Introduction
Active Directory Certificate Services (AD CS) on Windows Server 2016 provides a complete Public Key Infrastructure (PKI) platform for issuing and managing digital certificates used by SSL/TLS, smart card authentication, email signing, IPsec, code signing, and more. A two-tier PKI hierarchy — an offline Root CA and an online Issuing CA — is the industry-standard design for enterprise deployments. This guide covers building a production-ready two-tier PKI using AD CS on Windows Server 2016.
PKI Architecture Overview
A two-tier PKI hierarchy consists of: (1) an Offline Root CA — a standalone CA that issues only the Issuing CA certificate, kept powered off when not in use; and (2) an Online Issuing CA — an enterprise CA domain-joined to Active Directory that issues end-entity certificates to computers, users, and services. The root CA certificate is distributed to all domain members automatically via Group Policy.
Setting Up the Offline Root CA
Install AD CS on a standalone server (never domain-joined) to create the Root CA:
# On the offline standalone Root CA server
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# Install as Standalone Root CA (not Enterprise — no AD required)
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCa `
    -CACommonName 'Contoso Root CA' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 20 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -Force
# Configure the CRL distribution and AIA paths (HTTP, so clients can validate the chain without
# reaching the offline root). -AddToCertificateCDP and -AddToCertificateAia are switch parameters.
$crlPath = 'http://pki.contoso.com/crl'
$aiaPath = 'http://pki.contoso.com/aia'
Add-CACRLDistributionPoint -Uri "$crlPath/RootCA.crl" -AddToCertificateCDP -Force
Add-CAAuthorityInformationAccess -Uri "$aiaPath/RootCA.crt" -AddToCertificateAia -Force
# Set CRL validity period (the registry value lives under CA\ in the CA's configuration key)
certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 1
Restart-Service CertSvc
Publishing the Root CA Certificate and CRL
Export the Root CA certificate and CRL so they can be published to Active Directory and a web server:
# Export Root CA certificate
certutil -ca.cert C:\PKI\RootCA.cer
# Publish new CRL (certutil writes it to %windir%\System32\CertSrv\CertEnroll\<CA name>.crl)
certutil -crl
Copy-Item "$env:windir\System32\CertSrv\CertEnroll\Contoso Root CA.crl" C:\PKI\RootCA.crl
# Copy files to the PKI web server (or USB drive for air-gapped root)
# RootCA.cer → upload as http://pki.contoso.com/aia/RootCA.crt (the file name must match the AIA URL set above)
# RootCA.crl → upload to http://pki.contoso.com/crl/RootCA.crl
# On a domain controller, publish the Root CA cert and CRL to AD (files copied over from the root)
certutil -f -dspublish C:\PKI\RootCA.cer RootCA
certutil -f -dspublish C:\PKI\RootCA.crl
Setting Up the Enterprise Issuing CA
Install the Issuing (Subordinate) CA on a domain-joined Windows Server 2016 member server:
# On the domain-joined Issuing CA server
Install-WindowsFeature ADCS-Cert-Authority,ADCS-Web-Enrollment,ADCS-Online-Cert `
    -IncludeManagementTools
# Generate a Certificate Signing Request (CSR) for the Issuing CA; the CA service stays
# stopped until the signed certificate is installed
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCa `
    -CACommonName 'Contoso Issuing CA 01' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\IssuingCA.req' `
    -Force
# Transfer IssuingCA.req to the Root CA and sign it there.
# On Root CA: a standalone CA has no templates and holds submitted requests as pending,
# so submit the request, issue it, then retrieve the certificate.
# ROOTCA01 is a placeholder for the root server's host name; -submit prints the request ID (2 is illustrative).
certreq -submit -config "ROOTCA01\Contoso Root CA" C:\IssuingCA.req
certutil -resubmit 2
certreq -retrieve -config "ROOTCA01\Contoso Root CA" 2 C:\IssuedCA.cer
# Back on Issuing CA — install the signed certificate (the Root CA cert must already be trusted,
# e.g. via the AD publication above after a gpupdate, or certutil -addstore Root C:\PKI\RootCA.cer)
certutil -installcert C:\IssuedCA.cer
Start-Service CertSvc
Creating Certificate Templates
Create custom certificate templates for different use cases:
# Open the Certificate Templates console (certtmpl.msc, or mmc.exe and add the Certificate Templates snap-in),
# duplicate the WebServer template and adjust OID, validity, key usage and application policy in the UI.
# There is no native cmdlet that duplicates a template; the [ADSI] object below is read-only and only
# shows the source template's settings so you can compare them with the copy.
$configNC = (Get-ADRootDSE).configurationNamingContext
$template = [ADSI]"LDAP://CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template.displayName
$template.pKIExtendedKeyUsage
# Publish the new template on the Issuing CA (-Name is the template name, not its display name)
Add-CATemplate -Name 'ContosoWebServer' -Force
Get-CATemplate | Where-Object {$_.Name -like '*Contoso*'}
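Before publishing a duplicated template, it is worth reading back the settings the console lets you change (validity, who supplies the subject, approval gates, application policies) straight from AD. The following script is an added example, not part of the original guide; it assumes the ActiveDirectory module and read access to the Configuration partition, and the review thresholds (two-year validity, the requester-supplied-subject check) are assumptions.

```powershell
Import-Module ActiveDirectory

function Get-PkiTemplateReview {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $props = 'displayName', 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag',
             'msPKI-RA-Signature', 'pKIExtendedKeyUsage', 'pKIExpirationPeriod'
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
    ForEach-Object {
        # pKIExpirationPeriod is a negative FILETIME interval in 100 ns ticks (8.64e11 ticks per day)
        $validityDays = $null
        if ($_.pKIExpirationPeriod) {
            $ticks = [BitConverter]::ToInt64([byte[]]$_.pKIExpirationPeriod, 0)
            $validityDays = [math]::Round(-$ticks / 864000000000)
        }
        # msPKI-Certificate-Name-Flag bit 0x1: the requester supplies the subject name
        $enrolleeSubject = ([int]$_.'msPKI-Certificate-Name-Flag' -band 1) -ne 0
        # msPKI-Enrollment-Flag bit 0x2: requests are held for CA manager approval
        $managerApproval = ([int]$_.'msPKI-Enrollment-Flag' -band 2) -ne 0
        $signaturesRequired = [int]$_.'msPKI-RA-Signature'
        $ekus = @($_.pKIExtendedKeyUsage)
        $clientAuth = $ekus -contains '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
        # Assumed review rules: a requester-chosen subject combined with client auth and no approval gate
        # needs tightly scoped Enroll permissions; a web server template rarely needs more than two years.
        $note = if ($enrolleeSubject -and $clientAuth -and -not $managerApproval -and $signaturesRequired -eq 0) {
            'REVIEW: requester-supplied subject + client auth with no approval gate; restrict Enroll permissions'
        } elseif ($validityDays -gt 730) {
            'REVIEW: validity longer than two years'
        } else { 'ok' }
        [pscustomobject]@{
            Name = $_.Name; DisplayName = $_.displayName; ValidityDays = $validityDays
            EnrolleeSuppliesSubject = $enrolleeSubject; ManagerApproval = $managerApproval
            SignaturesRequired = $signaturesRequired; EKU = ($ekus -join ','); Note = $note
        }
    }
}

Get-PkiTemplateReview | Sort-Object Note -Descending | Format-Table -AutoSize
```

Run it once after duplicating the template and again after publishing, and compare the ContosoWebServer row with the WebServer row it was copied from.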
Auto-Enrollment via Group Policy
Configure auto-enrollment so domain computers and users receive certificates automatically:
# Create a GPO and link it to the domain (or an OU)
$gpo = New-GPO -Name 'PKI-Auto-Enrollment'
New-GPLink -Name 'PKI-Auto-Enrollment' -Target 'DC=contoso,DC=com'
# Equivalent of the Group Policy Management Editor setting:
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Public Key Policies > Certificate Services Client — Auto-Enrollment
# Set: Enabled, renew expired certs, update certs that use cert templates
# (AEPolicy = 7 is the value the editor writes for that combination)
$aeKey = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name 'PKI-Auto-Enrollment' -Key "HKLM\$aeKey" -ValueName 'AEPolicy' -Type DWord -Value 7
# Same setting under User Configuration so user certificates auto-enroll too
Set-GPRegistryValue -Name 'PKI-Auto-Enrollment' -Key "HKCU\$aeKey" -ValueName 'AEPolicy' -Type DWord -Value 7
# On a client: refresh policy, then trigger auto-enrollment manually to test
gpupdate /force
certutil -pulse
Setting Up the PKI Web Enrollment Portal
Configure the AD CS Web Enrollment interface for manual certificate requests:
Install-AdcsWebEnrollment -Force
# Configure IIS for the enrollment portal: Windows authentication on, anonymous off, scoped to the CertSrv app
Import-Module WebAdministration
$certSrv = 'Default Web Site/CertSrv'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $certSrv `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $certSrv `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false
# Access the portal at: https://IssuingCA01/certsrv
# (bind a server certificate to the site first; Windows authentication over plain HTTP exposes credentials)
Monitoring Certificate Health
Monitor certificate expiry, CA health, and CRL validity:
# List issued certificates expiring in the next 60 days
# (Disposition 20 = Issued; certutil accepts relative dates as now+dd:hh)
certutil -view -restrict "Disposition=20,NotAfter<=now+60:00" `
    -out "RequestID,CommonName,NotAfter,SerialNumber" csv
# Publish a fresh CRL, then validate the Issuing CA certificate chain, fetching every CDP and AIA URL
# it carries (-urlfetch reports any CRL or AIA location that is unreachable or stale)
certutil -crl
certutil -verify -urlfetch C:\IssuedCA.cer
# View CA event logs
Get-EventLog -LogName Application -Source 'Microsoft-Windows-CertificationAuthority' -Newest 20 |
    Select-Object TimeGenerated,EntryType,Message | Format-List
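An offline root's CRL is only refreshed when someone powers the root on and republishes it, so the most useful scheduled check is the time left until NextUpdate on the copy clients actually download. The function below is an added example, not part of the original guide; it uses the CDP URL configured earlier, and the seven-day warning threshold and the temp-file handling are assumptions.

```powershell
function Test-PkiCrl {
    param(
        [Parameter(Mandatory)][string]$CrlUrl,
        [int]$WarnDays = 7
    )
    $tmp = Join-Path $env:TEMP ("crl-" + [guid]::NewGuid().ToString() + ".crl")
    try {
        # Fetch the CRL exactly as a client would, from the HTTP CDP
        Invoke-WebRequest -Uri $CrlUrl -OutFile $tmp -UseBasicParsing -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Url = $CrlUrl; Status = 'UNREACHABLE'; NextUpdate = $null; DaysLeft = $null }
    }
    try {
        # certutil -dump prints the CRL fields, including a "NextUpdate: <local date/time>" line
        $dump = certutil -dump $tmp 2>&1
        $line = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
        if (-not $line) {
            return [pscustomobject]@{ Url = $CrlUrl; Status = 'PARSE-ERROR'; NextUpdate = $null; DaysLeft = $null }
        }
        # certutil formats the date in the local culture, so parse it with the current culture
        $next = [datetime]::Parse($line.Matches[0].Groups[1].Value.Trim(), [cultureinfo]::CurrentCulture)
        $daysLeft = [math]::Round(($next - (Get-Date)).TotalDays, 1)
        $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'WARN' } else { 'OK' }
        [pscustomobject]@{ Url = $CrlUrl; Status = $status; NextUpdate = $next; DaysLeft = $daysLeft }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# The root CDP from this guide; add the Issuing CA's CRL URL once its CDP is configured
'http://pki.contoso.com/crl/RootCA.crl' | ForEach-Object { Test-PkiCrl -CrlUrl $_ } | Format-Table -AutoSize
```

Schedule this on the monitoring host with a WarnDays value that leaves enough time to bring the root online and republish before the old CRL expires.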
Summary
Building a two-tier PKI with AD CS on Windows Server 2016 provides a robust certificate infrastructure for your entire organisation. The offline Root CA protects the trust anchor, while the online Issuing CA automatically delivers certificates to domain members via Group Policy auto-enrollment. Combined with web enrollment for manual requests and regular CRL monitoring, this PKI design scales from small businesses to enterprise environments and underpins all certificate-dependent services including LDAPS, TLS, IPsec, and smart card authentication.