Building a Certificate Authority in Windows Server 2019

Now available for download: the Building a Certificate Authority in Windows Server 2019 guide for creating a Two-Tier Certificate Authority using Active Directory Certificate Services.

This is a free download, and is available on Gumroad for distribution (enter $0 when checking out):

Download on Gumroad

This guide is based on the Building a Certificate Authority in Windows Server 2019 guide series that I released in early 2020, as well as the Practical Guide to PKI with Windows Server book that I published in the fall of 2021.

The guide is a slight modification of the last chapter from the Practical Guide to PKI with Windows Server book, which demonstrates how to rapidly deploy a PKI using Active Directory Certificate Services. It does not add any additional functionality such as automatic deployment using Group Policy or configuring the Online Responder role, but those can be added in the future if needed.

What’s Inside?

  • A 38-page guide to implementing a Two-Tier Certificate Authority using Windows Server 2019 and Active Directory Certificate Services.
  • A guide for installing and configuring Active Directory Domain Services.
  • A guide for creating an offline Standalone/Root CA.
  • A guide for creating an online Enterprise/Subordinate CA.
  • Instructions that use the CLI for installation and configuration whenever possible.

Table of Contents

Included in the guide are 7 sections which explain the process for creating a Two-Tier Certificate Authority using Active Directory Certificate Services:

  1. Building a Certificate Authority in Windows Server 2019
  2. Certificate Authority Environment Setup
  3. Active Directory Setup
  4. Root CA Setup
  5. Subordinate CA Setup
  6. Post-Implementation Tasks
  7. Active Directory Certificate Services Next Steps

Who Is This Guide For?

The purpose of this guide is to create a Certificate Authority using Active Directory Certificate Services (AD CS) with Microsoft Windows Server. It offers a rapid, step-by-step walkthrough that demonstrates how to successfully create a Certificate Authority using those technologies.

This guide is meant for developers, network administrators and systems administrators who have a basic understanding of Windows Server and Public Key Infrastructures and need to deploy a Certificate Authority rapidly within their environment for various purposes. Following the steps provided in this guide creates a Certificate Authority framework that can be customized to the requirements of any environment.

This guide is also meant to be used by developers, network administrators and systems administrators who can interpret this guide and modify it for their existing environment. Simply following this guide will not implement a functioning PKI for your organization; you will need to modify the steps accordingly to make it function properly. This means creating different servers, modifying steps for different Active Directory domains, modifying LDAP settings, modifying file paths, creating different certificates, and other critical steps as needed.

Updates and Additional Materials

If there are any updates for the guide or additional materials, they will be posted to the page.