How to Deploy an Enterprise Certification Authority Root Server on Microsoft Server 2019

If you need certificates for your internal websites, applications, wireless network or pilot lab test, having an internal enterprise authority server is a good choice. Today, I am going to show you how to deploy an Enterprise Authority root server on Microsoft Windows server 2019. This is the simple way to have a certificate service for Internal and easy to maintain but it maybe not a good best practice, if you need the certificate service is deployed securely, you need to consider deploying Two-Tier (or more) PKI Hierarchy (at least a Root CA server and a subordinate server), I will show you how to deploy them for future post.

1. Login to windows server 2019 (this is a member server of domain) via member of enterprise admins.
2. On the Server Manager page, click Manager and select Add Roles and Features.

   

3. On the Before you begin page, click Next.

   

4. On the Installation Type page, select Role-based or features-based installation, click Next.

   

5. On the Server Selection page, select the CA server and click Next.

   

6. On the Server Roles page, select Active Directory Certificate Services, click Next.

   

7. On the Add Features that are required for Active Directory Certificate Services? page, click Add Features.

   

8. Click Next on the Server Roles page.

   

9. On the Features page, click Next.

   

10. On the Active Directory Certificate Services page, click Next.

    

11. On the Select role services page, select Certification Authority and Certification Authority Web Enrollment, click Next.

    

12. On the Add features that are required for Certification Authority Web Enrollment? page, click Add Features.

    

13. Click Next on the Select role services.

    

14. On the Web Server Role (IIS) page, click Next.

    

15. On the Select role services page, click Next.

    

16. On the Confirm installation selections page, select Restart the destination server automatically if required, click Yes on the warning message.

    

17. On the Confirm installation selections page, click Install.

    

18. Click Configure Active Directory Certificate Services on the destination server after Features installation completed.

    

19. On the Credentials page, make you select the credential is a member of local Administrators group and Enterprise Admins group, click Next.

    

20. On the Role Services page, select Certification Authority and Certification Authority Web Enrollment, click Next.

    

21. On the Setup Type page, select Enterprise CA, click Next.

    

22. On the CA Type page, select Root CA, click Next.

    

23. On the Private Key page, select Create a new private key (because this is no existing CA server), click Next.

    

24. On the Cryptography for CA page, select 4096 as key length (windows server 2019 supports 4096 now) and select SHA256 as hash algorithm, click Next.

    

25. On the CA Name page, keep the Default settings, click Next.

    

26. On the Validity Period page, keep the default 5 years settings, click Next.

    

27. On the CA Database page, click Next.

    

28. On the Confirmation page, click Configure.

    

29. On the Results page, make sure Configuration succeeded, click Close.

    

30. On the Installation progress page, click Close.

    

31. On the Server Manager page, select Tools and click Certification Authority.

    

32. You will see the Certification Authority up and running now.

    

Hope you enjoy this post.

Cary Sun

Twitter: @SifuSun

Author: Cary Sun

Cary Sun has a wealth of knowledge and expertise in data center and deployment solutions. As a Principal Consultant, he likely works closely with clients to help them design, implement, and manage their data center infrastructure and deployment strategies.
With his background in data center solutions, Cary Sun may have experience in server and storage virtualization, network design and optimization, backup and disaster recovery planning, and security and compliance management. He holds CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) from 1999. Cary is also a Microsoft Most Valuable Professional (MVP), Microsoft Azure MVP, Veeam Vanguard and Cisco Champion. He is a published author with several titles, including blogs on Checkyourlogs.net, and the author of many books.
Cary is a very active blogger at checkyourlogs.net and is permanently available online for questions from the community. His passion for technology is contagious, improving everyone around him at what they do.

Blog site: https://www.checkyourlogs.net
Web site: https://carysun.com
Blog site: https://gooddealmart.com
Twitter: @SifuSun
in: https://www.linkedin.com/in/sifusun/
Amazon Author: https://Amazon.com/author/carysun