- Create a CAPolicy.inf file and place it in this location: %windir%
- Install the Active Directory Certificate Services (ADCS) role.
- Run a post-install script that configures certain components.
- the root certificate
- the certificate of the subordinate CA
- the certificate issued to the end-user (or computer).
Remember that the choice of a name is extremely important. We cannot change it later:
For the root CAs, we can simply select "Certification Authority":
The root CA will be "standalone" (and offline for that matter):
Of course, we need to start with a root CA:
We will opt for a new key since this is a new CA:
For the key character length and the hash algorithm (which I will not explain here), we can choose "2048" and SHA256:
We can review the selected options on the confirmation page:
If all goes well, we should see this:
We have not finished with the root CA yet. We still need to execute a post-installation script and then copy the root certificate and CRL to our subordinate CA (or CAs, if there is more than one).
That will be the subject of the next blog post.
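The wizard choices described above (Certification Authority role service, standalone root CA, new key, 2048, SHA256) can also be applied and checked from an elevated PowerShell session. This is an added example, not part of the original post; the CA common name `EXAMPLE-ROOT-CA` is a placeholder, and the script assumes CAPolicy.inf is already in %windir%.

```powershell
# Added example: scripted equivalent of the wizard choices, plus a read-back check.
$ErrorActionPreference = 'Stop'

# Placeholder name (assumption). Choose carefully: it cannot be changed later.
$caCommonName = 'EXAMPLE-ROOT-CA'

# CAPolicy.inf must be in %windir% before the role is configured.
$policy = Join-Path $env:windir 'CAPolicy.inf'
if (-not (Test-Path $policy)) {
    throw "CAPolicy.inf not found in $env:windir; create it before configuring the CA."
}

# Install the ADCS role with only the "Certification Authority" role service.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# Standalone root CA, new key (the default when no existing key is named),
# key length 2048, hash algorithm SHA256.
$caParams = @{
    CAType            = 'StandaloneRootCA'
    CACommonName      = $caCommonName
    KeyLength         = 2048
    HashAlgorithmName = 'SHA256'
    Force             = $true
}
Install-AdcsCertificationAuthority @caParams

# Read the self-signed root certificate back from the machine store and
# confirm it carries the parameters that were requested.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caCommonName*" -and $_.Subject -eq $_.Issuer } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "Root CA certificate for '$caCommonName' not found." }

$rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keySize = $rsa.KeySize
$sigAlg  = $cert.SignatureAlgorithm.FriendlyName

if ($keySize -ne 2048)        { throw "Unexpected key length: $keySize" }
if ($sigAlg -notmatch 'sha256') { throw "Unexpected signature algorithm: $sigAlg" }
if ((Get-Service CertSvc).Status -ne 'Running') { throw 'CertSvc is not running.' }

"{0}: {1}-bit key, {2}, valid until {3:yyyy-MM-dd}" -f $cert.Subject, $keySize, $sigAlg, $cert.NotAfter
```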