How to set up a local certification authority


Article ID: 180321


Endpoint Protection





1.      Open Control Panel.

2.      Double-click Add or Remove Programs.

3.      Click Add/Remove Windows Components.

4.      Double-click Application Server.

5.      Double-click Internet Information Services (IIS).

6.      Double-click World Wide Web Service.

7.      Select Active Server Pages.

8.      Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.

9.      Select Certificate Services. Review the warning regarding the computer name and domain membership. Click Yes in the warning dialog box if you want to continue, and then click Next on the Windows Components page.

10.  On the CA Type page, choose one of the following, and then click Next:

    • Enterprise root CA. An enterprise root CA must be installed on a domain member. The enterprise root CA will automatically issue certificates when requested by authorized users (that are recognized by the domain controller).
    • Stand-alone root CA. A stand-alone root CA requires that the administrator issue each requested certificate.

11.  On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.

12.  On the Certificate Database Settings page, review the default settings. You may revise the database locations. Click Next.

13.  On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

How to install the certificate:

1.      Open Internet Explorer.

2.      From the menu, select Tools, and then select Internet Options.

3.      Select the Security tab, and click Custom Level to open the Security Settings dialog box. Set the value in the Reset custom settings drop-down menu to Medium, click OK to close the Security Settings dialog box, and then click OK to close the Internet Options dialog box.

4.      Browse to: http://<IP address of certification authority server>/certsrv

5.      Click Download a CA Certificate, Certificate Chain, or CRL. On the next page, click Download CA Certificate. This is the root CA certificate that must be installed on the Forefront TMG computer. In the File Download dialog box, click Open.

6.      On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard.

7.      On the Welcome to the Certificate Import Wizard page, click Next. On the Certificate Store page, select Place all certificates in the following store and click Browse. In the Select Certificate Store dialog box, select Show Physical Stores. Expand Trusted Root Certification Authorities, select Local Computer, and then click OK. On the Certificate Store page, click Next.

8.      On the Completing the Certificate Import Wizard page, review the details, and then click Finish.

9.      Verify that the root certificate was properly installed by performing the following steps.

    a.      Open the Microsoft Management Console (MMC) Certificates (local computer) snap-in.

    b.      Expand the Trusted Root Certification Authorities node, click Certificates, and verify that the root certificate is in place.
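
The check in step 9 can also be scripted. The following PowerShell is an added example, not part of the original article; the file path and expected thumbprint are placeholders, and the thumbprint is assumed to have been read on the CA server itself, because the download in step 4 uses plain HTTP.

```powershell
# Added example. $CerPath and $ExpectedThumbprint are placeholders (assumptions):
# the file saved from /certsrv and the thumbprint read on the CA server itself.
function Test-RootCaInstall {
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # Thumbprints copied from the Certificate dialog often contain spaces.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A root CA certificate is self-signed and carries the CA basic constraint.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }

    # Step 7 must place the certificate in the Local Computer store. The
    # current-user view also shows machine roots, so a certificate that is
    # visible there but not in LocalMachine was imported for one user only.
    $inMachine = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
    $inUser = @(Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        ThumbprintMatch = ($cert.Thumbprint -eq $expected)
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        IsCa            = [bool]($bc -and $bc.CertificateAuthority)
        NotAfter        = $cert.NotAfter
        InLocalMachine  = $inMachine
        CurrentUserOnly = ($inUser -and -not $inMachine)
    }
}

# Placeholder values; replace both before running.
Test-RootCaInstall -CerPath 'C:\Temp\certnew.cer' `
    -ExpectedThumbprint '<THUMBPRINT READ ON THE CA SERVER>'
```

A correct installation reports ThumbprintMatch, SelfSigned, IsCa and InLocalMachine as True and CurrentUserOnly as False.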