Two-Tier CA Hierarchy – Installing Root CA Windows Server 2012 R2 (Part I)

In this series, I'll focus on Two-Tier CA installation with Windows Server 2012 R2 and this article covers installation of a Root CA server with Powershell in Windows Server 2012 R2.

PKI Two-Tier CA Infra details,

  • One Root CA server – Server is not joined to domain
  • One Subordinate Enterprise CA server (Issuing CA) – Server is joined to domain
  • Active Directory Domain Name:

Step 1: Create CAPolicy.inf file

  • Create and Save CAPolicy.inf file under c:\Windows on the Root CA server and enter the following content in the file.


Signature="$Windows NT$"











Note: Ensure you change Audit Object Access security policy setting on Root CA server - Open the local security policy and modify the Audit Object Access to record Success and Failures

Step 2: Installation of Certificate Authority

  • Use the following Windows PowerShell commands to Install Active Directory Certificate Authority on Standalone Root CA

Add-WindowsFeature Adcs-Cert-Authority –IncludeManagementTools


Install-ADcsCertificationAuthority -CACommonName "RootCA" -CAType StandaloneRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -HashAlgorithmName SHA1 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 20

Step 3: Configure Root CA

  • Run Command prompt in Administrative mode and execute following commands to configure Root CA server,

certutil.exe -setreg ca\DSConfigDN "CN=test,DC=co,DC=nz"

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

certutil -setreg CA\CRLPeriodUnits 6

certutil -setreg CA\CRLPeriod "Months"

certutil -setreg CA\CRLDeltaPeriodUnits 0

certutil -setreg ca\ValidityPeriodUnits 10

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg CA\AuditFilter 127

net stop certsvc

net start certsvc

certutil –CRL


Step 4: Publish Root CA certificate in Active Directory

  • Logon to Subordinate Enterprise Issuing CA with Enterprise Admin credentials.
  • Copy <servername>_RootCA.crt and RootCA.crl files (C:\Windows\system32\certsrv\certenroll is the default location for this file) from Root CA server to the Issuing CA server.
  • Open Command prompt in administrative mode and execute the following commands

certutil –dspublish –f <ServerName>_RootCA.crt RootCA
certutil –addstore –f root <ServerName>_RootCA.crt
certutil –addstore –f root RootCA.crl

PKI PowerShell References,


Enjoy reading !!


Comments (0)

Skip to main content