Creating an Active Directory Certificate Authority

This is a simple tutorial for folks starting off with Active Directory. It focuses on creating a Certificate Authority for internal use, and leads into later articles that build on it to distribute certificates to Macs and iOS devices with Jamf Pro.


  1. A Windows Server VM joined to an Active Directory Domain.
    • OR an existing Windows Server VM. You don’t need to have each service on its own VM in a test environment.
  2. Enable Remote Desktop on the server.
    • Search “Remote Desktop Settings”, then toggle the radio button to enable remote desktop.
  3. Knowledge of installing Windows server roles.

Adding the Active Directory Certificate Services role

  1. Connect to your Windows Server and open Server Manager if it’s not opened automatically.
  2. Once loaded, click Manage in the top right corner, then click Add Roles and Features.
  3. Advance through the Before you begin section.
  4. Ensure Role or feature based installation is selected, then advance through the Installation Type section.
  5. Ensure that the correct server name and IP address are selected in the Server Selection section, then advance through this section.
  6. Select Active Directory Certificate Services in the list of Roles.
  7. Click Add Features on the pop-up window, then advance through the Server Roles section.
  8. Leave the default options checked under Features, then advance through that section.
  9. Advance through the AD CS section.
  10. Select Certification Authority in the Role Services section, then advance through the section.
    • Other role services can be selected here if so desired, but I’m making a root CA and do not want these role services on my root CA.
  11. Select Restart the destination server automatically if required and confirm the selection, then click Install.
  12. Once finished, click Close.

Configure Active Directory Certificate Authority

  1. In Server Manager, you’ll now see a notification has come up.
  2. Click on the notifications flag, then click Configure Active Directory Certificate Services on the destination server.
  3. Verify that your administrator account or Active Directory user account meets the installation criteria, then proceed to the next screen.
    • The installer will not proceed until an acceptable account authenticates.
  4. Select Certification Authority under Role Services and wait a few seconds before you can move to the next screen.
  5. Ensure Enterprise CA is selected, then move forward to the next screen.
  6. Select the appropriate CA type. For this guide, we are configuring a root CA.
    • Once a root CA is configured, you can choose to create a subordinate CA on another Windows Server VM joined to the domain.
  7. Proceed with the default option to Create a new private key.
  8. Keep the default Cryptography settings, then proceed to the next section.
  9. Specify a common name for the CA.
    • This can be anything you want, but I like to be descriptive.
  10. Specify a validity period for the certificate generated for this CA.
    • It’s recommended by Microsoft to leave this at the default value of 5 years.
  11. Keep the default log settings, then move to the next section.
  12. Click Configure to finish configuring the CA.
  13. Once finished, click Close.

Congratulations, you now have an Active Directory Certificate Authority!
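The same role installation and CA configuration can be scripted, which makes the choices above repeatable and reviewable. The PowerShell below is an added example, not part of the original tutorial: the CA common name is a placeholder, and it assumes an elevated session on the domain-joined server under an account in Enterprise Admins.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the two wizard walkthroughs above.
$ErrorActionPreference = 'Stop'

# Placeholder name (assumption); pick something descriptive for your lab.
$CaCommonName = 'Example Lab Root CA'

# Pre-checks matching the wizard's credential screen: an Enterprise CA needs a
# domain-joined server and an account in Enterprise Admins (group RID 519).
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw 'This server is not joined to an Active Directory domain.'
}
$groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups
if (-not ($groups | Where-Object { $_.Value -match '^S-1-5-21-.*-519$' })) {
    throw 'Current account is not a member of Enterprise Admins.'
}

# Add only the Certification Authority role service, as in the first walkthrough.
# No other AD CS role services are installed on the root CA.
$result = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server, then run this script again to configure the CA.'
    return
}

# Configure an Enterprise root CA. Leaving out the key and cryptography
# parameters keeps the defaults: a new private key with the default provider,
# key length and hash algorithm. Database and log paths also stay at defaults.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCa `
    -CACommonName $CaCommonName `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# Verify: the CA service should be running and answer a ping on its interface.
Get-Service -Name CertSvc | Select-Object -Property Name, Status, StartType
certutil -ping
```

Adding `-WhatIf` to `Install-AdcsCertificationAuthority` shows the settings that would be applied without creating the CA.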
