Certificate Authority (building)

Steve Harris
I am going to be building a CA on a VM and the Microsoft documentation I have found seems outdated.

What is the recommended platform for this? I have found having an offline one that is the root and then subordinates to issue the certificates as the idea. This seems really intensive.

I really just need one to issue certificates to devices/users for VPN items and HTTPS certificates for SCCM later. Nothing too intensive.

Does anyone have a good method to get one up and running quickly?

If you're not transferring a CA to a new server but rather building a brand new one, just follow this:


That's current and will get you up and running.
Steve Harris, IT Analyst


@Coolie Ok that is a document I found and tried. I have a VM up and running off that one, but I am not sure it is working properly.

You can search AD and see what it says is your Certification Authority.  This lets you know that you installed it correctly:


And if you want to test it out, you can follow the steps below to see if it's working correctly.

Steve Harris, IT Analyst


OK, so I did Option 1 & 2 and I don't see it on there, yet I followed the guide. Any ideas or should I just try to rebuild again?

Option 1:
  Name:                         "IFM-CA"
  Organizational Unit:          ""
  Organization:                 ""
  Locality:                     ""
  State:                        ""
  Country/region:               ""
  Config:                       "CA.IFM\IFM-CA"
  Exchange Certificate:         ""
  Signature Certificate:        "CA.IFM_IFM-CA.crt"
  Description:                  ""
  Server:                       "CA.IFM"
  Authority:                    "IFM-CA"
  Sanitized Name:               "IFM-CA"
  Short Name:                   "IFM-CA"
  Sanitized Short Name:         "IFM-CA"
  Flags:                        "13"
  Web Enrollment Servers:       ""
CertUtil: -dump command completed successfully.

Option 2:
1. Logon by using domain administrator to computer that connect to the

2. Install Windows Support Tools.
3. Go to "Start" -> "Run" -> Write "adsiedit.msc" and press on "Enter" button.
4. Navigate to:
CN=Certification Authorities,CN=Public Key

Under "Certification Authorities" you will find your Enterprise Root Certificate Authority server.
Senior Systems Admin
Top Expert 2010
Go to a system on the network. Open MMC > Add Snap-in > Certificates > Choose Computer > Open Trusted Third Party > If the CA Certificate for the server is there, the CA is working.
Steve Harris, IT Analyst


@Adam I do see it there, so that is a plus. Though I don't see it in ADSI.
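
The ADSI Edit check discussed in this thread can also be scripted. The following is an added example, not part of any post above: a read-only PowerShell listing of the CA certificates published in Active Directory. It assumes a domain-joined machine and the standard AD CS containers under CN=Public Key Services,CN=Services in the configuration partition; `Get-PublishedCa` is a hypothetical helper name.

```powershell
# Added example: read-only listing of CA objects published in Active Directory.
# Assumes a domain-joined machine and the standard AD CS containers under
# CN=Public Key Services,CN=Services in the configuration partition.
# Get-PublishedCa is a hypothetical helper name.
$rootDse = [ADSI]'LDAP://RootDSE'
$pkiBase = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"

function Get-PublishedCa {
    param([Parameter(Mandatory)][string]$Container)

    $entry    = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.Filter      = '(cACertificate=*)'   # only objects that carry a CA certificate
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'dnshostname', 'cacertificate'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # cACertificate is multi-valued: one DER blob per (renewed) CA certificate
            foreach ($raw in $r.Properties['cacertificate']) {
                $bytes = [byte[]]$raw
                $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
                [pscustomobject]@{
                    Container   = $Container
                    Name        = [string]$r.Properties['cn'][0]
                    DnsHostName = [string]($r.Properties['dnshostname'] | Select-Object -First 1)
                    Subject     = $cert.Subject
                    Thumbprint  = $cert.Thumbprint
                    NotAfter    = $cert.NotAfter
                }
            }
        }
    } finally { $results.Dispose() }
}

# Certification Authorities: published root CA certificates.
# Enrollment Services: enterprise CAs that clients can enroll against.
# AIA: CA certificates published for chain building.
$found = foreach ($c in 'Certification Authorities', 'Enrollment Services', 'AIA') {
    try { Get-PublishedCa -Container $c }
    catch { Write-Warning "Cannot read CN=$c : $($_.Exception.Message)" }
}
if ($found) { $found | Format-Table -AutoSize }
else { Write-Warning 'No CA certificates are published under Public Key Services.' }
```

The thumbprint reported here can be compared with the one shown for the same CA certificate in the Certificates snap-in on a client.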
