Windows Certificate Authority (AD CS) Complete Deployment Guide: Enterprise PKI, Auto-Enrollment, HTTPS/SMB/EAP Practical Implementation
Public Key Infrastructure (PKI) is one of the most critical foundations of enterprise security. Whether it’s HTTPS, SMB signing, Wi-Fi 802.1X EAP-TLS, VPN, RDP, LDAP over SSL, SQL Server, or device identity, digital certificates are everywhere.
In a Windows enterprise environment, the most powerful and integrated PKI solution is Active Directory Certificate Services (AD CS). This guide walks you through: PKI Architecture → Installing AD CS → Certificate Templates → Auto-Enrollment → Service Deployment → CRL/OCSP → Troubleshooting.
Table of Contents
- 1. AD CS & PKI Concepts
- 2. PKI Roles: Root CA, Sub CA, Issuing CA
- 3. Installing AD CS: Enterprise Root CA
- 4. Designing Certificate Templates
- 5. Auto-Enrollment via Group Policy
- 6. Applying Certificates: HTTPS, RDP, SMB, EAP-TLS
- 7. CRL & OCSP: Revocation Infrastructure
- 8. Maintaining Your PKI
- 9. Troubleshooting
- Related Articles
1. AD CS & PKI Concepts
AD CS provides:
- Certificate issuance
- Certificate revocation (CRL)
- Certificate templates & permissions
- Auto-enrollment integrated with Active Directory
Common enterprise certificate usages:
- HTTPS (IIS / Web Servers)
- RDP Authentication
- SMB Signing / LDAP over SSL
- 802.1X Wi-Fi (EAP-TLS)
- VPN (SSTP / OpenVPN / IPsec / FortiGate)
- SQL Server, Exchange, MDM/Intune enrollment
Typical PKI Architecture:

    Offline Root CA
           │
           ▼
    Online Issuing CA
           │
     ┌─────────────┼─────────────┐
     │             │             │
  User Certs   Device Certs  Server Certs
  (EAP,        (Computer)    (HTTPS/RDP)
   SmartCard)
2. PKI Roles: Root CA, Sub CA, Issuing CA
Root CA (Offline)
- Issues Sub CA certificates
- Stays offline (highest security)
- Long-term validity (10–20 years)
Issuing CA (Online)
- Issues certificates for all users, computers, servers
- Integrated with AD & GPO
- Daily operational CA
For small/medium environments, a single Enterprise Root CA is acceptable (used in this guide).
3. Installing AD CS: Enterprise Root CA
1. Install AD CS Role
Server Manager →
Add Roles and Features →
Active Directory Certificate Services →
Select:
✓ Certification Authority
✓ Certification Authority Web Enrollment (optional)
2. Configure AD CS
- CA Type: Enterprise CA
- Hierarchy: Root CA
- Key Length: 4096 bits (recommended)
- Hash Algorithm: SHA-256
- CA Validity: 10–20 years
3. Verify CA Health
certsrv.msc →
Check:
✓ CA is running
✓ No errors
✓ CRL has been published
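Steps 1 to 3 above, as an added PowerShell example that is not part of the original guide: it installs the role, configures an Enterprise Root CA with the recommended key length and hash, and then performs the same health checks as the certsrv.msc walkthrough. The CA common name Corp-Root-CA is a placeholder; run it elevated as an Enterprise Admin on a domain-joined server.

```powershell
# Added example, not from the original guide. Assumes an elevated session on a
# domain-joined server and uses the placeholder CA name "Corp-Root-CA".

# 1. Install the role (Web Enrollment is optional in the guide; add
#    ADCS-Web-Enrollment only if you actually need it)
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure an Enterprise Root CA with the settings listed in the guide:
#    RSA 4096, SHA-256, 10-year CA validity
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'Corp-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 3. Health checks (the scripted equivalent of the certsrv.msc checklist)
Get-Service CertSvc | Select-Object Status, StartType     # Status should be Running
certutil -ping                                            # CA answers DCOM requests
certutil -CAInfo name                                     # reports the configured CA name
certutil -getreg CA\CRLPeriodUnits                        # base CRL publication interval
certutil -CRL                                             # publish a fresh CRL now
Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll" -Filter *.crl |
    Select-Object Name, LastWriteTime                      # the published CRL file(s)
```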
4. Designing Certificate Templates
Certificate templates define rules: key size, EKU, renewal, permissions, enrollment methods. They are the core of enterprise PKI automation.
Common templates:
- Computer
- User
- Web Server
- Smart Card / EAP-TLS
1. Create a Template (Example: Computer Cert)
certtmpl.msc →
Duplicate Template →
Select "Computer" →
Create: "Corp-Computer-Cert"
2. Security Permissions
- Domain Computers → Enroll + Autoenroll
3. Publish Template
certsrv.msc →
Certificate Templates →
New →
Certificate Template to Issue →
✓ Corp-Computer-Cert
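Steps 2 and 3 above, as an added example that is not part of the original guide: it reads the template's AD permissions so you can confirm that Domain Computers holds exactly Enroll and Autoenroll (and that no unexpected principal holds broad control over the template), then publishes the template on the CA. It assumes the RSAT ActiveDirectory module and the template name Corp-Computer-Cert from the guide.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module
# (RSAT) and the template name "Corp-Computer-Cert" used in the guide.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$template = "AD:\CN=Corp-Computer-Cert,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Extended-right GUIDs that Active Directory defines for certificate enrollment
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# List every Allow ACE that grants Enroll, Autoenroll, or broad control of the template
(Get-Acl $template).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ObjectType -in @($enrollGuid, $autoenrollGuid) -or
            $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner|WriteProperty'
        )
    } |
    Select-Object IdentityReference, ActiveDirectoryRights,
        @{ n = 'Right'; e = {
            switch ($_.ObjectType) {
                $enrollGuid     { 'Enroll' }
                $autoenrollGuid { 'Autoenroll' }
                default         { 'Broad control - review' }
            } } } |
    Format-Table -AutoSize
# Expected for this guide: "Domain Computers" with Enroll and Autoenroll only.
# Any non-admin principal showing "Broad control" can change the template itself
# and should be removed before the template is published.

# Step 3: publish the template on the CA (same effect as "Certificate Template to Issue")
certutil -SetCATemplates +Corp-Computer-Cert
certutil -CATemplates | Select-String 'Corp-Computer-Cert'   # confirm it is now issuable
```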
5. Auto-Enrollment via Group Policy
1. Create GPO
gpmc.msc →
Create GPO: "PKI Auto Enrollment"
2. Enable Auto-Enrollment
Computer Configuration →
Policies →
Windows Settings →
Security Settings →
Public Key Policies →
Certificate Services Client – Auto-Enrollment →
✓ Enabled
✓ Renew expired certs
✓ Update certificates
✓ Auto-enroll
3. Apply GPO to OU
Apply to:
OU = Workstations
OU = Servers
4. Test
gpupdate /force
certmgr.msc → Certificates → Check if issued
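The test in step 4, as an added example that is not part of the original guide: it forces the policy refresh and the autoenrollment task on a workstation, then checks the computer store for a certificate issued from Corp-Computer-Cert by reading the template extension rather than guessing from the subject. It assumes the template name from the guide and a domain-joined client that can reach the CA.

```powershell
# Added example, not from the original guide. Run elevated on a domain-joined
# client in the Workstations or Servers OU; assumes the template "Corp-Computer-Cert".
gpupdate /force
certutil -pulse          # runs the autoenrollment task immediately instead of waiting

$templateName = 'Corp-Computer-Cert'

# The template is recorded in the certificate itself:
#   1.3.6.1.4.1.311.20.2  Certificate Template Name (v1 templates)
#   1.3.6.1.4.1.311.21.7  Certificate Template Information (v2+ templates)
# Format() resolves the template OID to its display name when AD is reachable.
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object {
        $_.Oid.Value -in @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') }
    $ext -and ($ext.Format($false) -match [regex]::Escape($templateName))
}

if ($issued) {
    $issued | Select-Object Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey
} else {
    Write-Warning "No certificate from template '$templateName' found in LocalMachine\My."
    # Is the autoenrollment policy actually applied to this computer?
    gpresult /r /scope computer | Select-String 'Applied Group Policy Objects' -Context 0, 5
    # What did the autoenrollment client log about its last attempt?
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 10 | Select-Object TimeCreated, Id, Message
}
```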
6. Applying Certificates: HTTPS, RDP, SMB, EAP-TLS
1. HTTPS (IIS)
IIS Manager →
Server Certificates →
Create Domain Certificate →
Select CA →
Bind to port 443
2. RDP Certificate
gpedit.msc →
Computer Configuration →
Administrative Templates →
Windows Components →
Remote Desktop Services →
Remote Desktop Session Host →
Security →
Select: Corp-Computer-Cert
3. SMB Signing / LDAP over SSL
Applies to File Servers and Domain Controllers.
4. Wi-Fi 802.1X (EAP-TLS)
NPS → Add RADIUS Server
Install Server Certificate (Web Server type)
Clients auto-enroll device/user certificates
Access Points → WPA2-Enterprise (EAP-TLS)
7. CRL & OCSP: Revocation Infrastructure
1. Revoke Certificate
certsrv.msc →
Issued Certificates →
Right-click → Revoke
2. Publish CRL
Ensure CRL Distribution Point is reachable (HTTP preferred).
3. Enable OCSP (Optional)
Server Manager →
Add Roles →
✓ Online Responder
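Steps 2 and 3 above, as an added example that is not part of the original guide: it adds an HTTP CRL Distribution Point and an OCSP AIA entry on the CA, republishes the CRL, and then verifies that a client can really fetch revocation data for an issued certificate. The hostnames pki.corp.example and ocsp.corp.example, the IIS folder C:\inetpub\pki and the CA name Corp-Root-CA are placeholders; certificates issued before this change keep the old CDP.

```powershell
# Added example, not from the original guide. Run elevated on the CA. Placeholders:
# pki.corp.example (IIS site whose /pki maps to C:\inetpub\pki), ocsp.corp.example,
# and a CA named "Corp-Root-CA".
Import-Module ADCSAdministration

$crlFile = '<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'   # CA token syntax, expanded at publish time

# Where the CA writes the CRL file (served by IIS)
Add-CACrlDistributionPoint -Uri "C:\inetpub\pki\$crlFile" `
    -PublishToServer -PublishDeltaToServer -Force
# Where clients fetch it; this URL is embedded in every newly issued certificate
Add-CACrlDistributionPoint -Uri "http://pki.corp.example/pki/$crlFile" `
    -AddToCertificateCdp -AddToFreshestCrl -Force
# Optional OCSP: point clients at the Online Responder installed in step 3
Add-CAAuthorityInformationAccess -Uri 'http://ocsp.corp.example/ocsp' `
    -AddToCertificateOcsp -Force

Restart-Service CertSvc      # CDP/AIA changes take effect after a restart
certutil -CRL                # publish base and delta CRL now

# Check 1: the HTTP CRL downloads and its NextUpdate lies in the future
$crlPath = "$env:TEMP\corp.crl"
Invoke-WebRequest -Uri 'http://pki.corp.example/pki/Corp-Root-CA.crl' `
    -OutFile $crlPath -UseBasicParsing
certutil -dump $crlPath | Select-String 'ThisUpdate|NextUpdate'

# Check 2: chain building plus live CDP/OCSP fetch for a certificate this CA issued
$leaf = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
Export-Certificate -Cert $leaf -FilePath "$env:TEMP\leaf.cer" | Out-Null
certutil -verify -urlfetch "$env:TEMP\leaf.cer" |
    Select-String 'Revocation Check|CDP|OCSP|Failed|Verified'
```

A "Revocation Check" line reporting a fetch failure means clients will also fail hard on services that enforce revocation checking, so fix the CDP before relying on OCSP.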
8. Maintaining Your PKI
1. Backup CA Key & Database
certutil -backupkey C:\CA-Backup
certutil -backupdb C:\CA-Backup
2. Monitor Certificate Expiry
Critical for web servers, SQL, NPS, VPN appliances.
3. Disaster Recovery
You only need:
- CA private key
- CA database
- CA configuration
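Steps 1 and 3 above, as an added example that is not part of the original guide: it captures the three items the guide lists for disaster recovery (private key, database, configuration) in one dated folder with a hash manifest, using the PowerShell equivalent of the certutil commands. It assumes an elevated session on the CA and the guide's C:\CA-Backup path.

```powershell
# Added example, not from the original guide. Run elevated on the CA; uses the
# guide's C:\CA-Backup location. The key backup password is entered interactively.
Import-Module ADCSAdministration

$dest = Join-Path 'C:\CA-Backup' (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. CA private key + database (same result as certutil -backupkey / -backupdb)
$keyPwd = Read-Host -Prompt 'CA key backup password' -AsSecureString
Backup-CARoleService -Path $dest -Password $keyPwd -Force

# 2. CA configuration: the CertSvc registry hive holds CDP/AIA URLs, CRL periods,
#    issued-template list and other settings that certutil does not back up
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    "$dest\CertSvc-Configuration.reg" /y
certutil -CATemplates > "$dest\CATemplates.txt"     # human-readable template list

# 3. Manifest so a truncated or tampered copy is noticed before you need it
Get-ChildItem $dest -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv "$dest\manifest.csv" -NoTypeInformation

# Restore procedure (on a rebuilt CA with the same name, not on a healthy one):
#   Stop-Service CertSvc
#   Restore-CARoleService -Path $dest -Password $keyPwd -Force
#   reg import "$dest\CertSvc-Configuration.reg"
#   Start-Service CertSvc
```

Store the key backup password separately from the backup folder; the .p12 key file is only as protected as that password.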
9. Troubleshooting
1. Auto-Enrollment Not Working
- GPO not applied
- Template not published
- Permission missing (Autoenroll)
2. HTTPS Certificate Not Bindable
- Certificate missing private key
- Missing Server Authentication EKU
3. EAP-TLS Wi-Fi Failure
- No client certificate
- NPS missing server certificate
- Template EKU incorrect
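Items 2 and 3 above, as an added example that is not part of the original guide: it inspects every unexpired certificate in the computer store and reports whether a private key is present and whether the Server Authentication (HTTPS, NPS) or Client Authentication (EAP-TLS device certificate) EKU is carried, so the two certificate-side causes are visible at a glance. The function name Test-CertUsage is my own.

```powershell
# Added example, not from the original guide. Run on the IIS, NPS or client machine
# being troubleshot. Test-CertUsage is a helper written for this example.
$ekuServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ekuClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Test-CertUsage {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect EKU OIDs from the Enhanced Key Usage extension (if present)
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object Value)

    # No EKU extension means "any purpose"; otherwise the specific OID must be present
    $anyPurpose = ($ekus.Count -eq 0)
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        HttpsReady    = $Cert.HasPrivateKey -and ($anyPurpose -or $ekus -contains $ekuServerAuth)
        EapTlsReady   = $Cert.HasPrivateKey -and ($anyPurpose -or $ekus -contains $ekuClientAuth)
        Ekus          = ($ekus -join ' ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    ForEach-Object { Test-CertUsage $_ } |
    Format-Table Subject, HasPrivateKey, HttpsReady, EapTlsReady, NotAfter -AutoSize

# HasPrivateKey = False although the key was generated on this machine usually means
# the certificate/key association was lost; re-link it with:
#   certutil -repairstore my <Thumbprint>
# A wrong EKU cannot be fixed on the client: correct the template's Application
# Policies (Extensions tab), re-publish it, and re-enroll.
```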
Related Articles
- Windows AD Domain Controller Deployment Guide
- Windows DNS Server Complete Guide
- Windows DHCP Server Setup Guide
- Linux Nginx HTTPS Reverse Proxy Guide
— WWFandy・Windows PKI Notes