You can set up a Windows Server 2012 Certificate Authority (CA) using the Server Manager wizard.
The following are the standard steps to set up a Microsoft CA. They are detailed here in a simple form suitable for a lab environment. For a production system, follow industry best practice for CA configuration instead (for example, an offline root CA issuing to an online subordinate CA, keys protected by an HSM, and CA administration restricted to a small set of accounts); several of the lab shortcuts below deliberately weaken revocation and auditing.
If you need further guidance about setting up a CA, see the standard Microsoft technical references: Active Directory Certificate Services Step-by-Step Guide and Install a Root Certification Authority.
Note: The procedures in this topic are for Windows Server 2012 R2. Very similar steps can be followed on Windows Server 2008 R2.
Procedure
- On the Server Manager Dashboard, click Add Roles and Features to open the wizard, and then click Next.
- On the Select Installation Type page, select Role-based or feature-based installation and click Next.
- On the Server Selection page, leave defaults and click Next.
- On the Server Roles page:
- Select Active Directory Certificate Services.
- In the dialog, select Include management tools (if applicable) and click Add Features.
- Click Next.
- On the Features page, click Next.
- On the AD CS page, click Next.
- On the Role Services page, select Certification Authority and click Next.
- On the Confirmation page, select Restart the destination server automatically if required and click Install.
The Installation Progress page displays. When the installation is complete, the page shows a link, Configure Active Directory Certificate Services on the destination server, for configuring the newly installed CA.
- Click on the configuration link to launch the configuration wizard.
- On the Credentials page, enter the credentials of an account that is a member of the Enterprise Admins group (required to install an Enterprise CA) and click Next.
- On the Role Services page, select Certification Authority and click Next.
- On the Setup Type page, select Enterprise CA (the server must be domain-joined) and click Next.
- On the CA Type page, select Root or Subordinate CA as appropriate (in this example it is a Root CA) and click Next.
- On the Private Key page, select Create a new private key and click Next.
- On the Cryptography page, enter information as follows.
Field | Description
Cryptographic Provider | RSA#Microsoft Software Key Storage Provider (a software KSP keeps the CA private key on the server's disk; for production, use an HSM-backed provider)
Key Length | 4096 (or another length if you prefer; do not go below 2048)
Hash Algorithm | SHA256 (or another SHA-2 algorithm if you prefer; do not select SHA1, which is deprecated for certificate signatures)
- On the CA Name page, configure as preferred or accept the defaults and click Next. The CA common name cannot be changed later without reinstalling the CA.
- On the Validity Period page, configure as preferred and click Next. The root CA certificate must outlive the certificates it will issue.
- On the Certificate Database page, click Next.
- On the Confirmation page, review the information and click Configure.
- Complete the configuration process by performing the following tasks (run all commands from an elevated command prompt on the CA server).
- Configure the CA for non-persistent (volatile) certificate processing. This allows templates marked not to store certificates and requests in the CA database to be issued without a database record, which also means those certificates cannot be looked up or revoked from the CA afterwards. Enable it only when the consuming product requires it.
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
- Configure the CA to ignore offline CRL errors. This lets the CA service start even when it cannot reach the CRL distribution point for its own certificate chain. It weakens revocation checking and is a lab convenience, not a production setting.
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
- Restart the CA service so the registry changes take effect.
net stop certsvc
net start certsvc
- Set up a certificate template on the CA by following the steps in Set Up a Certificate Template on the CA.
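The same lab build, driven from PowerShell instead of the wizard, as an added example (it is not part of the original page). It assumes a fresh, domain-joined Windows Server 2012 R2 host, an elevated PowerShell session running as a member of Enterprise Admins, and an assumed CA common name of LabRootCA with a five-year validity; the Install-AdcsCertificationAuthority cmdlet comes from the ADCSDeployment module installed with the management tools. The script ends by reading the registry flags back, so a typo in a flag name fails loudly rather than silently leaving the CA misconfigured.

```powershell
#Requires -RunAsAdministrator
# Added example: wizard steps above, scripted. Assumes a fresh domain-joined host
# and an Enterprise Admins session. CA name and validity below are assumptions.
$ErrorActionPreference = 'Stop'

$caName   = 'LabRootCA'                                   # assumed name
$provider = 'RSA#Microsoft Software Key Storage Provider' # software KSP; use an HSM KSP in production
$keyBits  = 4096
$hashAlg  = 'SHA256'

# 1. Role installation (Add Roles and Features wizard). -IncludeManagementTools
#    pulls in the ADCSDeployment PowerShell module used in step 2.
$feature = Get-WindowsFeature -Name ADCS-Cert-Authority
if (-not $feature.Installed) {
    $result = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'Restart required before the CA can be configured; rerun after reboot.'
        return
    }
}

# 2. CA configuration (AD CS configuration wizard): Enterprise root CA, new key,
#    4096-bit RSA, SHA256. -Force suppresses the interactive confirmation.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName $provider `
    -KeyLength $keyBits `
    -HashAlgorithmName $hashAlg `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# 3. Lab-only registry flags from the procedure, then restart certsvc so they apply.
#    Both flags weaken revocation/auditing; see the caveats in the procedure text.
certutil -setreg DBFlags '+DBFLAGS_ENABLEVOLATILEREQUESTS' | Out-Null
certutil -setreg ca\CRLFlags '+CRLF_REVCHECK_IGNORE_OFFLINE' | Out-Null
Restart-Service -Name certsvc

# 4. Verification: certutil -getreg decodes known flag bits by name, so we can
#    check the exact flags rather than trusting the exit code of -setreg.
$dbFlags  = (certutil -getreg DBFlags)     -join ' '
$crlFlags = (certutil -getreg ca\CRLFlags) -join ' '
if ($dbFlags  -notmatch 'DBFLAGS_ENABLEVOLATILEREQUESTS') { throw 'DBFlags not applied' }
if ($crlFlags -notmatch 'CRLF_REVCHECK_IGNORE_OFFLINE')   { throw 'CRLFlags not applied' }

# Confirms the CA service is answering RPC requests and reports the CA name.
certutil -cainfo name
```

Run the script once on a clean server; Install-AdcsCertificationAuthority is not idempotent and will error if a CA is already configured on the host. The CA private key is generated by the software KSP on the server, so anyone who can read the key store (local administrators, or an attacker with a disk image) holds the root of trust for the lab domain.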