ITOps Talk Blog

Installing a Standalone Root Certificate Authority & Web Enrollment on Windows Server 2025

OrinThomas
Oct 07, 2025

This post shows how to deploy a standalone root Certificate Authority (CA) on a Windows Server 2025 machine that is not joined to Active Directory, and how to configure the web enrollment interface so that clients can request certificates from a browser.

A standalone root CA is useful when:

  • You only need certificates trusted by a limited set of machines.
  • You don’t want to obtain certificates from a commercial provider.
  • You’re preparing an offline root CA scenario (covered separately).

Install Active Directory Certificate Services (Standalone Root CA)

1. Open Server Manager.
2. Select Manage then Add Roles and Features.
3. Choose Role-based or feature-based installation.
4. Select the local server.
5. Check Active Directory Certificate Services.
6. Click Add Features when prompted.
7. Click Next through the wizard until the **Role Services** page.
8. Select Certification Authority only.
9. Click Install and wait for completion.

Configure the Certification Authority

1. In Server Manager, click the notification flag.
2. Select Configure Active Directory Certificate Services.
3. Enter credentials.
4. On Role Services, ensure Certification Authority is selected.
5. For Setup Type, select Standalone CA.
6. Choose Root CA on the CA Type page.
7. Select Create a new private key.
8. Increase the key length to 4096 and accept the other defaults.
9. Accept the default CA name (or customize if desired).
10. Keep the default certificate validity period (5 years).
11. Accept the default database locations.
12. Confirm the configuration and allow it to complete.
13. Open the Certification Authority console from Tools to verify the CA was created.

Create an SSL Certificate for Web Enrollment

The CA certificate itself doesn’t include subject alternative names (SANs), so you need a separate SSL certificate for the website; otherwise web enrollment will throw errors.

1. Open PowerShell and switch to the root directory.
2. Create and enter a temp folder.
3. Use Notepad to create servercert.inf with details such as:

```ini
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject="CN=ws25-sa-ca"
KeyLength=2048
KeySpec=1
KeyUsage=0xA0
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
RequestType=PKCS10
FriendlyName="IIS Server Cert"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=ws25-sa-ca"
; Add more names if needed, e.g. _continue_ = "&dns=<additional-dns-name>"
```

4. Save the file.
5. Run `certreq -new`, specifying the INF file and an output `.req` file:

```
certreq -new C:\temp\servercert.inf C:\temp\servercert.req
```

6. Submit the request:

   * Run `certreq -submit` with the request file.

   ```
   certreq -submit -attrib "CertificateTemplate:WebServer" C:\temp\servercert.req C:\temp\servercert.cer
   ```

   * Select the standalone CA when prompted.
   * The request will show as **Pending**.
7. Open the Certification Authority console.
8. Under Pending Requests, right-click the request and select All Tasks → Issue.
9. Retrieve the certificate:

   * Use `certreq -retrieve` with the Request ID shown in the console (2 in this example) and an output `.cer` file.

   ```
   certreq -retrieve 2 C:\temp\servercert_issued.cer
   ```

10. Install the issued certificate with `certreq -accept` or by double-clicking it.

```
certreq -accept C:\temp\servercert_issued.cer
```

Install the Web Enrollment Feature

1. Open Add Roles and Features again in Server Manager.
2. Click Next until the Server Roles page.
3. Expand Active Directory Certificate Services.
4. Select Certification Authority Web Enrollment.
5. Click Next and proceed. This also installs IIS automatically.
6. When finished, click Close.
7. Run Configure Active Directory Certificate Services again.
8. Select Certification Authority Web Enrollment and click Configure.

Bind the SSL Certificate in IIS

1. Open IIS Manager.
2. Select Default Web Site.
3. In the Actions pane, choose Bindings.
4. Click Add.
5. Set Type to https.
6. Enter the server’s hostname.
7. Select the SSL certificate you issued earlier (e.g., `IIS Server Cert`).
8. Click OK and close IIS Manager.

Access the Web Enrollment Page

1. Open a browser.
2. Navigate to:
   `https://<your-server-name>/certsrv`
   Example:
   `https://WS25-SA-CA/certsrv`
3. The Certificate Enrollment web interface should now load securely.
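As an added example (not part of the post), the following PowerShell script runs the certreq, issue, retrieve and IIS binding steps from the sections above without the console prompts, on the CA server itself in an elevated session. It assumes C:\temp as the working folder, Default Web Site on port 443, and reads the CA name from the CertSvc registry key; it submits without the CertificateTemplate attribute because a standalone CA does not use templates, and adds the machine's FQDN as a second SAN when one exists.

```powershell
# Added example: assumes an elevated PowerShell on the standalone root CA, AD CS + Web Enrollment installed.
$hostName = $env:COMPUTERNAME                                    # e.g. WS25-SA-CA
$fqdn     = [System.Net.Dns]::GetHostEntry($hostName).HostName   # second SAN, if a DNS suffix exists
$caName   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$config   = "$hostName\$caName"                                  # lets certreq skip the CA picker
$work     = 'C:\temp'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Build the INF. Additional SAN entries use the "&dns=" continuation syntax.
$san = "_continue_ = `"dns=$hostName`""
if ($fqdn -ne $hostName) { $san += "`n_continue_ = `"&dns=$fqdn`"" }
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject="CN=$hostName"
KeyLength=2048
KeySpec=1
KeyUsage=0xA0
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
RequestType=PKCS10
FriendlyName="IIS Server Cert"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
$san
"@ | Set-Content -Path "$work\servercert.inf" -Encoding ASCII

# 2. Request, submit (lands as Pending on a standalone CA), issue, retrieve, install.
certreq -new "$work\servercert.inf" "$work\servercert.req" | Out-Null
$out   = certreq -submit -config $config "$work\servercert.req" "$work\servercert.cer"
$reqId = [int][regex]::Match(($out -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value
certutil -resubmit $reqId | Out-Null                       # CLI equivalent of All Tasks -> Issue
certreq -retrieve -config $config $reqId "$work\servercert_issued.cer" | Out-Null
certreq -accept "$work\servercert_issued.cer" | Out-Null   # installs into Cert:\LocalMachine\My

# 3. Bind the newest cert with that friendly name to Default Web Site on 443, after checking its SAN.
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object FriendlyName -eq 'IIS Server Cert' | Sort-Object NotBefore -Descending | Select-Object -First 1
if ($cert.DnsNameList.Unicode -notcontains $hostName) { throw "Issued cert lacks SAN dns=$hostName" }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# 4. Confirm /certsrv answers over HTTPS; the chain validates against the root in LocalMachine\Root.
$r = Invoke-WebRequest -Uri "https://$hostName/certsrv/" -UseDefaultCredentials -UseBasicParsing
"certsrv HTTP $($r.StatusCode); serving thumbprint $($cert.Thumbprint)"
```

If the final request fails with a certificate error, check that the name in the URL matches a SAN on the bound certificate rather than only the CA name.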
