How to Configure Active Directory Certificate Services (AD CS) on Windows Server 2025

Public Key Infrastructure (PKI) underpins a vast range of Windows security features: TLS certificates for internal websites and LDAPS, smart card authentication, EFS file encryption, S/MIME email signing, and 802.1X network access control. Active Directory Certificate Services (AD CS) is the Microsoft role that turns a Windows Server into a Certificate Authority (CA), capable of issuing, revoking, and managing digital certificates for every machine and user in the domain. Windows Server 2025 ships with a fully modernised AD CS role that integrates tightly with Active Directory, Group Policy autoenrollment, and the Certification Authority MMC. This tutorial walks through installing an Enterprise Root CA, configuring distribution points, managing certificate templates, and enabling automatic certificate enrollment across the domain.

Prerequisites

  • A domain-joined Windows Server 2025 server. Do not install the Enterprise Root CA on a domain controller — use a dedicated member server.
  • Domain Admin or Enterprise Admin credentials (required for Enterprise CA installation).
  • A static IP address and a fully qualified DNS name for the CA server.
  • Sufficient disk space on the CA server — the CA database and logs grow over time. A dedicated volume of at least 20 GB is recommended for production.
  • An understanding of your PKI hierarchy. This tutorial deploys a single-tier hierarchy (one Enterprise Root CA that both anchors trust and issues end-entity certificates), suitable for small to medium environments; larger or higher-assurance environments normally use a two-tier design with an offline root and an online issuing CA.

Step 1: Install the AD CS Role

Install the Certificate Authority role and its management tools using PowerShell:

# Install the AD CS role with management tools
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Verify the installation
Get-WindowsFeature ADCS-Cert-Authority

# Optionally install the web enrollment service for browser-based certificate requests
Install-WindowsFeature ADCS-Web-Enrollment -IncludeManagementTools

# Install the Online Responder for OCSP support (recommended for production)
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools

Step 2: Configure the Enterprise Root CA

After installing the role, configure it using Install-AdcsCertificationAuthority. The configuration step is what actually builds the CA database and generates the root certificate:

# Configure an Enterprise Root CA
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "Corp-Root-CA" `
    -CADistinguishedNameSuffix "DC=corp,DC=local" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -DatabaseDirectory "D:\CertDB" `
    -LogDirectory "D:\CertLog" `
    -Force

# Confirm the CA service is running
Get-Service CertSvc | Select-Object Name, Status, StartType

Key parameters explained:

  • EnterpriseRootCA — integrates with Active Directory, allowing autoenrollment and domain-aware certificate templates.
  • KeyLength 4096 — use 4096-bit RSA for a root CA that may be valid for 10+ years. Subordinate CAs can use 2048-bit keys for operational performance.
  • HashAlgorithmName SHA256 — SHA-1 is deprecated; SHA-256 is the current standard.
  • ValidityPeriodUnits 10 — root CA certificates should have a long validity; issued certificates will always expire before the issuing CA.

Step 3: Configure the CRL Distribution Point and AIA Extension

Clients must be able to download the Certificate Revocation List (CRL) and verify the CA’s own certificate via the Authority Information Access (AIA) extension. Configure these to point to an accessible web server or file share:

# Replace the default CRL and AIA publication paths with local, LDAP and HTTP entries.
# Prefix flags: 1 = publish the file to this location, 2 = include the URL in the CDP/AIA
# extension of issued certificates. Only the local path carries flag 1, so the web server
# behind pki.corp.local must serve the CertEnroll folder itself (for example as an IIS
# virtual directory) or the HTTP URLs will not resolve for clients.
$CAConfig = "CA01.corp.local\Corp-Root-CA"   # <CA host>\<CA name>; lets certutil target this CA explicitly

# Define the CRL Distribution Point
certutil -config $CAConfig -setreg CA\CRLPublicationURLs `
    "1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl`n2:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10`n2:http://pki.corp.local/CertEnroll/%3%8%9.crl"

# Define the AIA extension
certutil -config $CAConfig -setreg CA\CACertPublicationURLs `
    "1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt`n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11`n2:http://pki.corp.local/CertEnroll/%1_%3%4.crt"

# Set the CRL validity period: base CRL weekly, delta CRL daily
certutil -config $CAConfig -setreg CA\CRLPeriodUnits 1
certutil -config $CAConfig -setreg CA\CRLPeriod "Weeks"
certutil -config $CAConfig -setreg CA\CRLDeltaPeriodUnits 1
certutil -config $CAConfig -setreg CA\CRLDeltaPeriod "Days"

# Restart the CA service to apply changes
Restart-Service CertSvc

# Publish a new CRL immediately
certutil -CRL
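A post-deployment check for Steps 2 and 3, added here as an example and not part of the original tutorial: it reads the Step 2 choices back from the published CA certificate, confirms the HTTP location advertised with flag 2 really serves the files that flag 1 published to CertEnroll, and confirms the CRLs are not past NextUpdate. It assumes the tutorial's names (Corp-Root-CA, http://pki.corp.local/CertEnroll) and runs on the CA server after certutil -CRL.

```powershell
# Added example (not from the tutorial): validate the CA and its publication points.
# Assumes Corp-Root-CA and http://pki.corp.local/CertEnroll from Steps 2 and 3.
function Test-CorpPkiPublication {
    param(
        [string]$CAName   = "Corp-Root-CA",
        [string]$HttpBase = "http://pki.corp.local/CertEnroll"
    )
    $enroll  = "$env:windir\System32\CertSrv\CertEnroll"
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($check, $ok, $detail) {
        $results.Add([pscustomobject]@{ Check = $check; Ok = [bool]$ok; Detail = "$detail" })
    }

    # Step 2 choices, read back from the certificate the CA published for itself
    $crtFile = Get-ChildItem "$enroll\*_$CAName.crt" | Select-Object -First 1
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crtFile.FullName
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    Add-Result "Root key is RSA 4096"        ($rsa.KeySize -ge 4096) $rsa.KeySize
    Add-Result "Root is signed with SHA-256" ($cert.SignatureAlgorithm.FriendlyName -eq "sha256RSA") $cert.SignatureAlgorithm.FriendlyName
    Add-Result "Root in local Trusted Roots" (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)") $cert.Thumbprint

    # Step 3: flag 1 publishes into CertEnroll, flag 2 only advertises the HTTP URL, so
    # whatever serves pki.corp.local must expose exactly these files. Compare hashes.
    foreach ($name in @("$CAName.crl", "$CAName+.crl", $crtFile.Name)) {
        try {
            $localHash = (Get-FileHash "$enroll\$name" -Algorithm SHA256).Hash
            $tmp = Join-Path $env:TEMP $name
            Invoke-WebRequest -Uri "$HttpBase/$name" -OutFile $tmp -UseBasicParsing
            $same = ((Get-FileHash $tmp -Algorithm SHA256).Hash -eq $localHash)
            Add-Result "HTTP copy of $name" $same $(if ($same) { "matches CertEnroll" } else { "stale or different file" })
        } catch {
            Add-Result "HTTP copy of $name" $false $_.Exception.Message
        }
    }

    # CRL freshness: NextUpdate must lie in the future (Step 3 chose weekly base, daily delta)
    foreach ($crl in @("$CAName.crl", "$CAName+.crl")) {
        $line = certutil -dump "$enroll\$crl" | Where-Object { $_ -match "NextUpdate:" } | Select-Object -First 1
        $next = [datetime]::Parse(($line -replace '^\s*NextUpdate:\s*', ''))
        Add-Result "$crl still valid" ($next -gt (Get-Date)) "NextUpdate $next"
    }
    return $results
}

Test-CorpPkiPublication | Format-Table -AutoSize
```

Any row with Ok = False is a client-visible problem: a stale HTTP copy or an expired CRL makes revocation checking fail for every certificate the CA has issued.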

Step 4: Manage Certificate Templates

Enterprise CAs use certificate templates stored in Active Directory to define what certificates can be issued and to whom. Windows Server 2025 ships with several built-in templates. Best practice is to duplicate a built-in template rather than modifying it directly:

# List the templates this CA is currently configured to issue
Get-CATemplate | Select-Object Name, Oid

# The same list from certutil ("certutil -template" shows every template defined in the domain)
certutil -CATemplates

# Duplicate and configure a template via the MMC (Certification Authority):
# 1. Open certsrv.msc
# 2. Expand the CA, right-click "Certificate Templates" > "Manage"
# 3. Right-click "Workstation Authentication" > "Duplicate Template"
# 4. On the General tab: rename to "Corp-Workstation-Auth"
# 5. On the Security tab: add "Domain Computers" with Read, Enroll, Autoenroll
# 6. On the Subject Name tab: select "Build from Active Directory information"

# After creating the template in the MMC, add it to the CA's issuance list:
Add-CATemplate -Name "Corp-Workstation-Auth"

# Verify it is listed
Get-CATemplate | Where-Object { $_.Name -eq "Corp-Workstation-Auth" }
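An audit of the two settings Step 4 configures, added here as an example that is not part of the original tutorial: for every template the CA issues, it reads the template object from the Configuration partition and reports who holds Enroll/Autoenroll (Security tab) and whether the subject is built from Active Directory, as instructed, or may be supplied by the requester (Subject Name tab). It assumes the ActiveDirectory and ADCSAdministration modules are available on the CA server.

```powershell
# Added example (not from the tutorial): report enrollers and subject-name source
# for every template this CA issues. Requires ActiveDirectory + ADCSAdministration.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$ADR             = [System.DirectoryServices.ActiveDirectoryRights]
$EnrollRight     = [guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"  # Certificate-Enrollment control access right
$AutoEnrollRight = [guid]"a05b8cc2-17bc-4802-a710-e7c15ab866a2"  # Certificate-AutoEnrollment control access right
$EnrolleeSuppliesSubject = 0x1                                    # bit in msPKI-Certificate-Name-Flag
$BroadPrincipals = "Domain Users", "Domain Computers", "Authenticated Users", "Everyone"

function Get-IssuedTemplateReport {
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
    foreach ($t in Get-CATemplate) {
        # The template's AD object shares its Name (CN); it holds the flags and the ACL
        $tpl = Get-ADObject -Identity "CN=$($t.Name),$base" `
                   -Properties msPKI-Certificate-Name-Flag, nTSecurityDescriptor

        # ACEs that let a principal request this template: the Enroll/Autoenroll control
        # access rights, or "all extended rights" (empty ObjectType, which GenericAll ACEs use)
        $enrollers = $tpl.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq "Allow" -and
            (($_.ActiveDirectoryRights -band $ADR::ExtendedRight) -ne 0) -and
            ($_.ObjectType -in $EnrollRight, $AutoEnrollRight, [guid]::Empty)
        } | ForEach-Object { $_.IdentityReference.Value.Split('\')[-1] } | Sort-Object -Unique

        $subjectFromRequester = [bool]($tpl.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject)
        $broad = @($enrollers | Where-Object { $_ -in $BroadPrincipals })
        [pscustomobject]@{
            Template             = $t.Name
            SubjectFromRequester = $subjectFromRequester   # Step 4 expects $false (built from AD)
            Enrollers            = ($enrollers -join ", ")
            # A requester-supplied subject plus a broad enroll grant lets any member of that
            # group pick the identity that goes on the certificate, so mark it for review
            Review               = ($subjectFromRequester -and $broad.Count -gt 0)
        }
    }
}

Get-IssuedTemplateReport | Format-Table -AutoSize
```

For Corp-Workstation-Auth the expected row is SubjectFromRequester = False with Domain Computers among the enrollers and Review = False.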

Step 5: Configure Autoenrollment via Group Policy

Autoenrollment allows machines and users to automatically request, receive, and renew certificates without manual intervention — the cornerstone of a scalable enterprise PKI:

# Open Group Policy Management and edit the Default Domain Policy
# (or create a dedicated PKI GPO)

# Computer Configuration > Windows Settings > Security Settings >
# Public Key Policies > Certificate Services Client - Auto-Enrollment

# Configure via PowerShell using the Registry (for GPO-equivalent settings):
# Machine autoenrollment settings are in:
# HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment
# (this sets local policy on one machine; the GPO path above applies it domain-wide)
$aePath = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
New-Item -Path $aePath -Force | Out-Null   # the key does not exist until a policy has been applied
Set-ItemProperty -Path $aePath -Name "AEPolicy" -Value 7 -Type DWord
# 7 = 1 (enabled) + 2 (renew expired, update pending, remove revoked certificates)
#       + 4 (update certificates that use certificate templates)

# Force a Group Policy update and trigger autoenrollment
gpupdate /force
certutil -pulse

In Group Policy Management, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment. Set the configuration model to Enabled and check both Renew expired certificates and Update certificates that use certificate templates.
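A client-side verification for this step, added here as an example that is not part of the original tutorial: run on a domain computer after gpupdate and certutil -pulse, it finds the certificate issued from the Step 4 template by its Certificate Template Information extension, reports how long it remains valid, and surfaces the autoenrollment errors that are logged only on the client. It assumes the tutorial's template name Corp-Workstation-Auth.

```powershell
# Added example (not from the tutorial): confirm autoenrollment delivered the template
# and collect client-side autoenrollment errors. Assumes template "Corp-Workstation-Auth".
function Test-AutoEnrollment {
    param([string]$TemplateName = "Corp-Workstation-Auth", [int]$WarnDays = 30)

    # Certificates issued from a v2+ template carry the "Certificate Template Information"
    # extension (OID 1.3.6.1.4.1.311.21.7). Format() renders it as Template=<name>(<oid>),...
    # when the template can be resolved in AD, so match on the name.
    $issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq "1.3.6.1.4.1.311.21.7" }
        $ext -and ($ext.Format($false) -match "Template=$([regex]::Escape($TemplateName))\b")
    } | Sort-Object NotAfter -Descending

    # Client-side autoenrollment problems are logged in Application under this provider
    $errors = Get-WinEvent -FilterHashtable @{
        LogName      = "Application"
        ProviderName = "Microsoft-Windows-CertificateServicesClient-AutoEnrollment"
        Level        = 2, 3                     # Error and Warning
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue

    $newest = $issued | Select-Object -First 1
    $days   = if ($newest) { [int]($newest.NotAfter - (Get-Date)).TotalDays } else { $null }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        HasCertificate = [bool]$newest
        Thumbprint     = $newest.Thumbprint
        Issuer         = $newest.Issuer          # expected: CN=Corp-Root-CA,DC=corp,DC=local
        DaysRemaining  = $days
        RenewalDue     = [bool]($newest -and $newest.NotAfter -lt (Get-Date).AddDays($WarnDays))
        RecentErrors   = @($errors).Count
        LastError      = ($errors | Select-Object -First 1).Message
    }
}

Test-AutoEnrollment | Format-List
```

Wrap the call in Invoke-Command -ComputerName against a list of workstations to get one row per machine; HasCertificate = False together with RecentErrors greater than zero is the usual sign of a template permission or CDP reachability problem.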

Step 6: Request Certificates via PowerShell

Users and administrators can request certificates programmatically using Get-Certificate:

# Request a certificate from a specific template
$result = Get-Certificate `
    -Template "Corp-Workstation-Auth" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -DnsName "workstation01.corp.local"

Write-Host "Status: $($result.Status)"
Write-Host "Thumbprint: $($result.Certificate.Thumbprint)"
Write-Host "Expires: $($result.Certificate.NotAfter)"

# Request a user certificate (for smart card or email signing)
$userCert = Get-Certificate `
    -Template "User" `
    -CertStoreLocation "Cert:\CurrentUser\My"

# View all certificates in the machine store
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter, Issuer |
    Format-Table -AutoSize

# Check certificate chain validity (online revocation checking is the default, so this
# also exercises the CDP and AIA locations configured in Step 3)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "workstation01" } |
    Select-Object -First 1

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.Build($cert)   # True when the chain is valid
$chain.ChainStatus    # empty for a valid chain; otherwise e.g. RevocationStatusUnknown, UntrustedRoot

Step 7: Issue Certificates via Web Enrollment

The AD CS Web Enrollment pages (http://CA01.corp.local/certsrv) provide a browser-based interface for users who cannot use autoenrollment. After installing the ADCS-Web-Enrollment feature:

# Configure web enrollment (run on the CA server)
Install-AdcsWebEnrollment -Force

# Ensure IIS is running
Get-Service W3SVC | Start-Service

# Test connectivity to the enrollment page
Invoke-WebRequest -Uri "http://localhost/certsrv" -UseDefaultCredentials | 
    Select-Object StatusCode, StatusDescription

Users browse to http://CA01.corp.local/certsrv, select Request a certificate, choose a template, and submit the request. Pending requests appear in the Certification Authority MMC under Pending Requests, where an administrator can approve or deny them. Bind an HTTPS certificate (for example one issued by this CA from the Web Server template) to the IIS site before users try it: the enrollment pages refuse to submit requests over plain HTTP and tell the user the site must be configured for HTTPS.

Conclusion

Active Directory Certificate Services on Windows Server 2025 provides a robust, AD-integrated PKI that scales from small departments to enterprise-wide certificate infrastructure. By deploying an Enterprise Root CA with properly configured CRL distribution points and AIA extensions, creating custom certificate templates based on duplicated built-in templates, and enabling Group Policy autoenrollment, you give every machine and user in the domain access to trusted certificates without manual intervention. The result is a foundation for LDAPS, secure Wi-Fi with 802.1X, code signing, and encrypted communications — all managed centrally through Active Directory and Group Policy.