How to Configure Windows Server 2016 Active Directory Certificate Services
Active Directory Certificate Services (AD CS) provides the infrastructure for creating, managing, and distributing digital certificates within an Active Directory environment. Certificates issued by an AD CS certificate authority (CA) are used for a wide range of security scenarios including smart card authentication, SSL/TLS for internal websites, email encryption with S/MIME, EFS file encryption, VPN authentication, and Wi-Fi authentication with 802.1X. Windows Server 2016 includes a fully featured enterprise CA that integrates deeply with Active Directory for automated certificate enrollment and management.
Understanding CA Hierarchy
A well-designed PKI uses a two-tier hierarchy. The Root CA sits at the top of the trust hierarchy and should be kept offline after initial setup to protect the root private key. Subordinate (Issuing) CAs are online and issue certificates to end entities such as users, computers, and services. The root CA only signs the issuing CA certificate and its own CRL. For small environments, a single-tier design (one enterprise root CA that also issues end-entity certificates) may be acceptable, though it is less secure because the root private key then stays online permanently.
Step 1: Install AD CS Role
Install the Certificate Authority role service and management tools:
Install-WindowsFeature AD-Certificate -IncludeManagementTools
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert, ADCS-Enroll-Web-Svc -IncludeManagementTools
Verify installation:
Get-WindowsFeature | Where-Object { $_.Name -like "ADCS*" } | Select Name, InstallState
Step 2: Configure an Enterprise Root CA
Configure the Certificate Authority role using the Install-AdcsCertificationAuthority cmdlet. An Enterprise CA requires the server to be domain-joined and have access to Active Directory:
Install-AdcsCertificationAuthority `
-CAType EnterpriseRootCA `
-CACommonName "Contoso Root CA" `
-CADistinguishedNameSuffix "DC=corp,DC=local" `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-KeyLength 4096 `
-HashAlgorithmName SHA256 `
-ValidityPeriod Years `
-ValidityPeriodUnits 10 `
-Force
Verify the CA service started successfully:
Get-Service CertSvc | Select Status, StartType
certutil -ping
Step 3: Configure an Enterprise Subordinate CA
In a two-tier PKI, first install the subordinate CA role, generate a certificate signing request (CSR), submit it to the root CA, and then complete the installation:
Install-AdcsCertificationAuthority `
-CAType EnterpriseSubordinateCA `
-CACommonName "Contoso Issuing CA" `
-CADistinguishedNameSuffix "DC=corp,DC=local" `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-KeyLength 2048 `
-HashAlgorithmName SHA256 `
-OutputCertRequestFile "C:\CARequest\subca.req" `
-Force
Submit the CSR to the root CA and approve the certificate:
certreq -submit -config "ROOTCA\Contoso Root CA" C:\CARequest\subca.req C:\CARequest\subca.cer
certutil -installcert C:\CARequest\subca.cer
Step 4: Configure Certificate Templates
Certificate templates define the properties of certificates that can be issued. Duplicate built-in templates to create custom ones without modifying defaults:
# List available templates
certutil -CATemplates
# Enable a template for issuance on the CA
Add-CATemplate -Name "WebServer"
Add-CATemplate -Name "Computer"
Add-CATemplate -Name "User"
To create a custom template with auto-enrollment, use the Certificate Templates MMC snap-in, or set the template permissions via ADSI:
# certutil cannot duplicate a template (do that in the Certificate Templates MMC);
# it can add (+) or remove (-) a template from the list this CA issues:
certutil -setcatemplates +WebServer
# Grant enrollment permissions on a template via PowerShell. Auto-enrollment requires
# both the Enroll and the AutoEnroll extended right (plus Read, which Authenticated Users
# hold by default). The DN below targets the built-in WebServer template for brevity;
# in practice point it at the duplicated template.
$template = [ADSI]"LDAP://CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local"
$principal = [System.Security.Principal.NTAccount]"Domain Computers"
# 0e10c968-... = Certificate-Enrollment right, a05b8cc2-... = Certificate-AutoEnrollment right
foreach ($rightGuid in "0e10c968-78fb-11d2-90d4-00c04f79dc55", "a05b8cc2-17bc-4802-a710-e7c15ab866a2") {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($principal, "ExtendedRight", "Allow", [GUID]$rightGuid)
    $template.ObjectSecurity.AddAccessRule($ace)
}
$template.CommitChanges()
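Once templates are enabled and permissions granted, the thing a defender most wants to know is who can actually obtain certificates from this CA. The following audit script is an added example, not part of the original article: it walks every template the CA currently issues, reads its ACL from the Configuration partition, and lists the principals holding Enroll, AutoEnroll or full control, flagging broad groups for review. It assumes it runs on the CA with the ADCSAdministration module available; the list of "broad" principals is an assumption you should adapt.

```powershell
Import-Module ADCSAdministration

$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment right
# Principals broad enough that an Enroll/AutoEnroll grant deserves a second look (assumed list).
$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

function Get-CATemplateEnrollmentRights {
    # Only templates the CA currently issues matter (the same set certutil -CATemplates prints).
    $configNc  = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($tmpl in Get-CATemplate) {
        $entry = [ADSI]"LDAP://CN=$($tmpl.Name),$container"
        try {
            $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # An orphaned SID in the ACL cannot be translated to a name; fall back to raw SIDs.
            $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        }
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $r = $rule.ActiveDirectoryRights
            $isExtended = $r.HasFlag($Rights::ExtendedRight)
            # An ExtendedRight ACE whose ObjectType is the empty GUID grants every extended right.
            if ($r.HasFlag($Rights::GenericAll))                           { $right = 'FullControl' }
            elseif ($isExtended -and $rule.ObjectType -eq $AutoEnrollGuid) { $right = 'AutoEnroll' }
            elseif ($isExtended -and ($rule.ObjectType -eq $EnrollGuid -or
                                      $rule.ObjectType -eq [Guid]::Empty)) { $right = 'Enroll' }
            else { continue }
            $account = $rule.IdentityReference.Value.Split('\')[-1]
            [PSCustomObject]@{
                Template  = $tmpl.Name
                Principal = $rule.IdentityReference.Value
                Right     = $right
                Review    = $account -in $BroadPrincipals
            }
        }
    }
}

Get-CATemplateEnrollmentRights | Sort-Object Template, Principal | Format-Table -AutoSize
```

Rows marked Review are not necessarily wrong (Domain Computers on the Computer template is normal), but a broad group with Enroll on a template such as WebServer, whose certificates are server-authentication credentials, is worth a deliberate decision rather than a default.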
Step 5: Configure Certificate Revocation
The Certificate Revocation List (CRL) allows clients to check whether a certificate has been revoked. Configure CRL distribution points (CDPs):
# View current CRL configuration
certutil -getreg CA\CRLPublicationURLs
# Set CRL publication URLs
certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.corp.local/CertEnroll/%3%8%9.crl"
# Set Authority Information Access (AIA) URLs
certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.local/CertEnroll/%1_%3%4.crt"
# Restart the CA service to apply changes
Restart-Service CertSvc
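A CDP that is advertised in certificates but not actually served is a common outage cause, since clients doing revocation checking will fail chain validation. The script below is an added example, not from the original article: it applies the same HTTP CDP/AIA settings using the ADCSAdministration cmdlets (idempotently, so it can be re-run), then confirms that every CRL the CA has published locally is fetchable from the HTTP location and byte-identical to the CA's copy. It assumes it runs on the issuing CA and that http://pki.corp.local/CertEnroll serves the CA's CertEnroll directory.

```powershell
Import-Module ADCSAdministration

$HttpBase = 'http://pki.corp.local/CertEnroll'   # assumed web host, matches the article

function Set-CAPublicationUrls {
    param([string]$Base = $HttpBase)
    # The CA expands these tokens at publish time: %1 = server name, %3 = CA name,
    # %4 = CA certificate index, %8 = CRL name suffix, %9 = delta CRL suffix.
    $crlUri = "$Base/%3%8%9.crl"
    $aiaUri = "$Base/%1_%3%4.crt"
    if (-not (Get-CACrlDistributionPoint | Where-Object Uri -eq $crlUri)) {
        Add-CACrlDistributionPoint -Uri $crlUri -AddToCertificateCdp -Force
    }
    if (-not (Get-CAAuthorityInformationAccess | Where-Object Uri -eq $aiaUri)) {
        Add-CAAuthorityInformationAccess -Uri $aiaUri -AddToCertificateAia -Force
    }
    Restart-Service CertSvc        # CDP/AIA settings are read when the service starts
    certutil -crl | Out-Null       # publish a fresh base (and delta) CRL to the local directory
}

function Test-CAPublishedCrl {
    param([string]$Base = $HttpBase,
          [string]$LocalDir = "$env:SystemRoot\System32\CertSrv\CertEnroll")
    foreach ($crl in Get-ChildItem -Path $LocalDir -Filter '*.crl') {
        $url = "$Base/$([uri]::EscapeDataString($crl.Name))"
        $tmp = Join-Path $env:TEMP $crl.Name
        try {
            Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
            $same = (Get-FileHash $crl.FullName).Hash -eq (Get-FileHash $tmp).Hash
            $status = if ($same) { 'OK' } else { 'STALE: web copy differs from CA copy' }
        } catch {
            $status = "UNREACHABLE: $($_.Exception.Message)"
        }
        [PSCustomObject]@{ Crl = $crl.Name; Url = $url; Status = $status }
    }
}

Set-CAPublicationUrls
Test-CAPublishedCrl | Format-Table -AutoSize
```

If only the delta CRL (the file name ending in "+") reports UNREACHABLE, IIS request filtering is usually rejecting the plus sign; the CertEnroll virtual directory needs double escaping allowed.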
Step 6: Configure Web Enrollment
The Web Enrollment role service provides a web interface for manual certificate requests, useful for non-domain devices or when autoenrollment is not suitable:
Install-AdcsWebEnrollment -Force
# Configure IIS for certificate enrollment
# Access the enrollment page at: https://servername/certsrv
Step 7: Configure Auto-Enrollment via Group Policy
Configure Group Policy to enable automatic certificate enrollment for users and computers:
# Create or edit a GPO for auto-enrollment
# Navigate to: Computer Configuration > Windows Settings > Security Settings > Public Key Policies
# Enable "Certificate Services Client - Auto-Enrollment"
# Via PowerShell, verify auto-enrollment settings
Get-GPO -Name "Default Domain Policy" | Get-GPOReport -ReportType XML | Out-File C:\GPOReport.xml
# Force group policy update to trigger certificate enrollment
gpupdate /force
certutil -pulse
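The GPO steps above are described as console navigation; the policy they toggle is a single registry value under the machine (or user) Policies hive. The script below is an added example, not from the original article: it enables computer auto-enrollment in a dedicated GPO with that value and links it, and provides a client-side check that both the policy and an issued certificate from the CA are present after gpupdate and certutil -pulse. It assumes the GroupPolicy RSAT module on the admin host; the GPO name "PKI Auto-Enrollment" is an assumption.

```powershell
Import-Module GroupPolicy

$AEKey = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

function Enable-ComputerAutoEnrollment {
    param([string]$GpoName = 'PKI Auto-Enrollment')
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
    # AEPolicy 7 = enabled (1) + renew expired / update pending (2) + update templates (4);
    # this is what the three checkboxes of the console policy write. 0x8000 means disabled.
    Set-GPRegistryValue -Name $GpoName -Key "HKLM\$AEKey" -ValueName AEPolicy -Type DWord -Value 7 | Out-Null
    # Linked at the domain root here; change -Target to an OU DN to scope it.
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    New-GPLink -Name $GpoName -Target $domainDn -ErrorAction SilentlyContinue | Out-Null
}

function Test-ComputerAutoEnrollment {
    # Run on a domain member after gpupdate /force and certutil -pulse.
    param([string]$IssuerName = 'Contoso Issuing CA')
    $policy  = Get-ItemProperty -Path "HKLM:\$AEKey" -ErrorAction SilentlyContinue
    $enabled = $policy -and (($policy.AEPolicy -band 1) -eq 1) -and (($policy.AEPolicy -band 0x8000) -eq 0)
    # Certificates obtained through auto-enrollment land in the machine personal store.
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*CN=$IssuerName*" }
    [PSCustomObject]@{
        PolicyEnabled   = [bool]$enabled
        AEPolicyValue   = $policy.AEPolicy
        IssuedCertCount = @($certs).Count
        Certificates    = ($certs | ForEach-Object { "$($_.Subject) (expires $($_.NotAfter.ToString('yyyy-MM-dd')))" }) -join '; '
    }
}

Enable-ComputerAutoEnrollment
Test-ComputerAutoEnrollment | Format-List
```

PolicyEnabled true with IssuedCertCount 0 usually means the computer has Read and Enroll but not AutoEnroll on any enabled template, or the client has not yet run an enrollment pulse.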
Step 8: Manage and Monitor the CA
View issued certificates, pending requests, and CA health:
# View all issued certificates
certutil -view -out "RequestID,RequesterName,NotAfter,CertificateTemplate"
# Revoke a certificate by serial number; the reason code 1 = KeyCompromise
certutil -revoke 1A2B3C4D 1
# Publish a new CRL immediately
certutil -crl
# Check CA health
certutil -CAInfo
AD CS is the backbone of enterprise PKI on Windows. A properly configured certificate authority enables strong authentication, encrypted communications, and trusted digital identities throughout the organization, forming a critical component of a defense-in-depth security strategy.