How to Install Active Directory Certificate Services?

Active Directory Certificate Services (AD CS) is a very convenient and useful cerise in a domain network. AD CS allows you to issue and manage SSL and other certificates within your domain. You can use your own free certificates for Exchange servers, IIS, RDSH farms, etc. In this article, we will show you a simplified scenario for deploying a certification authority in a test environment (it is not recommended to use this manual for a production environment due to a low security). We will show how to install and configure AD CS role and create a Group Policy for deploying root certificate in a domain.

Note. In a production environment, we do not recommend deploying AD CS on an Active Directory domain controller. In a production environment, you need to deploy:

  • Separate root certification server (Enterprise Root CA)—this server issues a certificate for signing the subordinate CA. After generating a trusted root certificate and CRL, it is recommended this server to be turned off (and put it in a safe:) );
  • Subordinate CA—this is the main server that will issue certificates in the organization. It can also store a certificate revocation list and be used to verify revoked certificates.

Certificate Services components are one of the standard Windows Server 2016 roles. In our test environment, we will install the AD CS role on a domain controller. The following role components must be deployed:

  • Certification Authority—certification authority itself;
  • Certification Authority Web Enrollment—CSR(certificate hash) certificate issuing web service.
  1. Launch Server Manager and select Add roles and features;
  2. Select the current server, in the list of roles check Active Directory Certification Authority and click Next;
    active directory certificate services
  3. In the list of AD CS role components, select:
    Certification Authority;
    Certification Authority Web Enrollment;
    Certification Authority Web Service.
    microsoft active directory certificate services
  4. Agree to add and install the necessary IIS components;
    ad certificate services
  5. Click the Install button and wait until the installation of the necessary components is completed;
    active directory certificate services 2016
  6. After the installation of the roles is completed, you need to perform the initial configuration of the ADCS role. To do this, in Server Manager, click on the yellow flag and click on Configure Active Directory Certificate Services on the destination server;
    windows server 2016 active directory certificate services
  7. Select the services to configure;
    adcs active directory
  8. Select CA type—Enterprise CA > Root CA;
    configure active directory certificate services
  9. Select Create a new private key;
    active directory certificate serviceLeave the default setting for the private key:

    • RSA provider;
    • Key length 2048;
    • Hash algorithm: SHA256.
      install active directory certificate services
  10. CN name can be left unchanged;
  11. Specify the validity period of the CA certificate (you can leave 5 years);windows server 2016 certificate services
  12. Use default CA database and log paths: c:windowssystem32certlogcertificate services on domain controller
  13. If everything is configured correctly, the caption appears: Configuration succeeded.
    active directory certificate services policy

Note. You can also install ADCS services using PowerShell. To install AD CS role, run the command:

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

After AD CS is installed, run the following command:

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA

To manage ADCS, a special Certification Authority snap-in is used (you can find it in Administrative Tools). As you can see, the role is running:

active directory certificate services additional attributes

Now you need to configure autoenrollment domain Group Policy to automatically issue certificates for domain clients.

  1. Open the Group Policy Management console, click on the domain root and select “Create a GPO in this domain, and Link it here…”;
    active directory certificate services 2016 step by step
  2. Specify a policy name and go to edit mode;
  3. Go to the section GPO – Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies;
  4. Select a template “Certificate Services Client – Auto-Enrollment”;
  5. Enable the policy and configure it as follows:
    Configuration mode: Enabled
    Renew expired certificates, update pending certificates and remove revoked certificate
    Update certificates that use certificate templates

microsoft active directory certificate services additional attributes

After creating this policy, you need to update the policies on the computer domain with the gpupdate command and make sure your root certificate appears in Trusted Root Certificates.

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.