How to Set Up Windows Server 2016 Certificate Authority
A Certificate Authority (CA) is a cornerstone of public key infrastructure (PKI). In Windows Server 2016, Active Directory Certificate Services (AD CS) provides the role needed to issue and manage digital certificates used for authentication, encryption, and digital signatures. This guide walks you through installing and configuring a standalone or enterprise CA on Windows Server 2016.
Prerequisites
Before installing AD CS, ensure the following conditions are met:
- The server is joined to the domain (for Enterprise CA) or configured as a standalone server.
- You have local administrator or domain administrator privileges.
- The server has a static IP address and proper DNS configuration.
- Active Directory Domain Services (AD DS) is installed if you plan to deploy an Enterprise CA.
Step 1: Install the AD CS Role
Open Server Manager and add the Active Directory Certificate Services role, or use PowerShell to install it:
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
This installs the CA role along with the Certification Authority management console.
Step 2: Configure the CA Using PowerShell
After installing the role, configure it using the Install-AdcsCertificationAuthority cmdlet. The following example configures an Enterprise Root CA:
Install-AdcsCertificationAuthority `
-CAType EnterpriseRootCA `
-CACommonName "Corp-Root-CA" `
-KeyLength 2048 `
-HashAlgorithmName SHA256 `
-ValidityPeriod Years `
-ValidityPeriodUnits 10 `
-Force
For a Standalone Root CA (not joined to a domain), replace EnterpriseRootCA with StandaloneRootCA and omit domain-specific parameters.
Step 3: Verify the CA Service Is Running
Get-Service -Name CertSvc
The status should show Running. You can also start the service manually:
Start-Service -Name CertSvc
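Once the service is up, it is worth confirming that the CA certificate actually carries the parameters passed in Step 2 before any certificates are issued from it. The following PowerShell script is an added example, not part of the original guide; it assumes the CA common name "Corp-Root-CA" and the key length, hash algorithm and 10-year validity used in Step 2, and reads the CA's own certificate from the machine's Personal store.

```powershell
# Added example (not from the original guide): verify that the freshly
# configured CA matches the parameters passed to Install-AdcsCertificationAuthority.
$caName        = "Corp-Root-CA"   # assumption: the CACommonName used in Step 2
$expectedBits  = 2048
$expectedHash  = "sha256RSA"      # FriendlyName reported for SHA-256 with RSA
$expectedYears = 10

# 1. The service must be running before anything else is checked.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') {
    throw "CertSvc is $($svc.Status); start it with Start-Service CertSvc and check the Application log."
}

# 2. The CA's own certificate lives in the machine's Personal store.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "No certificate with CN=$caName found in LocalMachine\My." }

# 3. Compare what was issued against what was requested.
$keyBits  = $caCert.PublicKey.Key.KeySize
$sigAlg   = $caCert.SignatureAlgorithm.FriendlyName
$lifetime = ($caCert.NotAfter - $caCert.NotBefore).TotalDays / 365.25
$selfSigned = ($caCert.Subject -eq $caCert.Issuer)

$checks = @(
    [pscustomobject]@{ Check = "Key length";   Expected = $expectedBits;  Actual = $keyBits; Ok = ($keyBits -eq $expectedBits) }
    [pscustomobject]@{ Check = "Signature";    Expected = $expectedHash;  Actual = $sigAlg;  Ok = ($sigAlg -eq $expectedHash) }
    [pscustomobject]@{ Check = "Lifetime (y)"; Expected = $expectedYears; Actual = [math]::Round($lifetime, 2); Ok = ([math]::Abs($lifetime - $expectedYears) -lt 0.1) }
    [pscustomobject]@{ Check = "Self-signed";  Expected = $true;          Actual = $selfSigned; Ok = $selfSigned }
)
$checks | Format-Table -AutoSize

# 4. A root CA installs its own certificate into Trusted Root on the CA host;
#    confirm it is there by thumbprint.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $caCert.Thumbprint }
"Root CA trusted on this host: $([bool]$trusted)"

if ($checks | Where-Object { -not $_.Ok }) {
    Write-Warning "One or more CA parameters differ from the requested values; re-check Step 2 before issuing certificates."
}
```

Run it in an elevated PowerShell session on the CA itself. A mismatch on key length or signature algorithm at this stage is cheap to fix (reinstall the role); after subordinate or end-entity certificates have been issued it is not.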
Step 4: Configure Certificate Templates
For Enterprise CAs, certificate templates define which types of certificates the CA can issue. Open the Certification Authority console and navigate to Certificate Templates; duplicate a built-in template there if you need custom settings. To publish a template to the CA using PowerShell:
Add-CATemplate -Name "WebServer"
To list all available templates:
Get-CATemplate
Step 5: Configure the CRL Distribution Point
The Certificate Revocation List (CRL) must be accessible to clients verifying certificates. Configure the CDP extension:
certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.corp.local/CertEnroll/%3%8.crl"
After updating the CRL settings, restart the CA service and publish the CRL:
Restart-Service CertSvc
certutil -crl
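A CRL that is published but unreachable, or that has passed its NextUpdate time, makes revocation checking fail for every relying party. The script below is an added example, not part of the original guide: it fetches the CRL from the HTTP distribution point exactly as a client would and reports its validity window. It assumes the CDP URL configured above and that %3 expands to the CA name "Corp-Root-CA"; adjust $crlUrl to match your environment.

```powershell
# Added example (not from the original guide): confirm that the CRL a client
# would fetch from the HTTP CDP is reachable and has not expired.
$crlUrl  = "http://pki.corp.local/CertEnroll/Corp-Root-CA.crl"   # assumption: %3 expanded to the CA name
$tmpFile = Join-Path $env:TEMP "cdp-check.crl"

# 1. Show what the CA believes its publication URLs are.
certutil -getreg CA\CRLPublicationURLs

# 2. Download the CRL the way a relying party would (plain HTTP, no authentication).
try {
    Invoke-WebRequest -Uri $crlUrl -OutFile $tmpFile -UseBasicParsing -ErrorAction Stop
} catch {
    throw "CRL not reachable at $crlUrl : $($_.Exception.Message)"
}

# 3. Decode it with certutil and pull the validity window out of the dump.
$dump       = certutil -dump $tmpFile | Out-String
$thisUpdate = [regex]::Match($dump, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim()
$nextUpdate = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
if (-not $nextUpdate) { throw "Could not parse NextUpdate from 'certutil -dump' output." }

$next = [datetime]::Parse($nextUpdate)
[pscustomobject]@{
    Url        = $crlUrl
    ThisUpdate = $thisUpdate
    NextUpdate = $nextUpdate
    HoursLeft  = [math]::Round(($next - (Get-Date)).TotalHours, 1)
    Valid      = ($next -gt (Get-Date))
}

# 4. An expired CRL means every client doing revocation checking against this
#    CDP fails; republish with 'certutil -crl' and check the web copy job.
if ($next -le (Get-Date)) {
    Write-Warning "CRL expired at $nextUpdate; run 'certutil -crl' and verify the file reaches the web server."
}
Remove-Item $tmpFile -ErrorAction SilentlyContinue
```

Scheduling this check to run well before the CRL's NextUpdate gives you time to republish; the gap between ThisUpdate and NextUpdate is the maximum window in which a revoked certificate can still be accepted by clients that rely on the CRL alone.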
Step 6: Publish the CA Certificate to Active Directory
For enterprise deployments, publish the root CA certificate so domain clients trust it automatically:
certutil -dspublish -f RootCA.cer RootCA
Step 7: Request and Issue a Certificate
To request a certificate from the command line using certreq:
certreq -new request.inf request.csr
certreq -submit -attrib "CertificateTemplate:WebServer" request.csr certificate.cer
certreq -accept certificate.cer
Alternatively, use the Certificates MMC snap-in (certmgr.msc) for a GUI-based request workflow.
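The three certreq commands above depend on a request.inf that the guide references but does not show. The following PowerShell script is an added example, not part of the original guide: it writes a request.inf for a web server certificate, runs the certreq -new, -submit and -accept sequence, and verifies the issued certificate in the machine store. It assumes a domain-joined host enrolling against an Enterprise CA with the WebServer template published; the hostnames and the CA configuration string "ca01.corp.local\Corp-Root-CA" are constructed placeholders.

```powershell
# Added example (not from the original guide): the certreq workflow from Step 7
# together with the request.inf it needs.
$fqdn     = "www.corp.local"                   # assumption: subject of the server certificate
$altName  = "corp.local"                       # assumption: additional SAN entry
$caConfig = "ca01.corp.local\Corp-Root-CA"     # assumption: "<CA host FQDN>\<CA common name>"
$workDir  = Join-Path $env:TEMP "certreq-demo"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$inf = Join-Path $workDir "request.inf"
$csr = Join-Path $workDir "request.csr"
$cer = Join-Path $workDir "certificate.cer"

# The INF drives 'certreq -new': a non-exportable 2048-bit RSA key in the machine
# store, SHA-256, and a Subject Alternative Name extension (OID 2.5.29.17).
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn, O=Corp, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=$altName&"

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request.
certreq -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit to the CA. Without -config certreq prompts for a CA interactively.
certreq -submit -config $caConfig -attrib "CertificateTemplate:WebServer" $csr $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE); check the template's Enroll permission for this computer" }

# 3. Bind the issued certificate to the private key generated in step 1.
certreq -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# 4. Verify the result: private key present, SAN populated, chain builds to the root.
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
[pscustomobject]@{
    Subject       = $issued.Subject
    Issuer        = $issued.Issuer
    HasPrivateKey = $issued.HasPrivateKey
    SAN           = ($issued.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
    ChainBuilds   = $issued.Verify()
}
```

Exportable = FALSE keeps the private key bound to this host, which is the setting you want for a TLS server key. If the CA is a standalone CA instead, -submit returns a pending request ID and an administrator must issue it in the CA console before -accept can run.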
Step 8: Back Up the CA
Always back up your CA after configuration. Use the following command:
certutil -backupDB C:\CABackup
certutil -backupKey C:\CABackup
This exports the CA database and private key to the specified directory. Store the backup in a secure, offline location.
Step 9: Enable the Online Certificate Status Protocol (OCSP)
OCSP provides real-time certificate status and is preferred over CRL in many environments. Install the OCSP responder role:
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools
Then configure it with:
Install-AdcsOnlineResponder
Troubleshooting Tips
If the CA fails to start, check the Application event log for errors related to CertSvc. Common issues include permission problems on the CA database folder or expired CA certificates. To view CA configuration:
certutil -getreg CA
This command lists all registry settings under the CA configuration key, allowing you to diagnose misconfigurations quickly.
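As a first pass at the problems listed above, the script below is an added example, not part of the original guide. It reads the active CA's configuration from the CertSvc registry key, checks that SYSTEM holds Full Control on the database and log folders, checks whether the CA certificate has expired, and pulls recent CertSvc errors and warnings from the Application log. It assumes the standard registry layout under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration and the event provider name Microsoft-Windows-CertificationAuthority.

```powershell
# Added example (not from the original guide): health check for a CA that will not start.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$active = (Get-ItemProperty -Path $cfgKey -Name Active).Active   # name of the configured CA
$caKey  = Join-Path $cfgKey $active
$ca     = Get-ItemProperty -Path $caKey
"Active CA: $active (CommonName: $($ca.CommonName))"

# 1. Database and log folders must exist and grant SYSTEM Full Control.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($dir in @($ca.DBDirectory, $ca.DBLogDirectory) | Select-Object -Unique) {
    if (-not (Test-Path $dir)) { Write-Warning "Missing folder: $dir"; continue }
    $systemFull = (Get-Acl $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    if ($systemFull) { "OK   $dir (SYSTEM has FullControl)" }
    else             { Write-Warning "SYSTEM lacks FullControl on $dir" }
}

# 2. The CA certificate must still be valid; an expired one stops CertSvc.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$($ca.CommonName)*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { Write-Warning "CA certificate for $($ca.CommonName) not found in LocalMachine\My" }
elseif ($caCert.NotAfter -lt (Get-Date)) { Write-Warning "CA certificate expired on $($caCert.NotAfter)" }
else { "OK   CA certificate valid until $($caCert.NotAfter)" }

# 3. Recent CertSvc errors and warnings from the Application log (last 7 days).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Level        = 1, 2, 3
    StartTime    = (Get-Date).AddDays(-7)
} -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) { $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List }
else { "OK   no CertSvc errors or warnings in the last 7 days" }
```

The registry values read here (Active, CommonName, DBDirectory, DBLogDirectory) are the same ones certutil -getreg CA prints; reading them directly makes the script easy to extend with whatever setting a particular failure points at.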
Summary
Setting up a Certificate Authority on Windows Server 2016 using AD CS provides a robust PKI foundation for your organization. Whether deploying an Enterprise or Standalone CA, the process involves installing the role, configuring key parameters, publishing CRL and OCSP information, and issuing certificates. Regular backups and proper CRL publishing are essential for maintaining a healthy PKI environment.