Install the Certification Authority

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this procedure to install Active Directory Certificate Services (AD CS) so that you can enroll a server certificate to servers that are running Network Policy Server (NPS), Routing and Remote Access Service (RRAS), or both.

Important

  • Before you install Active Directory Certificate Services, you must name the computer, configure the computer with a static IP address, and join the computer to the domain. For more information on how to accomplish these tasks, see the Windows Server 2016 Core Network Guide.
  • To perform this procedure, the computer on which you are installing AD CS must be joined to a domain where Active Directory Domain Services (AD DS) is installed.

Membership in both the Enterprise Admins group and the root domain's Domain Admins group is the minimum required to complete this procedure.

Note

To perform this procedure by using Windows PowerShell, open Windows PowerShell, type the following command, and then press ENTER.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

After AD CS is installed, type the following command and press ENTER.

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA

To install Active Directory Certificate Services

  1. Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group.

  2. In Server Manager, click Manage, and then click Add Roles and Features. The Add Roles and Features Wizard opens.

  3. In Before You Begin, click Next.

    Note

    The Before You Begin page of the Add Roles and Features Wizard is not displayed if you previously selected Skip this page by default when the Add Roles and Features Wizard was run.

  4. In Select Installation Type, ensure that Role-based or feature-based installation is selected, and then click Next.

  5. In Select destination server, ensure that Select a server from the server pool is selected. In Server Pool, ensure that the local computer is selected. Click Next.

  6. In Select Server Roles, in Roles, select Active Directory Certificate Services. When you are prompted to add required features, click Add Features, and then click Next.

  7. In Select features, click Next.

  8. In Active Directory Certificate Services, read the provided information, and then click Next.

  9. In Confirm installation selections, click Install. Do not close the wizard during the installation process. When installation is complete, click Configure Active Directory Certificate Services on the destination server. The AD CS Configuration wizard opens. Read the credentials information and, if needed, provide the credentials for an account that is a member of the Enterprise Admins group. Click Next.

  10. In Role Services, click Certification Authority, and then click Next.

  11. On the Setup Type page, verify that Enterprise CA is selected, and then click Next.

  12. On the Specify the type of the CA page, verify that Root CA is selected, and then click Next.

  13. On the Specify the type of the private key page, verify that Create a new private key is selected, and then click Next.

  14. On the Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and hash algorithm (SHA1), and determine the best key length for your deployment. Longer keys provide stronger security; however, they can affect server performance and might not be compatible with legacy applications. It is recommended that you keep the default setting of 2048. Click Next.

  15. On the CA Name page, keep the suggested common name for the CA or change the name according to your requirements. Make sure the CA name is compatible with your naming conventions and purposes, because you cannot change the CA name after you have installed AD CS. Click Next.

  16. On the Validity Period page, in Specify the validity period, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click Next.

  17. On the CA Database page, in Specify the database locations, specify the folder location for the certificate database and the certificate database log. If you specify locations other than the default locations, ensure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files. Click Next.

  18. In Confirmation, click Configure to apply your selections, and then click Close.
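The following script is an added example, not part of the original page: it performs the pre-checks from the Important note, runs the two commands from the PowerShell note, and passes to Install-AdcsCertificationAuthority the same choices the wizard asks for in steps 10 to 17, including locking down custom database and log folders with ACLs as step 17 requires. The CA name and folder paths are assumed values; the hash algorithm is set to SHA256 explicitly rather than the wizard's SHA1 default.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session as a member of Enterprise Admins and the root domain's Domain Admins.

# Pre-checks from the Important note: domain-joined and a static IPv4 address.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "Join the computer to the domain before installing AD CS." }
$staticIp = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -eq 'Manual' }
if (-not $staticIp) { throw "Configure a static IPv4 address before installing AD CS." }

# Install the role and its management tools (same command as the Note above).
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

# Step 17: custom database/log locations (assumed paths). When they are moved off
# the default, restrict each folder to SYSTEM and Administrators only.
$dbDir  = 'D:\CAData\Database'
$logDir = 'D:\CAData\Logs'
foreach ($dir in $dbDir, $logDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $acl = Get-Acl -Path $dir
    $acl.SetAccessRuleProtection($true, $false)   # stop inheritance, drop inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir -AclObject $acl
}

# Steps 10-16 as cmdlet parameters: enterprise root CA, new key in the default
# KSP, 2048-bit key, five-year validity. The wizard default hash is SHA1 (step 14);
# SHA256 is chosen here because current clients reject SHA1-signed CA certificates.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = 'CORP-ROOT-CA'   # assumed; cannot be changed after install (step 15)
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
    DatabaseDirectory   = $dbDir
    LogDirectory        = $logDir
    Force               = $true            # suppress the confirmation prompt
}
Install-AdcsCertificationAuthority @caParams

# Verify: the CA service answers, and the root certificate in the machine store
# carries the requested name, lifetime and signature hash.
certutil -ping
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=CORP-ROOT-CA*' } |
    Select-Object Subject, NotAfter, @{ Name = 'Hash'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
```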