Active Directory Certificate Services (AD CS) allows you to deploy your own PKI infrastructure on a domain network and use it to issue and manage certificates. In this article, we will look at a typical Certification Authority (CA) deployment scenario: installing a root CA and subordinate enterprise AD CS on two Windows Server hosts, and configuring Group Policy to issue certificates in a domain.
In a production environment, you will need to implement a two-tier PKI architecture:
- Separate root Certification Authority host (Root CA) – this server issues a certificate to sign a subordinate certification server. After the generation of the trusted root certificate, the CRL, and the signing of the subordinate CA’s key, it is recommended to shut down this server (which reduces the risk of compromising the root CA). This server is called
RootCAin our example;
- Issuing CA server (Subordinate CA) – this is the main server that will issue certificates to clients in the organization. It also stores a certificate revocation list and is used to check for certificates that have been revoked. The name of this server is
First, you need to configure the RootCA host. This is a computer running Windows Server that does not need to be joined to the AD domain.
Active Directory Certificate Services components are one of the built-in roles on Windows Server 2022/2019/2016. Open the Server Manager and select Add roles and features;
- Select the current server, select Active Directory Certification Authority in the list of roles, and click Next;
- Select Certification Authority from the list of AD CS role services;
- Once the installation is complete, you will need to perform the initial setup of the ADCS role. In the Server Manager, click Configure Active Directory Certificate Services on the destination server;
- Select CA services to configure;
- As the root CA server is not added to the AD domain, select here Standalone CA -> Root CA;
- Select Create a new private key; Leave the default cryptographic options:Cryptographic provider:
- Set the Certificate Authority CN;
- On the Validity Period page, set the CA certificate to be valid for 15 years;
- Leave the default paths to the CA database and logs:
- If everything is configured correctly, the following message will appear: Configuration succeeded.
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
After installing the AD Certificate Services role, run the command:
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
A special snap-in, the Certification Authority (
certsrv.msc), is used to manage certificates in the ADCS. Open it.
Then go to the
C:\Windows\System32\CertSrv\CertEnroll directory and copy the root certificate and the certificate revocation list from there. You will need these files when configuring an issuing CA (subordinate CA).
Now let’s set up the second subordinate CA host (subordCA). It is not recommended to deploy the AD CS role on an Active Directory domain controller.
- Install the AD CS role on it, with the following:
Certification Authority Web Enrollment
Certification Authority Web Service
- Select CA type – Subordinate CA;
- Then select Create a new private key;
- Leave the cryptography settings at their default values; set the Common Name for this CA;
- On the Certificate request page, select Save a certificate request to file on the target machine and specify the file path for your REQ file;
- Click Configure to start the installation.
Now you need to issue a certificate on your Root CA according to the request you generated:
- Copy your *.REQ file to the root of the C:\ drive on rootCA;
- Run the command:
certreq -submit "C:\subordCA.tect.loc_SUBORDCA-1.req"
- Select your root CA in the Certification Authority List prompts and click OK;
- Now open the Certification Authority console at the Root CA and go to the Pending Requests section. Your request should appear in this section. Note the request number, for example, Request ID 2. Right-click on it and select All Tasks -> Issue;
- Export the signed certificate to a file by using the following command
certreq -retrieve 2 C:\SubordCA.crt
Copy the SubordCA.crt file to the intermediate certificate server (subordCA). Install the root certificates and revocation list from the files you copied earlier:
certutil -dspublish -f "C:\PS\RootCA.crt" certutil -addstore -f root "C:\PS\RootCA.crt" certutil -addstore -f root "C:\PS\RootCA.crl"
Now install the root certificate you signed:
certutil -installcert C:\PS\SubordCA.crt
Start the CertSrv service. Your intermediate certificate server is ready to issue certificates to clients. The RootCA host can be shutdown.
Now you need to configure a Group Policy in the domain to issue certificates (autoenrollment) to domain clients automatically.
- Open the Group Policy Management (
gpmc.msc), click on the domain root, select Create a GPO in this domain, and Link it here;
- Enter a name for the policy and switch to GPO edit mode;
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies;
- Choose a template “Certificate Services Client – Auto-Enrollment“
- Enable the policy and configure it as follows
Renew expired certificates, update pending certificates, and remove revoked certificates.
Update certificates that use certificate templates.
Update the policies on the clients and check that your root certificate appears in the Trusted Root Certificates list.