> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure Active Directory Certificate Systems

> Procedural guide to configure ADCS with a Public Key Infrastructure (PKI).

Now, you must configure a new installation of Active Directory Certificate Services (ADCS)  with a Public Key Infrastructure (PKI).

<Note>
  If you have not installed Active Directory, do that before proceeding, unless this is a standalone CA.
</Note>

<Steps>
  <Step>
    Select **Start** > **Administrative Tools** > **Server Manager**. Select the flag icon to the left of **Manage**.
  </Step>

  <Step>
    Select **Configure Active Directory Certificate Services** on the destination.
  </Step>

  <Step>
    On the **Credentials** page, ensure your login meets the displayed requirements. Select **\[ Next ]**.
  </Step>

  <Step>
    On the **Select Role Services** page, select **Certification Authority** to enable the management and issuance of certificates. Select **\[ Next ]**.
  </Step>

  <Step>
    On the **Specify Setup Type** page, the type designates the kind of certificate authority server and depends on your business requirements. Select either **Enterprise** or **Standalone**. Enterprise CAs integrate with Active Directory, while standalone CAs conduct operations offline.
  </Step>

  <Step>
    On the **Specify CA Type** page, select **Root** or **Subordinate**. Select **Root** if you have not yet created a PKI. Select **Subordinate** if you are integrating with an existing PKI. Select **\[ Next ]**.
  </Step>

  <Step>
    On the **Set Up Private Key** page, select **Use existing private key** or **Create a new private key**.

    * If you have integrated this CA with the Futurex hardware previously and the private key already exists on the CryptoHub (for example, this is a reinstallation of the CA server), select **Use existing private key**. Then, choose **Select an existing private key on this computer**.
    * If this is a new CA, select **Create a new private key**.
  </Step>

  <Step>
    If **Create a new private key** was selected:

    * On the **Configure Cryptography for CA** window, choose **Futurex FXCL KMES CNG** from the drop-down menu.
    * Select a key character length: **2048**, **3072**, or **4096**.
    * Select one of the following hash algorithms from the drop-down menu: **SHA-1**, **SHA-256**, or **SHA-512**.
    * Checking **Allow administrator interaction when the private key is accessed by the CA** has no effect.
    * Select **\[ Next ]**.
  </Step>

  <Step>
    If **Use existing private key** was selected:

    * In the **Existing Key** window, change the Cryptographic provider to **Futurex FXCL KMES CNG**.
    * Clear the **common name** field. Select **\[ Search ]**. Locate the key you want to use from the search results.
    * Checking **Allow administrator interaction when the private key is accessed by the CA** has no effect.
    * Select **\[ Next ]**.
  </Step>

  <Step>
    In the **CA Name** page, configure your PKI names and select **\[ Next ]**.
  </Step>

  <Step>
    If you selected  **Root CA** in step 6, the Set the **Certificate Validity Period** page opens. Enter the **default validity** for the root CA and select **\[ Next ]**.
  </Step>

  <Step>
    If you selected **Subordinate CA** in step 6, the **Certificate Request** page opens. You can choose one of the following options:

    * Choose a parent CA instance of AD CS on your domain to issue you a certificate.
    * Save a certificate request to a file, and have it signed by an external CA.
  </Step>

  <Step>
    In the **Certificate Database** page, select **\[ Next ]**.
  </Step>

  <Step>
    In the **Confirmation** page, select **\[ Configure ]**.
  </Step>
</Steps>

For more information on installing and configuring Active Directory Certificate Services, see the Microsoft

[**documentation**](https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority).
