Install and configure AD CS

If Active Directory Domain Services is not already installed, install it before proceeding. You need an Enterprise CA to use with Intune, so install the AD CS role on a server that is joined to your existing domain.

This section describes the tasks required to install and configure AD CS.

Install AD CS

Install Active Directory Domain Services first unless you want to set up a standalone CA, which does not require a domain.

Perform the following steps to install AD CS:

1. Select Start > Administrative Tools > Server Manager and then Manage. Select Add roles and features.

2. When the Before You Begin box opens, select [ Next ].

3. Select Role-based or feature-based installation as the installation type. Select [ Next ].

4. In the Server Selection window, select the server from the domain (or the local machine) on which to install AD CS. Select [ Next ].

5. In the Server Roles window, select the checkbox next to Active Directory Certificate Services. Select [ Next ] and [ Add Features ].

6. In the Features window, select [ Next ].

7. In the AD CS window, select [ Next ].

8. In the Role Services window, select Certificate Authority. Select [ Next ].

9. In the Confirmation window, select [ Install ].

10. After the installation completes, select [ Close ].

Configure AD CS

Perform the following steps to configure the new AD CS installation with a Public Key Infrastructure (PKI):

If you haven't installed Active Directory yet, install it before proceeding unless this is a standalone CA.

1. Select Start > Administrative Tools > Server Manager. Select the flag icon to the left of Manage.

2. Select Configure Active Directory Certificate Services on the destination server.

3. In the Credentials window, ensure your login meets the displayed requirements and select [ Next ].

4. In the Select Role Services window, select Certificate Authority to enable the management and issuance of certificates, and select [ Next ].

5. In the Specify Setup Type window, you must set the Type. The type designates the kind of certificate authority server and depends on your business requirements. Select either Enterprise or Standalone.

  • Enterprise CAs are integrated with Active Directory.
  • Standalone CAs conduct operations offline.

Select [ Next ].

6. In the Specify CA Type window, select Root or Subordinate.

  • Select Root if you have not yet created a PKI.
  • Select Subordinate if you are integrating with an existing PKI.

Select [ Next ].

7. In the Set Up Private Key window, select Use existing private key or Create a new private key.

  • Select Use existing private key if you have integrated this CA with the Futurex hardware previously and the private key already exists on the KMES Series 3 (for example, this is a reinstallation of the CA server). Then choose Select an existing private key on this computer and proceed to Step 9.
  • If this is a new CA, select Create a new private key and proceed to Step 8.

Select [ Next ].

8. If you selected Create a new private key, perform the following steps:

  1. In the Configure Cryptography for CA window, choose Futurex FXCL KMES CNG from the drop-down menu.
  2. Select a key length in bits: 2048, 3072, or 4096.
  3. Select a hash algorithm from the drop-down menu: SHA-1, SHA-256, or SHA-512.
  4. Select [ Next ] and proceed to Step 10.

Checking Allow administrator interaction when the private key is accessed by the CA has no effect.

9. If you selected Use existing private key, perform the following steps:

  1. In the Existing Key window, change the Cryptographic provider to Futurex FXCL KMES CNG.
  2. Clear the common name field and select [ Search ]. Locate the key you want to use from the search results.
  3. Select [ Next ] and proceed to Step 10.

Checking Allow administrator interaction when the private key is accessed by the CA has no effect.

10. In the CA Name window, configure your PKI names and select [ Next ].

11. If you selected Root CA in step 6, the Set the Certificate Validity Period page opens. Designate the default validity period for the root CA and select [ Next ].

12. If you selected Subordinate CA in step 6, the Certificate Request page opens. Perform one of the following optional tasks:

  • You can choose a parent CA instance of AD CS on your domain to issue you a certificate.
  • You can save a certificate request to a file and have it signed by an external CA.

Select [ Next ].

13. In the Certificate Database window, select [ Next ].

14. In the Confirmation window, select [ Configure ].

15. To confirm that the root CA was installed successfully, enter the following command in a command prompt:

PowerShell


If the operation succeeds, the following message displays:

STATE: 4 RUNNING
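The following script is an added example, not part of the Futurex page or its product, that performs the same Install AD CS and Configure AD CS procedures from PowerShell and then runs the post-install checks an administrator would want: that the CA service is running and that the CA key is actually held by the Futurex key storage provider rather than in software. The CA common name, key length, hash algorithm and validity period are placeholders to change. The provider name "Futurex FXCL KMES CNG" is the one the procedure above selects; the "RSA#" prefix is the algorithm#provider form that Install-AdcsCertificationAuthority uses for CNG providers, and applying it to the Futurex KSP is an assumption.

```powershell
# Added example (not from the Futurex page): scripted equivalent of the
# Install and Configure AD CS procedures, followed by post-install checks.
# Run in an elevated PowerShell session on the domain-joined CA server
# with an account that meets the Enterprise CA credential requirements.

$CACommonName  = 'CONTOSO-ISSUING-CA'          # placeholder, set your PKI name
$KeyProvider   = 'RSA#Futurex FXCL KMES CNG'   # assumed algorithm#provider form for the Futurex KSP
$KeyLength     = 4096                          # 2048, 3072 or 4096 as in step 8
$HashAlgorithm = 'SHA256'                      # prefer SHA256/SHA512 over SHA1 for a new CA

# Install AD CS, steps 1-10: add the Certification Authority role service.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Configure AD CS, steps 1-14: Enterprise root CA with a new key generated
# through the Futurex KSP (the "Create a new private key" path, step 8).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CACommonName `
    -CryptoProviderName $KeyProvider `
    -KeyLength $KeyLength `
    -HashAlgorithmName $HashAlgorithm `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# For a reinstall that reuses a key already on the KMES (the "Use existing
# private key" path, step 9), replace -KeyLength/-HashAlgorithmName with
# -KeyContainerName '<name of the existing key>' (placeholder).

# Step 15 equivalent: confirm the service is running.
$svc = Get-Service -Name CertSvc
"CertSvc status : $($svc.Status)"   # expect Running (sc query reports STATE: 4 RUNNING)

# Confirm which provider holds the CA key. The active CA's settings live
# under this registry path; the CSP subkey records the provider and hash.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$active = (Get-ItemProperty -Path $cfg -Name Active).Active
$csp    = Get-ItemProperty -Path "$cfg\$active\CSP"

"CA name        : $active"
"Key provider   : $($csp.Provider)"          # expect Futurex FXCL KMES CNG
"Hash algorithm : $($csp.CNGHashAlgorithm)"  # expect SHA256

if ($csp.Provider -ne 'Futurex FXCL KMES CNG') {
    Write-Warning 'CA key is not held by the Futurex KSP; check the provider chosen in step 8 or 9.'
}
if ($csp.CNGHashAlgorithm -eq 'SHA1') {
    Write-Warning 'CA signs with SHA-1; reconfigure with SHA-256 or stronger before issuing certificates.'
}

# Exercise the CA's RPC/DCOM interface the way enrolling clients do.
certutil -ping
```

The provider check matters because a CA that silently falls back to the Microsoft Software Key Storage Provider will still report STATE: 4 RUNNING; only the CSP registry values (or certutil -getreg CA\CSP\Provider) show where the private key really lives.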

For more information on installing and configuring Active Directory Certificate Services, refer to Microsoft’s documentation.