-
Join a machine to the domain and log in as a user with administrative privileges
-
Select Start and select Server Manager to open Server Manager. Select Manage, then select Add Roles & Features
Figure 67: Server Manager window
-
The Before you begin window opens. Select Next
Figure 68: Before You Begin window
-
On the Select installation type window, make sure the default Role or Feature Based Installation is selected. Click Next
Figure 69: Select Installation Type window
-
On Server selection, select a server from the server pool. Click Next
Figure 70: Select Destination Server window
-
On the Select server roles window, select the Active Directory Certificate Services role
Figure 71: Select Destination Server window
-
When prompted to install Remote Server Administration Tools, select Add Features. Click Next
-
On the Select features window, click Next
-
On the Active Directory Certificate Services window, click Next
Figure 72: Active Directory Certificate Services window
-
On the Select role services window, the Certification Authority role is selected by default. Click Next
Figure 73: Select Role Services window
-
On the Confirm installation selections window, verify the information then click Install
Figure 74: Confirm Installation Selections window
-
When the installation is complete, select the Configure Active Directory Certificate Services on the destination server link
Figure 75: Installation Progress window
-
On the Credentials window, make sure that Administrator’s credentials are displayed in the Credentials box. If not, select Change and specify the appropriate credentials. Click Next
Figure 76: Credentials window
-
On the Role Services window, select Certification Authority. This is the only available selection when the certification authority role is installed on the server. Click Next
Figure 77: Credentials window
-
On the Setup Type window, select the appropriate CA setup type for your requirements. Click Next
Figure 78: Setup Type window
-
On the CA Type window, Root CA is selected by default. Click Next
Figure 79: CA Type window
-
On the Private Key window, leave the default selection, Create a new private key, selected. Click Next
Figure 80: Private Key window
-
On the Cryptography for CA window, select the appropriate Microsoft cryptographic provider along with the key type, key length, and suitable hash algorithm and click Next
Figure 81: Cryptography for CA window
-
On the CA Name window, give the appropriate CA name. Click Next
Figure 82: CA Name window
-
On the Validity Period window, enter the number of years for the certificate to be valid. Click Next
Figure 83: Validity Period window
-
On the CA Database window, leave the default locations for the database and database log files. Click Next
Figure 84: CA Database window
-
On the Confirmation window, click Configure
Figure 85: Confirmation window
-
Click Close to exit the AD CS Configuration wizard after viewing the installation results. A private key for the CA will be generated and stored on the HSM
Figure 86: Results window
-
Open a command prompt and run the following command to verify that the service is running:
-
Open a command prompt and run the following command to verify the CA key:
If you are using smartcard authentication, the PIN pad device prompts you to insert the smartcard and enter the PIN. Then press the OK button on the PIN pad.
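The post-install checks can also be scripted so that a CA whose key ended up in a software provider instead of on the HSM is caught immediately. The following PowerShell is an added example, not part of the original guide or the vendor's tooling: it uses Get-Service, the CertSvc registry configuration and certutil -verifykeys, which are this example's choices rather than commands taken from the page. The provider name is a placeholder you must replace with the provider selected on the Cryptography for CA window.

```powershell
# Added example: run in an elevated PowerShell session on the CA server.
# ASSUMPTION: placeholder value; set it to the HSM vendor's provider name
# exactly as it was selected on the "Cryptography for CA" window.
$ExpectedProvider = '<HSM provider name>'
$failures = @()

# 1. The Active Directory Certificate Services service (CertSvc) must be running.
$svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $failures += 'CertSvc is not running'
}

# 2. Read the active CA's cryptographic provider settings from the registry.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -ErrorAction SilentlyContinue).Active
if (-not $caName) {
    $failures += 'No active CA configuration found'
} else {
    $csp = Get-ItemProperty -Path (Join-Path $cfgRoot "$caName\CSP")
    "CA name  : $caName"
    "Provider : $($csp.Provider)"
    "Hash     : $($csp.CNGHashAlgorithm)"

    # The default software provider means the key is on local disk, not on the HSM.
    if ($csp.Provider -eq 'Microsoft Software Key Storage Provider') {
        $failures += 'CA key was created in the Microsoft software provider'
    } elseif ($csp.Provider -ne $ExpectedProvider) {
        $failures += "Provider '$($csp.Provider)' is not '$ExpectedProvider'"
    }
}

# 3. Have certutil verify the CA key set. This exercises the private key, so
#    with smartcard authentication expect the PIN pad prompt at this point.
& certutil.exe -verifykeys
if ($LASTEXITCODE -ne 0) {
    $failures += "certutil -verifykeys failed (exit code $LASTEXITCODE)"
}

# Report every failed check and return a non-zero exit code for automation.
if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
'All CA service and key checks passed.'
```

A mismatch in step 2 is worth treating as a failed build of the CA rather than something to fix in place, because a key generated in software has already existed outside the HSM.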