Hi again! Now that I’ve introduced what AD CS is and why we use it, it’s time to get our hands dirty by installing an Enterprise Root Certificate Authority. This is the heart of any AD-integrated PKI infrastructure, and I’ll walk you through each step I use in my production and lab setups.
🧠 Quick Recap: What Is an Enterprise Root CA?
An Enterprise Root CA is the top-level CA in a single-tier or two-tier PKI architecture, directly integrated with Active Directory. It can issue certificates to users, computers, and services in your domain.
💡 Unlike a Standalone CA, this setup uses AD to automatically issue certificates based on group policy and templates—making life much easier.
🧰 Prerequisites
Before installing, I make sure I have the following ready:
- ✅ A domain-joined Windows Server (2016 or later)
- ✅ A static IP and proper DNS configuration
- ✅ The server is fully patched
- ✅ An account with Enterprise Admin and Domain Admin rights
- ✅ A clear CA name and certificate validity period plan
🖥️ Step 1: Add the AD CS Role
- Open Server Manager > Add Roles and Features
- Click Next until you reach Server Roles
- Select Active Directory Certificate Services
- On the features page, leave defaults and click Next
- On the Role Services page, select:
  - ✅ Certification Authority
- Continue and click Install
⏳ Wait for the installation to complete, but do not close Server Manager—you’ll need it for post-install configuration.
⚙️ Step 2: Configure the Certification Authority
After installation:
- In Server Manager, click the notification flag → “Configure Active Directory Certificate Services on the destination server”
- On the credentials screen, confirm the admin account and click Next
- Select only:
  - ✅ Certification Authority
- On the CA Type screen:
  - Choose Enterprise CA
- On the Setup Type screen:
  - Choose Root CA
- On the Private Key screen:
  - Select Create a new private key
  - Accept default cryptography settings, or adjust based on your security policy (e.g., 4096-bit key, SHA256)
- Set a Common Name for the CA (e.g., MAHARJAN-RootCA)
- Set the certificate validity period (default is 5 or 10 years, adjust if needed)
- Review and confirm the paths for the certificate database and logs
- Click Configure and wait for the success message
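The same Step 1 and Step 2 work can be scripted, which is handy for lab rebuilds and keeps the CA settings in a file you can review. This is an added example, not code from the original post: it uses the built-in ADCSDeployment cmdlets, and the CA name, key size, hash, validity period and paths are placeholders to replace with your own values. Run it from an elevated PowerShell session on the domain-joined server with an Enterprise Admin account.

```powershell
# Added example (not from the original post): Steps 1 and 2 as a script.
# Assumed values below are placeholders; adjust them to your CA plan.
$CaName        = 'MAHARJAN-RootCA'
$KeyLength     = 4096
$HashAlgorithm = 'SHA256'
$ValidityYears = 10
$DbPath        = 'C:\Windows\System32\CertLog'   # default database location
$LogPath       = 'C:\Windows\System32\CertLog'   # default log location

# Step 1: add the AD CS role with only the Certification Authority role service,
# plus the management tools (certsrv.msc, certutil).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Step 2: configure an Enterprise Root CA with a newly generated private key.
# Runs as the current (Enterprise Admin) user; -Force skips the confirmation prompt.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength $KeyLength `
    -HashAlgorithmName $HashAlgorithm `
    -ValidityPeriod Years `
    -ValidityPeriodUnits $ValidityYears `
    -DatabaseDirectory $DbPath `
    -LogDirectory $LogPath `
    -Force

# The CA service should now be present and running.
Get-Service -Name CertSvc | Select-Object Name, Status
```

Install-AdcsCertificationAuthority supports -WhatIf, so you can dry-run the configuration step before it writes anything to Active Directory. The key lives in the software KSP here; if your policy calls for an HSM, swap -CryptoProviderName for the HSM's KSP name.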
🎉 Your Enterprise Root CA is now installed and operational!
📂 Step 3: Verify the CA Installation
Here’s how I quickly verify the CA is working:
- Open the Certification Authority console (certsrv.msc)
- Ensure the CA status is “Running”
- Check the Issued Certificates, Pending Requests, and Revoked Certificates nodes (they’ll be empty for now)
- Look under Certificate Templates to see default templates published by AD
🔄 Step 4: Publish to Active Directory (Auto)
This is done automatically for an Enterprise CA:
- The Root CA certificate is published to AD’s NTAuth store
- Clients in the domain can trust this CA without manual imports
To confirm:
certutil -enterprise -viewstore NTAuth
You should see your CA listed.
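The checks from Step 3 and Step 4 can also be done in one script, which is useful if you want to re-run them after reboots or patching. This is an added example, not code from the original post; the CA name is a placeholder. It reads the NTAuthCertificates object directly from the Configuration partition through ADSI (so it needs no RSAT module) and compares the published certificates against the CA's own certificate by thumbprint.

```powershell
# Added example (not from the original post): Steps 3 and 4 as a verification script.
# Assumed value: the CA common name below is a placeholder.
$CaName = 'MAHARJAN-RootCA'

# Step 3: the CA service must be running and answering requests.
$svc = Get-Service -Name CertSvc
"CertSvc status: $($svc.Status)"
certutil -ping | Out-Null
"certutil -ping exit code: $LASTEXITCODE (0 = the CA answered)"

# Locate the CA's own certificate (the one with the private key) in the machine store.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $caCert) { throw "No certificate for $CaName with a private key in LocalMachine\My" }
"CA cert: $($caCert.Subject)  thumbprint $($caCert.Thumbprint)  expires $($caCert.NotAfter)"

# Step 4: read NTAuthCertificates from AD's Configuration partition and check that
# our CA certificate is among the published cACertificate values.
$cfgNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfgNC"
$published = foreach ($raw in $ntAuth.cACertificate) {
    # Each value is the DER-encoded certificate as a byte array.
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
}
"NTAuth contains $(@($published).Count) certificate(s):"
$published | ForEach-Object { "  $($_.Subject)  $($_.Thumbprint)" }

if (@($published).Thumbprint -contains $caCert.Thumbprint) {
    "OK: $CaName is published in NTAuthCertificates."
} else {
    Write-Warning "$CaName is not in NTAuthCertificates yet. AD replication may still be pending; re-check before troubleshooting further."
}
```

Listing every certificate in NTAuth is deliberate: anything that appears there is trusted for certificate-based logon across the domain, so reviewing that list for unexpected entries is part of the same check.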
✅ Post-Installation Tips
Here’s what I always do right after the CA is installed:
- 📁 Back up the CA database and private key
- 🛡️ Apply access restrictions to the CA console (use role-based delegation)
- 📝 Document the CA name, key size, validity period, and server name
- 🔐 Harden the server (disable unneeded services, restrict RDP access)
- 🧪 Test issuing a manual certificate request
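The first two tips, backing up the CA and documenting its settings, can be done together in one script. This is an added example, not code from the original post: it uses Backup-CARoleService from the built-in ADCSAdministration module, and the backup folder and CA name are placeholders.

```powershell
# Added example (not from the original post): back up the CA database and private key,
# then write a small record of the settings worth documenting.
# Assumed values: the backup root and the CA common name are placeholders.
$BackupRoot = 'D:\CABackup'
$CaName     = 'MAHARJAN-RootCA'
$stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$target     = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# The exported private key (PFX) is protected by this password; keep it apart from the backup.
$pw = Read-Host -Prompt 'Password to protect the exported CA key' -AsSecureString

# Backs up the certificate database and logs plus the CA certificate and private key into $target.
Backup-CARoleService -Path $target -Password $pw

# Record what the post says to document: CA name, key size, validity period, server name.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" -and $_.HasPrivateKey } |
    Select-Object -First 1
$record = [ordered]@{
    CAName     = $CaName
    Server     = $env:COMPUTERNAME
    Thumbprint = $caCert.Thumbprint
    KeySize    = $caCert.PublicKey.Key.KeySize
    Signature  = $caCert.SignatureAlgorithm.FriendlyName
    ValidFrom  = $caCert.NotBefore
    ValidTo    = $caCert.NotAfter
    BackupPath = $target
}
$record | ConvertTo-Json | Set-Content -Path (Join-Path $target 'ca-record.json')

# Sanity check: the database folder and the key file should be present.
Get-ChildItem -Path $target -Recurse | Select-Object FullName, Length
```

The backup folder now holds a copy of the root CA's private key, so lock down its ACL and move it off the CA server to protected storage; a copy of that key is as sensitive as the CA itself.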
🧭 What’s Next?
In the next blog, I’ll show you how to:
👉 Create and publish certificate templates,
👉 Set up auto-enrollment using Group Policy, and
👉 Start issuing certs to users, computers, or web servers automatically!