Summary: How to setup active directory certificate services on a domain controller.
Date: Around 2017
Refactor: 20 February 2025: Checked links and formatting.

This is a follow up on Active Directory Domain Controller in Azure. My next project is to create a PointToSite VPN towards the same azure environment but that requires certificates. And that brings in Certificate Services. Now remember, installing the Root CA in the same server that is a Domain Controller is not considered best practice. Reasons (among others) are:

• Root CAs are best kept offline for security reasons which is not possible if you install it on a Domain Controller
• You can't demote the Domain Controller without first having to remove the CA
• The more services you host on one system, the more services you have to recover if that server goes down

But there are also benefits. Since you need less servers you pay less for OS, (virtual) hardware and licenses. This is especially a benefit if you are running a lab environment that is limited on budget.

Note that this kind of CA setup is also known as “Enterprise root CA on a Domain Controller online” and is only considered acceptable for lab environments.

Follow these instructions to install and configure the AD CS:

• Once logged in on the server start server manager → Manage → Add Roles and Features
• Select the Role-based or feature-based installation type
• Select the server from the server pool, which is in my case, the DC I installed in Active Directory Domain Controller in Azure:
  

• Select “Active Directory Certificate Services” from the Roles list, which will popup a new window. Make sure everything including the management tools is selected and click Add Features to continue:
  

• Click next on both the Roles as the Features window as no additional features are needed
• Read the information and click next on the Active Directory Certificate Services information window:
  

• Select the Certificate Authority (selected by default) in the Select Role Services window:
  

• Select the “Restart the destination server automatically if required” checkbox, review your settings and click Install to start the installation

When the installation is done could use the link provided after the installation to start the configuration, but as we already used that method to start the configuration in Active Directory Domain Controller in Azure we'll use another way this time. Click Close to close the installation window.

• Again, start Server Manager and click AD CS. This will show you a warning that configuration is required for Active Directory Certificate Services:
  

• Click on the yellow notification triangle and click the “Configure Active Directory Certificate Services on th…” link:
  

• Now specify the credentials to configure the Certificate Services. I only have one account so far, and it is up for the task:
  

• Select the Certificate Authority role to configure:
  

• Select Enterprise CA as your CA type:
  

• As we are installing the first CA select Root CA:
  

• As we are creating a whole new PKI we choose to Create a new private key:
  

• Select the cryptographic options. The default is set to SHA256 with 2048 key length which is fine (do not select SHA1 as it is being deprecated by the entire industry):
  

• Even though you can change the Common Name it is advised to keep the defaults:
  

• Specify the validity period for the CA certificate. Read the information careful, if you need client certificates that will be longer valid than the default of 5 years, you should change the default here. As I want to create client certificates for 10 years for my lab I will set the validity period to 20 years:
  

• As this server was made in Azure you need to keep some configuration in mind. I never want logfiles and or databases on my C-drive and on Azure the first data disk (as configured here) is on F so specify the file locations accordingly:
  

• Review all your settings and click Configure to start the configuration
• Click close to close the window once the configuration is finished

• Go to Server Manager → Tools → Certificate Authority
• Right-Click the CA and click properties
• Check for the settings you've configured:
  

Note that we will actually issue certificates in Setup a Point To Site VPN to Azure so further steps will be explained there.

• PKI design options: https://social.technet.microsoft.com/wiki/contents/articles/2901.public-key-infrastructure-design-guidance.aspx
  
• How to setup Microsoft Active Directory Certificate Services [AD CS]