
Windows Server 2008 R2 Enterprise Certificate Authority setup

If you are deploying an SSTP VPN to secure the remote users on your enterprise wide area network (WAN), then your VPN server must be provisioned with an X.509 certificate. This tip explains how to configure Microsoft Windows Server 2008 R2 to act as an Enterprise Certificate Authority that can issue that certificate.

These Microsoft Windows Server 2008 R2 Enterprise Certificate Authority setup instructions explain how to configure Windows 2008 R2 as a CA so that you do not have to purchase a certificate from a commercial certificate authority for the Secure Sockets Layer Virtual Private Network (SSL VPN) deployment in your wide area network (WAN).

If you plan to set up an SSTP VPN, then your VPN server must be provisioned with an X.509 certificate. Although you can purchase such a certificate from a commercial certificate authority, such certificates can be expensive. Therefore, many organizations prefer to deploy their own certificate authorities, which they can use to issue the necessary certificate themselves. In this article, I will show you how to configure Windows Server 2008 R2 to act as an enterprise certificate authority.

Installing Windows Server 2008 R2 as an Enterprise Certificate Authority disclaimer

Before you decide to install Windows Server 2008 R2 to act as an Enterprise Certificate Authority, be aware that the major drawback is that your VPN clients will not initially trust the VPN's certificate because it was not issued by a trusted certificate authority. Therefore, if you are going to use this approach, it is advisable to download a server certificate to your clients so they will trust the certificate authority and the certificate that is being presented by the VPN server.
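Distributing the CA's certificate to clients and confirming that they then trust the VPN server is the step most often skipped, so here is an added example of doing it from PowerShell. It is not from the original article; it uses certutil and the .NET X509 classes that exist on Windows 7 / Server 2008 R2 (the PKI module cmdlets of later Windows versions are not required). The CA configuration string `CA-SRV1\corp-CA-SRV1-CA`, the VPN host name `vpn.corp.example` and the file path are assumed values.

```powershell
# Added example, not part of the original article. Assumed values are marked.
$caConfig    = 'CA-SRV1\corp-CA-SRV1-CA'   # assumed "CAHost\CA common name"
$rootCerPath = 'C:\Temp\corp-root-ca.cer'   # assumed path; certutil writes DER
$vpnHost     = 'vpn.corp.example'           # assumed SSTP server name

# --- Step 1 (any domain member): export the CA's own certificate -------------
function Export-CaCertificate([string]$config, [string]$path) {
    # certutil -ca.cert writes the CA signing certificate to the given file
    $out = certutil -config $config -ca.cert $path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $out" }
    return $path
}

# --- Step 2 (on the VPN client, elevated): trust it machine-wide --------------
function Install-TrustedRoot([string]$path) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    # Only a CA certificate belongs in the Root store; refuse a leaf certificate
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "$path is not a CA certificate; refusing to add it to the Root store"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

# --- Step 3: fetch the certificate the SSTP server presents on TCP 443 --------
function Get-ServerCertificate([string]$hostName, [int]$port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient $hostName, $port
    try {
        # Accept anything during the handshake; the real check is X509Chain below
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $accept
        $ssl.AuthenticateAsClient($hostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    } finally { $client.Close() }
}

# --- Step 4: build the chain the way the client's TLS stack will -------------
function Test-ServerTrust([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert, [string]$hostName) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("chain: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    # SSTP also requires the name on the certificate to match the host the client dials
    $dns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk = ($dns -eq $hostName)
    if (-not $nameOk) { Write-Warning "certificate name '$dns' does not match '$hostName'" }
    return ($chainOk -and $nameOk)
}

Export-CaCertificate $caConfig $rootCerPath | Out-Null
$thumb = Install-TrustedRoot $rootCerPath
Write-Output "Trusted root installed: $thumb"
$serverCert = Get-ServerCertificate $vpnHost
if (Test-ServerTrust $serverCert $vpnHost) {
    Write-Output 'VPN server certificate is trusted; SSTP can connect'
} else {
    Write-Output 'VPN server certificate is NOT trusted; SSTP connections will fail'
}
```

Run the export on the CA or any domain member, copy the `.cer` file to the client, and run the rest there elevated. The chain check is done with revocation checking switched on because the SSTP client checks the CRL as well, so a CRL distribution point that is unreachable from the client shows up here as a chain warning rather than as an unexplained VPN failure later. In a domain the same root certificate is normally pushed by Group Policy; the script is the per-machine equivalent for non-domain clients.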

Another disadvantage of operating your own Enterprise Certificate Authority is that you must protect that server against failures and security breaches at all costs. If someone manages to compromise your certificate authority, they own your network.

Installing the Enterprise Certificate Authority

Begin the process by opening Server Manager and clicking on the Add Roles link. You will be taken to an introductory screen. Click Next to bypass this screen, and you will be taken to a screen that asks you to select the roles you want to install. Select the Active Directory Certificate Services option, as shown in Figure A, and click Next.

Figure A: Select the Active Directory Certificate Services option.

At this point, you will see a warning message telling you that once the Active Directory Certificate Services have been installed, you won't be able to rename the server or join it to a different domain. Click Next to acknowledge this warning, and you will be taken to the screen shown in Figure B, which asks you which components you want to install.

Figure B: The Certificate Authority option is selected by default because it is a required component.

The Certificate Authority option is selected by default and is a required component. The remaining components are optional and may or may not be necessary depending on how you plan on using the Certificate Authority that you are creating. Below is a summary of what each role does.

  • Certificate Authority is the core component of the certificate services.
  • The Certificate Authority Web Enrollment provides a website that can be used for certificate requests.
  • The Online Responder is used to manage and configure Online Certificate Status Protocol (OCSP) responders.
  • Network Device Enrollment Service is a component that allows devices such as routers and switches to be provided with X.509 certificates from a certificate authority.
  • The Certificate Enrollment Web Service enables certificate enrollment over HTTP or HTTPS.
  • The Certificate Enrollment Policy Web Service allows for policy-based certificate enrollment even when the client computer is not a domain member (or is not connected to a domain).

If your goal is to use the Enterprise Certificate Authority to facilitate an SSL VPN, then I recommend selecting the Certificate Authority and the Certificate Authority Web Enrollment options.

After making your selection, Windows will ask you for permission to install some additional role services. Click the Add Required Role Services button, followed by Next.

At this point, you will see a screen similar to the one shown in Figure C, asking whether you want to install an Enterprise or a Standalone Certificate Authority. Choose the Enterprise option, and click Next.

Figure C: Select the Enterprise option.

Windows will now ask if you would like to install a Root CA or a Subordinate CA. The first certificate authority server that you deploy must be a Root CA; subsequent CAs can be Subordinate CAs. Some organizations deploy a Root CA and a Subordinate CA, and then take the Root CA offline. That way, the subordinate CAs handle all of the certificate enrollment, and the Root CA, whose key anchors trust for every certificate in the hierarchy, is far less exposed to compromise. This method is not a requirement, but it is recommended for network security.

Go ahead and select the Root CA option, and click Next. You should now see a screen asking if you want to create a new private key or if you would prefer to use an existing private key. Choose the New Private Key option and click Next.

The following screen asks you to select a cryptographic service provider. Simply click Next to accept the defaults.

The next screen asks you to provide a common name that can be used to identify the certificate authority. By default, Windows constructs a common name by combining the domain name with the server name and the letters CA (domain-server-CA). This works fine in smaller organizations, but in larger ones, you might want to use a different common name as a way of designating this server as the root CA.

Click Next, and you will be asked to specify the validity period of the CA's own certificate. By default, it is valid for five years, but you can change the validity period to meet your needs.

Click Next, and you will be asked to select a location for the certificate database. Given the importance of the certificate database, you should locate it on a fault-tolerant volume that is regularly backed up.

After specifying the certificate database location, click Next and you will see an introductory screen for the Internet Information Services (IIS). Click Next to bypass this screen, and another appears asking you which IIS role services should be installed. All of the necessary services are selected by default, so just click Next.

You should now see a screen displaying a summary of the configuration options that you have chosen. Verify that all of the information is correct. Once you are satisfied with the accuracy of the configuration information, click the Install button to deploy the certificate services. When the installation completes, click the Close button.
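The wizard steps above, captured as a script so the choices are recorded and repeatable. This is an added example, not from the original article: the CA common name `Corp-Root-CA`, the `D:\CertDB`, `D:\CertLog` and `D:\CA-Backup` paths are assumed values; `CAPolicy.inf`, `Add-WindowsFeature` and certutil are available on Windows Server 2008 R2, while the `Install-Adcs*` cmdlets exist only on Windows Server 2012 and later, so on 2008 R2 the CA settings themselves are still entered in the Server Manager wizard as described.

```powershell
# Added example, not part of the original article. Assumed values are marked.
Import-Module ServerManager

# 1. CAPolicy.inf is read from %SystemRoot% by AD CS setup. For a root CA the
#    Renewal* keys set the CA certificate's own key length and lifetime (the
#    wizard's validity-period page, five years by default) and the CRL schedule.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
'@
Set-Content -Path (Join-Path $env:SystemRoot 'CAPolicy.inf') -Value $caPolicy -Encoding ASCII

# 2. The two role services the article recommends for an SSL VPN (Figure B).
#    Add-WindowsFeature pulls in the required IIS role services by itself.
$install = Add-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment
if (-not $install.Success) { throw 'AD CS role installation failed' }

# 3. CA configuration (Enterprise, Root, new key, CSP, common name, database
#    location). Gated on the cmdlet's presence: on 2008 R2 these stay wizard
#    choices; on 2012+ they can be scripted. 'Corp-Root-CA' and D:\ are assumed.
if (Get-Command Install-AdcsCertificationAuthority -ErrorAction SilentlyContinue) {
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
        -CACommonName 'Corp-Root-CA' `
        -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
        -KeyLength 2048 -HashAlgorithmName SHA256 `
        -ValidityPeriod Years -ValidityPeriodUnits 5 `
        -DatabaseDirectory 'D:\CertDB' -LogDirectory 'D:\CertLog' -Force
    Install-AdcsWebEnrollment -Force
} else {
    Write-Warning 'Finish the CA configuration in the Server Manager wizard before continuing.'
}

# 4. Verification once the CA is configured (certutil is present on 2008 R2).
function Test-CaHealth([string]$caCommonName) {
    certutil -ping | Out-Null                 # CA service answers RPC/DCOM
    if ($LASTEXITCODE -ne 0) { throw 'CA service is not responding' }
    # The CA's own certificate and key live in the local machine Personal store
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caCommonName*" }
    if (-not $caCert) { throw "no CA certificate found for $caCommonName" }
    Write-Output ("CA certificate expires {0}" -f $caCert.NotAfter)
    # Lifetime of certificates the CA will ISSUE is a separate registry setting,
    # not the wizard's CA validity period; the default is 2 years.
    certutil -getreg CA\ValidityPeriod
    certutil -getreg CA\ValidityPeriodUnits
}
Test-CaHealth 'Corp-Root-CA'

# 5. The database volume matters (article step); back up the CA database into a
#    fresh, empty directory. certutil -backup (not -backupDB) would also export
#    the private key and prompt for a password to protect it.
$backupDir = Join-Path 'D:\CA-Backup' (Get-Date -Format 'yyyyMMdd')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
certutil -backupDB $backupDir
```

The CAPolicy.inf must be in place before the role is installed, because setup reads it only once; `LoadDefaultTemplates=0` keeps an Enterprise CA from publishing every default template on first start, so that only the templates you deliberately enable (such as a web-server template for the SSTP server) can be requested.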

Concluding your Enterprise Certificate Authority setup

Certificate Services are easy to install. Even so, a certificate authority is one of the most security-sensitive servers on your network, so be sure to plan ahead so the server will be adequately protected.

Resources on SSTP VPNs

  • Windows Server 2008 and its Secure Socket Tunneling Protocol (SSTP).
  • SSL VPN vs. SSTP VPN: Is there a difference?
  • Read this Web SSL VPN introduction.
  • Learn how to configure a Vista VPN connection to use SSL.
  • Fix your Windows 2008 SSTP VPN trouble.
  • Understand how to authorize VPN traffic for RADIUS authentication Windows 2008.

About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at

This was last published in July 2010
