Configure Active Directory Certificate Systems
Now, you must configure a new installation of Active Directory Certificate Services (ADCS) with a Public Key Infrastructure (PKI).
If you have not installed Active Directory, do that before proceeding, unless this is a standalone CA.
Select Start > Administrative Tools > Server Manager. Select the flag icon to the left of Manage.
Select Configure Active Directory Certificate Services on the destination.
On the Credentials page, ensure your login meets the displayed requirements. Select [ Next ].
On the Select Role Services page, select Certification Authority to enable the management and issuance of certificates. Select [ Next ].
On the Specify Setup Type page, the type designates the kind of certificate authority server and depends on your business requirements. Select either Enterprise or Standalone. Enterprise CAs integrate with Active Directory, while standalone CAs conduct operations offline.
On the Specify CA Type page, select Root or Subordinate. Select Root if you have not yet created a PKI. Select Subordinate if you are integrating with an existing PKI. Select [ Next ].
On the Set Up Private Key page, select Use existing private key or Create a new private key.
- If you have integrated this CA with the hardware previously and the private key already exists on the (for example, this is a reinstallation of the CA server), select Use existing private key. Then, choose Select an existing private key on this computer.
- If this is a new CA, select Create a new private key.
If Create a new private key was selected:
- On the Configure Cryptography for CA window, choose Futurex FXCL KMES CNG from the drop-down menu.
- Select a key character length: 2048, 3072, or 4096.
- Select one of the following hash algorithms from the drop-down menu: SHA-1, SHA-256, or SHA-512.
- Checking Allow administrator interaction when the private key is accessed by the CA has no effect.
- Select [ Next ].
If Use existing private key was selected:
- In the Existing Key window, change the Cryptographic provider to Futurex FXCL KMES CNG.
- Clear the common name field. Select [ Search ]. Locate the key you want to use from the search results.
- Checking Allow administrator interaction when the private key is accessed by the CA has no effect.
- Select [ Next ].
In the CA Name page, configure your PKI names and select [ Next ].
If you selected Root CA in step 6, the Set the Certificate Validity Period page opens. Enter the default validity for the root CA and select [ Next ].
If you selected Subordinate CA in step 6, the Certificate Request page opens. You can choose one of the following options:
- Choose a parent CA instance of AD CS on your domain to issue you a certificate.
- Save a certificate request to a file, and have it signed by an external CA.
In the Certificate Database page, select [ Next ].
In the Confirmation page, select [ Configure ].
For more information on installing and configuring Active Directory Certificate Services, see the Microsoft documentation.