Active Directory Certificate Services (AD CS) is a very convenient and useful service in a domain network. AD CS lets you issue and manage SSL/TLS and other certificates within your domain, so you can use your own free certificates for Exchange servers, IIS, RDSH farms, etc. In this article we show a simplified scenario for deploying a certification authority in a test environment. Do not use this guide for a production environment: a single online root CA sitting on a domain controller has a weak security posture. We will show how to install and configure the AD CS role and how to create a Group Policy that deploys the root certificate in the domain.
Note. In a production environment, do not deploy AD CS on an Active Directory domain controller: the CA private key would then live on the most sensitive host in the forest. A production PKI is normally two-tier:
- An offline root CA (a standalone root CA, not an enterprise one, because it must not depend on or stay connected to the domain). It issues only the certificate of the subordinate CA. After the root certificate and CRL have been generated and published, the server is powered off and stored securely; it is booted again only to renew the subordinate CA certificate or re-issue the CRL;
- A subordinate (issuing) CA, the server that actually issues certificates in the organization. It also publishes its certificate revocation list (CRL), which clients use to check whether a certificate has been revoked.
Certificate Services is one of the standard Windows Server 2016 roles. In our test environment we install the AD CS role on a domain controller. The following role services are needed:
- Certification Authority: the CA itself, which signs and issues certificates;
- Certification Authority Web Enrollment: an IIS web interface (http://<server>/certsrv) for submitting certificate signing requests (CSRs) and downloading issued certificates, the CA certificate and the CRL. By default it authenticates users with NTLM over plain HTTP, which makes it a classic NTLM relay target: install it only if you need it, and put it behind HTTPS.
- Launch Server Manager and select Add roles and features;
- Select the current server, in the list of roles check Active Directory Certificate Services and click Next;
- In the list of AD CS role services, select:
Certification Authority;
Certification Authority Web Enrollment.
- Agree to add and install the necessary IIS components;
- Click the Install button and wait until the installation of the necessary components is completed;
- After the installation of the roles is completed, you need to perform the initial configuration of the ADCS role. To do this, in Server Manager, click on the yellow flag and click on Configure Active Directory Certificate Services on the destination server;
- Select the services to configure;
- Select CA type—Enterprise CA > Root CA;
- Select Create a new private key;
Leave the default settings for the private key:
- Cryptographic provider: RSA#Microsoft Software Key Storage Provider;
- Key length: 2048;
- Hash algorithm: SHA256.
- The CA common name can be left at its default value (<domain prefix>-<server name>-CA);
- Specify the validity period of the CA certificate (the default of 5 years is fine for a lab; note that the CA cannot issue certificates that outlive its own certificate);
- Use the default CA database and log paths: C:\Windows\system32\CertLog;
- If everything is configured correctly, the caption appears: Configuration succeeded.
Note. You can also install and configure AD CS using PowerShell. To install the role together with its management tools, run:
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
After the role is installed, configure the CA (here an Enterprise Root CA; the cmdlet prompts for the remaining settings unless you pass them as parameters):
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
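The following script is an added example (not code from the original article) that reproduces the whole Server Manager wizard above unattended, including the Web Enrollment role service that the two commands above leave out. The CA name LAB-Root-CA is an assumed lab value, and the last step assumes an HTTPS binding already exists on the Default Web Site.

```powershell
# Added example: unattended equivalent of the AD CS wizard described above.
# Run in an elevated PowerShell session on the server that will host the CA.
$caName = 'LAB-Root-CA'   # assumed CA common name; change for your lab

# 1. Install the role services the article selects: the CA itself and the
#    IIS-based Web Enrollment pages (the latter pulls in the IIS components).
Install-WindowsFeature -Name Adcs-Cert-Authority, Adcs-Web-Enrollment -IncludeManagementTools

# 2. Configure an Enterprise Root CA with the same key settings as the wizard:
#    RSA key in the software KSP, 2048 bits, SHA-256, 5-year CA certificate,
#    default database/log location (C:\Windows\system32\CertLog).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# 3. Configure the Web Enrollment pages (http://<server>/certsrv).
Install-AdcsWebEnrollment -Force

# 4. Sanity checks: the CA service is running and answers requests.
Get-Service CertSvc | Select-Object Status, Name
certutil -ping

# 5. Hardening the wizard does not do: /certsrv accepts NTLM authentication
#    over plain HTTP, a well-known relay target. Requiring SSL keeps the
#    authentication off the wire. This assumes an HTTPS binding (with a server
#    certificate) already exists on the Default Web Site; otherwise the page
#    becomes unreachable after this change.
Import-Module WebAdministration
Set-WebConfigurationProperty -Filter 'system.webServer/security/access' `
    -PSPath 'IIS:\Sites\Default Web Site\CertSrv' -Name sslFlags -Value 'Ssl'
```

If you do not need the browser-based enrollment pages, simply omit Adcs-Web-Enrollment and step 3; domain clients enroll through the autoenrollment policy described below without them.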
To manage AD CS, use the Certification Authority snap-in (certsrv.msc, found in Administrative Tools). In it you can see that the CA service is running:
Now you need to configure autoenrollment domain Group Policy to automatically issue certificates for domain clients.
- Open the Group Policy Management console, click on the domain root and select “Create a GPO in this domain, and Link it here…”;
- Specify a policy name and go to edit mode;
- Go to the section GPO – Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies;
- Open the Certificate Services Client – Auto-Enrollment policy;
- Enable it and configure it as follows:
Configuration Model: Enabled
Renew expired certificates, update pending certificates and remove revoked certificates: checked
Update certificates that use certificate templates: checked
After creating the policy, refresh Group Policy on a domain computer (gpupdate /force) and check that your root CA certificate appears in the computer's Trusted Root Certification Authorities store. For an Enterprise CA the root certificate is also published to Active Directory, so domain members pick it up automatically; the autoenrollment policy is what lets them request certificates from published templates without user interaction.
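As an added example (not from the original article), the GPO steps above and the final check can be scripted as follows. The domain DN, GPO name and CA name are assumed lab values; the script requires the GroupPolicy RSAT module on the host where the first part runs, and the second part is meant to run on a domain-joined client.

```powershell
# Added example: create and link the auto-enrollment GPO, then verify on a client.
Import-Module GroupPolicy

$gpoName  = 'PKI Autoenrollment'   # assumed GPO name
$domainDN = 'DC=lab,DC=local'      # assumed domain DN
$caName   = 'LAB-Root-CA'          # assumed CA common name

# The "Certificate Services Client - Auto-Enrollment" setting lives under this
# registry key. AEPolicy = 7 is what the GPO editor writes for "Enabled" with
# both "Renew expired certificates..." and "Update certificates that use
# certificate templates" checked (0x8000 would mean Disabled).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Name $gpoName -Target $domainDN | Out-Null
}
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# --- Run the rest on a domain-joined client, elevated ---
gpupdate /force
certutil -pulse   # trigger auto-enrollment now instead of waiting for the timer

# The enterprise root CA certificate must be in the machine Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$caName*" }
if (-not $root) { throw "Root CA '$caName' is not trusted on this host" }
"Trusted root: $($root.Subject), thumbprint $($root.Thumbprint)"

# Once a template with Autoenroll permission is published on the CA, the
# certificates it issues to this computer appear in the machine store.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "CN=$caName*" } |
    Select-Object Subject, NotAfter, Thumbprint
```

The `Cert:\LocalMachine\Root` check is the one that matters for trust; an empty result from the last query is normal until you publish a template whose ACL grants Domain Computers the Autoenroll permission.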