
Step by Step : Deploying a Standalone Root CA in Server 2012 R2 (Part 1)

August 29, 2013

Hi all,

Today let's go through, step by step, how to deploy a Standalone Root CA in Server 2012 R2. This will be Part 1 of the AD CS deployment…

1st, what is a Certification Authority (CA)?

A CA is a well-designed and highly trusted service in an enterprise, which provides users and computers with certificates, maintains the CRLs, and optionally responds to OCSP requests. You can install a CA in your environment by deploying the AD CS role on Windows Server 2012. When you install the first CA, it establishes the PKI in the network, and it provides the highest point in the entire structure. You can have one or more certification authorities in one network, but only one CA can be at the highest point on the CA hierarchy.

The main purposes of the CA are to issue certificates, revoke certificates, and publish AIA and CRL information. By doing this, the CA ensures that users, services, and computers are issued certificates that can be validated.

A CA performs multiple functions or roles in a PKI. In a large PKI, separation of CA roles among multiple servers is common. A CA provides several management tasks, including:

• Verifying the identity of the certificate requestor.

• Issuing certificates to requesting users, computers, and services.

• Managing certificate revocation.

When you deploy the first CA (root CA) in your network, it issues a certificate for itself. After that, other CAs receive their certificates from the first CA. You can also choose to have your CA's certificate issued by one of the public CAs.

For more info on the Windows Server 2012 R2 CA, please refer to:

Before I start, let me get down to the servers for this demo. For this CA deployment I will be using only 2 servers: my Domain Controller (DC01.comsys.local) and my member server (SVR01.comsys.local). The standalone Root CA will be installed on SVR01.comsys.local.

Orait, let's get started:

1 – On the SVR01.comsys.local server, click Add roles and features…


2 – On the Before you begin box, click Next to proceed…


3 – On the Select installation type box, verify that you select Role-Based or feature-based installation and click Next…


4 – On the Select destination server box, click Next


5 – On the Select server roles box, select Active Directory Certificate Services. ** When the Add Roles and Features Wizard displays, click Add Features, and then click Next…



6 – On the Select features box, click Next


7 – On the Active Directory Certificate Services box, click Next


8 – On the Select role services box, verify that Certification Authority is selected, and then click Next to proceed…


9 – On the Confirm installation selections box, click Install


10 – On the Installation progress page, after installation completes successfully, click the text Configure Active Directory Certificate Services on the destination server…



11 – In the AD CS Configuration Wizard box, on the Credentials box, click Next


12 – On the Role Services box, select Certification Authority, and then click Next


13 – On the Setup Type box, select Standalone CA, and then click Next…


14 – On the CA Type box, verify that root CA is selected, and then click Next…


15 – On the Private Key box, verify that Create a new private key is selected, and then click Next…


16 – On the Cryptography for CA box, keep the default selections for Cryptographic Service Provider (CSP) and Hash Algorithm, but set the Key length to 4096, and then click Next


17 – On the CA Name box, in the Common name for this CA box, verify that Comsys-SVR01-CA is listed, and then click Next…


18 – On the Validity Period box, I chose a 1 year validity period for the CA certificate instead of the default 5 years, and then click Next…


19 – On the CA Database box, click Next


20 – On the Confirmation box, click Configure


21 – On the Results box, click Close (verify that Configuration succeeded)…
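The same result as steps 1 to 21, done from an elevated PowerShell session on SVR01.comsys.local instead of the wizard. This is an added example and not part of the original post; it uses the ADCSDeployment cmdlets that ship with the role, and the values (CA name, 4096-bit key, 1-year validity) mirror what the post picks in the GUI. Which hash algorithm and provider you get is whatever the cmdlet's defaults are, exactly as "keep the default selections" does in step 16; the commented `HashAlgorithmName` line shows where to pin one explicitly if you prefer not to inherit a default.

```powershell
# Added example, not from the original post: build the standalone root CA that
# steps 1-21 create through Server Manager, using the ADCSDeployment cmdlets.
# Run in an elevated PowerShell session on SVR01.comsys.local.

# Steps 1-10: install the Certification Authority role service together with
# the management tools (the certsrv console and the ADCSAdministration cmdlets).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Steps 11-21: configure it as a standalone root CA with a new private key.
# Only the values the post changes are set; the CSP and hash algorithm stay at
# the cmdlet's defaults, like "keep the default selections" in step 16.
$caParams = @{
    CAType              = 'StandaloneRootCA'   # step 13 + 14: Standalone, Root
    CACommonName        = 'Comsys-SVR01-CA'    # step 17
    KeyLength           = 4096                 # step 16
    ValidityPeriod      = 'Years'              # step 18: 1 year instead of 5
    ValidityPeriodUnits = 1
    Force               = $true                # same as clicking Configure (step 20)
    # HashAlgorithmName = 'SHA256'             # uncomment to pin the hash instead of inheriting a default
}
Install-AdcsCertificationAuthority @caParams

# Check, equivalent to "verify that Configuration succeeded" in step 21:
# the CA service is running and the CA certificate sits in the machine store
# with the key length and validity we asked for.
Get-Service -Name CertSvc | Select-Object Status, DisplayName
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=Comsys-SVR01-CA*' } |
    Select-Object Subject, NotBefore, NotAfter, SignatureAlgorithm,
        @{ Name = 'KeyLength'; Expression = { $_.PublicKey.Key.KeySize } }
```

Running `Get-ChildItem Cert:\LocalMachine\My` afterwards is the quickest way to confirm you really ended up with a 4096-bit key and a one-year lifetime rather than silently falling back to a default, which is easy to miss when clicking through the wizard.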


22 – Next, you need to configure a new certificate revocation list (CRL) location. For this demo I will keep my CA in the DC01 server…

On the Server Manager, click Tools, and then click Certification Authority…


23 – In the certsrv – [Certification Authority (Local)] console, right-click Comsys-SVR01-CA, and then click Properties…


24 – In the Comsys-SVR01-CA dialog box, click the Extensions tab then on select extension drop-down list, click CRL Distribution Point (CDP) and then click the Add button…


25 – In the Location text box, type http://svr01.comsys.local/CertData/, in the Variable drop-down list box, click <CaName>, and then click Insert


26 – In the Variable drop-down list box, click <CRLNameSuffix>, and then click Insert


27 – In the Variable drop-down list box, click <DeltaCRLAllowed>, and then click Insert, then at the end of URL, type .crl, and then click OK


28 – Next, tick the following options, and then click Apply:

– Include in CRLs. Clients use this to find Delta CRL locations

– Include in the CDP extensions of issued certificates


29 – In the Certification Authority pop-up box, click No


30 – In the Select extension drop-down list box, click Authority Information Access (AIA), and then click Add


31 – In the Location text box, type http://svr01.comsys.local/CertData/, in the Variable drop-down list box, click <ServerDNSName>, and then click Insert


32 – In the Location text box, type an underscore (_), in the Variable drop-down list box, click <CaName>, and then click Insert. Put your cursor at the end of URL…


33 – In the Variable drop-down list box, click <CertificateName>, and then click Insert


34 – In the Location text box, put your cursor at the end of URL, type .crt, and then click OK


35 – Select the Include in the AIA extension of issued certificates box, and then click OK


36 – Click Yes to restart Certification Authority service…
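Steps 22 to 36 add two extensions to the CA: the CRL Distribution Point (CDP) URL that relying parties fetch the CRL from, and the Authority Information Access (AIA) URL they fetch the issuer certificate from. Below is the same configuration done with the ADCSAdministration cmdlets on SVR01.comsys.local; it is an added example and not from the original post. The URL templates are exactly the ones the post assembles in the GUI (the `<CaName>`, `<CRLNameSuffix>` and other tokens are expanded by the CA itself at publish time), and each switch is mapped to the checkbox it corresponds to. One caveat the post leaves out: nothing on this page sets up a web server for http://svr01.comsys.local/CertData/, so until the CertEnroll files are actually reachable at that URL, clients will fail revocation checking against this CA.

```powershell
# Added example, not from the original post: configure the CDP and AIA
# extensions from steps 22-36 with the ADCSAdministration cmdlets.
# Run in an elevated PowerShell session on SVR01.comsys.local.
$base = 'http://svr01.comsys.local/CertData/'

# Steps 24-28: CRL Distribution Point.
#   -AddToFreshestCrl    = "Include in CRLs. Clients use this to find Delta CRL locations"
#   -AddToCertificateCdp = "Include in the CDP extensions of issued certificates"
$cdp = @{
    Uri                 = $base + '<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
    AddToFreshestCrl    = $true
    AddToCertificateCdp = $true
    Force               = $true
}
Add-CACrlDistributionPoint @cdp

# Steps 30-35: Authority Information Access.
#   -AddToCertificateAia = "Include in the AIA extension of issued certificates"
$aia = @{
    Uri                 = $base + '<ServerDNSName>_<CaName><CertificateName>.crt'
    AddToCertificateAia = $true
    Force               = $true
}
Add-CAAuthorityInformationAccess @aia

# Step 36: the new extension settings only take effect once the CA service
# restarts (this is what clicking "Yes" on the prompt does).
Restart-Service -Name CertSvc

# Check: show exactly which URLs the CA will now stamp into issued certificates.
Get-CACrlDistributionPoint |
    Where-Object { $_.AddToCertificateCdp } |
    Select-Object Uri, AddToFreshestCrl
Get-CAAuthorityInformationAccess |
    Where-Object { $_.AddToCertificateAia } |
    Select-Object Uri
```

The final two commands are worth keeping as a habit: an extension URL with a typo in it is written into every certificate this CA issues from then on, and it cannot be fixed in certificates that are already out there.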


37 – In the Certification Authority console, expand Comsys-SVR01-CA, right-click Revoked Certificates, point to All Tasks, and then click Publish…


38 – In the Publish CRL box, click OK


39 – Right-click Comsys-SVR01-CA, and then click Properties


40 – In the Comsys-SVR01-CA Properties box, click View Certificate


41 – In the Certificate box, click the Details tab and then click Copy to File…


42 – In the Certificate Export Wizard, on the Welcome box, click Next


43 – On the Export File Format box, select DER encoded binary X.509 (.CER), and then click Next…


44 – On the File to Export box, click Browse and then in the File name text box, type \\dc01\C$, and then press Enter…



45 – In the File name text box, type RootCA, click Save, and then click Next



46 – Click Finish, and then click OK



47 – Next, browse to C:\Windows\System32\CertSrv\CertEnroll, copy both files…


48 – and then paste to \\dc01\c$…
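Steps 37 to 48 publish the first CRL, export the CA certificate in DER form and copy it along with the CertEnroll files to DC01. The script below does the same from an elevated session on SVR01.comsys.local and then reads the exported certificate back to confirm it is the self-signed root with the expected validity. It is an added example and not from the original post; `\\dc01\c$` and `RootCA.cer` are the destination and file name the post uses in steps 44 and 45.

```powershell
# Added example, not from the original post: publish the CRL, export the CA
# certificate and copy the files to DC01, covering steps 37-48.
# Run in an elevated PowerShell session on SVR01.comsys.local.
$dest = '\\dc01\c$'   # the share the post pastes into (steps 44 and 48)

# Steps 37-38: publish a new base CRL. certutil -crl is the same operation as
# Revoked Certificates -> All Tasks -> Publish in the console.
certutil -crl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CRL publish failed (certutil exit code $LASTEXITCODE)" }

# Steps 39-46: export the CA's own certificate. certutil -ca.cert writes it in
# DER encoded binary X.509 form, matching the format chosen in step 43.
$certFile = Join-Path -Path $dest -ChildPath 'RootCA.cer'
certutil -ca.cert $certFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CA certificate export failed (certutil exit code $LASTEXITCODE)" }

# Steps 47-48: CertEnroll holds the <host>_<CaName>.crt and <CaName>.crl files
# that the CDP/AIA URLs configured earlier have to resolve to. Copy both.
$enroll = Join-Path -Path $env:SystemRoot -ChildPath 'System32\CertSrv\CertEnroll'
Get-ChildItem -Path "$enroll\*" -Include *.crt, *.crl |
    Copy-Item -Destination $dest -Force

# Check: load the exported file and confirm it is the self-signed root
# (issuer equals subject) and that NotAfter reflects the 1-year validity.
$root = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certFile
[pscustomobject]@{
    Subject    = $root.Subject
    SelfSigned = ($root.Subject -eq $root.Issuer)
    NotBefore  = $root.NotBefore
    NotAfter   = $root.NotAfter
    Thumbprint = $root.Thumbprint
}
```

The thumbprint printed at the end is the value to compare against when you later import RootCA.cer into a trust store on another machine; if it differs, you are not trusting the certificate you think you are.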



Orait, we're done for now; we have successfully deployed a standalone root CA on the SVR01 server.

In my Part 2, I will continue with the CA, but next round let's try deploying an Enterprise Subordinate CA…

Wait for my Part 2…

  1. Hotshot

    Very nice description!

  2. Nice post.
    At this point, should you not take srv01 offline, as it is the Root CA and is better protected being offline? Also, because you move the root.cer file to DC01, you don't need it online to chain.

  3. Made this task very easy! Thanks.
