Step-by-Step Procedure to Set Up an Enterprise Root CA on Windows Server

When you start setting up a Root CA for your PKI infrastructure, two options come to mind: a Standalone Root CA or an Enterprise Root CA. Each has its own advantages over the other, and they are built for different purposes. If you want to know more about the Standalone Root CA, we published a dedicated post covering it, and we covered the comparison (Standalone vs Enterprise Root CA) in another post. However, let’s limit this post to Enterprise CAs. Let’s see a step-by-step procedure to set up an Enterprise Root CA in ADCS, together with the requirements and the benefits of setting up an Enterprise Root CA in the PKI infrastructure.

What Is An Enterprise Root CA In ADCS?

An Enterprise Root CA in ADCS is a type of Certificate Authority that is used to issue digital certificates within an enterprise. The Enterprise Root CA is typically installed on a server located within the organization’s internal network.

The Enterprise Root CA is responsible for issuing digital certificates to all other types of CAs within the enterprise and issuing digital certificates to devices and users connected to the enterprise network. The Enterprise Root CA can be used to issue digital certificates for SSL/TLS encryption, email security, code signing, and more.

Organizations that use an Enterprise Root CA usually have a high level of security and require a higher degree of trust for their digital certificates. As such, the Enterprise Root CA is typically more expensive and difficult to install and maintain than other types of CAs.

Why Should You Set Up An Enterprise Root CA In ADCS?

An Enterprise Root Certificate Authority (CA) is a top-level CA that is trusted by everyone in the organization. The Enterprise Root CA is typically installed on a domain controller and integrated with Active Directory Domain Services (AD DS).

As the highest level of authority in the PKI hierarchy, the Enterprise Root CA issues and signs certificates for all other CAs in the PKI. In turn, these other CAs issue and sign certificates for devices, users, and applications. By having a centralized Enterprise Root CA, organizations can more easily manage security and access control.

An Enterprise Root CA provides a number of advantages over a Standalone Root CA, including the following:

  1. Enterprise Root CAs can be integrated with Active Directory Domain Services (AD DS), which simplifies management and increases security. Standalone Root CAs are not integrated with AD DS and require additional effort to manage.
  2. Enterprise Root CAs can issue certificates to computers and users in an AD DS domain. Standalone Root CAs can only issue certificates to computers.
  3. Enterprise Root CAs can be replicated to other servers running AD CS to provide redundant certification services. Standalone Root CAs cannot be replicated.
  4. Enterprise Root CAs support certificate revocation lists (CRLs), which helps ensure that revoked certificates are not used. Standalone Root CAs do not support CRLs.
  5. Enterprise Root CAs can be configured to use Hardware Security Modules (HSMs) to protect the private key. This is important for high-security environments. Standalone Root CAs cannot use HSMs.

Requirements To Set Up An Enterprise Root CA In ADCS:

  1. A Windows Server (bare-metal or a virtual machine)
  2. An Administrator account to set up ADCS
  3. A domain member server: an Enterprise Root CA can be configured only on a server that is a member of the domain.

Time needed: 30 minutes.

How To Set Up An Enterprise Root CA On Windows Server?

  1. Set up the Active Directory Certificate Services (ADCS) role: open ‘Add Roles and Features’

    Let’s begin by setting up the ADCS role.
    In Server Manager, go to Manage –> Add Roles and Features.

  2. Select role-based installation

    Click the Next button in the ‘Add Roles and Features’ wizard.
    Select ‘Role-based or feature-based installation’, since this is a role-based installation.
    Click Next.

  3. Select the server on which you are going to install the ADCS role

    Since there is only the local server, select it, then click Next.

  4. Select the ‘Active Directory Certificate Services’ role

    Select the ‘Active Directory Certificate Services’ role, then click Next.

  5. Add the required features

    Click the ‘Add Features’ button to add the features the ADCS role depends on.
    Click Next, and Next again.

  6. Initiate the ADCS installation process

    Click Next, and Next again. This takes you to the ADCS installation wizard.
    Click the Next button to initiate the ADCS installation process and add the features for Web Enrollment.

  7. Select the ‘Certificate Authority’ and ‘Certification Authority Web Enrollment’ role services

    You will be greeted with multiple options. Select the first and fourth options, ‘Certificate Authority’ and ‘Certification Authority Web Enrollment’, then click Next.

  8. Accept the default Web Server Role (IIS) role services

    Since we are installing the Web Server Role (IIS) with the default role services, click Next.

  9. Begin the installation of the ‘Certificate Authority’ and ‘Certification Authority Web Enrollment’ role services

    Click the Install button to begin the installation of the ‘Certificate Authority’ and ‘Certification Authority Web Enrollment’ role services.

  10. Wait for the installation to finish

    The installation of the ‘Certificate Authority’ and ‘Certification Authority Web Enrollment’ role services is in progress.

  11. Start the Active Directory Certificate Services configuration wizard

    Upon completion of the installation, the wizard prompts for configuration. Select “Configure Active Directory Certificate Services on the destination server” to start the ADCS configuration wizard.

  12. Select the administrator account in the ADCS configuration wizard

    By default, a domain account should be selected (the server is a member of the domain). Just ensure it is selected, then click Next.

  13. Select the ‘Certificate Authority’ and ‘Certificate Authority Web Enrollment’ role services in the ADCS configuration wizard

    Check the ‘Certificate Authority’ and ‘Certificate Authority Web Enrollment’ role services, then click Next.

  14. Select Enterprise CA in the ADCS configuration wizard

    You will be asked to choose between two types of CA: Enterprise CA and Standalone CA.
    Since we are configuring an Enterprise CA, select the Enterprise CA option, then click Next.

  15. Select Root CA

    You will be greeted with two options: Root CA and Subordinate CA.
    Since we are setting up an Enterprise Root CA in this demo, go with the Root CA option. We will cover the Subordinate CA in a different post, when we show you how to build a two-tier PKI. Select Root CA, then click Next.

  16. Create a new private key for the Enterprise Root CA

    The private key is the first element of trust for any Certificate Authority. Since this is a newly created CA, create a new private key for it.
    Select “Create a new private key”, then click Next.

  17. Select the key length and hash algorithm based on your requirements

    Select the cryptographic provider, hash algorithm and key length as per your design, then click Next.

  18. Specify the name of the Certificate Authority

    Specify the name of your CA. By default, ‘<Domain Name>-<Server Name>-CA’ is taken as the CA name.

  19. Specify the certificate validity period

    The validity period is the expiration time of the CA’s certificate. Normal practice is to keep the validity period of root CA certificates at up to 10 years; you can keep it anywhere between 5 and 10 years.
    Click Next.

  20. Specify the database and log locations for the Enterprise Root CA

    Specify the location of the database and logs for your Enterprise Root CA. You can leave the defaults as they are, then click Next.

  21. Verify the summary of the configuration

    Review all of the configuration choices, then click the Configure button.

  22. Close the configuration wizard after completion

    Click the Close button once the configuration wizard has finished.

  23. Close the Certificate Authority configuration wizard

    Close the Certificate Authority configuration wizard after the installation.

  24. Open the Certificate Authority console

    Server Manager –> Tools –> Certification Authority
    Right-click the Certificate Authority in the console.

  25. Certificate of the Enterprise Root CA

    Now you can start requesting and issuing certificates from this Enterprise Root Certificate Authority using a domain account.
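The same setup driven from an elevated PowerShell session, as an added example that is not part of the original post: it uses the ADCSDeployment cmdlets that ship with the ADCS role, so the wizard choices above can be recorded and repeated. The CA common name, key length, hash algorithm and validity period are assumed values to be replaced with your own design; the database and log paths are the wizard defaults.

```powershell
# Added example (not from the original post): the wizard steps above driven from
# PowerShell via the ADCSDeployment cmdlets that ship with the ADCS role.
# Assumed values: CA name, key length, hash algorithm and validity period are
# illustrative; replace them with the values from your own PKI design.
#Requires -RunAsAdministrator

# Requirement: an Enterprise CA can only be configured on a domain member server.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw 'This server is not a domain member; an Enterprise Root CA cannot be configured here.'
}

# 'Add Roles and Features': the Certification Authority and Web Enrollment role
# services (Web Enrollment pulls in the Web Server (IIS) role with its defaults).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# ADCS configuration wizard: each parameter maps onto one wizard page.
#   CAType             -> Enterprise CA + Root CA
#   CryptoProviderName / KeyLength / HashAlgorithmName -> cryptography page
#   CACommonName       -> CA name page (wizard default is <Domain>-<Server>-CA)
#   ValidityPeriod*    -> validity period page (10 years, the usual root maximum)
#   DatabaseDirectory / LogDirectory -> database and logs page (wizard defaults)
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096
    HashAlgorithmName   = 'SHA256'
    CACommonName        = 'CONTOSO-ROOT-CA'   # assumed, illustrative name
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10
    DatabaseDirectory   = 'C:\Windows\System32\CertLog'
    LogDirectory        = 'C:\Windows\System32\CertLog'
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# Configure the Web Enrollment role service against the local CA.
Install-AdcsWebEnrollment -Force

# Verify: the CA service answers, and the new root certificate was placed in the
# local machine's Trusted Root Certification Authorities store.
certutil -ping
certutil -cainfo name
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$($caParams.CACommonName)*" } |
    Format-List Subject, Thumbprint, NotAfter
```

The final Get-ChildItem should return exactly one certificate whose NotAfter lies ten years out; an empty result means the CA certificate was not installed into the local Root store and the configuration should be reviewed before any enrollment is attempted.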

That’s it. You are done with setting up an Enterprise Root CA. This concludes the demo of building the Certificate Authority.

We hope this post helps you learn a step-by-step procedure to set up an Enterprise Root CA on Windows Server. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
