Managing Active Directory Certificate Services in Server 2022

Posted on 19th June 2023

Overview

Active Directory Certificate Services (AD CS) is a server role in Active Directory Domain Services (AD DS) that allows an enterprise to issue and manage digital certificates. These digital certificates can be used to authenticate users, encrypt communication, and digitally sign code. AD CS provides a platform for implementing public key cryptography, enabling organizations to rely on a strong cryptographic foundation to help protect information.

Installing Active Directory Certificate Services

To install Active Directory Certificate Services (AD CS), use the Add Roles and Features Wizard. This wizard guides you through the steps to install AD CS and its required dependencies.

Before you begin

To complete this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group. If the computer on which you plan to install AD CS is not a domain controller, you must have administrative credentials on the local computer.

To install AD CS

1. Open Server Manager.

2. To open Server Manager, click the Server Manager icon on the desktop, or click Start, click Administrative Tools, and then click Server Manager.

3. In the left pane of Server Manager, click Manage, and then click Add Roles and Features.

4. On the Before you begin page, click Next.

5. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

6. On the Select destination server page, select the server on which you want to install AD CS, and then click Next.

7. On the Select server roles page, select the Active Directory Certificate Services check box, and then click Next.

8. If you are prompted to install additional features that are required for AD CS, click Add Features, and then click Next.

9. On the Select features page, click Next.

10. On the Active Directory Certificate Services page, click Next.

11. On the Confirm installation selections page, review your choices, and then click Install.

12. On the Results page, click Close.
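The same installation can be scripted. The PowerShell below is an added example, not part of the original post: it checks the "Before you begin" prerequisite (membership in Domain Admins or Enterprise Admins, identified by the well-known RIDs 512 and 519 in the current token) and then installs the Certification Authority role service with its management tools; the feature names `ADCS-Cert-Authority` and `ADCS-Web-Enrollment` are the real Server Manager feature names.

```powershell
#Requires -RunAsAdministrator
# Added example: PowerShell equivalent of the Add Roles and Features Wizard steps above.
# Prerequisite from "Before you begin": the installing account must be in Domain Admins
# (RID 512) or Enterprise Admins (RID 519). Group SIDs of trusted domains would also match
# the pattern, so treat this as a sanity check rather than an authorization decision.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupSids = $identity.Groups | ForEach-Object { $_.Value }
$isDomainAdmin     = [bool]($groupSids | Where-Object { $_ -like 'S-1-5-21-*-512' })
$isEnterpriseAdmin = [bool]($groupSids | Where-Object { $_ -like 'S-1-5-21-*-519' })
if (-not ($isDomainAdmin -or $isEnterpriseAdmin)) {
    throw "$($identity.Name) is not a member of Domain Admins or Enterprise Admins"
}

Import-Module ServerManager
# ADCS-Cert-Authority is the Certification Authority role service; -IncludeManagementTools
# also installs the Certification Authority console used in the configuration section.
$result = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $result.Success) {
    throw "AD CS role installation failed: $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the CA can be configured'
}

# Verify the install state of the CA role service and of the Web Enrollment role service,
# which the configuration section relies on.
Get-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment |
    Format-Table Name, DisplayName, InstallState -AutoSize
```

Installing the role does not configure the CA itself; that is still done afterwards through the post-deployment configuration described in the next section.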

Configuring Active Directory Certificate Services

After you install AD CS, you can use the Certification Authority (CA) Web Enrollment pages to configure many CA settings. You can use Web Enrollment to perform the following tasks:

  • Request certificates
  • Renew certificates
  • View certificate revocation lists (CRLs)
  • Publish CRLs
  • Configure CA settings
  • View pending certificate requests
  • View and manage issued certificates

To configure CA Web Enrollment

1. Open the Certification Authority console.

2. In the left pane of the console, expand the node for the CA, and then click Certificate Templates.

3. In the right pane of the console, right-click the Web Server template, and then click Duplicate Template.

4. In the Duplicate Template dialog box, click General.

5. In the Value text box, type a name for the new template, such as Web Server Autoenroll, and then click OK.

6. In the Extensions tab, click Application Policies, and then click Edit.

7. In the Application Policies dialog box, click Server Authentication, and then click Remove.

8. Click OK.

9. In the Certificate Templates console, right-click the new template, and then click Manage.

10. In the Certificate Templates Management dialog box, click Duplicate Template, and then click Active Directory Domain Services.

11. In the Duplicate Template dialog box, click Security.

12. In the Permissions tab, click Authenticated Users, and then click Read.

13. Click OK.

14. In the Certificate Templates Management dialog box, click Close.

15. In the Certification Authority console, in the left pane, click Certificate Templates.

16. In the right pane, right-click the new template, and then click New Certificate Template to Issue.

17. In the Enable Certificate Templates dialog box, click Web Server Autoenroll, and then click OK.

18. In the left pane, click Certificate Authorities.

19. In the right pane, right-click the CA, and then click Properties.

20. In the CA Properties dialog box, click the Policy Module tab.

21. In the Policy Module list, click Certificate Enrollment Policy, and then click Properties.

22. In the Certificate Enrollment Policy dialog box, click the Policy Module tab.

23. In the Policy Module list, click Certificate Enrollment Policy, and then click Properties.

24. In the Certificate Enrollment Policy dialog box, click the Certificate Enrollment Policy tab.

25. In the Certificate Enrollment Policy list, click Web Server Autoenroll, and then click OK.

26. In the CA Properties dialog box, click OK.

27. Close the Certification Authority console.
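Before the duplicated template is relied on, it is worth reading it back from Active Directory and confirming what the steps above produced. The script below is an added example, not part of the original post: it assumes the RSAT ActiveDirectory module is available and that the template was given the display name Web Server Autoenroll from step 5. It reports the template's remaining application policies (step 7 removes Server Authentication, OID 1.3.6.1.5.5.7.3.1), which principals hold Enroll on it and which can modify it, and whether any CA has the template enabled for issuance (steps 16 and 17).

```powershell
#Requires -Modules ActiveDirectory
# Added check: read the duplicated template back from AD and report EKUs, rights and publication.
$templateDisplayName = 'Web Server Autoenroll'   # display name chosen in step 5

$configNC    = (Get-ADRootDSE).configurationNamingContext
$pkiServices = "CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiServices" `
    -Filter "displayName -eq '$templateDisplayName'" `
    -Properties displayName, pKIExtendedKeyUsage, nTSecurityDescriptor
if (-not $tpl) { throw "Template '$templateDisplayName' not found in AD" }

# Application policies (EKUs). Step 7 removes Server Authentication, so it should be absent.
$ekus = @($tpl.pKIExtendedKeyUsage)
"EKUs on $($tpl.Name): $($ekus -join ', ')"
if ($ekus -contains '1.3.6.1.5.5.7.3.1') { Write-Warning 'Server Authentication EKU is still present' }

# Enroll is the Certificate-Enrollment extended right; an ACE with an empty ObjectType that
# grants ExtendedRight (or Full Control) grants every extended right, Enroll included.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl        = $tpl.nTSecurityDescriptor.Access
$enrollers  = $acl | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.ObjectType -eq $enrollGuid -or
        ($_.ObjectType -eq [guid]::Empty -and ([int]($_.ActiveDirectoryRights -band $extRight)) -ne 0)
    )
} | Select-Object -ExpandProperty IdentityReference -Unique
"Principals with Enroll on $($tpl.Name): $($enrollers -join ', ')"

# Principals that can change the template itself rather than only enroll in it
# (step 12 gives Authenticated Users Read only, so they should not appear here).
$editRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'
$editors = $acl | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ([int]($_.ActiveDirectoryRights -band $editRights)) -ne 0
} | Select-Object -ExpandProperty IdentityReference -Unique
"Principals that can modify $($tpl.Name): $($editors -join ', ')"

# Each CA lists the templates it issues (by CN, not display name) in certificateTemplates.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiServices" `
    -Filter "objectClass -eq 'pKIEnrollmentService'" -Properties certificateTemplates
foreach ($ca in $cas) {
    $state = if ($ca.certificateTemplates -contains $tpl.Name) { 'enabled for issuance' } else { 'not enabled' }
    "$($ca.Name): $templateDisplayName is $state"
}
```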

Using Active Directory Certificate Services

Active Directory Certificate Services (AD CS) provides a platform for implementing public key cryptography by using digital certificates. AD CS enables you to create and manage certificates that can be used to authenticate users and secure communication. This section provides an overview of how to use AD CS in your organization.

Requesting Certificates

You can use the Certification Authority (CA) Web Enrollment pages to request certificates. To request a certificate, you must have a valid user account and be a member of a group that has been granted permission to request certificates.

Renewing Certificates

You can use the CA Web Enrollment pages to renew certificates. To renew a certificate, you must have a valid user account and be a member of a group that has been granted permission to request certificates.

Viewing Certificate Revocation Lists

You can use the CA Web Enrollment pages to view certificate revocation lists (CRLs). CRLs are lists of certificates that have been revoked by the CA. You can use CRLs to determine whether a certificate is valid.

Publishing Certificate Revocation Lists

You can use the CA Web Enrollment pages to publish CRLs, so that clients can obtain the current list of certificates the CA has revoked and use it to determine whether a certificate is valid.

Configuring Certificate Settings

You can use the CA Web Enrollment pages to configure the following CA settings:

  • Certificate validity period
  • CRL publication interval
  • OCSP responder URL
  • Certificate database location
  • Certificate database backup location
  • CRL distribution point
  • Certificate renewal period
  • Certificate revocation list (CRL) delta distribution point

Viewing Pending Certificate Requests

You can use the CA Web Enrollment pages to view pending certificate requests. Pending certificate requests are requests for certificates that have not yet been issued by the CA.

Viewing and Managing Issued Certificates

You can use the CA Web Enrollment pages to view and manage the certificates the CA has issued, including the following information about each certificate:

  • Certificate status
  • Certificate expiration date
  • Certificate revocation date
  • Certificate template
  • Certificate issuer
  • Certificate subject
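The pending-request and issued-certificate views above are backed by the CA database, which can also be queried from the command line. The script below is an added example, not part of the original post: it wraps `certutil -view` (run on the CA, or add `-config "<CAHost>\<CAName>"` for a remote CA) to list pending requests, issued certificates that expire within 30 days, and revoked certificates with their revocation date and reason. The column names are the CA database's own Request-table column names, and disposition values 9, 20 and 21 are the CA's pending, issued and revoked states.

```powershell
# Added example: query the CA database behind the "pending" and "issued" views with certutil.
# Disposition 9 = pending, 20 = issued, 21 = revoked.
function Get-CaDbRows {
    param([int]$Disposition, [string[]]$Columns)
    $raw = certutil -view -restrict "Disposition=$Disposition" -out ($Columns -join ',') csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }
    # The csv header carries localized display names, so map the columns positionally.
    $raw | Where-Object { $_ -match '\S' } | Select-Object -Skip 1 | ConvertFrom-Csv -Header $Columns
}

# Pending requests: what a CA manager sees under "View pending certificate requests".
$pending = @(Get-CaDbRows -Disposition 9 -Columns RequestID, RequesterName, CertificateTemplate, SubmittedWhen)
"Pending requests: $($pending.Count)"
$pending | Format-Table -AutoSize

# Issued certificates: status, template, subject and expiration date. certutil prints dates
# in the current culture, so parse them with the current culture rather than a [datetime] cast.
$issued = @(Get-CaDbRows -Disposition 20 -Columns RequestID, RequesterName, CertificateTemplate, CommonName, SerialNumber, NotAfter)
$cutoff   = (Get-Date).AddDays(30)
$expiring = $issued | Where-Object { [datetime]::Parse($_.NotAfter) -lt $cutoff }
"Issued certificates: $($issued.Count); expiring within 30 days: $(@($expiring).Count)"
$expiring | Sort-Object { [datetime]::Parse($_.NotAfter) } |
    Format-Table RequestID, RequesterName, CertificateTemplate, CommonName, NotAfter -AutoSize

# Revoked certificates with their revocation date and reason (what the CRL is built from).
$revoked = @(Get-CaDbRows -Disposition 21 -Columns RequestID, SerialNumber, CertificateTemplate, RevokedWhen, RevokedReason)
"Revoked certificates: $($revoked.Count)"
$revoked | Format-Table -AutoSize
```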