How To Deploy Certificates using Active Directory Certificate Services

In this guide we will explain the steps to deploy certificates using Active Directory Certificate Services (AD CS). AD CS is a Microsoft server role that provides public key infrastructure (PKI) functionality, supports identities, and provides other security functionality in a Windows environment. It creates, validates, and revokes public key certificates for the internal purposes of an organization.

According to Microsoft, Active Directory Certificate Services is a “Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.”

Active Directory Certificate Services (AD CS) provides the Public Key Infrastructure (PKI) functionality that underpins identities and other security functionality on the Windows domain (i.e. file encryption, email encryption, and network traffic encryption).

In this article, we will walk through the steps to deploy certificates using Active Directory Certificate Services.

Getting Started with Active Directory Certificate Services

Install Active Directory Certificate Services (AD CS)

Go to Server Manager, click Add roles and features.

Click on the Next button.

  • Select Role-based and feature-based installation, click on Next.
  • Leave default Server Selection, click on Next.
  • In Server Roles, check Active Directory Certificate Services.
  • Click Add Features on the Server Roles section.
  • Click on Next in the Server Roles section.
  • Click on Next in the Features section.
  • Click on Next in the AD CS section.
  • Check Certification Authority and Certification Authority Web Enrollment in the Role Services section.
  • Click Add Features.
  • Click on Next in the Role Services section.
  • Click on Next in the Server Role section.
  • Click on Next in the Role Services section.
  • Check Restart the destination server automatically if required in the Confirmation section.
  • Click on Yes.
  • Click on Install on Confirmation. It will take some time to install the role.

Configuring AD CS

Click on Configure Active Directory Certificate Services on the destination server.

  • Click on Next in the Credentials section.
  • Select Certification Authority and Certification Authority Web Enrollment in the Role Services section. Click on Next.
  • Select Standalone CA in the Setup Type section. Click on Next.
  • Select Root CA in the CA Type section. Click on Next.
  • Select Create a new private key in the Private Key section. Click on Next.
  • Leave the default setting and click on Next in the Cryptography section.
  • Fill in the Common name for this CA in the CA Name section. Click on Next.
  • It is advised to leave the Validity Period at its default. Click on Next.
  • Click on Next in the Certificate Database section.
  • Click on Configure in the Confirmation section.
  • Click on Close in the Results section after seeing that configuration is successful.
  • After installation, click on Close to close the Add Roles and Features Wizard.
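The two wizards above can also be driven from PowerShell, which is useful when you need the installation to be repeatable or auditable. The following is an added example (not code from the article) that performs the same role installation and CA configuration the steps describe; the CA common name, key parameters and validity period are assumptions that mirror the wizard defaults (RSA 2048, SHA-256, 5 years) and should be replaced with your own values.

```powershell
# Added example, not part of the original article: PowerShell equivalent of the
# Add Roles and Features wizard and the AD CS configuration wizard above.
# Run in an elevated PowerShell session on the server that will host the CA.

# 1. Install the two role services the article selects: Certification Authority
#    and Certification Authority Web Enrollment (the latter pulls in IIS).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure the CA the way the wizard steps do: Standalone CA, Root CA,
#    new private key. The cryptography settings are spelled out rather than
#    left implicit so they appear in the deployment log.
#    Assumption: "ExampleCorp-Root-CA" is a placeholder for your CA common name.
#    -ValidityPeriod/-ValidityPeriodUnits reproduce the wizard default of 5 years.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "ExampleCorp-Root-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# 3. Configure Web Enrollment (the /certsrv site the client uses later).
Install-AdcsWebEnrollment -Force

# 4. Verify: the CA service is running, certutil can see the CA, and the CA's
#    own certificate is present in the machine Personal store.
Get-Service -Name CertSvc | Select-Object Name, Status
certutil -cainfo name
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -like "CN=ExampleCorp-Root-CA*" |
    Format-List Subject, NotAfter, Thumbprint
```

A Standalone Root CA, which is what the article configures, is not integrated with Active Directory: requests submitted to it wait in Pending Requests for an administrator to issue them, and its root certificate must be distributed to clients separately (for example by Group Policy) before the certificates it issues will be trusted. An Enterprise CA would instead require a domain-joined server and Enterprise Admin rights at configuration time.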

Create Certificates

The Creation of Certificates

  1. Go to Server Manager, go to tools on the top right, select Internet Information Services (IIS) Manager.
  2. Expand server name, double-click on Server Certificates.

Click Create Self-Signed Certificate in the right-hand panel.

  • Fill in a friendly name for the certificate, click on OK.
  • Click Create Certificate Request on the right.
  • Fill in the distinguished name properties, click on Next.
  • In the Cryptographic Service Provider Properties, click on Next.
  • Click on the browse button.
  • Create a new directory named Certificate and save the certificate request in this directory.
  • Click on the Finish button.
  • To check the certificate request, go to the Certificate folder and open the certificate request file.
  • After checking the certificate request, go to the Server Manager Dashboard, go to Tools and select Certification Authority.
  • A window will open. Expand the server name, right-click on the server, select All Tasks, then select Submit new request.
  • Go to the Certificate folder and choose the certificate request .txt file.
  • Click on Pending Requests. If the certificate request is not there, right-click and click Refresh.
  • Right-click on the certificate request and select Issue.
  • Click on Issued Certificates and the issued certificate will show. Close this window.
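The request, submit, issue and retrieve steps above map onto the certreq and certutil command-line tools. Below is an added example (not the article's own code) that produces the same result without the IIS and Certification Authority consoles: it writes a request INF, generates the key and PKCS#10 request, submits it to the standalone CA, issues it after an explicit review, and installs the issued certificate against the private key. The CA config string, the subject name, the C:\Certificate working folder and the Exportable setting are assumptions.

```powershell
# Added example (not from the article): command-line equivalent of the
# "Create Certificate Request" and "Submit new request / Issue" steps.
# Run as administrator on the web server. Assumption: the CA is reachable as
# HOSTNAME\CA-Common-Name in the config string below.
$CaConfig = "CASERVER\ExampleCorp-Root-CA"
$WorkDir  = "C:\Certificate"                 # the folder the article creates
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Request template: 2048-bit RSA key in the machine store, digital signature +
# key encipherment (0xA0), server-authentication EKU. Exportable is TRUE only
# because the article later exports the key to a PFX; prefer FALSE when the key
# will only ever live on this server.
$Inf = @"
[NewRequest]
Subject = "CN=web01.example.local, O=Example Corp, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = SHA256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
$InfPath = Join-Path $WorkDir "web01.inf"
$ReqPath = Join-Path $WorkDir "web01.req"
$CerPath = Join-Path $WorkDir "web01.cer"
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request (the request file the article opens).
certreq -new $InfPath $ReqPath

# 2. Submit to the CA. On a standalone CA the request lands in Pending Requests
#    and certreq prints the RequestId needed for the approval step.
$SubmitOutput = certreq -submit -config $CaConfig $ReqPath $CerPath 2>&1 | Out-String
if ($SubmitOutput -notmatch 'RequestId:\s*(\d+)') { throw "Submit failed:`n$SubmitOutput" }
$RequestId = [int]$Matches[1]

# 3. Administrator approval ("right-click > Issue"). Look at who asked for which
#    name before issuing: on a standalone CA this review is the only check.
certutil -config $CaConfig -view -restrict "RequestId=$RequestId" -out "RequestId,RequesterName,CommonName"
certutil -config $CaConfig -resubmit $RequestId

# 4. Retrieve the issued certificate and accept it, which pairs it with the
#    private key created in step 1 so IIS can use it.
certreq -retrieve -config $CaConfig $RequestId $CerPath
certreq -accept $CerPath
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -like "CN=web01.example.local*" |
    Format-List Subject, Thumbprint, HasPrivateKey
```

If `HasPrivateKey` is False after `certreq -accept`, the certificate was accepted on a different machine from the one that generated the request; the private key never leaves the machine where `certreq -new` ran.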

How to Import and Export Certificates

  1. Go to Run, type MMC, then press Enter.
  2. Click on File, click on Add/Remove Snap-in.
  • Select Certificates, click on Add.
  • Select the Computer account radio button, click on Next.
  • Click on Finish.
  • Click on OK.
  • Expand Certificates, expand Personal, select Certificates.
  • Select the certificate and right-click on it. Click on All Tasks, click on Export.
  • The Certificate Export Wizard will open, click on Next.
  • Select the Yes, export the private key radio button. Click on Next.
  • Select the Personal Information Exchange radio button, check Include all certificates in the certification path if possible and Enable certificate privacy, then click on Next.
  • Check the Password option, fill in a password, click on Next.
  • Click on the browse button and save the certificate in the Certificate folder.
  • Click on Next to export the certificate.
  • Click on the Finish button once done and then click on OK. Close this window and click on Yes.
  • Enter certificate as the file name and click Save.
  • Open the Certificate folder and check the saved certificate.
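The same export, and the matching import on the destination machine, can be done with the PKI module cmdlets. The following added example (not from the article) exports the certificate with its private key and chain to a password-protected PFX, exports a public-only .cer for clients, locks down the PFX on disk, and verifies the PFX contents; the subject filter, file paths and the decision to prompt for the password are assumptions.

```powershell
# Added example, not from the article: PowerShell equivalent of the MMC
# Certificate Export Wizard (PFX with private key and chain) and of the import
# on another machine. Subject filter and paths are assumptions.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=web01.example.local*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with a private key found for web01.example.local" }

# Prompt for the password rather than hard-coding it: the PFX contains the private key.
$PfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$PfxPath = "C:\Certificate\web01.pfx"

# "Include all certificates in the certification path" = -ChainOption BuildChain.
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null

# Public certificate only (no private key), safe to hand to clients and other servers.
Export-Certificate -Cert $Cert -FilePath "C:\Certificate\web01.cer" -Type CERT | Out-Null

# The PFX is only as safe as its password and its ACL: drop inherited permissions
# and leave access to Administrators and SYSTEM only.
icacls $PfxPath /inheritance:r /grant:r "Administrators:F" "SYSTEM:F" | Out-Null

# Verify the export: the PFX should open with the password, contain the end-entity
# certificate with its private key, and carry the chain certificates.
$Check = Get-PfxData -FilePath $PfxPath -Password $PfxPassword
$Check.EndEntityCertificates | Format-List Subject, Thumbprint, HasPrivateKey
$Check.OtherCertificates     | Format-List Subject

# On the destination server, import into the machine Personal store. Leaving out
# -Exportable means the key cannot be exported again from that machine.
# Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
```

Delete the PFX from the Certificate folder once it has been imported where it is needed; a lingering PFX plus a reused password is the usual way a server key ends up copied somewhere it should not be.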

Certificate Binding using IIS

  • Go to Server Manager. Go to Tools, select Internet Information Services (IIS) Manager.
  • A window will open. Expand the server name, expand Sites, select the site, and click on Bindings on the right-hand side.
  • Click on the Add button.
  • Select HTTPS from the dropdown, select your SSL certificate, click on OK.
  • Click on the Close button.

Enabling SSL

Double-click on SSL Settings.

Check Require SSL, set Client certificates to Accept, click on Apply and then close the window.
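The binding and SSL Settings steps above correspond to the WebAdministration module. Below is an added example (not the article's code) that adds an https binding, attaches the server certificate to it, sets Require SSL with client certificates set to Accept as the article does, and then checks what HTTP.sys and IIS actually have configured; the site name and certificate subject are assumptions.

```powershell
# Added example (not from the article): WebAdministration equivalents of
# Site Bindings > Add (https, choose certificate) and SSL Settings > Require SSL.
# Assumptions: the site is "Default Web Site" and the certificate subject is
# web01.example.local.
Import-Module WebAdministration
$SiteName = "Default Web Site"

$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=web01.example.local*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No usable server certificate with a private key found" }

# Add an https binding on 443 if the site does not already have one.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress "*"
}

# Attach the certificate to the binding (the "select your SSL certificate" step).
$Binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
$Binding.AddSslCertificate($Cert.Thumbprint, "My")

# Require SSL with client certificates "Accept" = sslFlags "Ssl,SslNegotiateCert".
# Plain http requests to the site are then rejected with 403.4 instead of served.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter "system.webServer/security/access" -Name sslFlags -Value "Ssl,SslNegotiateCert"

# Verify: what HTTP.sys has bound on 443, and what IIS will enforce for the site.
netsh http show sslcert ipport=0.0.0.0:443
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter "system.webServer/security/access" -Name sslFlags

# Smoke test from a machine that trusts the CA's root certificate.
Invoke-WebRequest -Uri "https://web01.example.local/" -UseBasicParsing | Select-Object StatusCode
```

The `netsh http show sslcert` line is the check worth keeping: IIS Manager shows which certificate you picked, but HTTP.sys is what clients actually negotiate with, and the two can disagree after a certificate renewal or a restore.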

Request Browser Protection Certificates from Client

Go to the client machine and log in as a user. Open Internet Explorer, type https://<server name>.<domain name>/certsrv and press Enter.

  • Click on Continue to this website.
  • Click on Request a certificate.
  • Click on Web Browser Certificate and then click on Yes.
  • Fill in the web-browser certificate identifying information then submit.
  • A Request ID is generated.

Request Email Protection Certificates from Client

  • Click Home.
  • Click Request a certificate.
  • Click on Email Protection Certificate.
  • Click on Yes.
  • Fill in the email protection certificate identifying information and then submit.
  • A Request ID is generated; click Home.
  • Click View the status of pending certificate requests.
  • Check that the certificate request is shown as pending, then click Home.

Deploy Certificates

Issue Certificates

Go to Server Manager, go to Tools, click Certification Authority.

Expand the server name, click on Pending Requests, and check that these are the certificate requests submitted from the client machine.

Right-click on each request and select Issue.

Click on Issued Certificates to confirm they have been issued.
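The check in the step above (are these really the requests the client submitted?) is the only approval gate a standalone CA has, so it is worth doing deliberately rather than issuing everything in the queue. The following added example (not from the article) lists the pending queue with requester, name and submission time, issues the requests you have matched to the client and denies the ones you cannot account for, then confirms the resulting dispositions. The CA config string and the request IDs are assumptions.

```powershell
# Added example, not from the article: reviewing the Pending Requests queue from
# the command line before issuing. Assumption: CA config string and RequestIds.
$CaConfig = "CASERVER\ExampleCorp-Root-CA"

# Disposition 9 = pending. Show who requested what, and when, before deciding.
certutil -config $CaConfig -view -restrict "Disposition=9" `
    -out "RequestId,RequesterName,CommonName,SubmittedWhen"

# Decide per request. Issue the ones matched to the client's Web Browser and
# Email Protection requests; deny anything nobody can account for so it does not
# sit in the queue waiting for a less careful administrator.
$Approve = @(7, 8)   # assumption: the two RequestIds the client machine reported
$Deny    = @(9)      # assumption: a request with no known origin
foreach ($id in $Approve) { certutil -config $CaConfig -resubmit $id }
foreach ($id in $Deny)    { certutil -config $CaConfig -deny $id }

# Confirm: Disposition 20 = issued, 31 = denied.
certutil -config $CaConfig -view -restrict "RequestId>=7,RequestId<=9" `
    -out "RequestId,Disposition,RequesterName,CommonName"
```

RequesterName on a standalone CA with Web Enrollment reflects the account the web site ran the request under, which is why reading CommonName and SubmittedWhen alongside it, and comparing them with the Request IDs the client was shown, matters more than on an Enterprise CA where templates and permissions do part of this work.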

Installing Certificates on Client Machine

Go to the client machine and log in as a user. Open Internet Explorer, type https://<server name>.<domain name>/certsrv and press Enter.

  • Click on View the status of pending certificate requests.
  • Click on Web Browser Certificate and then click on the Yes button.
  • Click Install this certificate.

The certificate is installed successfully; click Home. Similarly, follow the same steps for the Email Protection Certificate, namely:

  • Click View the status of pending certificate requests.
  • Click on Email Protection Certificate and then click on the Yes button.
  • Click Install this certificate.

The certificate is installed successfully, and your Active Directory Certificate Services deployment is working. Next, try deploying your certificates to users via Active Directory Group Policy. Microsoft has the following guide on deploying certificates using Group Policy:
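"Installed" and "usable" are not the same thing: a certificate issued by a standalone root only validates on a client that trusts that root. The following added example (not the article's code) runs on the client and checks the two user certificates installed above for their EKU and for a valid chain, then shows whether the CA's root certificate is present in the client's trusted root stores. The CA name is an assumption.

```powershell
# Added example, not from the article: on the client, confirm that the Web Browser
# and Email Protection certificates installed via /certsrv chain to a trusted root.
# Assumption: "ExampleCorp-Root-CA" is a placeholder for your CA's common name.
$CaName = "ExampleCorp-Root-CA"
$Certs  = Get-ChildItem Cert:\CurrentUser\My | Where-Object Issuer -like "CN=$CaName*"
if (-not $Certs) { Write-Warning "No certificates issued by $CaName in the user store"; return }

# EKU OIDs: 1.3.6.1.5.5.7.3.2 = client authentication (Web Browser certificate),
#           1.3.6.1.5.5.7.3.4 = secure email (Email Protection certificate).
foreach ($c in $Certs) {
    $eku = ($c.EnhancedKeyUsageList | ForEach-Object ObjectId) -join ","
    # Test-Certificate builds and validates the chain as the current user; it
    # returns $false (and writes an error) on an untrusted root or expiry.
    $ok  = Test-Certificate -Cert $c -User -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject    = $c.Subject
        EKU        = $eku
        NotAfter   = $c.NotAfter
        ChainValid = [bool]$ok
    }
}

# ChainValid = False almost always means the standalone root's certificate is not
# in the client's Trusted Root store; check both the user and machine stores.
Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object Subject -like "CN=$CaName*" |
    Select-Object PSParentPath, Subject, Thumbprint, NotAfter
```

When the root is missing, the fix is to distribute the CA's public certificate (the .cer exported earlier) to the Trusted Root Certification Authorities store, which is exactly what the Group Policy deployment referred to above does at scale; importing it by hand on one client is fine for a lab but does not scale and leaves no record of which machines trust the CA.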

In this article, we learned how to install and configure Active Directory Certificate Services. Then we saw how to create certificates, import and export them, bind them to a site in IIS, enable SSL, and request browser protection and email protection certificates from a client. Finally, we learned how to issue the certificates and install them on the client machine.

Emad Bin Abid

I'm a software engineer who has a bright vision and a strong interest in designing and engineering software solutions. I readily understand that in today's agile world the development process has to be rapid, reusable, and scalable; hence it is extremely important to develop solutions that are well-designed and embody a well-thought-of architecture as the baseline. Apart from designing and developing business solutions, I'm a content writer who loves to document technical learnings and experiences so that peers in the same industry can also benefit from them.
