An Overview of Active Directory Certificate Services (AD CS)

Certificate services provide public key infrastructure (PKI) for organization. There are lot of benefits to have a PKI infrastructure in Active Directory infrastructure. One of the biggest advantage of deploying certificate is to identify requestor requesting information a server. This can be a web server, exchange web mail or an windows client requesting authentication from an active directory. The server holding the role of approving certificate and delivering certificate called certificate authority in short CA. Microsoft CA provides heaps of options for diverse customer to deploy certificate from security point of view, organizational structure and  also geographical location. That is certificate can be deployed in hierarchical manner. Top of Certificate hierarchy is called Enterprise root CA. There can be more than one subordinate CA depending your need. Certificate Authority can be standalone or Enterprise CA. Standalone offline Root CA can be used to provide PKI infrastructure for internal users. Standalone root CA is put offline to provide an extra layer of security to authentication. A subordinate CA placed under standalone root can work as usual. In this case, your root CA aren’t compromised. when you request a certificate from subordinate CA, you have to approve this request manually. Again this type of deployment provide extra layer of security  as you can see who’s requesting for a certificate. 

Installation of Root CA:

To install an Enterprise Root CA, build a windows server 2008 and join domain. Log on as domain admin. Add and install Web server (IIS) role in that server as pre-requisite. Once finish, add active directory certificate services role. Select Enterprise root CA while installing CA. More detailed installation guides are in these screen shots.

To install a standalone root CA, follow the similar steps with just one exception that standalone CA isn’t part of Active Directory domain. You have manually import certificate request to standalone CA server which I will explain later part of this article.

Segregating CA Management Role:

To secure CA management and delegating management authority, you can segregate roles in certificate authority. There five roles available to manage CA. They are CA Administrator, CA Manager, CA Auditor, Backup operator and enrollees. To assign these roles, you need to log on CA as an administrator and open CA Management Console. Right mouse click on CA server name>Click on property. Go to security Tab and add specific groups to this windows and assign desired roles. The following screen shots are illustrate these options.



https or secure Certificate Enrollment using :

before you can enroll certificate, install an SSL certificate for CA itself and provide an FQDN for users and computer to request certificates.

Open IIS management console in CA authority Server. Click on CA server>Click on Create a Domain certificate on right hand side Action pan. 





Click Finish to complete request.

Click on Sites>click Bindings


Click Add>Select SSL>Select IP & Port 443


Select Certificate you just created.

Now Create a CNAME in DNS server such as

Open IE browser to test SSL certificate request.


Managing Templates:

There are default certificate templates in CA. The templates are stored in Active Directory for use by every CA in the forest. When deploying certificates duplicate a template (by right click on certificate template>Manage) similar to your purpose, name the template, setup certificate period, publish in Active Directory, setup security on the security tab. Now right click on certificate template>Click New>Click on Certificate Template to Issue. You must select appropriate group in the security tab of certificate property to safeguard this certificate from different group of users. 

Installation of Subordinate CA:

Prepare a Windows Server 2008. Depending on your deployment topology, Open Server Manager, click Add Roles, click Next,and click Active Directory Certificate Services. Click Next two times. Now select following in the next steps.

Setup Type: Standalone or Enterprise

CA Type: Subordinate

Private key: Create a New Private Key


On the Request a certificate step, you have have two options. If your Enterprise root CA is part of domain, you can request a subordinate CA automatically or manually. However if your enterprise root CA is standalone or subordinate CA is standalone then you have generate a request for certificate and submit this request to root CA. In this article, I am requesting certificate manually because you can perform automated request.


Click Next and Finish installation.


Open Requested Certificate and copy entire content in the notepad. Open IE browser and browse Root CA cert enroll page such as


Click on Request a certificate, Click on Advanced certificate request.


Click on submit a certificate request..


Paste the certificate request on Base 64 encoded box and select subordinate CA. Click submit.


Now download requested certificate and save it on subordinate CA.



Log on to subordinate CA and open CA management console>Click All Tasks>Click Start CA. You will be prompted to import subordinate certificate from root CA. Browse the location of certificate you exported/saved in previous steps and select certificate. Your subordinate CA will start now.


Start Menu>run>Services.msc>Check Active Directory Certificate Services set to automatic. Now Manage and secure CA as mentioned in this article.

If your root CA is standalone than you can take your root CA offline now. Open Event Viewer by simply, typing eventvwr.exe on Start menu>run. Check AD CS is functioning properly.


To setup auditing in AD CS, right click on AD CS server>property>Auditing Tab>Select preferred Auditing for CA Server.


To restrict an enrollment agent in CA, Open CA Console>Right Click on subordinate CA Server>Property>Click on Enrollment Agent Tab Click on restrict Enrollment Agent. here you can add groups or users that are allowed to request certificate on behalf of another client and remove everyone. similarly you can disallow everybody to request an agent enrollment. Note that Enrollment agent can only request certificate but can not approve or revoke certificate.


To setup pending request in CA, log on to CA and open CA console. Right mouse click on CA server>Click property>Click Policy Module>Click Properties>Click Set certificate request status to pending.



Restart AD CS services.

Requesting Certificate from standalone CA:

Create a text file and rename this file such as newrequest.inf and copy and paste inside the file following contents


Signature=”$Windows NT$
Subject = “CN=<DC fqdn>” ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
OID= ; this is for Server Authentication





Subject=”CN=<FQDN of computer you are creating the certificate, for example, the gateway server or management server.>”










Here, CN= FQDN of server where requested certificate will be installed.

Now type following command, and then press ENTER:

CertReq –New –f  NewRequest.inf NewCert.req

To submit new request type the following command, and then press ENTER:

certreq -submit -config “FQDN of the YourCAYour CA Name” certnew.req certnew.cer

Now approve the certificate from CA management console and retrieve certificate using following command

certreq -retrieve RequestID certnew.cer

type the following command to accept certificate, and then press ENTER:

certreq -accept newcert.cer

Removing Certificate Authority: Log on to the system as the user who installed the certification authority. Server Manager>Roles>Remove Roles>Select AD CS and Remove CA. Restart Decommissioned CA Server. To Remove remaining information about this CA from Active Directory, type following from elevated command prompt

certutil.exe -dsdel CAName and press ENTER

Dealing with Event ID 100, 7024, 48 :

Issue new certificate revocation list by issuing certutil.exe –crl command from elivated command prompt.

Type certutil.exe -setreg CALogLevel 2  and press enter to change log level registry.

Disable revocation list checkup type following from command prompt and press enter.