Windows – Enterprise Root CA Install and Configure

With Active Directory Certificate Services (AD CS), we can generate and renew certificates across an enterprise. AD CS is particularly helpful on an internal domain network.

Step-by-Step Guide

Install AD CS Role
  • Log in to a Windows server
  • Launch Server Manager
  • Click on Manage –> Add Roles & features
  • Click on Next –> Select Role-based or feature-based installation
  • Select Active Directory Certificate Services and select Include management tools checkbox then click on Add Features
  • Click on Next –> In the Features section leave defaults and click Next
  • Click Next on Active Directory Certificate Services section
  • In Select role services, select the following:
    Certification Authority
    Certification Authority Web Enrollment (Include Management tools)
  • Click Next and in the Web Server Role (IIS) section again click Next
  • Go with Defaults on Role Services
  • Click on Install and wait until the feature installation completes


  • Click on Close
  • AD CS now appears in Server Manager, along with a warning message that post-deployment configuration is required


AD CS Configuration
  1. Click on Configure Active Directory Certificate Services on the destination server
  2. Click Next on the Credentials section
  3. Select the role services to configure:
    Certification Authority
    Certification Authority Web Enrollment
  4. Click Next and select Enterprise CA
  5. On the next page, select Root CA, then click Next
  6. Select Create a new private key and click Next
  7. Choose SHA256 as the hash algorithm and other options as shown below and click Next
  8. Provide a Name to the CA
  9. Specify the validity period
  10. Leave the defaults in the Specify the database locations section
  11. Click on Configure
  12. The CA is now configured
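
The same role installation and CA configuration as a PowerShell script, added here as an example and not part of the original guide. The CA name, key length, crypto provider and validity period are assumed values, because the guide leaves them to the wizard screens; run it from an elevated session with Enterprise Admins rights.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the wizard steps above.
# The three values below are assumptions, not taken from the guide.
$CaName        = 'Example-Root-CA'   # placeholder CA common name
$KeyLength     = 4096                # assumed key length
$ValidityYears = 10                  # assumed validity period

# Install AD CS Role: Certification Authority and Web Enrollment,
# including the management tools.
$install = Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment `
                                  -IncludeManagementTools
if (-not $install.Success) { throw 'AD CS role installation failed.' }

# AD CS Configuration: Enterprise CA, Root CA, new private key, SHA256.
# Database locations are left at their defaults by omitting the parameters.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = $CaName
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'  # assumed provider
    KeyLength           = $KeyLength
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = $ValidityYears
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams
Install-AdcsWebEnrollment -Force

# Post-configuration checks: the CA service must be running and the
# configured signing hash must be SHA256.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') { throw "CertSvc is $($svc.Status), expected Running." }

$hashReg = certutil -getreg CA\CSP\CNGHashAlgorithm
if (-not ($hashReg | Select-String -Pattern 'SHA256' -Quiet)) {
    throw 'CA hash algorithm is not SHA256.'
}
Write-Output "CA '$CaName' is configured; service running, hash algorithm SHA256."
```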

Launch CA Web enrollment page

Once the CA is configured, we can access the web enrollment page at either of the two URLs listed below:

  1. http://<serverFQDN>/certsrv
  2. http://localhost/certsrv

Download CA Certificate
  1. Launch the CA web enrollment page (shown above)
  2. Click on Download a CA certificate
  3. Click on the Download CA certificate link
  4. The certificate is downloaded.
    If you select the CA certificate chain download, a p7b file will be downloaded