If you need certificates for your internal websites, applications, wireless network or a pilot lab test, an internal enterprise certificate authority server is a good choice. Today, I am going to show you how to deploy an Enterprise root certificate authority server on Microsoft Windows Server 2019. This is a simple way to get a certificate service for internal use that is easy to maintain, but it may not be best practice: if you need the certificate service to be deployed securely, consider deploying a Two-Tier (or more) PKI Hierarchy (at least a Root CA server and a subordinate server). I will show you how to deploy one in a future post.

  1. Log in to the Windows Server 2019 machine (a member server of the domain) with an account that is a member of Enterprise Admins.
  2. On the Server Manager page, click Manage and select Add Roles and Features.

  3. On the Before you begin page, click Next.

  4. On the Installation Type page, select Role-based or feature-based installation, click Next.

  5. On the Server Selection page, select the CA server and click Next.

  6. On the Server Roles page, select Active Directory Certificate Services, click Next.

  7. On the Add Features that are required for Active Directory Certificate Services? page, click Add Features.

  8. Click Next on the Server Roles page.

  9. On the Features page, click Next.

  10. On the Active Directory Certificate Services page, click Next.

  11. On the Select role services page, select Certification Authority and Certification Authority Web Enrollment, click Next.

  12. On the Add features that are required for Certification Authority Web Enrollment? page, click Add Features.

  13. On the Select role services page, click Next.

  14. On the Web Server Role (IIS) page, click Next.

  15. On the Select role services page, click Next.

  16. On the Confirm installation selections page, select Restart the destination server automatically if required, click Yes on the warning message.

  17. On the Confirm installation selections page, click Install.

  18. After the feature installation completes, click Configure Active Directory Certificate Services on the destination server.

  19. On the Credentials page, make sure the credential you select is a member of the local Administrators group and the Enterprise Admins group, click Next.

  20. On the Role Services page, select Certification Authority and Certification Authority Web Enrollment, click Next.

  21. On the Setup Type page, select Enterprise CA, click Next.

  22. On the CA Type page, select Root CA, click Next.

  23. On the Private Key page, select Create a new private key (because there is no existing CA server), click Next.

  24. On the Cryptography for CA page, select 4096 as the key length (Windows Server 2019 supports 4096 now) and select SHA256 as the hash algorithm, click Next.

  25. On the CA Name page, keep the default settings, click Next.

  26. On the Validity Period page, keep the default 5-year setting, click Next.

  27. On the CA Database page, click Next.

  28. On the Confirmation page, click Configure.

  29. On the Results page, make sure it shows Configuration succeeded, click Close.

  30. On the Installation progress page, click Close.

  31. On the Server Manager page, select Tools and click Certification Authority.

  32. You will see the Certification Authority up and running now.
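
The same deployment can be scripted. The following is an added example, not part of the original walkthrough: it applies the wizard choices from steps 4 to 30 with the ADCS deployment cmdlets, then reads back the root certificate to confirm the key length, hash algorithm and validity. It assumes an elevated Windows PowerShell session on the member server and uses a scratch file path chosen for illustration; the CA name, crypto provider and database paths are left at their defaults, as in the steps above.

```powershell
# Added example: scripted equivalent of the wizard choices above.
# Run in an elevated Windows PowerShell session on the member server.
$ErrorActionPreference = 'Stop'

# Steps 1 and 19 prerequisites: domain member, local admin, Enterprise Admins.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'This server is not joined to a domain.'
}
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Session is not elevated or the account is not a local administrator.'
}
if (-not (whoami /groups | Select-String -SimpleMatch 'Enterprise Admins')) {
    throw 'Current account is not a member of Enterprise Admins.'
}

# Steps 4-17: install the two role services plus the management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Steps 18-30: Enterprise CA, Root CA, new 4096-bit key, SHA256, 5 years.
# CA name, crypto provider and database paths are left at their defaults.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force
Install-AdcsWebEnrollment -Force

# Steps 31-32: confirm the service is running and the CA answers requests.
Get-Service -Name CertSvc | Format-List Name, Status
certutil -ping

# Read back the root certificate and compare it with steps 24 and 26.
$out = Join-Path $env:TEMP 'root-ca-check.cer'   # assumed scratch path
certutil -f -ca.cert $out | Out-Null
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($out)
[pscustomobject]@{
    Subject   = $cert.Subject
    KeyBits   = $cert.PublicKey.Key.KeySize
    Signature = $cert.SignatureAlgorithm.FriendlyName
    NotAfter  = $cert.NotAfter
}
```
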

Hope you enjoy this post.

Cary Sun

Twitter: @SifuSun