How to Set Up a Certificate Authority on Windows Server 2012 R2
A Certificate Authority (CA) issues digital certificates that bind cryptographic keys to entities such as users, computers, and services. In Windows environments, an internal CA based on Active Directory Certificate Services (AD CS) enables automatic certificate enrolment for domain members, supports smart card authentication, signs code for trusted internal software distribution, and provides the foundation for encrypted communications across your infrastructure.
Windows Server 2012 R2 AD CS supports both standalone and enterprise CA types. An Enterprise Root CA is integrated with Active Directory and can automatically issue certificates to domain users and computers based on certificate templates; a single Enterprise Root CA is the simplest deployment and is what this guide builds. For production, prefer a two-tier hierarchy (an offline standalone root that signs only an online enterprise issuing CA), because a compromised issuing CA can then be revoked and rebuilt without re-establishing trust in the root on every client. This guide walks through deploying an Enterprise Root CA, configuring templates, enrolling certificates, and basic CA management.
Prerequisites
- Windows Server 2012 R2 joined to the Active Directory domain.
- Membership in the Domain Admins and Enterprise Admins groups (an Enterprise CA writes its configuration and certificates into the Configuration partition of Active Directory).
- Dedicated server or VM recommended — do not deploy the CA role on a domain controller in production.
- Static IP address and stable DNS resolution.
- Strong consideration of CA naming — the CA name cannot be changed after installation.
Step 1: Install Active Directory Certificate Services
# Install AD CS role with management tools
Install-WindowsFeature -Name AD-Certificate, ADCS-Cert-Authority, ADCS-Web-Enrollment `
-IncludeManagementTools
# Optional: Also install Certificate Enrollment Policy Web Service
Install-WindowsFeature -Name ADCS-Enroll-Web-Pol
# Verify installation
Get-WindowsFeature -Name ADCS-* |
Where-Object { $_.InstallState -eq "Installed" } |
Select-Object Name, DisplayName
Step 2: Configure the Enterprise Root CA
# Import the ADCSDeployment module
Import-Module ADCSDeployment
# Configure as an Enterprise Root CA
Install-AdcsCertificationAuthority `
-CAType EnterpriseRootCA `
-CACommonName "Corp-Root-CA" `
-CADistinguishedNameSuffix "DC=corp,DC=example,DC=com" `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-KeyLength 4096 `
-HashAlgorithmName SHA256 `
-ValidityPeriod Years `
-ValidityPeriodUnits 10 `
-DatabaseDirectory "C:\Windows\System32\CertLog" `
-LogDirectory "C:\Windows\System32\CertLog" `
-Force
# Verify the CA service is running
Get-Service -Name CertSvc | Select-Object Name, Status
After configuration, the CA's certificate is published to Active Directory (the Certification Authorities and NTAuthCertificates containers under Public Key Services in the Configuration partition). Domain members copy it into their Trusted Root Certification Authorities store through the certificate auto-enrolment client (certutil -pulse triggers this immediately), so domain computers trust the CA without a separate distribution step. Machines that are not domain-joined must import the root certificate themselves.
Step 3: Configure CRL Distribution Points
The Certificate Revocation List (CRL) allows clients to check whether a certificate has been revoked. The CA must publish its CRL to an accessible location, and the CRL Distribution Point (CDP) URLs embedded in issued certificates must be reachable by every client that will validate them. Clients try the CDP URLs in the order they appear in the certificate; a client that can reach none of them treats revocation status as unknown, and some consumers (smart card logon among them) refuse the certificate in that case. An LDAP CDP works only for domain-joined clients, so an HTTP CDP is needed for anything else and should be listed first so non-domain clients do not wait for an LDAP timeout.
# Configure CDP and AIA extensions. Each entry is "<flags>:<URL>", entries are separated by a literal \n,
# and the %-tokens are expanded by the CA (%1 server DNS name, %3 CA name, %6 configuration DN, %8/%9 CRL suffixes).
# CDP flags: 1 = publish CRLs here, 2 = include in the CDP extension of issued certificates,
# 4 = include in the freshest-CRL (delta) pointer, 8 = include in CRLs, 64 = publish delta CRLs here.
$crlPath = "C:\Windows\System32\CertSrv\CertEnroll"
# 65 = local folder the CA writes the CRL and delta CRL to; 6 = HTTP CDP, listed first so clients try it first
# (required for non-domain-joined machines); 79 = LDAP CDP, published to and used by domain members.
certutil -setreg CA\CRLPublicationURLs "65:$crlPath\%3%8%9.crl\n6:http://pki.corp.example.com/CertEnroll/%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
# Configure AIA (Authority Information Access): where clients fetch the CA certificate to build the chain.
# AIA flags: 1 = publish the CA certificate here, 2 = include in the AIA extension of issued certificates.
certutil -setreg CA\CACertPublicationURLs "1:$crlPath\%1_%3%4.crt\n2:http://pki.corp.example.com/CertEnroll/%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
# Set CRL validity: base CRL weekly, delta CRL daily. Clients cache a CRL until its NextUpdate,
# so a revocation is only guaranteed to be seen once the current delta CRL has expired.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
# Restart the CA service to apply changes
Restart-Service -Name CertSvc
# Publish the CRL now. CA setup creates a CertEnroll virtual directory in IIS (present here because
# Web Enrollment was installed), so pki.corp.example.com must resolve to this server, or the CRL and
# CA certificate files must be copied to whichever web host that name points at.
certutil -CRL
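The function below is an added example, not part of the original guide: it checks what Steps 2 and 3 should have produced, namely the CA certificate in the Certification Authorities and NTAuthCertificates containers, the root in this machine's Trusted Root store, every CRL in CertEnroll retrievable and byte-identical over the HTTP CDP with its NextUpdate still in the future, and certutil -verify -urlfetch succeeding against a certificate this CA issued. It assumes the names used above (Corp-Root-CA, http://pki.corp.example.com/CertEnroll, the default CertEnroll folder), that pki.corp.example.com already serves that folder, and that the RSAT ActiveDirectory module is installed on the machine it runs on.

```powershell
# Added example (not from the original guide): post-deployment checks for the CA built above.
Import-Module ActiveDirectory

function Test-CaDeployment {
    param(
        [string]$CaCommonName = "Corp-Root-CA",                           # from Step 2 (assumed)
        [string]$HttpCdpBase  = "http://pki.corp.example.com/CertEnroll",  # from Step 3 (assumed)
        [string]$CertEnroll   = "C:\Windows\System32\CertSrv\CertEnroll"   # where the CA writes CRL/CRT files
    )
    $configDn = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configDn"
    $r = [ordered]@{}

    # 1. CA certificate in the Certification Authorities container: the source of the trust anchor
    $caObj = Get-ADObject -Identity "CN=$CaCommonName,CN=Certification Authorities,$pkiBase" `
                          -Properties cACertificate -ErrorAction SilentlyContinue
    $rootThumb = $null
    if ($caObj -and $caObj.cACertificate.Count -gt 0) {
        $rootCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                                -ArgumentList (,[byte[]]$caObj.cACertificate[0])
        $rootThumb = $rootCert.Thumbprint
    }
    $r.PublishedInAD = [bool]$rootThumb

    # 2. NTAuthCertificates: a CA missing here cannot issue certificates accepted for domain logon
    $ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate -ErrorAction SilentlyContinue
    $r.InNTAuth = $false
    if ($ntAuth -and $rootThumb) {
        foreach ($raw in $ntAuth.cACertificate) {
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
            if ($c.Thumbprint -eq $rootThumb) { $r.InNTAuth = $true }
        }
    }

    # 3. This machine's Trusted Root store (what the auto-enrolment client should have delivered)
    $r.InLocalTrustedRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $rootThumb })

    # 4. Every CRL the CA writes locally must come back byte-identical from the HTTP CDP
    $web = New-Object System.Net.WebClient
    $crlReport = @()
    foreach ($crl in Get-ChildItem -Path $CertEnroll -Filter *.crl) {
        $url = "$HttpCdpBase/$($crl.Name)"
        try {
            $remote = $web.DownloadData($url)
            $local  = [System.IO.File]::ReadAllBytes($crl.FullName)
            $same   = [Convert]::ToBase64String($remote) -eq [Convert]::ToBase64String($local)
            # certutil -dump prints a NextUpdate line; an expired CRL breaks revocation checking for everyone
            $m = certutil -dump $crl.FullName | Select-String '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
            $next = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
            $crlReport += "$url reachable=True identical=$same nextUpdate=$next"
        } catch {
            $crlReport += "$url reachable=False ($($_.Exception.Message))"
        }
    }
    $r.HttpCrlChecks = $crlReport -join [Environment]::NewLine

    # 5. certutil -verify -urlfetch follows the CDP/AIA URLs embedded in an issued certificate, which is
    #    what every relying party does; the self-signed root itself carries no such URLs, so test a leaf
    $issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "CN=$CaCommonName,*" } | Select-Object -First 1
    if ($issued) {
        $tmp = Join-Path $env:TEMP "urlfetch-test.cer"
        [System.IO.File]::WriteAllBytes($tmp, $issued.Export('Cert'))
        certutil -verify -urlfetch $tmp | Out-Null
        $r.UrlFetchExitCode = $LASTEXITCODE   # 0 = chain built and every revocation URL answered
    } else {
        $r.UrlFetchExitCode = "no certificate issued by $CaCommonName in LocalMachine\My to test"
    }
    [pscustomobject]$r
}

Test-CaDeployment | Format-List
```

Run it on the CA first and then on an ordinary domain member; the second run is the one that tells you whether clients, not just the CA, can reach the published URLs.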
Step 4: Create and Publish Certificate Templates
Certificate templates define the purpose, validity, key usage, and issuance requirements for certificates. Windows Server 2012 R2 includes many pre-built templates that you duplicate and customise.
# List the certificate templates defined in Active Directory (published on this CA or not)
certutil -template
# Templates are duplicated and customised in the Certificate Templates console:
# Start -> Run -> certtmpl.msc (the CA's own console is certsrv.msc)
# Add a template to the CA for issuance
Add-CATemplate -Name "WebServer"
Add-CATemplate -Name "User"
Add-CATemplate -Name "Computer"
# List templates currently enabled on the CA
Get-CATemplate
Step 5: Request and Issue Certificates
# Request a certificate from the CA using auto-enrolment (domain member)
# This happens automatically via Group Policy for the "Computer" template
# Manually request a certificate via PowerShell
# First, create a certificate request INF file. Use a single-quoted here-string so that
# PowerShell does not expand "$Windows NT$" as a variable reference.
$infContent = @'
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=webserver01.corp.example.com,O=Corp,C=US"
KeySpec = 1
KeyLength = 2048
; TRUE only if the key must later be moved to another host; exportable keys are easier to steal
Exportable = FALSE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
; 0xa0 = digitalSignature + keyEncipherment
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
; Server Authentication
OID=1.3.6.1.5.5.7.3.1
[Extensions]
; Subject Alternative Name: browsers ignore the CN and require the DNS name here
2.5.29.17 = "{text}"
_continue_ = "dns=webserver01.corp.example.com"
[RequestAttributes]
; An Enterprise CA rejects a request that does not name a template
CertificateTemplate = WebServer
'@
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
$infContent | Out-File -FilePath "C:\Temp\webreq.inf" -Encoding ASCII
# Generate the certificate request (this creates the key pair in the machine key store)
certreq -new "C:\Temp\webreq.inf" "C:\Temp\webreq.req"
# Submit the request to the CA; the config string is "<CA host>\<CA common name>"
certreq -submit -config "CA01\Corp-Root-CA" "C:\Temp\webreq.req" "C:\Temp\webreq.cer"
# Accept/install the issued certificate, binding it to the private key created by -new
certreq -accept "C:\Temp\webreq.cer"
Step 6: Configure Automatic Certificate Enrolment via Group Policy
Auto-enrolment is one of the most powerful features of an Enterprise CA — domain computers and users automatically receive certificates they need without administrator intervention.
# Enable auto-enrollment via Group Policy (set on Default Domain Policy or dedicated GPO)
# Computer Configuration -> Windows Settings -> Security Settings
# -> Public Key Policies -> Certificate Services Client - Auto-Enrollment
# Set: Enroll certificates automatically
# Check: Renew expired certificates, update pending certificates
# Check: Update certificates that use certificate templates
# Trigger certificate auto-enrolment manually
certutil -pulse
# Check locally installed certificates
Get-ChildItem -Path "Cert:\LocalMachine\My" |
Select-Object Subject, Thumbprint, NotAfter | Sort-Object NotAfter
# Check certificate template enrollment permissions
# In the Certificate Templates console (certtmpl.msc):
# Template Properties -> Security tab -> ensure the target group has Read and Enroll (plus Autoenroll for auto-enrolment)
# Keep Enroll tight on any template that lets the requester choose the subject (Subject Name tab -> "Supply in the request")
# and carries a logon-capable EKU such as Client Authentication or Smart Card Logon: anyone who can enroll for such a
# template can request a certificate in another account's name and log on as that account. Grant those templates only
# to a narrow group, or require CA certificate manager approval on the Issuance Requirements tab.
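As an added example (not from the original guide), the script below audits the templates in Active Directory for the permission mistake just described and reports which of them this CA actually publishes; the combination it flags (requester supplies the subject, logon-capable EKU, no approval or extra signature, enrollable by a broad group) is the one commonly catalogued as ESC1. It assumes it runs on the CA with the ActiveDirectory and ADCSAdministration modules available. The flag bits and extended-right GUIDs are the ones defined in the AD schema; the list of "broad" principals is an assumption you should adapt to your own group names.

```powershell
# Added example (not from the original guide): find templates any enrollee could abuse to get a logon certificate
# for an arbitrary identity, and show whether this CA publishes them.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right
$AuthEkus = @('1.3.6.1.5.5.7.3.2',        # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
              '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
              '2.5.29.37.0')              # Any Purpose
# Principals that should never be able to enroll for an identity they pick themselves (assumed list; adjust)
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users')

function Get-TemplateEnrollers {
    param([string]$TemplateDn)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    (Get-Acl -Path "AD:\$TemplateDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
             $_.ObjectType -in @($EnrollRight, $AutoEnrollRight, [guid]::Empty))   # Empty GUID = all extended rights
        )
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Get-RiskyTemplate {
    $configDn  = (Get-ADRootDSE).configurationNamingContext
    $tmplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn"
    $published = @(Get-CATemplate | ForEach-Object { $_.Name })   # templates this CA will actually issue
    $props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage'

    Get-ADObject -SearchBase $tmplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
    ForEach-Object {
        $t = $_
        $suppliesSubject = (([int]$t.'msPKI-Certificate-Name-Flag') -band 0x1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        $managerApproval = (([int]$t.'msPKI-Enrollment-Flag') -band 0x2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS
        $signatures      = [int]$t.'msPKI-RA-Signature'                                # authorized signatures required
        $ekus            = @($t.pKIExtendedKeyUsage)
        $authEku         = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus -contains $_ })  # no EKU = any purpose
        $enrollers       = @(Get-TemplateEnrollers -TemplateDn $t.DistinguishedName)
        $broad           = @($enrollers | Where-Object { $e = $_; $BroadPrincipals | Where-Object { $e -eq $_ -or $e -like "*\$_" } })

        [pscustomobject]@{
            Template           = $t.Name
            PublishedOnCA      = ($published -contains $t.Name)
            SuppliesSubject    = $suppliesSubject
            AuthEKU            = $authEku
            ManagerApproval    = $managerApproval
            RequiredSignatures = $signatures
            BroadEnrollers     = ($broad -join '; ')
            # The dangerous combination: issued by this CA, requester picks the subject, usable for logon,
            # no human or second signer in the loop, and enrollable by a broad group
            Risky = ($published -contains $t.Name) -and $suppliesSubject -and $authEku -and
                    -not $managerApproval -and ($signatures -eq 0) -and ($broad.Count -gt 0)
        }
    }
}

Get-RiskyTemplate | Sort-Object Risky -Descending |
    Format-Table Template, PublishedOnCA, SuppliesSubject, AuthEKU, ManagerApproval, BroadEnrollers, Risky -AutoSize
```

Run it after every template change, not just once; a template that is safe today becomes risky the moment someone ticks "Supply in the request" to make a one-off enrolment easier.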
Step 7: Monitor and Manage the CA
# List all issued certificates
certutil -view -out "RequestID,Disposition,RequesterName,NotAfter,CommonName"
# List pending requests
certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,CommonName"
# Revoke a certificate by serial number (take it from the "SerialNumber" column of certutil -view);
# the second argument is the reason code: 0=Unspecified, 1=KeyCompromise, 2=CACompromise,
# 3=AffiliationChanged, 4=Superseded, 5=CessationOfOperation, 6=CertificateHold (reversible)
certutil -revoke <SerialNumber> 1
# Publish updated CRL after revocation
certutil -CRL
# Back up the CA database and private key (critical; do this regularly). certutil options such as -p
# precede the verb. Use a strong passphrase and keep it apart from the backup files: whoever holds
# both can sign certificates as your CA.
certutil -p "BackupPassword!" -backup "C:\CABackup"
# Restore the CA from backup; stop the CA service first
Stop-Service -Name CertSvc
certutil -p "BackupPassword!" -restore "C:\CABackup"
Start-Service -Name CertSvc
# Check CA health (add -config "CA01\Corp-Root-CA" to test it from another machine)
certutil -ping
# View the CA's own events in the Application log
Get-EventLog -LogName "Application" -Source "Microsoft-Windows-CertificationAuthority" -Newest 20
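Monitoring is only as good as what the CA records. The following is an added example (not part of the original guide) that turns on all of the CA's audit categories and summarises request, issuance and denial events from the Security log so that unusual enrolment activity stands out. It assumes it runs on the CA as an administrator; the CA writes these events only when the Object Access > Certification Services audit subcategory is also enabled, which the auditpol line does locally unless Group Policy overrides it. The event IDs and field names are the ones Windows uses for AD CS auditing; the 24-hour window and the groupings are illustrative choices.

```powershell
# Added example (not from the original guide): enable CA auditing and review who is getting certificates.

# Enable local auditing of Certification Services (Group Policy may override this setting)
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
# AuditFilter is a bitmask of the seven CA audit categories; 127 turns on all of them
certutil -setreg CA\AuditFilter 127
Restart-Service -Name CertSvc

function Get-CaRequestEvent {
    param([int]$Hours = 24)
    # 4886 = request received, 4887 = request approved and certificate issued,
    # 4888 = request denied, 4889 = request set to pending (manager approval)
    $filter = @{ LogName = 'Security'; Id = 4886, 4887, 4888, 4889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # certreq -attrib / [RequestAttributes] put the template name in Attributes; auto-enrolled requests
        # carry it in a request extension instead, so it can legitimately be absent here
        $template = if ($data['Attributes'] -match 'CertificateTemplate:([^\r\n]+)') { $Matches[1].Trim() } else { '(not in attributes)' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            RequestId = $data['RequestId']
            Requester = $data['Requester']
            Subject   = $data['Subject']
            Template  = $template
        }
    }
}

$events = @(Get-CaRequestEvent -Hours 24)

# Issued certificates grouped by requester and template: a burst of issuances to one account,
# or a template you never published, deserves a second look
$events | Where-Object { $_.EventId -eq 4887 } |
    Group-Object Requester, Template | Sort-Object Count -Descending |
    Select-Object Count, Name

# Denied requests show who is asking for templates they are not allowed to use
$events | Where-Object { $_.EventId -eq 4888 } | Format-Table Time, Requester, Subject, Template -AutoSize
```

Pair this with a rule on your log collector for event 4890 (CA security settings changed) and 4899/4900 (template changed or template security changed), since those are the changes an attacker makes before the issuance events above start to look interesting.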
Summary
Active Directory Certificate Services on Windows Server 2012 R2 provides a robust internal Public Key Infrastructure that automates certificate issuance across your domain. The key deployment steps are: install the AD CS role, configure an Enterprise Root CA with a 4096-bit RSA key, configure CDP and AIA locations so clients can check certificate revocation, add appropriate templates (WebServer, Computer, User) to the CA’s issuance list, and enable auto-enrolment via Group Policy so domain machines receive certificates automatically. Always back up the CA database and private key regularly — the CA private key is irreplaceable, and its loss means you cannot sign new certificates or CRLs until you rebuild the CA from scratch.