Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key infrastructure (PKI) certificates used in software security systems that employ public key technologies. The digital certificates that AD CS provides can be used to encrypt and digitally sign electronic documents and messages.
Moreover, these digital certificates can be used to authenticate computer, user, or device accounts on a network. Digital certificates provide:
- Confidentiality - through encryption
- Integrity - through digital signatures
- Authentication - by binding a certificate's key pair to a computer, user, or device account on the network.
These certificate services have been available since Windows 2000 and remain a server role in Windows Server 2016.
This guide walks you through deploying a single Active Directory Certificate Services server in an existing domain and configuring an auto-enrollment group policy for workstations and servers. For an enterprise environment you should instead build a two-tier hierarchy: an offline root CA that issues only the subordinate (issuing) CA certificates and CRLs, and one or more online subordinate CAs that issue end-entity certificates. The root CA is kept powered off so that a compromise of an issuing CA can be recovered from by revoking and replacing it rather than rebuilding the whole PKI.
Installing Active Directory Certificate Services Role
then click :
Select the server you want to install this role on, then click
Select then click :
On the pop-up window, check the box, then click :
No additional features are needed. Click :
Select the services you want to enable. At a minimum enable . Click :
Once the installation is complete click :
Back on under click the message :
Select a user account that has the permissions required by the role services you selected above (configuring an Enterprise CA requires Enterprise Admins membership). Click :
In my example I will be configuring the . Click :
Since I am using a domain controller for this particular role, I will select . Click :
Note: If you are installing the role on a server that is not domain-joined, choose Standalone CA; an Enterprise CA requires domain membership because its templates and enrollment settings live in Active Directory. Running the CA on a domain controller is fine for a lab but is not recommended in production; a compromise of the CA host then also means a compromise of the domain controller, and the two roles have different hardening and backup requirements. Use a dedicated member server where you can.
This is our first PKI server so I will select . Click :
then click :
The fields should be pre-populated but you can change the Common name if you wish. Click :
We recommend leaving these as the defaults (RSA 2048-bit key, SHA256). Do not select SHA1; certificates signed with it are rejected by current browsers and clients.
Make sure the summary is correct then click :
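The wizard steps above can be scripted with the ADCSDeployment cmdlets. The following is an added example and not code from the original post; it assumes you are running it as an Enterprise Admin on the server that will become the CA, and the CA common name is a placeholder you should replace.

```powershell
# Added example, not from the original post: unattended equivalent of the role
# installation and CA configuration wizard steps above.
# Assumptions: run as a member of Enterprise Admins on the intended CA host;
# 'CONTOSO-ROOT-CA' is a placeholder common name.
Import-Module ServerManager

# Install the Certification Authority role service and its management tools
# (certsrv.msc, certtmpl.msc and the ADCSAdministration module).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Configure an Enterprise Root CA. These values match the Windows Server 2016
# wizard defaults: RSA 2048 in the software KSP, SHA256, five-year CA certificate.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = 'CONTOSO-ROOT-CA'   # placeholder; this name is hard to change later
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
    Force               = $true               # suppress the confirmation prompt
}
Install-AdcsCertificationAuthority @caParams

# Sanity checks: the CA service is running and certutil can read the CA's
# configuration from Active Directory.
Get-Service -Name CertSvc
certutil -cainfo
```

If `certutil -cainfo` reports the CA name and type you expect, the enrollment services object has been written to the configuration partition and domain members will be able to find the CA.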
Creating Certificate Template for Workstation and Client Authentication
Right click then :
Scroll down to , right click then select :
On the tab enter a template display name, then select a validity period. Check the two boxed options:
On the Security tab add the Domain Computers group, since that is what gives your domain-joined machines permission to use the template. Check the boxes for Enroll and Autoenroll; autoenrollment requires both rights, and the Read right the wizard adds by default.
On the tab click then :
Click > then
Make sure is selected then click
On the Subject Name tab, check the DNS name box so that the machine's DNS name is added to the Subject Alternative Name of the certificate. Leave the subject set to be built from Active Directory; do not switch the template to let the requester supply the subject. A template that lets the enrollee supply the subject, is published for enrollment by a broad group such as Domain Computers, and carries the Client Authentication purpose lets any member of that group request a certificate for an arbitrary identity. Click and
You will now have a new template with the intended purposes Client Authentication and Server Authentication. You can now close the window.
Back on the window, right click > >
Select the template we created, then click . The custom template should now appear under .
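Publishing the template can be done with `Add-CATemplate`, and the template object in Active Directory can be read back to confirm the settings made above actually took. The following is an added example, not code from the original post; it assumes the template's name (its CN, not the display name) is `WorkstationClientAuth`, which is a placeholder, and that it runs on the CA as a CA administrator.

```powershell
# Added example, not from the original post: publish the template built above and
# verify its settings in the configuration partition.
# Assumption: 'WorkstationClientAuth' is a placeholder for the template's name (CN).
$templateName = 'WorkstationClientAuth'

# 1. Publish the template on this CA (the "Certificate Template to Issue" step).
#    -Name takes the template name, not the display name.
Add-CATemplate -Name $templateName -Force
Get-CATemplate | Where-Object Name -eq $templateName

# 2. Read the template object from AD and decode the flags that matter.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tpl = [ADSI]"LDAP://CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Flag attributes are stored as signed 32-bit integers; mask to unsigned for clean bit tests.
function ConvertTo-UInt32 ($value) { [uint32]([int64]$value -band 0xFFFFFFFF) }
$nameFlags   = ConvertTo-UInt32 ([int]$tpl.psbase.Properties['msPKI-Certificate-Name-Flag'].Value)
$enrollFlags = ConvertTo-UInt32 ([int]$tpl.psbase.Properties['msPKI-Enrollment-Flag'].Value)
$ekus        = @($tpl.psbase.Properties['pKIExtendedKeyUsage'])

# Bit values from the certificate template schema.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS   = 0x40000000   # msPKI-Certificate-Name-Flag
$CT_FLAG_AUTO_ENROLLMENT           = 0x00000020   # msPKI-Enrollment-Flag

[pscustomobject]@{
    Template                = $templateName
    AutoEnrollmentEnabled   = [bool]($enrollFlags -band $CT_FLAG_AUTO_ENROLLMENT)
    DnsNameInSAN            = [bool]($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DNS)
    EnrolleeSuppliesSubject = [bool]($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)  # must be False
    ClientAuthEKU           = $ekus -contains '1.3.6.1.5.5.7.3.2'
    ServerAuthEKU           = $ekus -contains '1.3.6.1.5.5.7.3.1'
}

# 3. Who may enroll and autoenroll? Both are extended rights identified by GUID in the ACL.
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoenrollRight = [guid]'a05b8cc2-17bc-11d1-a5e1-0000f80362e1'   # Certificate-AutoEnrollment
$tpl.psbase.ObjectSecurity.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -in @($enrollRight, $autoenrollRight) } |
    Select-Object IdentityReference,
        @{ n = 'Right'; e = { if ($_.ObjectType -eq $enrollRight) { 'Enroll' } else { 'Autoenroll' } } }
```

The object output should show `AutoEnrollmentEnabled`, `DnsNameInSAN`, `ClientAuthEKU` and `ServerAuthEKU` as `True` and `EnrolleeSuppliesSubject` as `False`, and the ACL listing should show Domain Computers with both Enroll and Autoenroll and nothing broader. If a group you did not intend appears there, fix the template's Security tab before linking the policy.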
Configuring Group Policy for Automatic Certificate Enrollment:
Enter a name for the policy and click
Now right click the new policy then click :
Scroll down to . In the right pane right click then :
Change the drop down menu to then click >
Now right click then :
Change the drop-down menu to and check the two boxes. Click , then . You can now exit the :
Right click your policy, then click to enable it:
Right click the OU again and click to get the policy applied without waiting for the next refresh.
Back on your PKI server, open and go to ; you will start to see that your computers have requested and obtained certificates. If nothing appears yet, give it some time and refresh: autoenrollment runs at boot and logon and then every eight hours, so a client that has already applied the policy may still not enroll until its next trigger (or until you run `certutil -pulse` on it).
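The same policy can be created and linked from PowerShell, and the result checked from both ends instead of watching the console. The following is an added example, not code from the original post. The GPO name, OU distinguished name and CA name are placeholders; it assumes the GroupPolicy RSAT module is installed where you run the first part, and that the second and third parts are run on a workstation in the OU and on the CA respectively.

```powershell
# Added example, not from the original post: autoenrollment GPO plus verification.
# Assumptions: GPO name and OU DN are placeholders; GroupPolicy RSAT module installed;
# the caller may create and link GPOs.
Import-Module GroupPolicy

$gpoName = 'Certificate AutoEnrollment'           # placeholder
$ouDN    = 'OU=Workstations,DC=contoso,DC=local'  # placeholder

New-GPO -Name $gpoName | Out-Null

# "Certificate Services Client - Auto-Enrollment" is stored as registry policy under this key.
# AEPolicy = 7 is Enabled with both options checked: renew expired / update pending / remove
# revoked certificates, and update certificates that use certificate templates.
# HKLM configures the computer side (what the workstation template needs); HKCU the user side.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName AEPolicy -Type DWord -Value 7 | Out-Null
    # Renew when 10% of the lifetime remains, for certificates in the Personal (MY) store.
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName OfflineExpirationPercent -Type DWord -Value 10 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName OfflineExpirationStoreNames -Type String -Value 'MY' | Out-Null
}

New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null

# Run on a workstation in the OU: apply policy, trigger autoenrollment, list what was issued.
function Test-WorkstationEnrollment {
    gpupdate /force | Out-Null
    certutil -pulse | Out-Null
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # OID 1.3.6.1.4.1.311.21.7 is the Certificate Template Information extension.
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        [pscustomobject]@{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            Template = if ($ext) { $ext.Format($false) } else { '(no template)' }
            NotAfter = $cert.NotAfter
        }
    }
}

# Run on the CA: list issued certificates (Disposition 20 = issued) with requester and template.
function Get-IssuedCertificates {
    certutil -view -restrict 'Disposition=20' -out 'RequestID,RequesterName,CertificateTemplate,NotAfter'
}
```

On the workstation, `Test-WorkstationEnrollment` should return at least one certificate whose `Template` names your custom template and whose `Subject` is the machine's DNS name; on the CA, `Get-IssuedCertificates` should list the same machine as `RequesterName` in the form `DOMAIN\HOSTNAME$`. If the workstation shows nothing, run `gpresult /r /scope:computer` and confirm the GPO is listed under applied objects before suspecting the CA.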