A Windows Server Certificate Authority (CA) lets you issue and manage SSL certificates internally — for internal websites, encrypted RDP connections, Wi-Fi authentication, and code signing. This guide covers installing Active Directory Certificate Services, issuing your first certificate, and distributing the root certificate to clients so they trust it automatically.
Why Run Your Own CA
Public certificate authorities charge per certificate and require domain validation. An internal CA lets you issue certificates for any internal hostname, including servers not publicly accessible. Once your CA root certificate is trusted by clients (pushed via Group Policy), every certificate you issue is trusted automatically — no browser warnings.
Enterprise CA vs Standalone CA
- Enterprise CA — integrated with Active Directory. Can auto-enrol certificates to domain computers and users. This is the right choice for most domain environments.
- Standalone CA — no AD integration. Suitable for DMZ servers or issuing certificates in environments without AD.
This guide covers the Enterprise CA setup, which is the most common and most powerful option.
Installing Active Directory Certificate Services
Install on a domain member server (ideally not a domain controller):
Install-WindowsFeature AD-Certificate, ADCS-Cert-Authority, ADCS-Web-Enrollment, RSAT-ADCS
After installation, configure the CA:
- In Server Manager, click the notification flag → Configure Active Directory Certificate Services
- Use domain admin credentials
- Select Certification Authority and optionally Certification Authority Web Enrollment
- Select Enterprise CA
- Select Root CA (this is your first CA — if you already have a root, choose Subordinate)
- Select Create a new private key
- Choose a key length of RSA 2048 (minimum) or 4096, and SHA-256 as the hash algorithm
- Set a CA common name (e.g. CompanyName-CA)
- Set validity period — 5 years is typical for an internal root CA
- Accept default certificate database locations
- Click Configure
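The same Enterprise Root CA configuration, scripted instead of clicked through Server Manager. This is an added example, not part of the original guide; it uses the ADCSDeployment module that ships with the role, and the CA name CompanyName-CA is an assumed value. Run it as a domain admin on the member server after the Install-WindowsFeature command above.

```powershell
# Added example: Enterprise Root CA setup via the ADCSDeployment module.
# Mirrors the wizard choices above: Enterprise CA, Root CA, new RSA 4096 key,
# SHA-256, 5-year validity, default database locations.
# "CompanyName-CA" is an assumed name; replace it with your own.

Import-Module ADCSDeployment

$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'   # key stored in the KSP
    KeyLength           = 4096
    HashAlgorithmName   = 'SHA256'
    CACommonName        = 'CompanyName-CA'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
    Force               = $true    # suppress the confirmation prompt
}
Install-AdcsCertificationAuthority @caParams

# Optional: the web enrollment pages (http://<server>/certsrv)
Install-AdcsWebEnrollment -Force

# Verify: the service is running and the self-signed root matches the settings above
Get-Service CertSvc | Select-Object Name, Status

$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=CompanyName-CA*' -and $_.Subject -eq $_.Issuer }

$caCert | Select-Object Subject, NotBefore, NotAfter, Thumbprint,
    @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
```

Expect the signature algorithm to show as sha256RSA and NotAfter to be five years out; if either differs, the wrong parameters were applied and it is far cheaper to tear the CA down and redo it now than after certificates have been issued against it.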
Distributing the Root Certificate
Domain computers will automatically trust your new CA because setup pushes the root certificate to the NTAuth store in AD. However, verify it’s deployed via Group Policy:
- Open Group Policy Management
- Edit the Default Domain Policy
- Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Root Certification Authorities
- Import your CA certificate here if it’s not already present
Once applied, all domain computers will trust certificates signed by your CA — no browser warnings.
Certificate Templates
Enterprise CAs issue certificates based on templates. Templates define the key usage, validity period, and who can enrol. Open Certificate Templates Console (certtmpl.msc) to view available templates.
To make a template available for issuance:
- Open the Certification Authority console (certsrv.msc)
- Right-click Certificate Templates → New → Certificate Template to Issue
- Select the template and click OK
Common templates to enable: Web Server (for IIS SSL), Computer (for machine authentication), User (for user certificates).
Requesting a Certificate for a Web Server
On the server running IIS:
- Open IIS Manager → click the server → Server Certificates
- Click Create Domain Certificate in the Actions pane
- Fill in the common name (e.g. intranet.company.local) and organisation details
- Click Next → select your CA from the list
- Give the certificate a friendly name → click Finish
The certificate is issued immediately (Enterprise CA) and appears in the Server Certificates list. Bind it to your HTTPS site in IIS bindings.
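A scripted version of the two procedures above: publishing the Web Server template on the CA, then requesting a certificate from the Enterprise CA on the IIS server and binding it. This is an added example, not code from the original guide. The CA config string ca01.company.local\CompanyName-CA, the site name Default Web Site and the hostname intranet.company.local are assumed values.

```powershell
# Added example: publish the Web Server template, request a certificate for IIS, bind it.
# Assumed values: CA at ca01.company.local\CompanyName-CA, site "Default Web Site",
# hostname intranet.company.local.

# --- On the CA: equivalent of certsrv.msc > Certificate Templates > New > Certificate Template to Issue
$caConfig = 'ca01.company.local\CompanyName-CA'
certutil -config $caConfig -SetCATemplates +WebServer
certutil -config $caConfig -CATemplates          # lists every template the CA will now issue

# --- On the IIS server: request from the Enterprise CA (issued immediately if the
#     requesting account has Enroll permission on the template)
Import-Module PKI
$req = Get-Certificate -Template WebServer `
    -SubjectName 'CN=intranet.company.local, O=Company, L=London, C=GB' `
    -DnsName 'intranet.company.local' `
    -CertStoreLocation Cert:\LocalMachine\My

# 'Pending' means the template or CA requires manual approval in certsrv.msc
if ($req.Status -ne 'Issued') { throw "Request not issued: status is $($req.Status)" }
$cert = $req.Certificate
$cert.FriendlyName = 'intranet.company.local (internal CA)'

# --- Bind to the HTTPS site (WebAdministration module ships with IIS)
Import-Module WebAdministration
$site = 'Default Web Site'
$host = 'intranet.company.local'
if (-not (Get-WebBinding -Name $site -Protocol https -HostHeader $host)) {
    # SslFlags 1 = SNI, so several host names can share port 443
    New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $host -SslFlags 1
}
$binding = Get-WebBinding -Name $site -Protocol https -HostHeader $host
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# --- Verify what a client will see: chain builds to the trusted root, SAN carries the hostname
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$san   = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
"Chain valid: $($chain.Build($cert))   SAN: $san"
```

Out of the box the Web Server template grants Enroll only to Domain Admins and Enterprise Admins, so either run the request as one of those or add the web server's computer account (or a dedicated group) to the template's security tab. Keep that Enroll list short: because the template lets the requester supply the subject name, everyone on it can obtain a certificate for any hostname in your domain.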
Auto-Enrolment with Group Policy
For computer and user certificates, configure auto-enrolment so certificates are issued and renewed automatically:
- Edit a GPO applied to the target computers/users
- Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies
- Double-click Certificate Services Client – Auto-Enrollment
- Set to Enabled and tick both checkboxes: Renew expired certificates, update pending certificates, and remove revoked certificates, and Update certificates that use certificate templates
Computers will request and renew certificates at the next Group Policy refresh.
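A client-side check that both Group Policy pieces have actually landed: the root certificate from the "Distributing the Root Certificate" section and the auto-enrolment setting from this one. This is an added example, not part of the original guide; run it on a domain-joined computer as a local administrator. CompanyName-CA is an assumed CA name.

```powershell
# Added example: verify CA root trust and auto-enrolment on a domain-joined client.
# "CompanyName-CA" is an assumed CA name; pass -CAName to override.
param([string]$CAName = 'CompanyName-CA')

# 1. Refresh policy and run the autoenrollment client now instead of waiting for the next refresh
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# 2. Root trust: the CA certificate must be present in the machine Trusted Root store
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "CN=$CAName*"
if ($root) {
    "Root trusted: $($root.Subject) (expires $($root.NotAfter), thumbprint $($root.Thumbprint))"
} else {
    Write-Warning "CA root '$CAName' not in Trusted Root store - check the GPO import"
}

# 3. NTAuth store published in AD (needed before certificates from this CA can be used for logon)
certutil -store -enterprise NTAuth | Select-String -Pattern '^\s*Subject:'

# 4. Auto-enrolment policy as written by the GPO.
#    AEPolicy 7 = enabled with both checkboxes ticked; 0x8000 = disabled; missing = not configured
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($ae -and $ae.AEPolicy -eq 7) {
    'Auto-enrolment: enabled (AEPolicy=7)'
} else {
    Write-Warning "Auto-enrolment not fully enabled (AEPolicy=$($ae.AEPolicy))"
}

# 5. Machine certificates issued by this CA, with the template they came from and a chain check
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'   # v1 name / v2+ template info
Get-ChildItem Cert:\LocalMachine\My | Where-Object Issuer -like "CN=$CAName*" | ForEach-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $tpl   = $_.Extensions | Where-Object { $_.Oid.Value -in $templateOids } | Select-Object -First 1
    [pscustomobject]@{
        Subject    = $_.Subject
        Template   = if ($tpl) { $tpl.Format($false) } else { 'n/a' }
        NotAfter   = $_.NotAfter
        ChainValid = $chain.Build($_)
    }
}
```

A client that passes steps 2 and 4 but shows nothing in step 5 usually means the Computer template is not yet published on the CA (see Certificate Templates above) or the computer's group lacks Autoenroll permission on it.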
Managing the CA
Key management tasks in certsrv.msc:
- Issued Certificates — view all certificates currently valid
- Pending Requests — manually approve or deny pending requests
- Revoked Certificates — revoke compromised certificates
- Publish CRL — right-click Revoked Certificates → All Tasks → Publish (update the Certificate Revocation List after revoking)
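The same management tasks from the command line, which is easier to audit and to schedule than clicking through certsrv.msc. This is an added example, not from the original guide; run it on the CA server as a CA administrator. The serial number and request IDs are placeholders, and the CRL path assumes the default CertEnroll location.

```powershell
# Added example: certsrv.msc tasks via certutil. Placeholders: <serial-number>, request ID 42.

# Issued certificates (Disposition 20) expiring within 30 days - review these before they lapse
$cutoff = (Get-Date).AddDays(30).ToString('MM/dd/yyyy')
certutil -view -restrict "Disposition=20,NotAfter<=$cutoff" `
    -out 'RequestID,CommonName,NotAfter,CertificateTemplate'

# Pending requests (Disposition 9): approve or deny by Request ID
certutil -view -restrict 'Disposition=9' -out 'RequestID,RequesterName,CommonName'
# certutil -resubmit 42     # approve request 42
# certutil -deny 42         # deny request 42

# Revoke a compromised certificate. The serial comes from the Issued Certificates view.
# Reason codes: 0 unspecified, 1 key compromise, 2 CA compromise, 3 affiliation changed,
# 4 superseded, 5 cessation of operation, 6 certificate hold (the only reversible one)
certutil -revoke '<serial-number>' 1

# Publish a fresh CRL immediately so relying parties learn of the revocation,
# then confirm the revoked entry and the CRL's validity window
certutil -CRL
certutil -view -restrict 'Disposition=21' `
    -out 'RequestID,CommonName,Request.RevokedWhen,Request.RevokedReason'

$crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String -Pattern 'ThisUpdate|NextUpdate'
```

Revocation only protects you once clients can fetch the new CRL, so after publishing, check the CRL distribution point URL embedded in an issued certificate (certutil -dump on the .cer shows it) is actually reachable from the clients, and keep NextUpdate short enough that a stale cached CRL does not outlive your incident response window.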
Backing Up the CA
Back up the CA private key and certificate — without this you cannot re-issue certificates if the server fails:
certutil -p YourBackupPassword -backup C:\CA-Backup
Store the backup securely offline. Treat the CA private key with the same care as any critical credential.
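A fuller backup routine than the single certutil line above: it also exports the CA's registry configuration, which the key and database backup does not contain but which a restore needs, and writes a hash list so tampering with the offline copy can be detected. This is an added example, not part of the original guide; the backup path is an assumed value and the password is prompted for rather than embedded.

```powershell
# Added example: CA backup with Backup-CARoleService (ADCSAdministration module),
# registry configuration export, and an integrity record. C:\CA-Backup is an assumed path.

Import-Module ADCSAdministration

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = "C:\CA-Backup\$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Prompt for the password; never hard-code it in the script or a scheduled task argument
$backupPassword = Read-Host -Prompt 'Backup password' -AsSecureString

# CA certificate + private key (.p12) and the certificate database, same as certutil -backup
Backup-CARoleService -Path $dest -Password $backupPassword -Force

# CA settings (published templates, CRL/AIA URLs, validity periods) live in the registry
$regPath = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
reg export $regPath "$dest\CertSvc-Configuration.reg" /y | Out-Null

# Human-readable copy of the same settings for comparison during a restore
certutil -getreg CA | Out-File "$dest\ca-config.txt"

# SHA-256 list of everything written; keep a copy of this file separately from the backup
Get-ChildItem $dest -Recurse -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Export-Csv "$dest\SHA256SUMS.csv" -NoTypeInformation

# Restrict the folder to Administrators and SYSTEM before it is copied offline
icacls $dest /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

"Backup written to $dest"
```

Test the restore at least once on a scratch server (Restore-CARoleService from the same module, then import the .reg file and restart CertSvc); a backup whose password or contents have never been exercised is not a backup.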