While it is supported to do that, it's against best practices to install the CA role on a domain controller, for the following reasons:

1- If you are to decommission that Domain Controller, you will have to go through the procedure of moving the CA from it first before decommissioning.

2- If you are to upgrade the version of the CA, this will require the upgrade of the OS of that domain controller, and that will require a decommission for this to take place.

3- In the event of a failure on that specific DC for any reason, restoration of the full functionality of the DC and CA will be lengthy, which could affect certification validity due to downtime.

4- Administration of certain CA functions requires local administrator, and this becomes an issue on a Domain Controller.

5- If you have to publish your CRLs externally, that DC will be internet facing and this poses a very big security risk.


You might wanna take a look at these posts below that discuss the same:

1- This link to verify local admin privileges needed. Refer to Roles and Activities http://technet.microsoft.com/en-us/library/cc732590.aspx

2- Please go through these posts for additional reasons on why not to have it on a DC, please see Sander’s reply
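
To check an existing forest for the co-location discussed above, the following added example (not part of the original post) lists enterprise CAs and flags any whose host is also a domain controller. It assumes the RSAT ActiveDirectory module and read access to the configuration partition; the function name `Find-CAOnDomainController` and the sample host names are hypothetical, and standalone CAs are not covered because they do not register in the Enrollment Services container.

```powershell
# Added example: report enterprise CAs whose host is also a domain controller.
function Find-CAOnDomainController {
    param(
        # Objects exposing Name and dNSHostName (one per CA)
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $CA,
        # DNS host names of every domain controller in the forest
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $DCHostName
    )
    foreach ($c in $CA) {
        [pscustomobject]@{
            CAName             = $c.Name
            Host               = $c.dNSHostName
            # -contains compares strings case-insensitively in PowerShell
            OnDomainController = $DCHostName -contains [string]$c.dNSHostName
        }
    }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    # Live query: enterprise CAs register a pKIEnrollmentService object in the
    # forest configuration partition; standalone CAs are not listed there.
    Import-Module ActiveDirectory
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $cas = @(Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName)
    $dcs = @((Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        ForEach-Object { $_.HostName })
} else {
    # Constructed sample data (hypothetical names) so the logic runs without AD.
    $cas = @(
        [pscustomobject]@{ Name = 'Example Issuing CA 1'; dNSHostName = 'DC01.example.test' },
        [pscustomobject]@{ Name = 'Example Issuing CA 2'; dNSHostName = 'pki01.example.test' }
    )
    $dcs = @('dc01.example.test', 'dc02.example.test')
}

Find-CAOnDomainController -CA $cas -DCHostName $dcs |
    Sort-Object OnDomainController -Descending | Format-Table -AutoSize
```

With the constructed sample, the first CA is reported with `OnDomainController` set to `True` and the second with `False`.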