
Active Directory Certificate Services (ADCS)


What is Active Directory Certificate Services?

Active Directory Certificate Services (AD CS) is a Microsoft Windows Server role that manages digital certificates for secure network communications, encryption, user/device authentication, and trust establishment. It includes a Certificate Authority (CA) for issuing and managing certificates and builds the Public Key Infrastructure (PKI) framework.



Adding ADCS Roles

Add the role Active Directory Certificate Services



On the role services page, select Certificate Authority and Certificate Authority Web Enrollment


CA Web Enrollment is a web-based interface that allows users to request and manage digital certificates from a Certificate Authority (CA).


For the remaining role services, leave the defaults and proceed with the installation



After it finishes, select Configure Active Directory Certificate Services on the Destination Server




Configuring ADCS

First, select the admin account to manage the CA



Select both roles



Select Enterprise CA


  • An Enterprise CA is a centralized CA integrated with Active Directory, offering advanced features such as hierarchical structures and certificate templates.
  • A Standalone CA is a simpler, isolated instance without Active Directory integration.


Select Root CA


  • A Root CA is the top-level authority in a PKI hierarchy.
  • A Subordinate CA is an intermediate entity whose certificate is issued by an existing Root CA.


Select Create New Private Key



For the cryptography options, leave the defaults and click Next



Specify the CA’s name



Confirm and configure



Now the CA is up and running



And if we open the CA’s IP address in a web browser, we should see the CA Web Enrollment page


Now we can use the CA to sign certificates



Creating Custom Templates

By default, the CA only offers 5 certificate templates, which is enough if all we need is for this CA to sign certificates for ordinary web servers.


But some applications require a different kind of template. For example, Cisco Expressway and Cisco Meeting Server (CMS) require a certificate that allows both Server Authentication and Client Authentication, so let's create a template for that case.


Open Certificate Authority » Certificate Templates » Manage



Right-click the Web Server template and choose Duplicate



On General, give it a name



On Extensions, select Application Policies and click Edit



Add Client Authentication on top of the existing Server Authentication


  • Server Authentication confirms the identity of the server or service that the client is connecting to.
  • Client Authentication confirms the identity of the client (user or device) trying to access a service or server.


Now we have the new template; close this window



On the main CA page, select New » Certificate Template to Issue



Select the new template



Now we can see the new template listed here as well



And now it is also available for signing CSRs on the Web Enrollment page

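To confirm the result of the steps above without clicking through the consoles, the following PowerShell reads the duplicated template from the Configuration partition, reports whether it carries both EKUs and whether the CA publishes it, and flags the one setting inherited from Web Server that deserves a second look. This is an added example, not code from the original post; the template name WebServerClientAuth and the CA name LAB-CA are assumptions, and it must run on a domain-joined host as a user who can read the Configuration partition.

```powershell
# Added example (not from the original post). Template and CA names are hypothetical.
function Test-IssuanceTemplate {
    param(
        [string]$TemplateName = 'WebServerClientAuth',   # hypothetical template CN
        [string]$CAName       = 'LAB-CA'                 # hypothetical CA name
    )
    $ServerAuth = '1.3.6.1.5.5.7.3.1'
    $ClientAuth = '1.3.6.1.5.5.7.3.2'
    $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # "Supply in the request" on the Subject Name tab

    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
    $tplPath  = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiBase"
    $caPath   = "LDAP://CN=$CAName,CN=Enrollment Services,$pkiBase"

    if (-not [ADSI]::Exists($tplPath)) { throw "Template '$TemplateName' not found in AD" }
    if (-not [ADSI]::Exists($caPath))  { throw "CA '$CAName' not found in AD" }
    $tpl = [ADSI]$tplPath
    $ca  = [ADSI]$caPath

    # The Certificate Templates console keeps the EKU extension and the Application
    # Policies extension in sync; read both so a template edited elsewhere is still reported.
    $ekus = @($tpl.Properties['pKIExtendedKeyUsage']) +
            @($tpl.Properties['msPKI-Certificate-Application-Policy']) | Sort-Object -Unique
    $nameFlags = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value

    $report = [PSCustomObject]@{
        Template                = $TemplateName
        HasServerAuth           = $ekus -contains $ServerAuth
        HasClientAuth           = $ekus -contains $ClientAuth
        EnrolleeSuppliesSubject = ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        PublishedOnCA           = @($ca.Properties['certificateTemplates']) -contains $TemplateName
    }

    # Web Server (the template we duplicated) lets the requester supply the subject name.
    # With Client Authentication added, anyone holding the Enroll right on this template can
    # request a certificate for a subject of their choosing, so limit Enroll on the Security
    # tab to the server accounts that need it, or require CA certificate manager approval.
    if ($report.HasClientAuth -and $report.EnrolleeSuppliesSubject) {
        Write-Warning "'$TemplateName' combines client auth with a requester-supplied subject; review its Enroll permissions."
    }
    return $report
}

Test-IssuanceTemplate | Format-List
```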


This post is licensed under CC BY 4.0 by the author.