Deploying a Certificate Authority on Windows Server 2012 R2 using powershell

Abstract: This howto explains how you can deploying the Active Directory Certificate Services (AD CS) and the Web Enrollment on Windows Server 2012 R2 using powershell.

Steps:

1.) Prepare a new Windows 2012 R2 Server (with or without GUI)

2.) Login into your Server with an domain admin account

3.) Start a new powershell via:

powershell

4.) Install the needed features via:

Install-WindowsFeature AD-Certificate

The AD-CertificateFeature will install the Active Directory Certificate Services and the Certificate Authority Feature.

5.) Create your CA now (in this example we will install one from the Type "EnterpriseRootCA"). With "-whatif" you can check which commands will be used, so run the following:

Install-AdcsCertificationAuthority -CACommonName "Contoso Test Root CA" -CAType EnterpriseRootCa -HashAlgorithmName SHA256 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 100 -whatif

and check if everything fits your needs. If thats the case, install the AD without "-whatif":

Install-AdcsCertificationAuthority -CACommonName "Contoso Test Root CA" -CAType EnterpriseRootCa -HashAlgorithmName SHA256 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 100

If you do not wish to setup a test environment then limit the ValidityPeriodUnits to value which fits your needs.

If you wish to use SHA512, then please read KB 2973337 here, you can also use the hash algorithm SHA384 instead SHA256 above

SHA-1 shouldn´t any longer be used. See here for more details.

6.)  Install now the Active Directory Certificate Services (AD CS) Web enrollment via:

Install-WindowsFeature ADCS-Web-Enrollment

and

Install-AdcsWebEnrollment

This will build the virtual applications under the "Default Web Site" (which can be done also via 'certutil -vroot', but not needed here) and will also build the C:\Windows\System32\certsrv\certdat.inc file.

8.) If you setup the CA on a Windows 2012 R2 core you need to connect now to your administration workstation to perform the following steps. If you setup the CA on a Windows 2012 R2 Server with a GUI you can perform the following steps directly on this server.

9.) As the normal two year template might be to short for most companies we will create a new one now. This step is optional, if you wish to renew SSL certificated every two years, you can skip that step.

If you are installing the CA on Windows 2012 R2 with a GUI start the CA Management Console (certsrv.msc) on the server, otherwise start it on your management computer and connect it to the Windows 2012 R2 core server which runs the CA.

10.) Select "Certificate Templates" (A) -> and click on Manage (B).

11.) Select the "Web Server" template (A) and choose "Duplicate Template" (B).

12.) In the "General" tab enter a template name (A), choose the Validity period (B) and click on apply.

13.) In the "Request Handling" tab select the option "Allow private key to be exported" (A). Press Apply (B) and then OK.

Might be useful if you need to move some certificates in the future. But it might also limit the security!

14.) In the CA Management Console (certsrv.msc) click on "Certificate Template" (A) -> New (B) -> Certificate Template to Issue (C).

15.) Select our template (A) we created some steps before and click on OK (B).

Close the CA Management Console (certsrv.msc) now.

16.) Now create a new certificate for this server and add a https port to the default web site (as explained for example here).