
I gave a good overview of what Active Directory Certificate Services (AD CS) are and what they do in my last article: Server 2008: Active Directory Certificate Services.


For a short recap, AD CS is the backbone of Microsoft's Public Key Infrastructure (PKI) implementation. It will allow you to issue certificates for SSL/TLS use on websites or digitally sign your email.

Now let's take a look at installing Active Directory Certificate Services.

Certain versions of Server 2008 only allow certain AD CS components to be installed. Please take a look at this table for reference:

CA - issues certificates to users, computers and services while also managing their validity. Comes in root and subordinate.

Network Device Enrollment Service - allows network devices (i.e. routers) to request and receive certificates based on Simple Certificate Enrollment Protocol (SCEP).

Online Responder Service - implements Online Certificate Status Protocol (OCSP) by evaluating certificate status, decoding revocation status requests, and sending back signed responses containing certificate status information.

Install Enterprise Certificate Authority on a Windows 2008 Server

As I outlined in my earlier article, there are two varieties of root CAs: the Enterprise and Stand-Alone. Each has their advantages and configuration, but in this case we are going to install an Enterprise CA.

I am going to be installing this root CA server in my test Active Directory domain named ADExample.com on a Windows Server 2008 Enterprise version.

The server is a member of the domain, and is a domain controller. Let's get started.

1. Open Server Manager.

2. Select Roles, then click Add Roles in the center pane.

3. The Before You Begin page may show up if you haven't turned it off already. If you see it just click Next.

4. In the Select Server Roles window go ahead and select Active Directory Certificate Services by placing a checkmark next to it, then go ahead and click Next.

5. Now you will see an Introduction to Active Directory Certificate Services, where you can read about the good things you can do with AD CS.

The biggest thing to note here is the following:

Name & Domain settings of this computer cannot be changed after a CA has been installed. If you want to change the computer name, join a domain, or promote this server to a domain controller do so before installing the CA.

Now with that warning out of the way, go ahead and click on Next.

6. Next you get to Select Role Services, which can include any of the following depending on what version of Windows Server 2008 you are installing this on - refer to the table above for specifics.

For this install I am going to choose the Certification Authority only.

7. Now comes the Specify Setup Type, and for this I am going to select the Enterprise radio button.

8. For the Specify CA Type, I am going to choose the Root CA radio button and then click Next.

9. In Set Up Private Key, I am going to choose the Create a new private key radio button and then select Next.

10. Now you have to Configure Cryptography for CA in this window and there are quite a few to choose from.

Now I am no expert on cryptography, but some basic rules do apply: the longer the key the harder it is to crack. For our purposes I am going to use the following settings:

RSA#Microsoft Software Key Storage Provider
4096 Key Character length
md5 Hash algorithm

Now I am going to click Next.

11. In Configure CA Name you can choose to overwrite the default common name for this CA and also the Distinguished name suffix if you so choose.

I am going to overwrite the default common name with Test_Enterprise_CA, but I will leave the rest alone.

12. Next we will Set Validity Period for this CA's certificate.

Remember a root CA issues itself a certificate. The default is 5 Years so I will just leave it at that. You can change this based on any need you might have in your environment. Click Next.

13. Configure Certificate Database will let you specify where you want to put the database and log files for the CA.

I am going to leave the default in place. Click Next.

14. On the Confirm Installation Selections you can see the answers you have chosen and you will again see a warning that you cannot change the computer name or domain settings for this server after installing the CA.

Go ahead and click Install, you know you want to!

15. After a few minutes you will see the Installation Results, and with any luck you will have the message: Installation succeeded.

After your glow of certificate happiness fades go ahead and click Close.

16. Now let's go in and take a look by clicking on Certification Authority in Administrative Tools (if you get a UAC pop up just click Ok).

17. Now you can see the snap-in is showing the CA named Test_Enterprise_CA in the left pane with a bunch of folders for certificates.

18. You can also see that if you click the Certificate Templates folder, there are quite a few default templates that are already set up and ready to go.
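
MD5 and SHA-1 are no longer collision resistant, so the hash selected in step 10 is worth checking on the installed CA. The PowerShell below is an added example, not part of the original article, that reads the CA's signing hash, the signature algorithm of its own certificate and its key length. It assumes a CNG key storage provider as chosen in step 10; the weak-hash list and minimum key size are assumed policy values.

```powershell
# Added example (not from the original article): audit the step 10 choices on an installed CA.
# Run from an elevated PowerShell prompt on the CA server.
$weakHash   = '^(md2|md4|md5|sha1)'  # assumption: hashes local policy rejects for a CA
$minKeyBits = 2048                   # assumption: smallest RSA key local policy accepts

# AD CS keeps the active CA's configuration under the CertSvc service key.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caKey   = Join-Path $cfgRoot (Get-ItemProperty $cfgRoot).Active
$ca      = Get-ItemProperty $caKey
$csp     = Get-ItemProperty (Join-Path $caKey 'CSP')

# CACertHash lists the CA certificate thumbprints; the last entry is the newest.
$thumb  = ($ca.CACertHash | Select-Object -Last 1) -replace '\s', ''
$caCert = Get-Item "Cert:\LocalMachine\My\$thumb"

$findings = @()

# 1. Hash used to sign the CA's own certificate (fixed when that certificate was created).
$sigAlg = $caCert.SignatureAlgorithm.FriendlyName
if ($sigAlg -match $weakHash) {
    $findings += "CA certificate is signed with $sigAlg; renew it after fixing the hash setting"
}

# 2. Hash the CA applies to every certificate and CRL it issues from now on.
if ($csp.CNGHashAlgorithm -match $weakHash) {
    $findings += "CA signs issued certificates and CRLs with $($csp.CNGHashAlgorithm)"
}

# 3. RSA key length of the CA key pair.
$bits = $caCert.PublicKey.Key.KeySize
if ($bits -lt $minKeyBits) {
    $findings += "CA key is only $bits bits"
}

if ($findings.Count -eq 0) { "OK: $($ca.CommonName) uses $sigAlg with a ${bits}-bit key" }
else { $findings | ForEach-Object { "WEAK: $_" } }

# Remediation for finding 2 (takes effect once the service restarts):
#   certutil -setreg ca\csp\CNGHashAlgorithm SHA256
#   Restart-Service certsvc
```

Changing CNGHashAlgorithm affects only what the CA signs afterwards; the root certificate keeps its original signature until the CA certificate is renewed.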

Summary

Now that we have installed the Active Directory Certificate Services the next step would be to request some certificates and configure them.

The installation for a stand-alone CA is very similar to this. In fact if you are not in a domain and if you are not installing as a domain admin you will not even get the option for an Enterprise CA setup, so if you see that grayed out you now know why.

In my next article we will take a look at some of the uses for certificates and how to request and install them on servers and clients.
