1. Log in to the server you are installing the role on, or to a server that can manage the destination server.
  2. Open the server manager application. (servermanager.exe)
  3. Click ‘Manage > Add Roles and Features’.
  4. The ‘Add Roles and Features Wizard’ will now open. On the ‘Before You Begin’ page click the ‘Next’ button.
  5. In the ‘Installation Type’ page choose ‘Role-based or feature-based installation’.
  6. Click ‘Next’.
  7. In the server selection screen keep the current settings and hit ‘Next >’.
    • If you are using another server to install the role on the target server choose the correct server.
  8. Click ‘Next >’.
  9. On the ‘Server Roles’ page choose the role ‘Active Directory Certificate Services’.
  10. A new window will pop up confirming the roles and features that need to be added. Keep the defaults and click the ‘Add Features’ button.
  11. In the ‘Features’ page click ‘Next >’.
  12. In the ‘Active Directory Certificate Services’ page click ‘Next >’.
  13. In the ‘Role Services’ page leave the defaults and click ‘Next >’.
  14. In the confirmation page leave the ‘Restart the destination server automatically if required’ unchecked. Click ‘Install’.
  15. Allow the installation to complete.
  16. Once complete click the ‘Configure Active Directory Certificate Services on the destination server’ hyperlink.
  17. After clicking the hyperlink a new window named ‘AD CS Configuration’ will open.
  18. On the ‘Credentials’ page provide credentials. The currently logged-in user is used by default.
  19. Click ‘Next >’.
  20. On the setup type page, specify whether you want to install the CA as an Enterprise CA or a Standalone CA.
    • In this guide I am setting up a Standalone CA.
    • If you are installing this CA in an Active Directory environment you will want to configure an Enterprise CA (especially if you are performing these steps to set up LDAPS).
  21. Click ‘Next >’.
  22. In the ‘CA Type’ window you will be prompted to choose Root CA or Subordinate CA.
    • Choose a Root CA if this server is going to be the primary certificate authority.
    • If you already have a Root CA in your environment and you are looking to add a second CA that is authorized to issue certificates from the Root CA then choose Subordinate CA.
  23. After choosing your ‘CA Type’ click ‘Next >’.
  24. In the ‘Private Key’ page, choose ‘Create a new private key’. Then click ‘Next >’.
  25. For the ‘Cryptography’ page choose the following options, unless your environment calls for other settings.
    • Cryptographic Provider: RSA#Microsoft Software Key Storage Provider
    • Key Length: 2048
    • Hashing Algorithm: SHA256
  26. Click ‘Next >’.
  27. On the ‘CA Name’ page set the common name for this CA to the machine’s hostname.
  28. Click ‘Next >’.
  29. For the validity period choose 5 years. Then click ‘Next >’.
  30. In the ‘Certificate Database’ page leave the defaults and click ‘Next >’.
  31. In the ‘Results’ page click ‘Close’.
  32. If you set up the CA on a DC for use with LDAPS, reboot and then run the following from an administrative command prompt:
Gpupdate /force
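
The same installation scripted in PowerShell, as an added example that is not part of the original guide. It uses the AD CS deployment cmdlets with the settings from steps 20 to 29, then checks that the resulting CA certificate has the expected key length and signature hash. The variable names and the verification step are assumptions of this example.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Run from an elevated PowerShell session on the target server.
#Requires -RunAsAdministrator

# Steps 3-15: install the role and management tools (no automatic restart).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Steps 17-31: configure the CA with the values chosen in the guide.
$caParams = @{
    CAType              = 'StandaloneRootCA'   # use 'EnterpriseRootCA' for the AD / LDAPS case
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    CACommonName        = $env:COMPUTERNAME
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
}
Install-AdcsCertificationAuthority @caParams -Force

# Verification (assumption of this example): find the self-signed CA
# certificate in the machine store and confirm key size and signature hash.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "CN=$env:COMPUTERNAME*" -and
        $_.Issuer -eq $_.Subject -and
        ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
            $_.CertificateAuthority
        })
    } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if (-not $caCert) { throw 'CA certificate not found in Cert:\LocalMachine\My' }

$rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($caCert)
$sigAlg  = $caCert.SignatureAlgorithm.FriendlyName   # expected: sha256RSA
$keyBits = $rsa.KeySize                              # expected: 2048

if ($keyBits -lt 2048 -or $sigAlg -notmatch 'sha256') {
    throw "Unexpected CA parameters: $keyBits-bit key, signature algorithm $sigAlg"
}
"CA '$($caCert.Subject)' OK: $keyBits-bit RSA, $sigAlg, expires $($caCert.NotAfter)"
```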