Install and Configure Active Directory Certificate Authority using PowerShell

This tutorial shows you how to install and configure a Certificate Authority (CA) using PowerShell.
You can install a CA on a domain controller or on a separate server. For this tutorial, let’s install the CA on the domain controller. The server used is Windows Server 2016 Standard Edition without Desktop Experience.

Log in to the server that will become the CA as Domain Administrator. A command shell is shown. Type ‘powershell’ and press Enter.

Install the CA using the Install-WindowsFeature cmdlet.

Install-WindowsFeature ADCS-Cert-Authority


Now configure the CA using the Install-AdcsCertificationAuthority cmdlet. Because this is the first CA, it is a Root CA. It is best practice for a Root CA to be a Standalone CA (not AD integrated) rather than an Enterprise CA, but for this tutorial, let’s install an Enterprise Root CA.


Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 5 -CACommonName lab01-CA


If you want to request certificates using a website, you need to install Certification Authority Web Enrollment. To do so, first use the Install-WindowsFeature cmdlet.


Install-WindowsFeature ADCS-Web-Enrollment


To configure the Certificate Authority Web Enrollment, use the Install-AdcsWebEnrollment cmdlet.



After the Web Enrollment configuration has been completed, browse to http://<servername>/certsrv to request a certificate.
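
To confirm that the CA was built with the parameters used above, the following added example (not part of the original tutorial) checks the installed roles, the CertSvc service and the CA certificate. The function name Test-CaDeployment is hypothetical, and the script assumes an elevated PowerShell session on the CA server with the CA certificate in the LocalMachine\My store.

```powershell
# Added example: verify the CA built in this tutorial. Expected values mirror the
# Install-AdcsCertificationAuthority call above; adjust them if you changed the command.
$Expected = @{
    CommonName = 'lab01-CA'
    KeyLength  = 2048
    Hash       = 'sha256'   # SignatureAlgorithm.FriendlyName reads e.g. "sha256RSA"
    Years      = 5
}

function Test-CaDeployment {   # hypothetical helper name
    param([hashtable]$Expected)

    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Name, $Ok, $Detail)
        $results.Add([pscustomobject]@{ Check = $Name; Passed = [bool]$Ok; Detail = $Detail }) }

    # 1. Both role services from the tutorial must be installed.
    foreach ($f in Get-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment) {
        & $add "Feature $($f.Name)" $f.Installed $f.InstallState
    }

    # 2. The CA service (CertSvc) must be running.
    $svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
    & $add 'CertSvc running' ($svc.Status -eq 'Running') $svc.Status

    # 3. Find the newest CA certificate whose subject CN matches exactly.
    $cnPattern = '^CN=' + [regex]::Escape($Expected.CommonName) + '(,|$)'
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $cnPattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        & $add 'CA certificate present' $false 'not found in LocalMachine\My'
        return $results
    }

    # 4. Compare the certificate with the parameters passed at install time.
    $keySize = $cert.PublicKey.Key.KeySize
    $sigAlg  = $cert.SignatureAlgorithm.FriendlyName
    $years   = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25)
    & $add 'Self-signed root'  ($cert.Subject -eq $cert.Issuer)       $cert.Issuer
    & $add 'Key length'        ($keySize -eq $Expected.KeyLength)     $keySize
    & $add 'Signature hash'    ($sigAlg -like "$($Expected.Hash)*")   $sigAlg
    & $add 'Validity (years)'  ($years -eq $Expected.Years)           "$($cert.NotBefore) to $($cert.NotAfter)"
    return $results
}

Test-CaDeployment -Expected $Expected | Format-Table -AutoSize
```

Any row with Passed set to False points at a step that did not complete or was run with different parameters.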
