You can set up a Windows Server 2012 Certificate Authority (CA) using the Server Manager wizard.

About this task

The following are standard steps to set up a Microsoft CA. They are detailed here in a simple form suitable for use in a lab environment, but for a real production system it is recommended that you follow industry best practice for CA configuration.

If you need further guidance about setting up a CA, please check out the standard Microsoft technical references: Active Directory Certificate Services Step-by-Step Guide and Install a Root Certification Authority.

Note:

The procedures in this topic are for Windows Server 2012 R2. Very similar steps can be followed on Windows Server 2008 R2.

Procedure

  1. On the Server Manager Dashboard, click Add Roles and Features to open the wizard, and then click Next.
  2. On the Select Installation Type page, select Role-based or feature-based installation and click Next.
  3. On the Server Selection page, leave defaults and click Next.
  4. On the Server Roles page:
    1. Select Active Directory Certificate Services.
    2. In the dialog, select Include management tools (if applicable) and click Add Features.
    3. Click Next.
  5. On the Features page, click Next.
  6. On the AD CS page, click Next.
  7. On the Role Services page, select Certification Authority and click Next.
  8. On the Confirmation page, select Restart the destination server automatically if required and click Install.

    Installation Progress displays. When the installation is complete, a link labeled “Configure Active Directory Certificate Services on the destination server” displays, allowing you to configure the newly installed CA.

  9. Click on the configuration link to launch the configuration wizard.
  10. On the Credentials page, enter the credentials of a user in the Enterprise Admins group and click Next.
  11. On the Role Services page, select CA and click Next.
  12. On the Setup Type page, select Enterprise CA and click Next.
  13. On the CA Type page, select Root or Subordinate CA as appropriate (in this example it is a Root CA) and click Next.
  14. On the Private Key page, select Create a new private key and click Next.
  15. On the Cryptography page, enter information as follows.

    | Field | Description |
    | --- | --- |
    | Cryptographic Provider | RSA#Microsoft Software Key Storage Provider |
    | Key Length | 4096 (or another length if you prefer) |
    | Hash Algorithm | SHA256 (or another SHA algorithm if you prefer) |

  16. On the CA Name page, configure as preferred or accept defaults and click Next.
  17. On the Validity Period page, configure as preferred and click Next.
  18. On the Certificate Database page, click Next.
  19. On the Confirmation page, review the information and click Configure.
  20. Complete the configuration process by performing the following tasks (run all commands from the command prompt).
    1. Configure CA for non-persistent certificate processing
      certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
    2. Configure CA to ignore offline CRL errors
      certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    3. Restart the CA service
      net stop certsvc
      net start certsvc
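
The same procedure as a PowerShell script, useful for rebuilding the lab CA repeatably and for reading the two step-20 flags back afterwards. This is an added example, not part of the original procedure; the five-year validity period is an assumption, and the bit values 0x800 and 0x8 are the Windows SDK constants behind the two certutil flag names.

```powershell
# Added example (not from the original page): scripted equivalent of steps 1-20
# for a lab Enterprise Root CA. Run elevated as a member of Enterprise Admins.

# Steps 1-8: install the Certification Authority role service and its management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Steps 9-19: configure the CA with the values from the Cryptography page.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'  # assumption: the page leaves validity to preference
    ValidityPeriodUnits = 5        # assumption
}
Install-AdcsCertificationAuthority @caParams -Force

# Step 20: set the two registry flags from the page, then restart the CA service.
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
Restart-Service -Name certsvc

# Verify: read the flags back from the CA configuration in the registry.
# DBFlags sits at the Configuration root; CRLFlags sits under the active CA's key.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$db     = (Get-ItemProperty -Path $cfg).DBFlags
$crl    = (Get-ItemProperty -Path (Join-Path $cfg $caName)).CRLFlags

[pscustomobject]@{
    CA               = $caName
    VolatileRequests = [bool]($db  -band 0x800)  # DBFLAGS_ENABLEVOLATILEREQUESTS
    IgnoreOfflineCrl = [bool]($crl -band 0x8)    # CRLF_REVCHECK_IGNORE_OFFLINE
}
```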

What to do next

Set Up a Certificate Template on the CA