Breadcrumbs

Installing AD CS with Locally Stored Primary Key

  1. Join a machine to the Domain and log in as a user with Administrative privileges.

  2. Select Start and select Server Manager to open Server Manager. Select Manage, then select Add Roles & Features.

image-20250805-084103.png


"Server Manager" Window

  1. The Before you begin window opens. Select Next.

image-20250805-084125.png


"Before You Begin" Window

  1. On the Select installation type window, make sure the default Role or Feature Based Installation is selected. Click Next.

image-20250805-084145.png


"Select Installation Type" Window

  1. On Server selection, select a server from the server pool. Click Next.

image-20250805-084201.png


"Select Destination Server" Window

  1. On the Select server roles window, select the Active Directory Certificate Services role.

image-20250805-084229.png


"Select Server Roles" Window

  1. When prompted to install Remote Server Administration Tools, select Add Features. Click Next.

  2. On the Select features window, click Next.

  3. On the Active Directory Certificate Services window, click Next.

image-20250805-084307.png


"Active Directory Certificate Services" Window

  1. On the Select role services window, the Certification Authority role is selected by default. Click Next.

image-20250805-084321.png


"Select Role Services" Window

  1. On the Confirm installation selections window, verify the information, then click Install.

image-20250805-084338.png


"Confirm Installation Selections" Window

  1. When the installation is complete, select the Configure Active Directory Certificate Services on the destination server link.

image-20250805-085157.png


"Installation Progress" Window

  1. On the Credentials window, make sure that the Administrator’s credentials are displayed in the Credentials box. If not, select Change and specify the appropriate credentials. Click Next.

image-20250805-085216.png


"Credentials" Window

  1. On the Role Services window, select Certification Authority. This is the only available selection when the certification authority role is installed on the server. Click Next.

image-20250805-085227.png


"Select Roles to configure" Window

  1. On the Setup Type window, select the appropriate CA setup type for your requirements. Click Next.

image-20250805-085242.png


"Setup Type" Window

  1. On the CA Type window, Root CA is selected by default. Click Next.

image-20250805-085300.png


"CA Type" Window

  1. On the Private Key window, leave the default selection to Create a new private key selected. Click Next.

image-20250805-085314.png


"Private Key" Window

  1. On the Cryptography for CA window, select the appropriate Microsoft cryptographic provider along with the key type, key length, and suitable hash algorithm. Click Next.

image-20250805-085332.png


"Cryptography for CA" Window

  1. On the CA Name window, give the appropriate CA name. Click Next.

image-20250805-085401.png


"CA Name" Window

  1. On the Validity Period window, enter the number of years for the certificate to be valid. Click Next.

image-20250805-085417.png


"Validity Period" Window

  1. On the CA Database window, leave the default locations for the database and database log files. Click Next.

image-20250805-085434.png


"CA Database" Window

  1. On the Confirmation window, click Configure.

image-20250805-085448.png


"Confirmation" Window

  1. Click Close to exit the AD CS Configuration wizard after viewing the installation results. A private key for the CA will be generated and stored on the HSM.

image-20250805-085501.png


"Results" Window

24. Open a command prompt and run the following command to verify that the service is running:

›_ Console

 
sc query certsvc

  1. Open a command prompt and run the following command to verify the CA key:

›_ Console

 
certutil –verifykeys

If you are using smartcard authentication, the prompt will appear on the PIN Pad device to insert the smartcard and enter the PIN. Then, press the OK button on the PIN Pad.