certificate Services (AD CS) is Microsoft’s public key infrastructure (PKI) implementation. Unlike third-party CAs, AD CS integrates deeply with Active Directory, Group Policy, and other Windows services, enabling automated certificate enrollment, renewal, and revocation across your entire domain.

Think of it as your organization’s digital notary service. Once established, AD CS can automatically issue certificates to users, computers, and services based on templates you define, eliminating manual certificate requests for most scenarios.

Prerequisites and Planning

Proper planning prevents costly mistakes when deploying a CA. Once you issue certificates, changing fundamental CA settings requires starting over.

System Requirements

Your CA server should run Windows Server 2019 or later (2022 recommended for the latest security features).

For Enterprise CA (recommended for domain environments):

  • Windows Server 2019/2022 Standard or Datacenter
  • Member of an Active Directory domain
  • Minimum 4GB RAM (8GB recommended)
  • 60GB available disk space
  • Static IP address
  • Domain Admin rights for installation

For Standalone CA (for workgroup environments):

  • Windows Server 2019/2022 (any edition)
  • Can be workgroup or domain member
  • Minimum 2GB RAM
  • 40GB available disk space
  • Local Administrator rights

For production environments, Enterprise CA is recommended as it provides auto-enrollment, certificate templates, and seamless Active Directory integration.

Active Directory Considerations

If deploying an Enterprise CA, ensure your Active Directory forest functional level is Windows Server 2008 R2 or higher. Your schema should be up to date for advanced features.

The CA server should be a dedicated member server, not a domain controller. Installing AD CS on a domain controller creates security and maintenance complications.

Network and DNS Configuration

Verify your DNS is functioning correctly before installing AD CS. The CA must have a proper DNS record, and clients must be able to resolve it reliably.

Configure the server with a static IP address. Changing the IP address after installation breaks CDP and AIA URLs embedded in issued certificates.

Certificate Hierarchy Planning

Decide on your PKI hierarchy before installation:

Single-tier (all-in-one): One CA serves as both root and issuing CA. Simple to manage but exposes the root CA private key to the network.

Two-tier (recommended for production): An offline root CA issues a certificate to an online subordinate CA. More complex but significantly more secure.

Installation Process

Let’s proceed with installing and configuring your Windows Certificate Authority.

Installing the AD CS Role

Method 1: Using Server Manager (GUI)

  1. Open Server Manager on your Windows Server
  2. Click Manage → Add Roles and Features
  3. Click Next through the Before You Begin page
  4. Select Role-based or feature-based installation, click Next
  5. Select your destination server, click Next
  6. Check Active Directory Certificate Services, click Add Features when prompted
  7. Click Next through Features and AD CS introduction
  8. On Role Services, select Certification Authority (required)
  9. Click Next, then Install
  10. Wait for installation to complete

Method 2: Using PowerShell (faster for automation)

# Install AD CS role
Install-WindowsFeature -Name AD-Certificate, ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

The installation adds role binaries but doesn’t configure the CA. That’s the next crucial step.

Configuring the Certification Authority

After the role is installed, you must configure AD CS. This is where you make the critical decisions about your CA’s identity, so review each choice before clicking Configure.

Using Server Manager:

  1. In Server Manager, click the notification flag
  2. Click Configure Active Directory Certificate Services
  3. Ensure your account has Enterprise Admin privileges, click Next
  4. On Role Services page, select Certification Authority
  5. Click Next
  6. On Setup Type: Select Enterprise CA if domain-joined
  7. Click Next
  8. On CA Type: Select Root CA for single-tier
  9. Click Next
  10. On Private Key: Select Create a new private key
  11. Click Next
  12. On Cryptography: Set to RSA, Key Length 4096, Hash SHA256
  13. Click Next
  14. On CA Name: Enter descriptive name (e.g., ‘Contoso Root CA’)
  15. Click Next
  16. On Validity Period: Set appropriate period (Root: 10-20 years)
  17. Click Next
  18. Review database locations, Click Next
  19. Click Configure and wait for completion
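The same configuration as the Server Manager walkthrough, scripted in PowerShell. This is an added example, not code from the original guide; the CA name, the distinguished-name suffix and the database paths are assumptions.

```powershell
# Added example: configure the Enterprise Root CA with the same choices as the
# Server Manager walkthrough (RSA 4096, SHA256, 10-year root). Run elevated as
# an Enterprise Admin on the domain-joined server after Install-WindowsFeature.
# Assumed values: CA name, DN suffix and database paths; change them to suit.
$caParams = @{
    CAType                    = 'EnterpriseRootCA'
    CACommonName              = 'Contoso Root CA'
    CADistinguishedNameSuffix = 'DC=contoso,DC=com'
    CryptoProviderName        = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength                 = 4096
    HashAlgorithmName         = 'SHA256'
    ValidityPeriod            = 'Years'
    ValidityPeriodUnits       = 10
    DatabaseDirectory         = 'C:\Windows\System32\CertLog'
    LogDirectory              = 'C:\Windows\System32\CertLog'
    Force                     = $true
}
Install-AdcsCertificationAuthority @caParams

# The web enrollment role service (http://<server>/certsrv) was installed with
# the role binaries but needs its own configuration step
Install-AdcsWebEnrollment -Force

# Confirm the result: CA type and CNG hash algorithm from the registry, then a ping
certutil -getreg CA\CAType
certutil -getreg CA\CSP\CNGHashAlgorithm
certutil -ping
```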

Post-Configuration Steps

  1. Configure CDP and AIA Extensions

These extensions tell clients where to find certificate revocation information.

In CA console: Right-click your CA name → Properties → Extensions tab

  • Remove any file:// paths
  • Ensure HTTP path exists for CRL distribution
  • Check: Include in CRLs
  • Check: Include in the CDP extension of issued certificates

  2. Configure CRL Publication Settings

# Base CRL validity in CRLPeriod units (the default unit is weeks; see CA\CRLPeriod)
certutil -setreg CA\CRLPeriodUnits 7
Restart-Service CertSvc

  3. Publish the Initial CRL

certutil -CRL

  4. Configure Certificate Templates

In CA console, expand your CA → Right-click Certificate Templates → Manage

  5. Configure Auto-Enrollment

Navigate to Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies
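The post-configuration steps above (CDP/AIA, CRL schedule, initial CRL, auto-enrollment) as one script. This is an added example, not from the original guide; it assumes an HTTP host pki.contoso.com that serves the CA's CertEnroll folder and invents the GPO name.

```powershell
# Added example: post-configuration steps 1, 2, 3 and 5 as a script (not from
# the original guide). Assumed values: pki.contoso.com must resolve and serve
# the CertEnroll folder over HTTP (the CA's Default Web Site does once web
# enrollment is configured), and the GPO name is invented here.
$httpBase = 'http://pki.contoso.com/CertEnroll'
$local    = '%WINDIR%\system32\CertSrv\CertEnroll'

# Step 1, CDP. Flags: 1 = publish CRLs here, 2 = include in the CDP extension
# of issued certificates, 4 = include in CRLs (delta CRL location); 6 = 2+4.
# The local path is publish-only, so no file:// URL ends up in certificates.
# Tokens: %3 = CA name, %8 = CRL name suffix, %9 = delta suffix.
certutil -setreg CA\CRLPublicationURLs "1:$local\%3%8%9.crl\n6:$httpBase/%3%8%9.crl"

# Step 1, AIA. Flags: 1 = publish the CA certificate here, 2 = include in
# the AIA extension of issued certificates. %1 = server DNS name, %4 = renewal suffix.
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:$httpBase/%1_%3%4.crt"

# Delta CRL file names contain '+', which IIS request filtering rejects unless
# double escaping is allowed (WebAdministration module)
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter '/system.webServer/security/requestFiltering' -Name allowDoubleEscaping -Value $true

# Step 2, CRL schedule: 7-day base CRL with a 2-day overlap so a missed
# publication does not leave clients holding an expired CRL; daily delta CRL.
certutil -setreg CA\CRLPeriodUnits 7
certutil -setreg CA\CRLPeriod 'Days'
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod 'Days'
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'
Restart-Service CertSvc

# Step 3: publish the first CRL, then fetch it through the HTTP CDP to prove
# the URL that clients will receive actually works
certutil -CRL
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$crl = Invoke-WebRequest -Uri "$httpBase/$caName.crl" -UseBasicParsing
"Base CRL fetched: $($crl.RawContentLength) bytes"

# Step 5: computer auto-enrollment via Group Policy. AEPolicy 7 = enroll,
# renew expired/update pending/remove revoked, update template-based certs.
New-GPO -Name 'PKI Autoenrollment' | New-GPLink -Target 'DC=contoso,DC=com' | Out-Null
Set-GPRegistryValue -Name 'PKI Autoenrollment' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
gpupdate /force
certutil -pulse    # trigger auto-enrollment now instead of waiting for the timer
```

Step 4 (template management) is left to the console because which templates to publish depends on your environment; the LDAP CDP/AIA entries an Enterprise CA adds by default are unaffected by the HTTP entries set here.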

Post-Installation Testing

Thorough testing confirms your CA is functioning correctly and can issue valid certificates.

Verify CA Service Status

Get-Service CertSvc
certutil -ping

You should see ‘Server ping successful’ output.

Test Certificate via Web Enrollment

Navigate to: http://yourserver.domain.com/certsrv

  1. Authenticate with domain credentials
  2. Click ‘Request a certificate’
  3. Click ‘advanced certificate request’
  4. Click ‘Create and submit a request to this CA’
  5. Fill in details (Name, Email, Certificate Type)
  6. Set Key Size to 2048 or higher
  7. Click Submit, then Install this certificate
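A scripted version of the post-installation test that goes one step further than the web enrollment walkthrough: it enrolls a certificate and then checks that the CDP and AIA URLs inside it can actually be fetched. This is an added example, not from the original guide; it assumes the built-in Machine template is published on the CA and runs elevated on the CA server.

```powershell
# Added example (not from the original guide): end-to-end check that the CA
# issues a certificate whose CDP and AIA URLs resolve. Run elevated on the
# CA server; assumes the built-in 'Machine' template is published on the CA
# and that Domain Computers have Enroll permission on it.
$svc = Get-Service CertSvc
if ($svc.Status -ne 'Running') { throw "CertSvc is $($svc.Status)" }
certutil -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -ping failed: CA not answering' }

# Enroll for a computer certificate from the enterprise CA (PKIClient module)
$result = Get-Certificate -Template 'Machine' -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment ended with status $($result.Status)" }
$cert = $result.Certificate
"Issued: $($cert.Subject) by $($cert.Issuer), serial $($cert.SerialNumber)"

# Let certutil download every CDP and AIA URL embedded in the chain; a
# broken URL shows up here long before clients start failing revocation checks
$path = Join-Path $env:TEMP 'issued.cer'
Export-Certificate -Cert $cert -FilePath $path -Force | Out-Null
certutil -verify -urlfetch $path | Select-String 'Verified|Failed|ERROR|revocation'

# Enterprise CA certificates must also be in the NTAuth store for
# certificate-based domain logon to trust them
certutil -enterprise -store NTAuth | Select-String 'Subject:|CertUtil:'
```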

Operational Considerations

Your CA is now functional, but ongoing management ensures security and reliability.

Regular Backups

The CA database contains all issued certificates and the CA private key—critical data requiring protection.

certutil -backupDB "D:\CABackup"
certutil -backupKey "D:\CABackup\PrivateKey"

Best practices:

  • Back up daily or after significant changes
  • Store backups on separate media/location
  • Test restoration procedures quarterly
  • Keep CA private key backup in physically secure location
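A dated backup that covers the database, the private key and the CA's registry configuration, which the two certutil commands above do not save. This is an added example, not from the original guide; the target folder D:\CABackup and the 30-day retention are assumptions.

```powershell
# Added example: dated backup of the CA database, private key and registry
# configuration. The two certutil commands above do not save the registry
# settings (CDP/AIA URLs, CRL periods, audit filter), which a rebuild also
# needs. Assumed target D:\CABackup; run elevated as a CA backup operator.
$root = 'D:\CABackup'
$dest = Join-Path $root (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Database plus ESE logs, and the CA certificate with its private key as a
# password-protected PFX (ADCSAdministration module; same data as
# certutil -backupDB / -backupKey)
$pfxPassword = Read-Host -AsSecureString 'Password to protect the CA key backup'
Backup-CARoleService -Path $dest -Password $pfxPassword -KeepLog

# Registry configuration of the CA, including all subkeys
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $dest 'CertSvc-Configuration.reg') /y | Out-Null

# Fail loudly if a component is missing rather than discovering it at restore time
$edb = Get-ChildItem -Path $dest -Recurse -Filter '*.edb'
$p12 = Get-ChildItem -Path $dest -Recurse -Filter '*.p12'
$reg = Get-ChildItem -Path $dest -Filter '*.reg'
if (-not ($edb -and $p12 -and $reg)) { throw "Incomplete backup in $dest" }

# Retention for the online copy only (30 days); the PFX also goes to offline,
# physically secured media as the guide recommends
Get-ChildItem -Path $root -Directory |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) } |
    Remove-Item -Recurse -Force
"Backup complete: $dest"
```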

Monitor CA Health

# LogLevel 5 is the most verbose setting; lower it again once troubleshooting is done
certutil -setreg CA\LogLevel 5
Restart-Service CertSvc

Review logs in Event Viewer → Applications and Services Logs → Microsoft → Windows → CertificationAuthority

Security Hardening

Implement these measures:

  • Restrict CA administrative access to essential personnel
  • Use dedicated admin accounts (not everyday accounts)
  • Enable multi-factor authentication for admin accounts
  • Apply latest security updates regularly
  • Enable object access auditing
  • Implement role separation (Administrators, Managers, Auditors)
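The auditing and role separation items from the list above as concrete CA settings, with the Security log events they produce. This is an added example, not from the original guide.

```powershell
# Added example (not from the original guide): enable CA auditing and enforce
# role separation, then list the audit events this produces. Run elevated on
# the CA.

# 1. Audit filter 127 = all seven CA audit categories (start/stop, backup/
#    restore, issue/manage requests, revoke/publish CRL, change configuration,
#    change security settings, archived keys)
certutil -setreg CA\AuditFilter 127

# 2. The CA only emits those events when the OS audit policy allows the
#    Certification Services subcategory
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 3. Role separation: once enforced, any account holding two CA roles (CA
#    Administrator, Certificate Manager, Auditor, Backup Operator) is denied
#    all CA tasks. Local Administrators hold the auditor and backup privileges,
#    so CA Administrators and Certificate Managers must be separate, non-admin
#    groups. Assign those roles first or you lock yourself out.
certutil -setreg CA\RoleSeparationEnabled 1
Restart-Service CertSvc

# 4. Confirm the settings and show what the audit trail now records:
#    4882 security permissions changed, 4885 audit filter changed,
#    4887 certificate issued, 4888 request denied, 4891/4892 configuration
#    changed, 4897 role separation enabled
certutil -getreg CA\AuditFilter
certutil -getreg CA\RoleSeparationEnabled
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4882,4885,4887,4888,4891,4892,4897 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```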

Quick Reference Commands

Check CA health:

certutil -ping

Publish new CRL:

certutil -CRL

Back up CA:

certutil -backupDB "D:\Backup"

View issued certificates:

certutil -view

Revoke certificate:

certutil -revoke <SerialNumber>

Restart CA service:

Restart-Service CertSvc

Force Group Policy update:

gpupdate /force

Trigger auto-enrollment:

certreq -enroll -machine -q Machine

Conclusion

You now have a fully functional Windows Certificate Authority capable of issuing and managing certificates throughout your enterprise. AD CS integration with Active Directory provides powerful automation capabilities that simplify certificate management at scale.

Remember that PKI security depends on protecting your CA’s private key and maintaining proper operational procedures. Regular backups, monitoring, and security audits ensure your CA remains a trusted foundation for your organization’s security infrastructure.

Explore advanced topics like Network Device Enrollment Service (NDES) for mobile devices, Online Responder for OCSP, or integrating certificate-based authentication with applications and services.
