
Get rid of those annoying self-signed certificates with Microsoft Certificate Services, Part 3

Guillermo Musumeci
6 min read · Dec 19, 2019

In Part 1 of the guide, we introduced Certificate Services and we discussed the design and the plan to deploy these services.

In Part 2, we installed and configured the Web Server used to distribute Certificate Revocation Lists (CRLs) and to request and issue certificates, and we created a CNAME DNS record for the Web Server.

In this part, we will install and configure the Standalone Root CA. Let’s get to work!


Install a server with Windows Server 2016 or 2019 for the Standalone Root CA, set a name for the server, configure it with a static IP address, and don’t join the machine to the domain. This server will be off-domain and offline after we complete the setup.

Installing Standalone Root CA:

Open Server Manager, click the Add Roles and Features option, select the Role-based or feature-based installation type, and choose Active Directory Certificate Services under Server Roles.

Add Roles and Features Wizard

Ensure you choose only the Certification Authority role service for the Root CA.

Add Roles and Features Wizard

Confirm the installation options:

Add Roles and Features Wizard
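The same installation can be scripted. The following PowerShell is an added example, not part of the original article: it checks the preconditions described above (server not domain-joined, static IP address), installs only the Certification Authority role service, and confirms that no other AD CS role service is present. It assumes an elevated PowerShell session on the Root CA server.

```powershell
# Added example: pre-flight checks and role install for a standalone Root CA.
# Assumption: run in an elevated PowerShell session on the Root CA server.
$ErrorActionPreference = 'Stop'

# 1. The Root CA must stay off-domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "Server is joined to domain '$($cs.Domain)'. The Root CA must not be domain-joined."
}

# 2. Connected IPv4 interfaces should use a static address, not DHCP.
$dhcpNics = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and
                   $_.Dhcp -eq 'Enabled' -and
                   $_.InterfaceAlias -notlike 'Loopback*' }
if ($dhcpNics) {
    throw "DHCP is enabled on: $($dhcpNics.InterfaceAlias -join ', '). Assign a static IP first."
}

# 3. Install only the Certification Authority role service (plus management tools).
$result = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $result.Success) { throw 'Installation of ADCS-Cert-Authority failed.' }

# 4. Confirm no other AD CS role service (web enrollment, OCSP, etc.) is present.
$extra = Get-WindowsFeature -Name 'ADCS-*' |
    Where-Object { $_.Installed -and $_.Name -ne 'ADCS-Cert-Authority' }
if ($extra) {
    Write-Warning "Unexpected AD CS role services installed: $($extra.Name -join ', ')"
} else {
    Write-Host 'Only the Certification Authority role service is installed.'
}

# 5. Report whether the feature install requires a reboot.
if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is required.' }
```

This only installs the role binaries; the CA itself is still configured afterwards through the configuration wizard.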

Set up the Root CA Certificate Services:

After Certificate Services is installed, start the configuration wizard from Server Manager by clicking the More link:

Server Manager

Click on the Configure Active Directory… link
