Applies To: Windows Server 2008 R2
For most organizations, a root certification authority (CA) certificate is the first Active Directory Certificate Services (AD CS) role service that they install. In a basic public key infrastructure (PKI), a root CA may be the only CA that an organization deploys.
Whether you install just one CA or multiple CAs, the root CA certificate establishes the foundation and basic rules that govern certificate issuance and use for your entire PKI. Where the root certificate defines standards for what is acceptable and unacceptable in the PKI hierarchy, AD CS applies those standards to any other CAs and AD CS role services.
A root CA can be a stand-alone or enterprise CA. If there is more than one CA in the organization, many
organizations minimize the exposure of their root CA by keeping it offline except when it is needed to process a request for a subordinate CA certificate.
Membership in local Administrators. or equivalent, is the minimum required to complete this procedure. If this will be an enterprise CA, membership in Domain Admins. or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration .To install a root CA
Open Server Manager,click Add Roles. click Next ,and click Active Directory Certificate Services. Click Next two times.
On the Select Role Services page, click Certification Authority. Click Next .
On the Specify Setup Type page, click Standalone or Enterprise. Click Next .