This Windows server role will permit us to manage, renew or revoke certificates , as well as guaranteeing the identity of entities through our network.
Before we can install the certification authority, there are a few requirements first that we need to accomplish:
- Install a server with a static IP.
- The server must have an unchanged name.
- It is a domain joined server.
- (optional) It may have a static record on DNS, even though this one can be changed.
The role can be installed from Server Manager, or we can do it through Powershell:
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Once the role was installed, we can finish the installation from Server Manager or Powershell:
-CAType EnterpriseRootCa `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-KeyLength 2048 `
-HashAlgorithmName SHA512 `
-ValidityPeriod Years `
For the -CAType parameter there are four types of certification authorities, if you have a domain or lab server is recommended an enterprise root CA, instead of Standalone (or isolated server from Domain) unless you don’t have another RootCA in the same network is not needed to be subordinated.
Finally, once the certificates are created, we can export the CA Certificate in order to use it in other applications, e. g., to revoke superseded certificates.
certutil -ca.cert \\myserver\myshare$\CA_myCAServer.cer