Install Microsoft Windows Server Active Directory Certificate Services

In this guide, we describe how to install ADCS via PowerShell. Thus, you can use this guide for GUI as well as core installations. For other methods of installing ADCS, please check the Microsoft TechNet website.

Managing the private key ACL is not possible in a pure core installation of Microsoft Windows Server. Please follow the instructions to install ADCS.

  1. Open a PowerShell with administrator rights.

  2. Install the new role Adcs-Cert-Authority.

›_ PowerShell

PS C:\>Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

  3. Now, install the certification authority. Adjust all parameters to your installation. A complete description of all the parameters can be found in the TechNet documentation library.


Parameter Set: NewKeyParameterSet
Install-AdcsCertificationAuthority
[-AllowAdministratorInteraction]
[-CACommonName <String> ]
[-CADistinguishedNameSuffix <String> ]
[-CAType <CAType> ]
[-Credential <PSCredential> ]
[-CryptoProviderName <String> ]
[-DatabaseDirectory <String> ]
[-Force]
[-HashAlgorithmName <String> ]
[-IgnoreUnicode]
[-KeyLength <Int32> ]
[-LogDirectory <String> ]
[-OutputCertRequestFile <String> ]
[-OverwriteExistingCAinDS]
[-OverwriteExistingDatabase]
[-OverwriteExistingKey]
[-ParentCA <String> ]
[-ValidityPeriod <ValidityPeriod> ]
[-ValidityPeriodUnits <Int32> ]
[-Confirm]
[-WhatIf]
[ <CommonParameters>]

In this case we install ADCS with a new key and a new certificate. The following command is an example of how to install ADCS.

Be sure that you use one of the following Utimaco providers:

  • RSA#Utimaco Cryptoserver Key Storage Provider

  • ECDSA_P256#Utimaco Cryptoserver Key Storage Provider

  • ECDSA_P384#Utimaco Cryptoserver Key Storage Provider

  • ECDSA_P521#Utimaco Cryptoserver Key Storage Provider

›_ PowerShell

PS C:\>Install-AdcsCertificationAuthority -AllowAdministratorInteraction `
-CACommonName rootca.hsm.local -CAType EnterpriseRootCA `
-CryptoProviderName "RSA#Utimaco Cryptoserver Key Storage Provider" `
-HashAlgorithmName SHA512 -KeyLength 4096 -ValidityPeriod Years `
-ValidityPeriodUnits 5

  4. Start the certificate authority service.

›_ PowerShell

PS C:\>Start-Service CertSvc
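
To confirm that the CA key is bound to the HSM provider rather than a software provider, the following added example (not part of the original guide or of Utimaco's tooling) checks that the KSP is registered before step 3 and reads back the provider the CA is configured with after step 4. The function names are hypothetical; the provider name is the one listed above without its algorithm prefix, and the registry path is the standard CertSvc configuration key.

```powershell
# Added example. Run in an elevated PowerShell on the CA host.
# Provider name as written in this guide, without the "RSA#" / "ECDSA_Pxxx#" prefix.
$KspName = 'Utimaco Cryptoserver Key Storage Provider'

function Test-KspRegistered {
    # Before step 3: the KSP must be in the list of registered providers,
    # otherwise the CA key cannot be created on the HSM.
    param([string]$Name = $KspName)
    $listing = & certutil.exe -csplist 2>&1
    return [bool]($listing | Select-String -SimpleMatch $Name)
}

function Get-CaKeyProvider {
    # After step 4: read what the installed CA is actually configured to use.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -LiteralPath $cfg -Name Active).Active
    $csp    = Get-ItemProperty -LiteralPath (Join-Path $cfg "$active\CSP")
    [pscustomobject]@{
        CAName        = $active
        Provider      = $csp.Provider
        KeyAlgorithm  = $csp.CNGPublicKeyAlgorithm
        HashAlgorithm = $csp.CNGHashAlgorithm
    }
}

function Assert-CaUsesHsm {
    # Fails loudly if the CA ended up on a different provider than expected.
    param([string]$Name = $KspName)
    $ca = Get-CaKeyProvider
    if ($ca.Provider -notlike "*$Name*") {
        throw "CA '$($ca.CAName)' uses provider '$($ca.Provider)', expected '$Name'."
    }
    if ((Get-Service -Name CertSvc).Status -ne 'Running') {
        throw "CertSvc is not running; the CA cannot reach its key."
    }
    return $ca
}

# Usage:
#   if (-not (Test-KspRegistered)) { throw "Utimaco KSP is not registered." }   # before step 3
#   Assert-CaUsesHsm | Format-List                                               # after step 4
```

For the example installation above, the returned object should show the Utimaco provider with KeyAlgorithm RSA and HashAlgorithm SHA512.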