SharePoint 2013 Install Certificate Authority on Windows Server 2012R2


This article is part 2 in our SharePoint 2013 ADFS 3.0 Installation and Configuration series. However, it can also be read as a standalone article on how to configure the Certificate Authority on Windows Server 2012. In this post we’ll walk through the procedure to set up a Certificate Authority (CA) by provisioning the Active Directory Certificate Services role. This is necessary because ADFS uses certificates to encrypt and sign SAML tokens. In production you may opt to use third-party certificates from a trusted issuer, and in a lab setup you may opt to use the self-signed certificates that ADFS will provide if no certificate is available during the installation process.

This post is in no way intended to outline how you would set up a CA for production use; instead it will guide you through the installation for a lab environment. The lab used for this blog series includes the following machines:

  • DC1 – Windows Server 2012 R2 Standard Domain Controller
  • SQL1 – SQL 2014 Server Enterprise on Windows Server 2012R2
  • SP-APP-1 – SharePoint 2013 Application Server on Windows Server 2012R2
  • SP-WFE-1 – SharePoint 2013 Web Front End Server on Windows Server 2012R2
  • SP-Win7-01 – Windows 7 Professional

In this example we’ll provision the Active Directory Certificate Services role on DC1.

Install Active Directory Certificate Services

  • Launch Server Manager
  • Click “Add roles and features” in the center pane under “Configure this local server”


  • Click “Next” to skip the wizard instruction page


  • Leave the “Role-based or feature-based installation” default radio button checked and click “Next”


  • Select the server you wish to deploy to (we are using “DC1.splab.local”), then click “Next”


  • Under “Roles” select “Active Directory Certificate Services”


  • It will ask you to add features that are required for this service. Click “Add Features”


  • Click “Next” and then “Next” again and “Next” one more time to move past the Features page.


  • Under “Role Services” select the “Certification Authority” and “Certification Authority Web Enrollment” services and accept the required features. Then click “Next”.


  • On the “Confirm installation selections” page you may have to designate an alternate source path for your Windows Server installation media if the wizard doesn’t already know where it is. Otherwise just click “Install” to begin the installation.


  • Wait for the installation to complete


  • Once the installation is complete you can click the yellow exclamation point on the Server Manager dashboard to configure the AD CS service.


  • The wizard asks what credentials you want to use to configure the CA services. The account you are using must be an Enterprise Admin to create the Enterprise CA, so make sure you have those permissions before continuing or choose an account that does. Then click “Next”


  • Select both “Certification Authority” and “Certification Authority Web Enrollment” to configure and then click “Next >”


  • On the “Setup Type” screen select the “Enterprise” option and click “Next >” to continue


  • On the “CA Type” screen select the “Root CA” option and click “Next >”


  • On the “Private Key” screen select the “Create a new private key” option and click “Next >”


  • On the “Cryptography for CA” screen accept the defaults and click “Next >”


  • On the “CA Name” screen select a common name and click “Next >”


  • On the “Set Validity Period” screen accept the default of 5 years and click “Next >”


  • On the “Certificate Database” screen accept the default location of the database and log files and click “Next >”


  • On the “Confirmation” screen review the settings and click “Configure” to begin provisioning the CA.


  • On the “Results” screen verify the components were successfully installed and click “Close”


Verify Installation

Now that the “Active Directory Certificate Services” role has been provisioned on the “DC1” domain controller we can verify it’s installed in “Server Manager”.


  • Click on “AD CS” in the left pane. It will display the servers that have that role installed on them in the center pane. Right-click on “DC1” and then select “Certification Authority”.


  • This will launch the CA snap-in, where you can verify that your CA is running properly
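
The same lab installation and verification can be scripted. The following PowerShell is an added example, not part of the original walkthrough: it mirrors the wizard choices above (Enterprise Root CA, new private key, default cryptography and database paths, 5 year validity, Web Enrollment) and then checks that the CA service answers. The CA common name is a placeholder, because the post does not state the name that was chosen.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the wizard steps above, run on the lab DC (DC1).
$ErrorActionPreference = 'Stop'

# Placeholder value: the walkthrough does not say which common name was entered.
$CACommonName = 'LAB-ROOT-CA-PLACEHOLDER'

# The walkthrough requires an Enterprise Admin to create an Enterprise CA.
# Check group membership before changing anything on the server.
if (-not ((whoami /groups) -match 'Enterprise Admins')) {
    throw 'Current account is not a member of Enterprise Admins; cannot create an Enterprise CA.'
}

# Role services chosen in the wizard: Certification Authority and CA Web Enrollment.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Setup Type = Enterprise, CA Type = Root CA, validity = 5 years.
# No key, hash, provider or database parameters are passed, so a new private key
# is created and the defaults are used, as in the "accept the defaults" steps.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $CACommonName `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Configure the Web Enrollment role service that was installed alongside the CA.
Install-AdcsWebEnrollment -Force

# Verification: the CA service must be running and must answer a ping on its
# certificate request interface.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') {
    throw "CertSvc is $($svc.Status), expected Running."
}

certutil -ping
if ($LASTEXITCODE -ne 0) {
    throw "certutil -ping failed with exit code $LASTEXITCODE."
}

# Print the CA name so it can be compared with the value entered above.
certutil -CAInfo name
```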


