Install and configure the Certificate Authority in Windows Server 2016

Dear friends, today I will show you how to install the Root Certificate Authority role in Windows Server 2016. I am sure many of you who are Windows system admins have installed this role many times in the past on various versions of Windows Server. The same is true for me; however, this is my first installation on Windows Server 2016, and I have found that not much has changed in Windows Server 2016.

First, go to AD CS Configuration.

Click Next and select the following role services that we need to configure.

The first one is Certificate Authority and the second one is Certificate Authority Web Enrollment.

Once you click Next, you will find the Enterprise CA option. Since this will be the Enterprise CA on my domain controller, I have decided to choose the first option; with the help of this CA I can assign certificates to my domain objects.

The next step is to select Root CA. Since this is the first CA of this enterprise, I have chosen Root CA.

In the next step I have to create a new private key.

In this step I need to select a cryptographic provider for this certificate. I have chosen SHA1 as the cryptographic provider.

In the next step I need to specify the name of my Certificate Authority.

In this step I need to specify the validity period for the certificate generated by this CA.

In this step we need to specify the database location paths where the certificate database will be stored.

In this step we need to click the Configure button to configure the Certificate Authority.

This message shows that the CA has been configured successfully.
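The CA steps above can also be scripted with the ADCSDeployment PowerShell cmdlets; the following is an added example, not part of the original post. The CA name, key length, validity period and paths are assumed placeholder values, and the script sets the signature hash to SHA256 where the walkthrough selected SHA1, because SHA-1 is deprecated for certificate signatures.

```powershell
# Added example: scripted equivalent of the wizard's CA steps.
# Run in an elevated session with Enterprise Admin rights.
# Every value in this block is an assumed placeholder, not taken from the post.
$caName     = 'Example-Root-CA'               # hypothetical CA common name
$hash       = 'SHA256'                        # the wizard run above selected SHA1
$keyLength  = 4096                            # assumed key length
$validYears = 10                              # assumed CA certificate validity
$dbPath     = 'C:\Windows\System32\CertLog'   # wizard default database location

# Role services: Certification Authority and CA Web Enrollment
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Enterprise CA, Root CA, new private key, provider and hash,
# CA name, validity period, database location (same order as the wizard)
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = $keyLength
    HashAlgorithmName   = $hash
    CACommonName        = $caName
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = $validYears
    DatabaseDirectory   = $dbPath
    LogDirectory        = $dbPath
}
Install-AdcsCertificationAuthority @caParams -Force

# Configure the web enrollment pages on the same server
Install-AdcsWebEnrollment -Force

# Check 1: the hash the CA will use when signing issued certificates
certutil -getreg ca\csp\CNGHashAlgorithm

# Check 2: the signature algorithm on the new root certificate itself
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$caName*" } |
    Select-Object -First 1
if (-not $caCert) {
    Write-Warning "No certificate with CN=$caName found in LocalMachine\My"
} elseif ($caCert.SignatureAlgorithm.FriendlyName -notmatch $hash) {
    Write-Warning "CA certificate is signed with $($caCert.SignatureAlgorithm.FriendlyName)"
} else {
    "CA certificate signed with $($caCert.SignatureAlgorithm.FriendlyName)"
}
```

On a CA that was already built with SHA1, the first check prints `SHA1`; the signing hash for newly issued certificates can be changed with `certutil -setreg ca\csp\CNGHashAlgorithm SHA256` followed by a restart of the `certsvc` service.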

Now I have decided to install the Certificate Authority Web Enrollment Service.

In this step we need to choose the Certificate Enrollment Web Services.

Now click Next to specify the authentication type for the Web Enrollment.

In this step we need to specify the service account which we will use to request the certificates.

I have created a service account called the CertAdmin in my domain which I have decided

There is a prerequisite which I had not taken care of, so I got the error below.

I have added the service account as a member of the IIS_IUSRS group.

Now it has bypassed the error. In this step we have to choose a Server Authentication Certificate.

The next step is to confirm all the steps taken so far.

Finally, you can see the results as shown here.

That's all; the Certificate Authority has been installed on this server. I hope you have enjoyed this post. Stay tuned for more posts on Windows Server and Azure in the future.