• Home
  • |
  • Blog
  • |
  • Step -By-Step Procedure To Set Up A Standalone Root CA On Windows Server
Procedure to set up A Standalone Root CA on Windows Server

In this era of digital world, there is no need to explain the importance of a digital certificate or a system that manages the digital certificate, Public Key Infrastructure (PKI). If your company is quite behind in this and not implemented a PKI infrastructure yet, it’s time to do now. The very first thing you should do is to set up a root CA, then one or more subordinate CA according to the environment size and structure, and a CA database, enforcement servers, and many more. Well, when it comes to set up a root CA, there are two types of root CAs. Enterprise Root CA and Standalone Root CA. Let’s see about setting up a Enterprise Root CA in a different post, let’s limit this post to a Standalone Root CA (Certificate Authority). Let’s see a step-by-step procedure to set up a Standalone Root CA in ADCS with a list of requirements and benefits of setting up a Standalone Root CA in the PKI infrastructure.

What Is ADCS?

Microsoft ADCS is the Active Directory Certificate Services server role in Windows Server. It allows administrators to manage and generate digital certificates for use in a variety of scenarios, such as authenticating users and devices, encrypting communication, and validating signatures. ADCS is a key component of many PKI deployments and helps organizations to secure their data and communications.

ADCS includes a number of features that make it a powerful and flexible tool for certificate management. For example, ADCS can be used to issue certificates to user accounts and computers in an Active Directory domain. ADCS can also be configured to automatically enroll users and computers in a certificate program, making it easy to keep track of who has which certificates. In addition, ADCS provides a web enrollment interface that allows users to request and retrieve certificates without having to use the ADCS console.

ADCS is an important part of many PKI deployments and can help organizations to secure their data and communications.

What Is A Root CA?

A Root CA is a certification authority that is trusted by all other CAs in a given PKI hierarchy. A Root CA’s certificate is self-signed and contains information that identifies the Root CA as well as the Root CA’s public key. The Root CA’s public key is used to verify the signatures of all other certificates in the PKI hierarchy.

What Is A Standalone Root CA In ADCS?

A standalone root CA is a  Certification Authority (CA) that is not  integrated with  an  existing  public  key infrastructure  (PKI). A PKI is  a  system  of  digital  certificates,  public  and  private keys, and other related components that are used to verify the identity of individuals or devices and to encrypt information. A standalone root CA can issue and manage digital certificates for use in a PKI, but it is not itself part of a PKI.

A standalone root CA is typically used in organizations that do not have an existing PKI, or in situations where it is not possible or desirable to integrate a new CA into an existing PKI. For example, a standalone root CA might be used to issue digital certificates for use in a PKI that is  being  created  from  scratch,  or  to  issue  digital  certificates  for  use  in  a  PKI  that  exists  outside  of  the organization.

There are several benefits to using a standalone root CA. First, it can be faster and easier to deploy than a CA that is integrated into an existing PKI. Second, it can be less expensive to maintain and operate than a CA that is part of a PKI. Finally, it can provide more flexibility in terms of the types of certificates that can be issued and the way in which they are used.

However, there are also some drawbacks to using a standalone root CA. First, it is  more  vulnerable  to  attack  than  a  CA  that  is  part  of  a  PKI.  Second,  it  can  be  more difficult to manage and operate than a CA that is integrated into an existing PKI. Finally, it may not be possible to issue all types of certificates that are available from a CA that is part of a PKI.

In summary, a standalone root CA is a CA that is not integrated with an existing PKI. It has several benefits, but also some drawbacks. It is typically used in organizations that do not have an existing PKI, or in situations where it is not possible or desirable to integrate a new CA into an existing PKI.

Why You Should Need to Have a Root CA?

Why You Should Set Up A Standalone Root CA?

A lot of people ask why they should set up A Standalone Root CA. The answer is simple: because it’s more secure. When you set up A Standalone Root CA, your server will be its own Certificate Authority. This means that your server will generate its own certificates, and no one else will be able to issue certificates for your domain.

There are a few reasons why this is more secure:

  1. It’s much harder for someone to spoof your certificates if they can’t generate their own.
  2. If someone does manage to get ahold of your private key, they won’t be able to use it to issue new certificates – they’ll only be able to use it for the sites that already have certificates from your server.
  3. set up A Standalone Root CA is more resistant to attack than other types of Certificate Authorities. This is because the attacker would need to compromise the server itself in order to issue new certificates.

Overall, set up A Standalone Root CA is a more secure way to manage your certificates. If you’re looking for the highest level of security possible, this is the way to go.

Things Required To Set Up A Standalone Root CA In ADCS:

There are nothing much required to set up Standalone Root CA server. You just need to have these two things. That’s all.

  1. A Windows Server (a bare-metal or a virtual machine)
  2. An Administrator account to set up ADCS

How To Set Up A Standalone Root CA On Windows Server?

Let’s see steps to set up a standalone root CA for your organization. We have created a Windows VM on our lab to demonstrate this demo. You can go through this steps on your production or test environments to set up a standalone root CA. Let’s get started.

Note: This server is not attached to the Active Directory. It’s a workgroup machine.

Time needed: 30 minutes.

How To Set Up A Standalone Root CA On Windows Server?

  1. Set up Active Directory Certificate Service (ADCS) Role- Open the ‘Add Roles and Features’

    Let’s begin this process with setting up ADCS role. Open the ‘Add Roles and Features’.

    In Server Manager, go to Manage –> Add Roles and FeaturesSet up ADCS

  2. Select Role-Based Installation

    Click Next button in the ‘Add Roles and Features’ wizard.

    Select Role based or Feature based installation since it is a role based

    Click Next.Select Role-Based Installation

  3.  Select the Server on that you are going to install the ADCS Role

    Since it has only local server, select that local server then click Next.Select the Server on that you are going to install the ADCS Role

  4. Select ‘Active Directory Certificate Services’ role

    Select “Active Directory Certificate Services” role then click on Next.Select 'Active Directory Certificate Services' role

  5. Add the ‘Add Features’

    Click on ‘Add Features’ button to add the ADCS features.

    Click on Next, and Next again.Add the 'Add Features'

  6. Initiate the ADCS installation process

    Click on Next, and Next again. This will take you to the ADCS installation wizard.

    Click the Next button to initiate the ADCS installation process.Initiate the ADCS installation process

  7. Select ‘Certificate Authority’ role

    You will to greeted with multiple option to choose.  Select the first option ‘Certificate Authority‘ role alone then click Next.Select 'Certificate Authority' role

  8. Begin the installation of ‘Certificate Authority‘ role

    Click on the Install button to being the installation of ‘Certificate Authority‘ role.Begin the installation of 'Certificate Authority' role

  9.  Installation of ‘Certificate Authority‘ role in progress…

    Installation of 'Certificate Authority' role in progress

  10. Start the Active Directory Certificate Service configuration wizard

    Upon the completion of the installation process, it prompts for Configuration, Select “Configure Active Directory Certificate Services on destination server” to start the ADCS configuration wizard.Start the Active Directory Certificate Service configuration wizard

  11. Select the Administrator account in the ADCS configuration wizard

    By default Local Administrator Account should be selected (Server is in WorkGroup). Just ensure it is selected then click Next.Select the Administrator account in the ADCS configuration wizard

  12. Select ‘Certificate Authority’ role in the ADCS configuration wizard

    You are allowed to Check the ‘Certificate Authority’ role alone as we have installed only CA role. Select ‘Certificate Authority’ role then click Next.Select 'Certificate Authority' role

  13.  Select the Standalone CA in the ADCS configuration wizard

    You will be greeted to choose two types of CAs, Enterprise CA and Standalone CA. Enterprise CA option should be greyed out since this computer is not attached to the Active Directory and not part of any domain.

    You are allowed to select only Standalone CA option. Select the Standalone CA option then click on NexSelect the Standalone CA in the ADCS configuration wizard

  14. Select the Root CA

    You will be greated with two options. Root CA and Subordinate CA. Since we are going to set up standalone root CA in this demo go with the Root CA option. We will cover about the Subordinate CA in a different post when we show you how to create two tier PKI system. Select Root CA then click Next.Select the Root CA

  15. Create a new private key for Standalone Root CA

    Private key is the first element of trust for any Certificate Authority. Let’s create a private key for this root CA. Since this is the newly created CA. Create a new private key.

    Select “Create a New Private Key” then click Next.Create a new private key for Standalone Root CA

  16. Select Key Length & Hash Algorithm based on requirement

    Select the Cryptographic Provider, Hash Alogarithm, and Key Length as per your design. Then Click Next.Select Key Length & Hash Algorithm based on requirement

  17.  Specify the name of the Certificate Authority

    Specify the name of your CA, By default, Common Name with ‘- CA’ will be taken as the CA name.Specify the name of the Certificate Authority

  18. Specify the Certificate validation period

    Validity period is the expiration time of the CA’s certificate. Normal practice is to keep the validity period for up to 10 years for root CA certificates. However, you can keep the validity period anywhere between 5 to 10 years.Specify the Certificate validation period

  19. Specify Database & Logs location for Standalone Root CA

    Specify the location for database and logs for your Standalone Root CA. You can leave this default as it is then click Next.Specify Database & Logs location for Standalone Root CA

  20. Verify the summary of the configuration

    Take a look at all the configurations then click on Configure button.Verify the summary of the configuration

  21.  Close the configuration wizard after the completion

    Click on the Close button upon the completion of the configuration wizard.Close the configuration wizard after the completion

  22. Close the Certificate Authority configuration wizard

    Close the Certificate Authority configuration wizard

  23. Open Certificate Authority Console

    Server Manager -> Tools -> Certificate Authority

    Right click on the Certificate Authority on the console then select PropertiesOpen Certificate Authority Console

  24. View the Certificate of the Standalone Root CA

    Click on the View Certificate to open the certificate.
    View the Certificate of the Standalone Root CA

  25.  Certificate of Standalone Root CA

    Now you can start issuing the Certificates from this Standalone Root Certificate Authority.image

That’s it. You are done with setting up a Standalone Root CA. This concludes the demo of building the Certificate Authority.

We hope this post will help you know a step-by-step procedure to set up a Standalone Root CA in ADCS. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

To know more about me. Follow me on LinkedIn
Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.