Friday, August 7 2020

How to Install a Certificate Authority on Windows Server 2012

Step 1:

You need the Active Directory Certificate Services role installed to have a Certificate Authority. It can be installed on a DC or on the Exchange server itself.
I have done this on the Exchange server itself (no harm).

Open Server Manager – Manage – Add Roles and Features


Step 2:

Choose: Active Directory Certificate Services

Choose Next

Then choose: Certification Authority Web Enrollment


Choose:

Certification Authority

Certification Authority Web Enrollment


Choose Install


Choose Close


Step 3:

To configure Active Directory Certificate Services, choose the exclamation mark on the notification flag.


Choose Next


Choose:

Certification Authority

Certification Authority Web Enrollment

Choose Enterprise


Step 4:
Choose Root CA


Step 5:
Create a new private key


Step 6:
Keep the defaults, with a key length of 2048.

Update: it is recommended to use SHA256, as SHA1 is being retired.

To upgrade your existing internal CA:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
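
The following PowerShell is an added example, not part of the original post: it reads the active CA's current hash setting from the registry, applies the certutil command above only if needed, and restarts the CA service so the new value is picked up. It assumes an elevated session on the CA server and a CA key held in a CNG key storage provider.

```powershell
# Added example (not from the original post). Run elevated on the CA server.
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$ca  = (Get-ItemProperty -Path $cfg).Active      # name of the active CA
$csp = Join-Path $cfg "$ca\CSP"                  # per-CA provider settings

# Show the current state before changing anything.
$before = Get-ItemProperty -Path $csp
"CA:        $ca"
"Provider:  $($before.Provider)"
"Hash now:  $($before.CNGHashAlgorithm)"

if ($before.CNGHashAlgorithm -ne 'SHA256') {
    # Same command as in the post; "ca" resolves to the active CA.
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed ($LASTEXITCODE)" }

    # The CA service reads this value at start-up, so restart it.
    Restart-Service -Name CertSvc
}

# Read the value back to confirm the change was written.
"Hash after: $((Get-ItemProperty -Path $csp).CNGHashAlgorithm)"
```

Certificates and CRLs issued after the restart are signed with SHA256; the CA's own certificate keeps its original signature until it is renewed.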


Step 7:
Click Next


Step 8:
By default the certificate is valid for 5 years. Don’t make any changes to it; click Next.


Step 9:



Choose Configure


Installation and configuration are done.

Now let us see how to request a simple certificate from the internal Certificate Authority.

Step 10:
Now if you open IIS Manager, you will see that a virtual directory named “CertSrv” has been created.

In the right-hand column, click “Browse *:443 (https)”.

Note:

If you don’t see “Browse *:443 (https)”, it means the binding is not there. In my example with Exchange 2013, Exchange added the binding.

To add the binding – right-click Default Web Site – click Edit Bindings


Click Add

HTTPS – 443 – choose the CA cert


Now you can see 443 on your website.


Step 11:
You will see a page like this. Choose Request a Certificate.


Step 12:
Click Advanced Certificate Request


Step 13:
Choose the second option:
Submit a certificate request by using a base-64-encoded CMC


Step 14:
Now copy the request text from Notepad – you have to generate a certificate request from the application, for example the way we do it in Exchange Server.

Or you can use
Choose Template: Web Server


Step 15:
Choose “Base 64 encoded”


Step 16:
Save the Certificate
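
Step 14 needs a Base64 request generated on the server that will use the certificate. The PowerShell below is an added example, not part of the original post: it builds a request with the built-in certreq tool, prints the text to paste into the web form, and shows the command-line alternative to Steps 11 to 16. The host names and file paths are constructed placeholders.

```powershell
# Added example. Run elevated on the server that will use the certificate.
# Host names and paths are constructed placeholders; replace with your own.
$fqdn = 'mail.example.com'
$sans = @('mail.example.com', 'autodiscover.example.com')
$work = Join-Path $env:TEMP 'csr-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# One "_continue_" line per DNS name for the Subject Alternative Name extension.
$sanLines = ($sans | ForEach-Object { '_continue_ = "dns={0}&"' -f $_ }) -join "`r`n"

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# The key pair is generated locally; only the public key goes into the request.
certreq -new "$work\request.inf" "$work\request.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# This Base64 block is the text to paste into the request box in Step 14.
Get-Content "$work\request.req"

# Command-line alternative to the web form (may prompt you to pick the CA).
certreq -submit -attrib "CertificateTemplate:WebServer" "$work\request.req" "$work\server.cer"
certreq -accept "$work\server.cer"   # installs the cert and links it to the private key

# Show which hash the CA used to sign the issued certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$work\server.cer"
$cert.SignatureAlgorithm.FriendlyName
```

`Exportable = FALSE` keeps the private key on this machine; set it to TRUE only if the same certificate must be exported to other servers.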


About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Office Server and Services MVP, Publisher of Specialized in Office365 / Microsoft Exchange / Virtualization. Sathesh is a messaging expert supporting/designing/deploying for many medium-size businesses to large enterprises when it comes to corporate messaging and virtualization infrastructure.



  1. Great job. Thank you!

  2. It's good, very tnx :X

  3. Hi, many thanks for the write up.

    Will this cert enable internal Outlook users to connect to internal Exchange Server 2013?

    Thanks in advance

    Ajay Paul

  4. Thanks Satheshwaran,
    I have a 2012 DC and Exchange 2007 SP3. Can I use this certificate with it, and how can I import it to Exchange?

  5. Thanks for the guide! I’m getting the following message when trying to request a certificate by using a base-64-encoded CMC: “No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing Active Directory.” This is a brand new Windows Server 2012 installation and I followed your guide from start to finish. Any ideas?


  6. Thanks, I’m not sure what happened but I uninstalled ADCS and reinstalled it and everything is working properly now.

  7. Great post…thanks..this helped me lot

  8. Hi Rajnish.

    Are we missing a step or two?

    When IIS is installed HTTPS is not enabled. In Step 10 the option to browse “Use the right side column “Browse *.443(https)” is not available.

    Step 14 requires clarification – Now Copy the Note pad – We need an explanation of where the data in the Notepad is coming from.

    Please review and clarify

  9. No https. You have left out some important parts !!!!!!!!!!!

  10. Is it possible to migrate a 2008 CA server to another 2012 CA server?

  11. OK – I’m at Step 14 – where does the NOTEPAD info come from !!! ?

    I’m TESTING Exchange so don’t have a proper certificate
    Will this work with a self-signed Certificate ?

    (there is little or no information about using Self-Signed Certs with Exchange – I appreciate I’ll need one eventually if and when this gets into production)

  12. I don't have Web Server in the certificate templates.
    Someone help me

  13. Great information, but request the following information:

    In step 10, am I right-clicking each port and copying information from each port, then copying into Notepad, then pasting the information from Notepad in step 14?
    You have done a great job with your post and I am probably being naïve, but clarification would be appreciated.

  14. Good job mate, well done

  15. And where can I find the Certificate Request file? What is the location of the file?

  16. As the others have mentioned, While in IIS Manager, only Browse *.80 (http) is available to select. Browse *.443 (https) is not seen, nor are any others as shown in your description.

    Any Thoughts?

  17. Hi,

    It is possible to deploy a Windows Server 2012 R2 Certificate Authority in a Windows Server 2003 domain.


    Carlos Santos

  18. Hey,

    In Step 3: Setup type -> Specify the setup type of the CA -> the 1st option “Enterprise CA” is greyed out for me. What should I do to enable it? Please suggest.
    Thank you

  19. Great post… thank you.. this post helped me a lot

  20. DID EXACTLY WHAT YOU INSTRUCTED AND IT DID NOT WORK FOR ME! I am having the same issue at step 10 that others have been telling you about. You have assumed that when we get there that “Browse: 443 (https)” will be on the right, and my friend, for some of us including myself, it “DOES NOT APPEAR”. And since it does not appear, when we get to step 14, the screen for the certificate text is blank. THEREFORE, YOUR INSTRUCTIONS FOR US WHO DO NOT SEE “443”, YOUR INSTRUCTIONS ARE NOT CORRECT! Please make note of this and adjust your post!

    • Satheshwaran Manoharan

      Updated the blog. If you are installing this on a non-Exchange machine, you have to add bindings to see 443. Check now.


        To begin with, just the condescending tone of some people… Petty bourgeois, all of that. There must be excess in all things, even if it means sometimes going backwards. You propose moderation in all things, even if it means not moving an inch. Petty bourgeois, all of that.

  21. Check out my Windows 2012 R2 Certification Authority installation guide

  22. Where can I find the Certificate Request file? I don’t see where you saved it. Can I get help on this please? Thanks!

  23. When I go to certsrv I get no network. What should I do here?

  24. Thank you so much for this article, very informative… All the best!!

  25. How do I generate the certificate before downloading it? Where does the IP address used to log in to the URL come from? When I on the web browser, it will not take

  26. I do not have a Default Website in the list, thus there is no CertSrv. What could I do to remedy this? I know how to create Sites but the directories… I don’t know where they should point to.

  27. How to migrate a CA from a Windows 2003 DC to a Windows 2012 DC

  28. Hi, many thanks for the write up.

    Will this cert enable external Outlook users to connect to Exchange Server 2013?

    Thanks in advance

    • Satheshwaran Manoharan

      No. It's just for internal users. It's highly recommended to use an external cert for both internal and external.

  29. Hi,
    will this cert enable external Outlook users to connect to Exchange Server 2013?

  30. shivendra Mishra

    Hi Satheshwaran,

    Could you please let me know whether we can install the CA on a Windows 7 machine?

  31. Hello,

    Thanks for this guide.

    I’m almost done with it, but at Certificate Template I cannot choose “Web server”. There is only the User and Basic template. What did I do wrong?

    Thank you!

  32. Hi Satish,

    I am at Step 14 and am not able to proceed after Step 13. Could you please let me know the location from where I can copy the text and paste it in the request box? I searched in the Certserv folder and in certrqxt, but am not able to see the requested file contents.

    Could you please help me out. Thanks..

  33. When I get to step 14 I am not getting the option to select web server. I am only getting a user option. Is there any way to correct this?

  34. Thank you so much,
    If I create the CA server, can I assign Outlook Anywhere and Autodiscover with this server?
    Afterwards, can I turn it off, and turn it on only when I need it?

    Thank you

  35. I am missing the Web Server certificate template.
    Any suggestions on how to create a compatible one for Exchange 2013?

  36. Hello,

    I’ve seen internal CA servers more often nowadays. I’m not too familiar with their benefits for a business or company. The only certs I ever had to deal with were from 3rd parties like GeoTrust. So the question is, what are the benefits of having an internal CA server in the environment if it’s usually recommended to have external certs for both internal (Outlook) and external (OWA) users of Exchange? What other benefits will an internal CA server provide? What are the reasons why it would be beneficial for a business to set one up? Please advise, as I would like to get this going for our business if there are good benefits.

  37. videntes tarotistas

    Very good article. I absolutely appreciate this site.
    Keep it up!

  38. Thanks for the guide. I’m trying to create a User Certificate and I get the error below. What am I missing?

    Your request failed. An error occurred while the server was processing your request.

    Contact your administrator for further assistance.

    Request Mode:
    newreq NN – New Request (keygen)
    (never set)
    Disposition message:
    Invalid pointer 0x80004003 (-2147467261 E_POINTER)
    COM Error Info:
    CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER)
    The operation completed successfully. 0x0 (WIN32: 0)
    Suggested Cause:
    No suggestions.

  39. Thanks for some other informative blog. Where else may just I am getting that type of info written in such a perfect way? I’ve an undertaking that I’m simply now running on, and I have been on the glance out for such information.

  40. I am getting the below error when installing a second CA server with SHA256 within the same forest:

    certification authority web enrollment network name is no longer available 0x80070040 (win32:64 ERROR_NETNAME_DELETED)

    Can anyone help with this?
