How to Set Up Active Directory Certificate Services on Windows Server 2012 R2

Active Directory Certificate Services (AD CS) on Windows Server 2012 R2 provides Public Key Infrastructure (PKI) services for the enterprise, enabling the issuance and management of digital certificates. These certificates support a wide range of security functions: SSL/TLS for internal servers, smart card authentication, code signing, email encryption, BitLocker Network Unlock, and many other scenarios. A properly deployed AD CS hierarchy consists of an offline Root CA for maximum security and one or more Enterprise Subordinate CAs for day-to-day certificate issuance. This guide covers the two-tier CA hierarchy deployment that is recommended for production environments.

Prerequisites

Plan your CA hierarchy before installation. The Root CA should be an offline standalone server (not domain-joined) that is powered off when not in use. The Subordinate (Issuing) CA should be domain-joined and online. You need Domain Admin and Enterprise Admin rights to deploy an Enterprise CA. Ensure the server designated for the Issuing CA has a stable hostname and FQDN, as changing the CA computer name after installation is extremely complex. Plan the Certificate Revocation List (CRL) Distribution Point URLs and Authority Information Access (AIA) URLs that will be embedded in all issued certificates; these must be publicly accessible for certificate validation.

Part 1: Installing the Offline Root CA

Install AD CS on a standalone (non-domain-joined) server that will serve as the Root CA. This server should have no network connectivity after the initial CA setup:

# On the OFFLINE Root CA server (standalone, not domain-joined)
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Configure the Root CA as a Standalone Root
# (4096-bit RSA key, SHA-256, 20-year CA certificate; Windows paths need backslashes)
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "Contoso Root CA" `
    -CADistinguishedNameSuffix "O=Contoso,C=US" `
    -HashAlgorithmName SHA256 `
    -KeyLength 4096 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 20 `
    -DatabaseDirectory "C:\Windows\System32\CertLog" `
    -LogDirectory "C:\Windows\System32\CertLog"

Configuring Root CA Extensions (CDP and AIA)

Configure the CRL Distribution Points and Authority Information Access URLs that will be embedded in the Root CA certificate and certificates it issues. Set these BEFORE issuing the Subordinate CA certificate:

# On the Root CA, configure CRL distribution points
# Remove default CDP and AIA, add custom ones pointing to your CRL server.
# The registry values live under CA\; entries are separated by a literal "\n";
# flag 1 = the CA publishes the file to this location,
# flag 2 = the URL is placed in the extension of every issued certificate.

# Set CDP extensions (where clients find the CRL)
certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.com/pki/%3%8%9.crl"

# Set AIA extensions (where clients find the CA certificate for chain building)
certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%3%4.crt\n2:http://pki.contoso.com/pki/%3%4.crt"

# Configure CRL settings (base CRL valid for 52 weeks, no delta CRL, 12-hour overlap)
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"

# Restart certificate services to apply changes
Restart-Service CertSvc

# Publish the CRL (written to C:\Windows\System32\CertSrv\CertEnroll)
certutil -crl
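Before the Root CA is taken offline, it is worth reading the CDP/AIA values back and checking them for the mistakes that break chain building later (no file location, HTTP entry not placed in certificates, a leftover default LDAP URL on a CA that never publishes to the directory). The following is an added check script, not part of the original guide; it assumes an elevated session on the CA, certutil on the PATH, and the guide's sample URL http://pki.contoso.com/pki.

```powershell
# Added example: read back the CDP/AIA registry settings and check they are consistent.
# Assumes certutil is on PATH and the session is elevated on the CA.
function Get-CaPublicationUrl {
    param([Parameter(Mandatory)][ValidateSet('CRLPublicationURLs','CACertPublicationURLs')][string]$Setting)
    # certutil -getreg lists each REG_MULTI_SZ entry as "  0: 1:C:\...\%3%8%9.crl"
    foreach ($line in (certutil -getreg "CA\$Setting" 2>&1)) {
        if ($line -match '^\s*\d+:\s*(?<flags>\d+):(?<url>\S.*)$') {
            $flags = [int]$Matches.flags
            [pscustomobject]@{
                Setting = $Setting
                Flags   = $flags
                Url     = $Matches.url.Trim()
                Publish = ($flags -band 1) -ne 0   # bit 1: the CA writes the file here
                InExt   = ($flags -band 2) -ne 0   # bit 2: URL goes into issued certificates
            }
        }
    }
}

function Test-CaPublicationConfig {
    param([string]$ExpectedHttpBase = 'http://pki.contoso.com/pki')
    $problems = @()
    foreach ($setting in 'CRLPublicationURLs','CACertPublicationURLs') {
        $entries = @(Get-CaPublicationUrl -Setting $setting)
        if (-not ($entries | Where-Object { $_.Publish -and $_.Url -notmatch '^(http|ldap):' })) {
            $problems += "$setting has no local file publish location (bit 1)"
        }
        $http = @($entries | Where-Object { $_.Url -like "$ExpectedHttpBase/*" })
        if (-not $http) {
            $problems += "$setting has no entry under $ExpectedHttpBase"
        } elseif (-not ($http | Where-Object InExt)) {
            $problems += "$setting HTTP entry is not included in issued certificates (bit 2)"
        }
        # A leftover default LDAP URL on an offline root points clients at a
        # directory this CA never publishes to
        foreach ($e in ($entries | Where-Object { $_.Url -match '^ldap:' })) {
            $problems += "$setting still contains an LDAP URL: $($e.Url)"
        }
    }
    foreach ($p in $problems) { Write-Warning $p }
    return ($problems.Count -eq 0)
}

Test-CaPublicationConfig
```

Run it after `certutil -crl`; a `$true` result means both lists carry a local publish location and an HTTP URL that will appear in the SubCA certificate.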

Part 2: Generating the Subordinate CA Certificate Request

On the server designated for the Subordinate (Issuing) CA, generate a certificate request to be signed by the Root CA:

# On the SUBORDINATE CA server (domain-joined)
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Create a CAPolicy.inf to define the SubCA certificate parameters.
# Use a single-quoted here-string: in a double-quoted one PowerShell would
# expand "$Windows" as a variable and corrupt the Signature line.
$CAPolicyINF = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalUseOnly

[InternalUseOnly]
; Replace with a policy OID from your organization's own OID arc
OID=2.16.840.1.101.3.4.1
Notice=For internal use only

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
'@
# CAPolicy.inf is only read if it sits in the Windows directory
$CAPolicyINF | Out-File "C:\Windows\CAPolicy.inf" -Encoding UTF8

# Install SubCA - this creates a pending request rather than completing setup
New-Item -ItemType Directory -Path "C:\CARequest" -Force | Out-Null
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName "Contoso Issuing CA 01" `
    -CADistinguishedNameSuffix "O=Contoso,C=US" `
    -HashAlgorithmName SHA256 `
    -KeyLength 4096 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -OutputCertRequestFile "C:\CARequest\SubCA-Request.req"

Part 3: Signing the Subordinate CA Certificate on the Root CA

Transfer the .req file to the Root CA (via USB or similar out-of-band method) and sign it:

# On the OFFLINE Root CA
# Submit the SubCA certificate request; -config is "<CA host name>\<CA common name>".
# A standalone CA holds requests as Pending, so note the RequestId that is printed.
certreq -submit -config "RootCA\Contoso Root CA" "C:\SubCA-Request.req"

# Issue the pending request using the RequestId from the step above
$RequestId = 2    # sample value: replace with the RequestId printed by certreq -submit
certutil -resubmit $RequestId
# Or through the CA management console:
# certsrv.msc > Pending Requests > right-click > All Tasks > Issue

# Retrieve the issued SubCA certificate
certreq -retrieve -config "RootCA\Contoso Root CA" $RequestId "C:\SubCA-Cert.cer"

# Export the Root CA certificate
certutil -ca.cert "C:\RootCA.cer"

# Copy SubCA-Cert.cer and RootCA.cer back to the SubCA server, together with the
# Root CRL from C:\Windows\System32\CertSrv\CertEnroll; the CRL has to be reachable
# at the HTTP CDP URL before the SubCA service can start

Part 4: Completing the Subordinate CA Installation

Install the Root CA certificate into the Subordinate CA’s trusted store and complete the installation:

# On the SUBORDINATE CA server
# Install the Root CA certificate into the machine store
certutil -addstore Root "C:\RootCA.cer"

# Publish Root CA certificate to Active Directory
certutil -dspublish -f "C:\RootCA.cer" RootCA

# Complete the pending SubCA installation with the signed certificate.
# The CA role is already installed, so the certificate is installed with certutil
# (the same operation as "Install CA Certificate" in certsrv.msc)
certutil -installcert "C:\SubCA-Cert.cer"

# Verify the SubCA service starts
Start-Service CertSvc
Get-Service CertSvc | Select-Object Status

Configuring Certificate Templates

Create and configure certificate templates for common enterprise uses. Duplicate an existing template to create a custom one:

# Using the Certificate Templates console (certtmpl.msc)
# Duplicate "Web Server" template for internal SSL certificates:
# 1. Right-click "Web Server" > Duplicate Template
# 2. Set Validity: 2 years
# 3. Set Renewal: 6 weeks before expiry
# 4. Security: Add "Authenticated Computers" with Read + Enroll
# 5. Name: "Contoso Internal Web Server"
# 6. Request Handling: "Allow private key to be exported"

# Add the new template to the CA. -Name takes the template's short name
# (the display name with spaces removed), not the display name itself
Add-CATemplate -Name "ContosoInternalWebServer" -Force

# List available templates on the CA
certutil -catemplates
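Once a template is published, the settings that matter for security are the enrollment permissions and the request-handling flags, and both are stored on the template object in the Configuration partition rather than on the CA. The following audit function is an added example, not code from the original guide; it assumes the ActiveDirectory RSAT module, rights to read the Configuration partition, and the template display name created above.

```powershell
# Added example: report who may enroll for a template and which request-handling
# flags it carries, read from the template object in the Configuration partition.
Import-Module ActiveDirectory

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-CertTemplateAudit {
    param([Parameter(Mandatory)][string]$DisplayName)
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $t = Get-ADObject -SearchBase $base `
            -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))" `
            -Properties nTSecurityDescriptor,'msPKI-Certificate-Name-Flag','msPKI-Private-Key-Flag'
    if (-not $t) { throw "Template '$DisplayName' not found under $base" }

    # Principals allowed to Enroll or AutoEnroll (GenericAll implies both)
    $grants = foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $right = $null
        if ($ace.ObjectType -eq $EnrollRight) { $right = 'Enroll' }
        elseif ($ace.ObjectType -eq $AutoEnrollRight) { $right = 'AutoEnroll' }
        elseif ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { $right = 'GenericAll' }
        if ($right) { "$($ace.IdentityReference) : $right" }
    }

    [pscustomobject]@{
        Template   = $DisplayName
        TemplateCN = $t.Name
        Grants     = $grants
        # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1): the requester chooses the subject name
        RequesterSuppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
        # CT_FLAG_EXPORTABLE_KEY (0x10): the "Allow private key to be exported" option
        PrivateKeyExportable     = ($t.'msPKI-Private-Key-Flag' -band 0x10) -ne 0
    }
}

Get-CertTemplateAudit -DisplayName 'Contoso Internal Web Server' | Format-List
```

Review the Grants list against the intended group from step 4 and keep RequesterSuppliesSubject and PrivateKeyExportable limited to templates that genuinely need them.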

Enabling Auto-Enrollment via Group Policy

Configure Group Policy for automatic certificate enrollment for domain computers and users:

# Configure via GPO:
# Computer Configuration > Windows Settings > Security Settings > 
# Public Key Policies > Certificate Services Client - Auto-Enrollment
# Set: Configuration model = Enabled
# Check: Renew expired certificates, update pending certificates, and remove revoked certificates
# Check: Update certificates that use certificate templates

# User Configuration > Windows Settings > Security Settings >
# Public Key Policies > Certificate Services Client - Auto-Enrollment
# Same settings for user certificates
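The GPO settings above arrive on clients as the AEPolicy registry value, so the quickest way to confirm the policy applied is to read that value on a domain member and then trigger an enrollment pass. The following is an added example, not part of the original guide; it assumes a domain-joined client, that 7 is the value written for "Enabled" with both options checked and 0x8000 for "Disabled", and the Issuing CA name used above.

```powershell
# Added example: show the auto-enrollment policy state for computer and user scope
# and trigger an enrollment pass. AEPolicy is the value the GPO setting writes.
function Get-AutoEnrollmentState {
    $scopes = [ordered]@{
        Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
        User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    }
    foreach ($scope in $scopes.Keys) {
        $value = (Get-ItemProperty -Path $scopes[$scope] -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        if ($null -eq $value)        { $state = 'Not configured (GPO not applied?)' }
        elseif ($value -band 0x8000) { $state = 'Disabled' }
        elseif ($value -eq 7)        { $state = 'Enabled, renew/update and template update on' }
        else                         { $state = 'Enabled, AEPolicy=0x{0:X} (check the two options)' -f $value }
        [pscustomobject]@{ Scope = $scope; AEPolicy = $value; State = $state }
    }
}

Get-AutoEnrollmentState | Format-Table -AutoSize

# Trigger an auto-enrollment pass now rather than waiting for the next policy refresh,
# then list machine certificates issued by the Issuing CA configured above
certutil -pulse
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like 'CN=Contoso Issuing CA 01*' } |
    Select-Object Subject, NotAfter, Thumbprint
```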

Setting Up a CRL Distribution Point Web Server

The CRL must be publicly accessible for certificate validation. Configure IIS to serve CRL files:

# Install IIS on the CRL distribution server
Install-WindowsFeature Web-Server -IncludeManagementTools
Import-Module WebAdministration

# Create the PKI virtual directory
New-Item -ItemType Directory -Path "C:\PKI" -Force | Out-Null
New-WebVirtualDirectory -Site "Default Web Site" -Name "pki" `
    -PhysicalPath "C:\PKI"

# Enable directory browsing for the PKI virtual directory
Set-WebConfigurationProperty -Filter "/system.webServer/directoryBrowse" `
    -Name enabled -Value true `
    -PSPath "IIS:\Sites\Default Web Site\pki"

# Copy CRL and CA certificate files to C:\PKI
# Configure CA to publish CRL to this location via network share
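A CRL that is reachable but past its NextUpdate fails validation just as hard as one that is missing, so the web server is best checked the way a client uses it: fetch the CRL over the HTTP CDP URL and read its validity window. The following monitor function is an added example, not part of the original guide; it assumes certutil is available where it runs and uses the guide's sample URL and CA name (the file name is the sanitized CA name, so the spaces are URL-encoded).

```powershell
# Added example: download the published CRL over HTTP and report its validity window.
function Test-PublishedCrl {
    param(
        [string]$Url = 'http://pki.contoso.com/pki/Contoso%20Root%20CA.crl',
        [int]$WarnDays = 3   # warn when NextUpdate is this close or already past
    )
    $tmp = Join-Path $env:TEMP ('crlcheck-{0}.crl' -f [guid]::NewGuid())
    try {
        $resp = Invoke-WebRequest -Uri $Url -OutFile $tmp -PassThru -UseBasicParsing
        if ($resp.StatusCode -ne 200) { throw "HTTP $($resp.StatusCode) from $Url" }
        # certutil -dump prints " ThisUpdate: <date>" and " NextUpdate: <date>" in the local format
        $dump       = certutil -dump $tmp
        $thisUpdate = [datetime]::Parse((($dump | Select-String 'ThisUpdate:').Line -replace '.*ThisUpdate:\s*', ''))
        $nextUpdate = [datetime]::Parse((($dump | Select-String 'NextUpdate:').Line -replace '.*NextUpdate:\s*', ''))
        $issuer     = (($dump | Select-String '^\s*CN=').Line | Select-Object -First 1).Trim()
        $left       = $nextUpdate - (Get-Date)
        [pscustomobject]@{
            Url        = $Url
            Issuer     = $issuer
            ThisUpdate = $thisUpdate
            NextUpdate = $nextUpdate
            DaysLeft   = [math]::Round($left.TotalDays, 1)
            Status     = if ($left.TotalDays -lt 0) { 'EXPIRED' } elseif ($left.TotalDays -lt $WarnDays) { 'WARN' } else { 'OK' }
        }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

Test-PublishedCrl | Format-List
```

Schedule it against both the Root and Issuing CA CRLs with a warning threshold shorter than the CRL overlap period. If delta CRLs are enabled on the Issuing CA later, their file names contain a "+" and IIS request filtering must allow double escaping on the pki directory for them to be served.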

Verification

# Verify CA is healthy
certutil -ping

# Check CA chain
certutil -verify "C:\SubCA-Cert.cer"

# Verify a certificate issued by the CA, fetching the CDP/AIA URLs as a client would
certutil -verify -urlfetch "C:\IssuedCert.cer"

# View CA configuration and the CDP/AIA extensions it places in certificates
certutil -cainfo
Get-CACrlDistributionPoint | Format-List
Get-CAAuthorityInformationAccess | Format-List

# Check CRL publication
certutil -CRL
certutil -store -enterprise Root | Select-String "Contoso Root CA"

Summary

A two-tier Active Directory Certificate Services deployment on Windows Server 2012 R2 provides a secure, scalable PKI for the enterprise. The offline Root CA signs only the Subordinate CA certificate and is then powered down, protecting the root of trust. The Issuing CA handles day-to-day certificate operations with templates configured for specific use cases. Critical to a functional PKI is properly configured CDP and AIA URLs that are accessible to all clients, and auto-enrollment via Group Policy to distribute certificates without manual intervention. Regular CRL publication and monitoring of certificate expiry ensure uninterrupted operation of all certificate-dependent services.