Share via

Install a Root Certification Authority

Applies To: Windows Server 2008 R2

For most organizations, a root certification authority (CA) certificate is the first Active Directory Certificate Services (AD CS) role service that they install. In a basic public key infrastructure (PKI), a root CA may be the only CA that an organization deploys.

Whether you install just one CA or multiple CAs, the root CA certificate establishes the foundation and basic rules that govern certificate issuance and use for your entire PKI. Where the root certificate defines standards for what is acceptable and unacceptable in the PKI hierarchy, AD CS applies those standards to any other CAs and AD CS role services.

A root CA can be a stand-alone or enterprise CA. If there is more than one CA in the organization, many organizations minimize the exposure of their root CA by keeping it offline except when it is needed to process a request for a subordinate CA certificate.

Membership in local Administrators, or equivalent, is the minimum required to complete this procedure. If this will be an enterprise CA, membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To install a root CA

  1. Open Server Manager,click Add Roles, click Next,and click Active Directory Certificate Services. Click Next two times.

  2. On the Select Role Services page, click Certification Authority. Click Next.

  3. On the Specify Setup Type page, click Standalone or Enterprise. Click Next.


You must have a network connection to a domain controller in order to install an enterprise CA.

  1. On the Specify CA Type page, click Root CA. Click Next.

    For more information, see Types of Certification Authorities.

  2. On the Set Up Private Key page, click Create a new private key. Click Next.

  3. On the Configure Cryptography page, select a cryptographic service provider, key length, and hash algorithm. Click Next.

    For more information, see Cryptographic Options for CAs.

  4. On the Configure CA Name page, create a unique name to identify the CA. Click Next.

    For more information, see Certification Authority Naming.

  5. On the Set Validity Period page, specify the number of years or months that the root CA certificate will be valid. Click Next.

  6. On the Configure Certificate Database page, accept the default locations unless you want to specify a custom location for the certificate database and certificate database log. Click Next.

    For more information, see Certificates Database.

  7. On the Confirm Installation Options page, review all of the configuration settings that you have selected. If you want to accept all of these options, click Install and wait until the setup process has finished.

Additional references