A properly configured and maintained Certificate Authority will help you a great deal with certificate management in your Active Directory environment. On many occasions it can also save money on public certificates and provide security within AD.
!! If you are migrating the CA between servers, start with point 2 and then go back to point 1 🙂
1. Install Certificate Authority (CA)
1.1 Active Directory Certificate Services is the first role on the list (impossible to miss). Just open Server Manager and Add Role.
1.2 From my personal experience it is always good to install the Certification Authority Web Enrollment feature as well. Of course you can use certutil and the Certification Authority MMC, but sometimes it is easier and faster to use Web Enrollment to generate a certificate from the template you select. This feature requires IIS.
1.3 Go back to Server Manager and, from the notification flag, open the post-deployment configuration.
1.4 Proceed with the configuration wizard.
1.4.1 Provide the CA role services account.
1.4.2 Select Certification Authority to configure, plus Certification Authority Web Enrollment if you installed it.
1.4.3 Specify the CA type. In this example, since we are providing it within AD, we select Enterprise CA.
1.4.4 Specify the CA level; in this scenario, Root CA.
1.4.5 This step is very important and depends on whether you are migrating a Certificate Authority or performing a fresh installation.
If this is a new CA, just select Create a new private key.
If you are migrating the CA and plan to restore a previously created backup, select Use existing private key, choose Select a certificate and use its previously issued certificate when reinstalling the CA, and go to point 1.4.7.
1.4.6 Provide the cryptography options, the certificate name (usually Hostname-CA), the validity period and the folder path, then skip to point 1.4.9.
1.4.7 Import the certificate backup and provide the certificate password.
1.4.8 Select the imported certificate and finish the configuration wizard.
2. Backup Certificate Authority for Migration
2.1 Open the Certification Authority MMC.
2.2 From the context menu select All Tasks -> Back up CA.
2.3 Select Private key and CA certificate as well as Certificate database and certificate database log.
2.4 Provide the access password (you will need it again when restoring).
2.5 Export the CA configuration: open regedit and export the whole Configuration key (HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration).
2.6 Uninstall the Active Directory Certificate Services role from the server.
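The same backup (steps 2.3 to 2.5) can be scripted so nothing is forgotten before the role is uninstalled. This is an added example, not from the original post: it uses the ADCSAdministration module that ships with the AD CS role, and the backup folder path is an assumption.

```powershell
# Added example: scripted CA backup for migration (steps 2.3 - 2.5).
# $BackupDir is an assumed path; copy the folder off the server when done.
$BackupDir = 'C:\CABackup'
Import-Module ADCSAdministration

# 2.4 Password protecting the exported private key; required again at restore.
$BackupPassword = Read-Host -Prompt 'Backup password' -AsSecureString
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 2.3 Private key + CA certificate (PFX) and the database with its logs.
Backup-CARoleService -Path $BackupDir -Password $BackupPassword -Force

# 2.5 Whole CertSvc Configuration key: CRL/AIA paths, validity settings and the
# CSP/KSP that holds the key. Without it the restored CA gets default settings.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    "$BackupDir\CAConfig.reg" /y

# Templates published on this Enterprise CA are not in the registry export;
# keep the list so the same templates can be re-published after migration.
certutil -catemplates | Out-File "$BackupDir\CATemplates.txt"

# Sanity check before uninstalling anything: key bundle, registry export and
# database must exist and be non-empty.
$pfx = Get-ChildItem $BackupDir -Filter *.p12 | Where-Object Length -gt 0
$edb = Get-ChildItem $BackupDir -Recurse -Filter *.edb | Where-Object Length -gt 0
$reg = Get-Item "$BackupDir\CAConfig.reg" -ErrorAction SilentlyContinue
if (-not $pfx) { throw 'Backup incomplete: CA key/certificate (.p12) missing' }
if (-not $edb) { throw 'Backup incomplete: CA database (.edb) missing' }
if (-not $reg -or $reg.Length -eq 0) { throw 'Backup incomplete: CAConfig.reg missing' }
Write-Host "CA backup verified in $BackupDir - copy it to the new server before step 2.6"
```

Restore on the new server with Restore-CARoleService from the same module, then import CAConfig.reg before starting the CertSvc service.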
3. Locate Certificate Authority server
Open an elevated command prompt and type the following (don't miss the lone hyphen between -config and -ping; it tells certutil to prompt for the CA instead of using a configured one):
certutil -config - -ping
You will get a popup with the list of CAs in the domain and their corresponding host names.