Archiwa miesięczne: Wrzesień 2015

Microsoft Windows Server – Certificate Authority – Install, Locate and Migrate

Properly configured and maintain Certificate Authority will help You great deal with Certificates Management in Your Active Directory Environment. And Can in many occasions save money on Public Certificates and provide security within AD.

!! If you migrate CA between Server start with point 2 and get back to point 1 🙂

1. Install Certificate Authority (CA)

1.1 Active Dierectory Certificate Authority is a first Role on the list (impossible to miss). Just open Server Manager and Add Role

1.2 From my personal experience it is always good to install Certificate Authority Web Enrollemnt feature. Of course You can use certutil and Certificate Authority MMC but sometimes it is easier and faster to use Web Enrollment to generate Certificate using template you select. This Feature will required IIS.

1.3 Go back to Server Manager and on information Flag enter post deployment Configuration.

1.4 Proceed with Configuration wizard.

1.4.1 Provide CA Rool services Account

1.4.2 Select Configuration Certificate Authority and if u selected Certificate Authority Web Enrollment.

1.4.3 Specific CA type. In this example since we are providing it within CA we select Enterprise CA

1.4.4 Specific CA level in this scenario Root CA

1.4.5 This step is very important and depends if you Migrate Certificate Authority or perform Fresh Installation

If this is new CA just select Creat a new private key

If you migrate CA and plan to restore previously created Backup select Use Existing private key and Select a certficaten and us its previously issued certificates when reinstalling CA and go to point 1.4.7

New CA

1.4.6 Provide Cryptography options and Certificate Name (usually Hostname-CA), Validity Period and folder path. and skip to point 1.4.9

Restor CA

1.4.7 Import Certificate Backup and provide certificate authentication

1.4.8 Select imported certificate and finish the configuration wizard.

1.4.9 Now You CA should be available. Check it by opening Certificate Authority MMC and also see if Cert Web Enrollemnt is accessible. http://<server_fqnd>/certsvr (http://localhost/certsrv/)

2. Backup Certificate Authority for Migration

Open Certificate Authority MMC

2.2 Fom Context menu select All Task -> Back up CA

2.3 Select Private key and CA certificates as well as Certificate database and certificate database log

2.4 Provide access password.

2.5 Export CA configuration – open regedit and export whole Configuration key


2.5 Uninstall Active Directory Certificate Authority Role form server

3. Locate Certificate Authority server

Open elevated command prompt and type (don’t miss double minus)

certutil -config – -ping

You will get Popup with list of CA in Domain and correspondent host names.


Maciek Jędryszek