You can use this procedure to install Active Directory® Certificate Services (AD CS) so that you can enroll a server certificate to servers running Network Policy Server (NPS). If you deploy certificate-based authentication (for example, PEAP or EAP-TLS), every NPS server must have a server certificate. During authentication, the NPS server sends its server certificate to the client computer as proof of identity, and the client accepts the server only if the certificate chains to a certification authority (CA) that the client trusts. Because the CA installed by this procedure is an enterprise CA, its certificate is published in Active Directory and domain-joined clients trust it automatically.

Membership in both the Enterprise Admins group and the Domain Admins group of the root domain is the minimum required to complete this procedure.

To install Active Directory Certificate Services
  1. Log on as a member of both the Enterprise Admins group and the root domain Domain Admins group.

  2. Click Start, click Administrative Tools, and then click Server Manager. The Server Manager console opens. In the left pane, click Roles, and then in the details pane, click Add roles.

  3. The Add Roles wizard opens. Click Next.

  4. On the Select Server Roles page, in Roles, select Active Directory Certificate Services, and then click Next.

  5. On the Introduction to Active Directory Certificate Services page, review the provided information, and then click Next.

  6. On the Select Role Services page, in Role services, ensure that Certification Authority is selected, select any additional role services that you require (for example, Certification Authority Web Enrollment), and then click Next.

  7. On the Specify Setup Type page, ensure that Enterprise is selected, and then click Next. An enterprise CA must be installed on a domain member; it is required here because NPS server certificates are enrolled from certificate templates stored in Active Directory and because the CA certificate is published to Active Directory so that domain clients trust it.

  8. On the Specify CA Type page, click Root CA, and then click Next. A single enterprise root CA that issues end-entity certificates directly is adequate for a small deployment such as this one. In larger deployments, keep the root CA offline and issue certificates from a subordinate enterprise CA, because the root key is the trust anchor for every certificate in the hierarchy and cannot be replaced without re-establishing trust on every client.

  9. On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next.

  10. On the Configure Cryptography for CA page, keep the default settings or change them according to your requirements. The default key length is 2048 bits, twice the previous default of 1024 bits; do not choose a shorter key. A longer key (3072 or 4096 bits) increases the cost of every signature the CA produces and of every chain validation that clients perform, so weigh that against the lifetime of the CA. If the selected cryptographic provider supports it (the RSA#Microsoft Software Key Storage Provider does), select SHA256 rather than SHA1 as the hash algorithm, because clients increasingly reject SHA1-signed certificates. Click Next.

  11. On the Configure CA Name page, keep the suggested common name for the CA or change the name according to your requirements, and then click Next. The CA name cannot be changed after installation without reinstalling the CA.

  12. On the Set Validity Period page, in Select validity period for the certificate generated for this CA, type the number and select the time value (years, months, weeks, or days) that determines when the CA's own certificate expires. Certificates issued by the CA cannot be valid beyond the expiration of the CA certificate, so plan to renew the CA certificate well before that date. The default setting of five years is recommended. Click Next.

  13. On the Configure Certificate Database page, in Certificate database location and Certificate database log location, specify the folder location for these items. If you specify locations other than the default locations, ensure that the folders are secured by using access control lists (ACLs) that grant access only to SYSTEM and local Administrators and prevent unauthorized users or computers from reading or modifying the CA database and log files. Click Next, review the Confirm Installation Selections page, and then click Install, or continue with the configuration of any additional role services you selected.
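The following PowerShell script is an added example, not part of the original procedure, that performs the same installation unattended: it checks the required group memberships, installs the Certification Authority role service, creates and locks down non-default database folders, configures an enterprise root CA with a 2048-bit RSA key and SHA256, and then verifies the result. It uses the ADCSDeployment cmdlets, which ship with Windows Server 2012 and later; the wizard walkthrough above targets the Server 2008 Add Roles Wizard, where no such cmdlets exist. The CA common name, the distinguished-name suffix, and the D:\CertDB and D:\CertLog paths are assumptions; replace them with your own values.

```powershell
# Added example: unattended equivalent of the Add Roles Wizard steps above.
# Requires the ADCSDeployment module (Windows Server 2012 or later).
# CA name, DN suffix and database paths are placeholders (assumptions).
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# 1. Confirm the logged-on user is in both Enterprise Admins and Domain Admins
#    (group names come back as DOMAIN\Group, so match on the suffix).
$groups = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
foreach ($required in 'Enterprise Admins', 'Domain Admins') {
    $pattern = '\\{0}$' -f [regex]::Escape($required)
    if (-not ($groups -match $pattern)) {
        throw "Current user is not a member of '$required'; CA setup will fail."
    }
}

# 2. Install the Certification Authority role service and its tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# 3. Pre-create non-default database and log folders and restrict them:
#    drop inherited ACEs, then grant full control only to SYSTEM and
#    local Administrators. No other principal gets read access.
$dbDir  = 'D:\CertDB'    # assumption
$logDir = 'D:\CertLog'   # assumption
foreach ($dir in $dbDir, $logDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    icacls $dir /inheritance:r `
        /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to set ACL on $dir" }
}

# 4. Configure an enterprise root CA. RSA 2048 is the floor; SHA256 avoids a
#    SHA1-signed CA certificate. Validity here is for the CA's own certificate.
$caParams = @{
    CAType                    = 'EnterpriseRootCA'
    CryptoProviderName        = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength                 = 2048
    HashAlgorithmName         = 'SHA256'
    CACommonName              = 'Contoso-Root-CA'     # assumption
    CADistinguishedNameSuffix = 'DC=contoso,DC=com'   # assumption
    ValidityPeriod            = 'Years'
    ValidityPeriodUnits       = 5
    DatabaseDirectory         = $dbDir
    LogDirectory              = $logDir
    Force                     = $true
}
Install-AdcsCertificationAuthority @caParams

# 5. Post-install checks: the CA service answers, and the CA certificate has
#    the expected key size and signature algorithm.
certutil -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'CA service is not responding to certutil -ping' }

$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$($caParams.CACommonName)*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw 'CA certificate not found in the machine store' }

$keySize = $caCert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { throw "CA key is only $keySize bits" }

$sigAlg = $caCert.SignatureAlgorithm.FriendlyName
if ($sigAlg -notmatch 'sha256') { throw "CA certificate is signed with $sigAlg" }

Write-Host "Enterprise root CA '$($caParams.CACommonName)' installed:" `
    "$keySize-bit key, $sigAlg, valid until $($caCert.NotAfter)"
```

Run the script in an elevated PowerShell session on the server that will host the CA. The ACL step is the part most often skipped when the database is moved off the system drive; the checks at the end fail loudly if the CA was configured with a short key or a SHA1 signature, which is easier to catch now than after NPS servers have enrolled against it.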