
Active Directory with a trusted certificate

In this tutorial I will show you how to install Active Directory with a certificate from a trusted certificate authority (CA). I got this experience from deployment of a Windows domain in the Silicon Hill student’s club.

Prerequisites

We need a certificate and the corresponding private key in the .pfx or .p12 format. If you have them in the classic .pem format, here is how to convert them with OpenSSL:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Note: No Active Directory Certificate Services needed as some tutorials may suggest.

Versions

Versions matter in every tutorial, since what works on one version may not work on others.
We will be using Windows Server 2012.

image

Overview of the steps

  1. Add the Active Directory Domain Services role to the server.
  2. Import the certificate with private key (*.pfx or *.p12) to the correct certificate store.
  3. Promote the server to a domain controller (dcpromo.exe).

Step 1: Adding the ADDS role

  1. Open Server Manager
  2. Click Manage → Add Roles and Features
  3. Click Next > until the Server Roles phase.
  4. Select Active Directory Domain Services.
  5. Press Next > and then Finish to complete the wizard.

Warning: Do not run the dcpromo (DC promotion) yet.

Step 2: Install certificate

  1. Open mmc.
  2. Add/Remove Snap-in… (Ctrl+M)
  3. Certificates
  4. Add >
  5. Service Account
  6. Local Computer
  7. Active Directory Domain Services
    image
  8. Finish, OK
  9. Import the .pfx or .p12 into NTDS\Personal

Step 3: dcpromo

Run dcpromo (domain controller promotion) from the Server Manager. You will notice a yellow triangle with an exclamation mark in Server Manager; following it is enough.

Test it!

After you restart the server, LDAP over SSL should work. To test it, try an OpenSSL command:

openssl s_client -host dc1.example.com -port 636

If you see the desired certificate information, you’re done.
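The same check from a Windows machine, as an added example that is not part of the original tutorial: instead of reading the openssl output by eye, it connects to port 636, pulls the presented certificate and reports pass/fail on the points that usually break LDAPS (the DC's FQDN missing from the SAN, no Server Authentication EKU, a chain that does not build to a trusted root, or Schannel having picked a different certificate than the one you imported). It assumes TCP 636 on the DC is reachable; dc1.example.com is a placeholder for your DC's DNS name.

```powershell
# Added example, not part of the original tutorial: verify an LDAPS endpoint
# with explicit pass/fail checks. Assumes TCP 636 on the DC is reachable.
param(
    [string]$DcFqdn = 'dc1.example.com',   # placeholder, use your DC's DNS name
    [int]$Port = 636
)

$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
try {
    # The callback accepts any certificate so the handshake completes even when
    # the chain is broken; every property is then checked explicitly below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($DcFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Subject Alternative Name (2.5.29.17): Format() prints lines of "DNS Name=<host>".
    # LDAP clients match the DC's FQDN against these entries (or the subject CN on older certs).
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($true) } else { '' }

    # Enhanced Key Usage (2.5.29.37) must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # Chain validation against this machine's trusted roots, the same check an LDAP client performs.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    # Compare Thumbprint with the certificate you imported into NTDS\Personal;
    # a mismatch means Schannel selected another certificate.
    [PSCustomObject]@{
        Protocol      = $ssl.SslProtocol
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        NameInSan     = [bool]($san -match "DNS Name=$([regex]::Escape($DcFqdn))")
        ServerAuthEku = [bool]$serverAuth
        ChainTrusted  = $chainOk
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Every field in the output object should read True (and ChainErrors should be empty) before you point LDAP clients at the server.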

Conclusion

I hope the tutorial was useful. Let me know if it works for you and feel free to comment.
