Install Active Directory Certificate Services on Windows Server 2008

Published on January 2017

http://blog.pluralsight.com/install-active-directory-certificate-services

August 20, 2008

I gave a good overview of what Active Directory Certificate Services (AD CS) are and what they do in
my last article: Server 2008: Active Directory Certificate Services (http://blog.pluralsight.com/activedirectory-certificate-services).
For a short recap, AD CS is the backbone of Microsoft’s Public Key Infrastructure (PKI)
implementation. It allows you to issue certificates for SSL/TLS use on websites or to digitally sign
your email. Now let’s take a look at installing Active Directory Certificate Services.
Certain versions of Server 2008 only allow certain AD CS components to be installed; please take a
look at this table for reference:

CA – issues certificates to users, computers and services while also managing their validity; comes in
root and subordinate
Network Device Enrollment Service – allows network devices (i.e. routers) to request and receive
certificates based on Simple Certificate Enrollment Protocol (SCEP)
Online Responder Service – implements Online Certificate Status Protocol (OCSP) by evaluating
certificate status, decoding revocation status requests, and sending back signed responses containing
certificate status information

As I outlined in my earlier article, there are two varieties of root CAs: the Enterprise and Stand-Alone.
Each has its own advantages and configuration, but in this case we are going to install an Enterprise CA.
I am going to be installing this root CA server in my test Active Directory domain named
ADExample.com on a Windows Server 2008 Enterprise version.
The server is a member of the domain, and is a domain controller. Let’s get started.
1. Open Server Manager.
2. Select Roles, then click Add Roles in the center pane.

3. The Before You Begin page may show up if you haven’t turned it off already. If you see it just click
Next.
4. In the Select Server Roles window go ahead and select Active Directory Certificate Services by
placing a checkmark next to it, then go ahead and click Next.

5. Now you will see an Introduction to Active Directory Certificate Services, where you can read
about the good things you can do with AD CS.
The biggest thing to note here is the following:
Name & Domain settings of this computer cannot be changed after a CA has been installed. If
you want to change the computer name, join a domain, or promote this server to a domain
controller, do so BEFORE installing the CA.
Now with that warning out of the way, go ahead and click on Next.

6. Next you get to Select Role Services, which can include any of the following depending on what
version of Windows Server 2008 you are installing this on — refer to the table above for specifics.
For this install I am going to choose the Certification Authority only.

7. Now comes the Specify Setup Type, and for this I am going to select the Enterprise radio button.

8. For the Specify CA Type, I am going to choose the Root CA radio button and then click Next.

9. In Set Up Private Key, I am going to choose Create a new private key radio button and then
select Next.

10. Now you have to Configure Cryptography for CA in this window and there are quite a few to
choose from.

Now I am no expert on cryptography, but some basic rules do apply … the longer the key the harder it
is to crack. For our purposes I am going to use the following settings:
RSA#Microsoft Software Key Storage Provider
4096 Key Character length
md5 Hash algorithm
Now I am going to click Next.

11. In Configure CA Name you can choose to overwrite the default common name for this CA and
also the Distinguished name suffix if you so choose.
I am going to overwrite the default common name with Test-Enterprise-CA, but I will leave the rest
alone.

12. Next we will Set Validity Period for this CA’s certificate.
Remember a root CA issues itself a certificate. The default is 5 Years so I will just leave it at that. You
can change this based on any need you might have in your environment. Click Next.

13. Configure Certificate Database will let you specify where you want to put the database and log
files for the CA.
I am going to leave the default in place. Click Next.

14. On the Confirm Installation Selections you can see the answers you have chosen and you will
again see a warning that you cannot change the computer name or domain settings for this server
after installing the CA.
Go ahead and click Install… you know you want to!

15. After a few minutes you will see the Installation Results, and with any luck you will have the
message: Installation succeeded.
After your glow of certificate happiness fades go ahead and click Close.

16. Now let’s go in and take a look by clicking on Certification Authority in Administrative Tools (if
you get a UAC pop-up just click OK).

17. Now you can see the snap-in is showing the CA named Test-Enterprise-CA in the left pane with a
bunch of folders for certificates.

18. You can also see that if you click the Certificate Templates folder, there are quite a few default
templates that are already set up and ready to go.

Now that we have installed the Active Directory Certificate Services the next step would be to request
some certificates and configure them. The installation for a stand-alone CA is very similar to this. In
fact if you are not in a domain and if you are not installing as a domain admin you will not even get the
option for an Enterprise CA setup, so if you see that grayed out you now know why.
In my next article we will take a look at some of the uses for certificates and how to request and install
them on servers and clients.
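
The hash algorithm selected in step 10 is what the CA uses to sign its own root certificate and everything it issues, and MD5 is collision-broken, so it is worth checking what the finished install actually uses. The PowerShell below is an added example, not part of the original article: it inspects the CA certificate named in step 11 and the CA's configured signing hash. The weak-hash list, the 2048-bit floor and the helper name Test-CaCertificate are assumptions of this example.

```powershell
# Added example (not from the original article). Assumes PowerShell 2.0 or later,
# run elevated on the CA server after the wizard in steps 1-15 has finished.
$CaName     = 'Test-Enterprise-CA'            # common name chosen in step 11
$WeakHashes = 'md2', 'md4', 'md5', 'sha1'     # assumption: hashes treated as unacceptable
$MinRsaBits = 2048                            # assumption: minimum acceptable RSA key size

# Hypothetical helper: reports signature hash, key size and expiry for one certificate.
function Test-CaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $sigAlg  = $Cert.SignatureAlgorithm.FriendlyName   # e.g. md5RSA, sha1RSA, sha256RSA
    $keyBits = $Cert.PublicKey.Key.KeySize
    $issues  = @()
    foreach ($h in $WeakHashes) {
        if ($sigAlg -like "$h*") { $issues += "weak signature hash ($sigAlg)" }
    }
    if ($keyBits -lt $MinRsaBits) { $issues += "RSA key under $MinRsaBits bits ($keyBits)" }

    New-Object PSObject -Property @{
        Subject   = $Cert.Subject
        Signature = $sigAlg
        KeyBits   = $keyBits
        NotAfter  = $Cert.NotAfter
        Issues    = ($issues -join '; ')
    }
}

# The CA's own certificate is kept in the local machine Personal store.
$caCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" })
if ($caCerts.Count -eq 0) {
    Write-Warning "No certificate with subject CN=$CaName found in LocalMachine\My"
}
$caCerts | ForEach-Object { Test-CaCertificate $_ } | Format-List

# Hash algorithm the CA service uses when signing (CNG key storage provider installs).
certutil -getreg ca\csp\CNGHashAlgorithm

# To move off a weak hash: switch the setting, restart the service, then renew the
# root certificate so it is re-signed with the new hash.
# certutil -setreg ca\csp\CNGHashAlgorithm SHA256
# Restart-Service certsvc
# certutil -renewCert ReuseKeys
```

An empty Issues field means the certificate passed both checks; certificates already issued under the old hash keep their original signature and have to be reissued separately.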


Dave Lawlor (http://blog.pluralsight.com/author/dave-lawlor) (MCTS, MCP, A+) has been working in the IT
field since leaving the U.S. Army in 1996. Working his way up from printer hardware repair to running a
corporate datacenter for a multinational corporation, Dave has seen many environments throughout the
years. Focusing on web sites and search engine optimization the last few years, with the release of Server
2008 it has renewed his passion for the Wintel platform and server technologies. David also runs WindowsServer-Training.com where he posts free videos and walk-throughs for a variety of server technologies. David
currently works as a freelance technical consultant and writer for a variety of companies in the Chicago area.
Author's Website: http://www.DaveLawlor.com (http://www.DaveLawlor.com)

09-02-2015 16:03
