Install an Enterprise Certificate Authority in Windows 2008 R2

In this post I will walk through the steps of setting up an enterprise certificate authority (CA) in a Windows Server 2008 R2 Active Directory domain.  The steps needed to configure this are fairly simple and straightforward.  Having your own CA is useful for testing SSL and other services that require certificates without the need to purchase certificates from a third party.  However, these certificates will not be automatically trusted by computers external to your AD domain, so there are some limitations.  Let’s get to it.

First, start the Server Manager.

Click Add Roles under Roles Summary.

Check the Active Directory Certificate Services role and click Next.

Under Role services check Certification Authority and Certification Authority Web Enrollment.  The Web Enrollment service is useful if you choose to make requests for certificates from computers that are not members of your AD domain.  If you have not yet installed all of the IIS components the Web Enrollment service needs, it will ask for prerequisites to be installed.  Go ahead and accept these, then click Next.

I will keep the default and use an Enterprise CA.  Click Next.

This is my first and only CA, so I’ll choose Root CA and click Next.

This is a new CA without existing keys, so select Create a new private key and click Next.

Keep the default CSP, hashing method, and key length and click Next.

I’ll keep the defaults and click Next.

Click Next.

Accept the default database locations and click Next.  Then at the confirmation screen click Install.  See how easy that was.  See you next time!
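To confirm what the wizard actually configured, the following added example (not part of the original post) reads the CA type, CSP, hash algorithm and key length back from the CA server. It assumes an elevated PowerShell session on the CA itself and the default CNG key storage provider; the variable names are my own.

```powershell
# Added example: read back the choices made in the AD CS wizard.
# Run elevated on the CA server. Works with PowerShell 2.0 (Windows Server 2008 R2).
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active            # name of the active CA
$ca      = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)
$csp     = Get-ItemProperty -Path (Join-Path $cfgRoot "$caName\CSP")

# CAType values written by setup
$caTypes = @{ 0 = 'Enterprise Root CA'; 1 = 'Enterprise Subordinate CA'
              3 = 'Standalone Root CA'; 4 = 'Standalone Subordinate CA' }
$caType  = $caTypes[[int]$ca.CAType]

# Current CA certificate: last thumbprint listed in CACertHash, looked up in the
# machine store. Non-hex characters are stripped before comparing.
$thumb  = ($ca.CACertHash | Where-Object { $_ -match '[0-9A-Fa-f]' } |
           Select-Object -Last 1) -replace '[^0-9A-Fa-f]', ''
$caCert = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Thumbprint -eq $thumb }

$report = New-Object PSObject -Property @{
    ServiceStatus = (Get-Service -Name CertSvc).Status
    CAName        = $caName
    CAType        = $caType
    Provider      = $csp.Provider
    HashAlgorithm = $csp.CNGHashAlgorithm    # empty if a legacy (non-CNG) CSP was chosen
    KeyLength     = $caCert.PublicKey.Key.KeySize
    CertSignature = $caCert.SignatureAlgorithm.FriendlyName
    CertExpires   = $caCert.NotAfter
}
$report | Format-List

# Checks tied to the wizard pages in this walkthrough
if ($caType -ne 'Enterprise Root CA') {
    Write-Warning "CA type is '$caType', not the Enterprise Root CA chosen above."
}
if ($report.HashAlgorithm -eq 'SHA1' -or $report.CertSignature -like 'sha1*') {
    Write-Warning 'The CA signs with SHA-1, which current clients may reject.'
}
if ($report.KeyLength -lt 2048) {
    Write-Warning "CA key length is $($report.KeyLength) bits (below 2048)."
}

# Confirm that the CA answers certificate requests
certutil -ping
```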

Categories: SSL, Windows
  1. Andrew
    June 27, 2010 at 5:39 am

    Hi Aaron, it looks like you can’t enable certificate services on a server that has AD enabled but is not configured as a domain controller. I’m new to this, could you let me know what you think the pros/cons are of having your CA server as a domain controller?


    • June 28, 2010 at 3:12 am

      Hi Andrew,

      As long as the server is a member of an AD domain you should be able to install certificate services and run it as an enterprise CA. Actually I am running my enterprise CA on a member server. If you’ve tried it and it doesn’t work, what happens during the install?

      As for pros/cons of putting the CA on a domain controller, it should work fine but is not recommended from a security perspective. Also, if you choose to install the certificate web enrollment service you’ll need to run IIS on the server, and this is definitely not recommended on a DC. Of course, if this is a small environment with hardware and software limitations, security may not be as much of a concern.

      Best wishes,


  2. July 17, 2010 at 5:43 pm

    Check out my step-by-step guide for installing Windows 2008 R2 certificate authority server

  3. September 20, 2011 at 2:44 am


    Do you have any other instructions on how to set up a recovery agent and deploy signature certs to clients for use to sign PDF files?


  4. Scott Rosenblatt
    May 22, 2012 at 12:48 pm

    Can we install the cert auth server on the RD web access server?

  5. Scott Rosenblatt
    May 22, 2012 at 1:35 pm

    Sorry, I also have a broker connection server. Would the cert server work on that?

  6. vijay
    June 8, 2012 at 8:06 am

    Thank you. This worked like a charm for me. Very good explanation.

  7. Paul Harley
    July 12, 2012 at 5:27 pm

    I also want to say thanks! I appreciate that you took the time to explain the steps and what they mean in plain English.
