How to setup Microsoft Active Directory Certificate Services [AD CS]

Microsoft Active Directory Certificate Services [AD CS] provides a platform for issuing and managing public key infrastructure [PKI] certificates. On top of securing application and HTTP traffic the certificates that AD CS provides can be used for authentication of computer, user, or device accounts on a network.

In this post I will be setting up a single AD CS server on my domain and configuring group policy to auto enroll my servers. For an enterprise environment you will deploy subordinate CA’s and shut down your root CA for security. For more information about this setup click here: PKI Design Options

Installing the AD CS Server Role:

Open Server Manager and click Manage -> Add Roles and Features:

PKI 1 - Add Roles and Features

Click Next:

PKI 2 - Before you Begin

Role-based or feature-based installation should be selected then click Next:

PKI 3 - Installation Type

Select the server you want to install this role then click Next:

PKI 4 - Server Selection

Select Active Directory Certificate Services then click Next:

PKI 5 - Server Role Selection

On the pop up window click the box Include management tools then Add Features:

PKI 5-1 - Server Role Selection Addition

Click Next:

PKI 5-2 - Server Role Confirm

No additional Features are needed. Click Next:

PKI 6 - Features

Click Next:

PKI 7 - AD CS

Select the services you want to enable. At a minimum enable Certificate Authority. Click Next:

PKI 8 - Role Services

A reboot was not required. Click Install:

PKI 9 - Confirmation

Once the installation is complete click Close:

PKI 10 - Results

AD CS Post-Deployment Configuration:

Back on Server Manager under Notifications click the message Configure the Active Directory Certificate Services on this server:

PKI 11 - AD CS Configuration Required

Select a user account that has the permissions depending on the role services you selected above. Click Next:

PKI 12 - AD CS Configuration Credentials

In my example I will be configuring the Certification Authority. Click Next:

PKI 13 - AD CS Configuration Role Services

Since I am on a domain I will select Enterprise CA. Click Next:

PKI 14 - AD CS Configuration Setup Type

Since this is my first PKI server I selected Root CA. Click Next:

PKI 15 - AD CS Configuration CA Type

Create a new private key then click Next:

PKI 16 - AD CS Configuration Private Key

Enter your cryptographic options then click Next:

Note: Do not select SHA1 as it is being deprecated by all browsers and Microsoft Server Authentication; use SHA256 instead.

PKI 17 - AD CS Configuration Cryptography

The fields should be pre-populated but you can change the Common name if you wish. Click Next:

PKI 18 - AD CS Configuration CA Name

Enter a validity period. This is how often the CA certificate will expire and will need to be renew on subordinate CA (if applicable).

Take note of the message: The validity period configured for the CA certificate should exceed the validity period for certificates it will issue.

Click Next:

PKI 19 - AD CS Configuration Validity Period

Advise leaving these as defaults. Click Next:

PKI 20 - AD CS Configuration Certificate Database

Ensure the summary is correct then click Configure:

PKI 21 - AD CS Configuration Confirmation

Finished! Click Close:

PKI 22 - AD CS Configuration Results

Create Certificate Template for Workstation and Client Authentication:

This step is to create a certificate template that will enable your domain computers to request certificates from your PKI server.

Open Control Panel then go to Administrative Tools -> Certification Authority:

PKI 23 - Certification Authority

Right click Certificate Templates then Manage:

PKI 24 - Certification Authority - Manage Certificate Templates

Scroll down to Workstation Authentication, right click then select Duplicate Template:

PKI 25 - Certification Authority - Duplicate Template

On the General Tab enter a template display name then select a validity period. Click the two boxed options:

PKI 26 - Certification Authority - Properties of Templates

On the Security tab add Domain Computers as this will give permission to your Domain Computers. Check the boxes for Read and Autoenroll:

PKI 26-1 - Certification Authority - Properties of Templates

On the Extensions tab click Application Policies then Edit:

PKI 26-2 - Certification Authority - Properties of Templates

Click Add -> Server Authentication then Ok:

PKI 26-3 - Certification Authority - Properties of Templates

Ensure Server Authentication is selected then click Ok:

PKI 26-4 - Certification Authority - Properties of Templates

On the Subject Name tab click the DNS name box to add the DNS name to the SAN of the certificate. Click Apply and Ok:

PKI 26-5 - Certification Authority - Properties of Templates

You will now have a new template with the intended purposes of Client Authentication, Server Authentication. You can now close the Certificate Templates Console window.

PKI 27 - Certification Authority - Template Console

Back on the Certification Authority window, right click Certification Template -> New -> Certificate Template to Issue:

PKI 28 - Certification Authority - Create Template to Issue

Select the Certificate Template we created then click Ok. The custom template should now show under Certificate Templates.

PKI 29 - Certification Authority - Enable Certificate Templates

Configure Group Policy for Automatic Certificate Enrollment:

This step is to create the group policy so computer will request a certificate from your PKI server.

On your Domain Controller open Control Panel then Administrative Tools -> Group Policy Management:

PKI 30 - Group Policy Management

You can edit the Default Domain Policy so all computers are configured to request a certificate from your PKI or you can create a policy in a specific OU. I opted to create a new policy for my Windows Servers OU.

PKI 31 - Group Policy - Create GPO

Enter a name and click Ok:

PKI 32 - Group Policy - New GPO

Now right click the new policy then click Edit:

PKI 33 - Group Policy - Edit GPO

Drill down to Public Key Policies. In the right pane right click Certificate Services Client – Certificate Enrollment Policy then Properties:

PKI 34 - Group Policy - Public Key Policies

Change the drop down menu to Enabled then click Apply -> Ok:

PKI 36 - Group Policy - Certificate Enrollment

Now right click Certificate Services Client – Auto-Enrollment then Properties:

PKI 35 - Group Policy - Auto Enrollent Properties

 

Change the drop down menu to Enabled and check the two boxes. Click Apply then Ok. You can now exit the Group Policy Management Editor:

PKI 37 - Group Policy - Enable Certificate Enrollment

Right click your Policy then click Enforced to enable the policy:

PKI 38 - Group Policy - Enable GPO

Also right click the OU and click Group Policy Update to accelerate getting the policy pushed out.

PKI 39 - Group Policy - Group Policy Update

Back on your PKI server if you open Certification Authority and go to Issued Certificates you will start seeing your computers have requested and obtained a certificate. If you don’t see anything yet give it some time and refresh later.

PKI 40 - Certificates are being issues

You now have a working PKI server in its simplest form. Leave comments below if you had any issues or helpful tips!

24 thoughts on “How to setup Microsoft Active Directory Certificate Services [AD CS]”

  1. I’ve done all of this, left it overnight, but the server that absolutely requires a certificate still isn’t showing in Issued Certificates – It has a self-signed certificate, but this isn’t enough for testing. Have I missed a registry entry, or something?

    Reply
  2. We have one 2012 R2 Enterprise Root CA in our env. we have a requirement to generate SAN certs , how do we generate SAN cert without enabling the Flag on the Root CA ?? I read online that it can be done by developing custom SAN extensions for Certificate template but that is out of scope for me as it needs programming experience. Is there any recommended and tested way to securely generate SAN Cert ? Can we setup a subordinate Ent. CA and set Registry flag on that to generate SAN cert and then power off that server ??

    Appreciate any suggestions !

    Reply
  3. Root CAs should never be Online Enterprise CAs. Its a security risk and goes against MS best practices.

    The Root CA should be Offline and Not AD Integrated.

    Reply
  4. Am I able to utilize this to allow domain login if a cert exists for a workstation or deny login if the workstation either doesn’t have a valid cert (expired) or it doesn’t have one at all?

    I have workstations connected automatically through an APN to the network. Trying to find out if PKI can be used as a dual factor authentication method.

    Reply
  5. Can I have WSUS server and CA role in same VM? and when connecting other servers using RDP getting the following warning message “Remote Desktop Connection – The Certificate is not from a trusted certifying authority”. will the above steps help to fix this security issue?

    Reply
  6. Hi Daniel,
    We deployed AD CS on 2012 R2 Enterprise and was working perfectly with Office 2010. After Office 2016 was rolled out, the certificate issued by the server is not recognized as valid. Do you know what can be the problem?
    My IT department say that there is no information on our “end user” certificates that tells Office where to get the CRL.Office 2010 simply disregards the revocation check if this information is missing in the certificate, but Office 2016 is returning a warning when it is unable to check the validity.

    Thank you for your help.

    Reply
  7. I had used this with my servers and seems to be working well, would the same process be used to push to my workstations?

    Reply
  8. This all worked at the first go. Yes some of the steps were different to my server 2019 box, but, what a great help, you have been
    very helpful. looking forward to new posts via email…. :-]

    Reply

Leave a Reply