Install Active Directory Certificate Services
Applies To: Windows Server 2012

To use certificates in a server isolation or domain isolation design, you must first set up the infrastructure to deploy the certificates. This is called a public key infrastructure (PKI). The services required for a PKI are available in Windows Server 2012 in the form of the Active Directory Certificate Services (AD CS) role.

Warning

Creation of a full PKI for an enterprise environment with all of the appropriate security considerations included in the design is beyond the scope of this guide. The following procedure shows you only the basics of installing an issuing certificate server; it is appropriate for a test lab environment only. For more information about deploying AD CS in a production environment, see Active Directory Certificate Services Overview in the Windows Server 2012 Technical Library (https://technet.microsoft.com/library/hh831740.aspx).

To perform this procedure, the computer on which you are installing AD CS must be joined to an Active Directory domain.

Administrative credentials

To complete this procedure, you must be a member of both the Domain Admins group in the root domain of your forest and the Enterprise Admins group.

To install AD CS

  1. Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group.

  2. Click Server Manager in the taskbar. The Server Manager console opens. Click Add roles and features.

  3. On the Before you begin page, click Next.

  4. On the Select installation type page, ensure Role-based or feature-based installation is selected and click Next.

  5. On the Select destination server page, ensure your server is selected and click Next.

  6. On the Select Server Roles page, select Active Directory Certificate Services, and then click Add Features and then click Next.

  7. On the Select features page, click Next.

  8. On the Active Directory Certificate Services page, click Next.

  9. On the Select role services page, ensure Certification Authority is selected and click Next.

  10. On the Confirm installation selections page, click Install.

    After installation completes, click Close.

  11. On the Server Manager Dashboard, click the Notifications flag icon and then click Configure Active Directory Certificate Services on the destination server.

  12. On the Credentials page, ensure the default user account is a member of both the local Administrators group and the Enterprise Admins group and then click Next.

  13. On the Role Services page, click Certification Authority, and click Next.

  14. On the Setup Type page, ensure Enterprise CA is selected, and click Next.

  15. On the CA Type page, ensure Root CA is selected, and then click Next.

  16. On the Private Key page, ensure Create a new private key is selected, and then click Next.

  17. On the Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and hash algorithm (sha1), and determine the best key length for your deployment. Longer keys provide stronger security, but they can affect server performance. It is recommended that you keep the default setting of 2048 or, if appropriate for your deployment, reduce the key length to 1024. Click Next.

  18. On the CA Name page, keep the suggested common name for the CA or change the name according to your requirements, and then click Next.

  19. On the Validity Period page, in Specify the validity period, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click Next.

  20. On the CA Database page, in Certificate database location and Certificate database log location, specify the folder location for these items. If you specify locations other than the default locations, make sure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files.

  21. Click Next, click Configure, and then click Close.
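The same Enterprise Root CA build as steps 2 through 21, scripted with the ADCSDeployment cmdlets that ship with the role on Windows Server 2012. This is an added example, not code from the original page; it assumes an elevated PowerShell session on a domain-joined server run by a member of Enterprise Admins and the forest root's Domain Admins, the CA name and folder paths are placeholders, and it goes beyond the page in two ways: it substitutes SHA-256 for the page's SHA-1 default and it applies and then verifies the ACLs that step 20 asks for on non-default database locations.

```powershell
# Added example, not from the original page. Assumptions: elevated session on a
# domain-joined server, caller is in Enterprise Admins and the forest root's Domain
# Admins; $CaName, $DbDir and $LogDir are placeholders for your own values.
$CaName = 'LAB-ROOT-CA'      # placeholder common name (page step 18)
$DbDir  = 'D:\CertDb'        # placeholder non-default locations (page step 20)
$LogDir = 'D:\CertLog'

# Steps 6-10: install the Certification Authority role service.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Step 20: create the database/log folders and lock them down before the CA
# writes to them. Inheritance from the drive root (which commonly grants Users
# read access) is cut off; only SYSTEM and local Administrators keep access.
foreach ($dir in $DbDir, $LogDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $acl = Get-Acl -Path $dir
    $acl.SetAccessRuleProtection($true, $false)   # disable and drop inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir -AclObject $acl
}

# Steps 12-19 and 21: Enterprise Root CA, new 2048-bit RSA key in the default
# KSP, five-year validity. SHA-256 is used here instead of the page's SHA-1.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -CACommonName $CaName `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -DatabaseDirectory $DbDir -LogDirectory $LogDir `
    -Force

# Check: the CA service is running, the CA answers with its name, and neither
# folder grants access to broad principals such as Users or Everyone.
Get-Service -Name CertSvc | Select-Object Name, Status
certutil -cainfo name
foreach ($dir in $DbDir, $LogDir) {
    (Get-Acl -Path $dir).Access |
        Where-Object { $_.IdentityReference -match 'Users|Everyone' } |
        ForEach-Object { Write-Warning "$dir grants access to $($_.IdentityReference)" }
}
```

Any warning printed by the final loop means the folder still carries a broad access entry and should be corrected before the CA goes into use.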