
Set Up Active Directory Certificate Services

By Admin · Mar 15, 2026 · Updated Apr 23, 2026

Active Directory Certificate Services (AD CS) provides a public key infrastructure (PKI) for issuing and managing digital certificates within your organization. You can issue SSL/TLS certificates for internal servers, user authentication certificates, code signing certificates, and more — all managed centrally. This guide covers deploying an enterprise CA on your Windows Server VPS.

Install AD CS Role

# Install Certification Authority and Web Enrollment
Install-WindowsFeature -Name AD-Certificate, ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Configure as Enterprise Root CA
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "Corp Enterprise Root CA" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -Force

# Install Web Enrollment
Install-AdcsWebEnrollment -Force

# Verify the CA service is running and inspect the CA configuration
Get-Service CertSvc
certutil -cainfo

Create Certificate Templates

# Duplicate and customize the Web Server template
# The duplication itself is done in the Certificate Templates Console (certtmpl.msc);
# finding the new template and publishing it on the CA can be scripted:

# List templates available in Active Directory
certutil -template | Select-String "TemplatePropCommonName"

# Show the AD definition of a template
certutil -dstemplate "WebServer"

# Publish the duplicated template on the CA (use the template common name, not its display name)
Add-CATemplate -Name "CustomWebServer" -Force

# Confirm which templates the CA will now issue
Get-CATemplate

# Configure auto-enrollment via GPO
# Computer Config > Windows Settings > Security Settings > Public Key Policies
# > Certificate Services Client - Auto-Enrollment
# Set to Enabled, check "Renew expired certificates" and "Update certificates"

Issue Certificates

# Request a certificate via PowerShell (template common name; -Url ldap: locates the enrollment service through AD)
$cert = Get-Certificate -Template "WebServer" `
    -DnsName "intranet.corp.example.com", "www.corp.example.com" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -Url "ldap:"

# Or create a request file manually
$inf = @"
[NewRequest]
Subject = "CN=intranet.corp.example.com, O=Corp, L=New York, S=NY, C=US"
KeyLength = 2048
KeySpec = 1
; 0xA0 = digitalSignature + keyEncipherment
KeyUsage = 0xA0
MachineKeySet = TRUE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
[RequestAttributes]
; an enterprise CA rejects a request that names no template
CertificateTemplate = WebServer
[Extensions]
; 2.5.29.17 = Subject Alternative Name
2.5.29.17 = "{text}"
_continue_ = "dns=intranet.corp.example.com&"
_continue_ = "dns=www.corp.example.com&"
"@

New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
$inf | Set-Content "C:\temp\cert-request.inf"
certreq -new "C:\temp\cert-request.inf" "C:\temp\cert-request.req"

# Submit the request
certreq -submit -config "dc1.corp.example.com\Corp Enterprise Root CA" "C:\temp\cert-request.req" "C:\temp\cert.cer"

# Install the issued certificate
certreq -accept "C:\temp\cert.cer"

Manage Issued Certificates

# List all issued certificates (Get-IssuedRequest comes from the community PSPKI module)
Get-IssuedRequest -CertificationAuthority "dc1.corp.example.com\Corp Enterprise Root CA"

# Or via certutil (disposition 20 = issued)
certutil -view -restrict "disposition=20" -out "RequestID,CommonName,NotAfter" csv

# Revoke a certificate by its serial number (placeholder below; take it from the -view output)
# Reason codes: 0=Unspecified, 1=KeyCompromise, 2=CACompromise, 3=AffiliationChanged,
# 4=Superseded, 5=CessationOfOperation, 6=CertificateHold
certutil -revoke "<SerialNumber>" 0

# Publish an updated CRL so clients learn about the revocation
certutil -CRL

Certificate Revocation

# Configure CRL distribution point (CDP) and authority information access (AIA) URLs.
# The <...> tokens are the standard AD CS placeholders the CA expands when it publishes;
# the CA also needs a file/UNC publish location that the web server exposes as /CertEnroll.
$crlDistPoint = "http://pki.corp.example.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"
$aiaPath = "http://pki.corp.example.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt"
Add-CACrlDistributionPoint -Uri $crlDistPoint -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri $aiaPath -AddToCertificateAia -Force

# Review the configured CDP and AIA entries
Get-CACrlDistributionPoint
Get-CAAuthorityInformationAccess

# Set CRL publication interval: full CRL weekly, delta CRL daily
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 1

# Restart CA service so the CDP/AIA and CRL settings take effect
Restart-Service CertSvc

# Enable OCSP (Online Certificate Status Protocol) for real-time status checks
Install-WindowsFeature -Name ADCS-Online-Cert
Install-AdcsOnlineResponder -Force

Backup and Recovery

# Backup the CA
$backupDir = "D:\CABackup\$(Get-Date -Format 'yyyyMMdd')"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Backup CA database and private key; prompt for the password instead of embedding it in the script
$backupPassword = Read-Host -Prompt "CA backup password" -AsSecureString
Backup-CARoleService -Path $backupDir -KeepLog -Password $backupPassword

# Export CA certificate
certutil -ca.cert "$backupDir\CA-cert.cer"

# Restore CA (disaster recovery)
# Restore-CARoleService -Path $backupDir -Password (Read-Host -Prompt "CA backup password" -AsSecureString)

Best Practices

  • Use a two-tier PKI for production: offline root CA and online issuing CA
  • Set key length to 4096-bit RSA or ECC P-384 for the root CA
  • Configure auto-enrollment via GPO to automate certificate deployment
  • Publish CRL and AIA to HTTP locations accessible by all clients
  • Enable OCSP for real-time certificate status checking
  • Back up the CA regularly — losing the CA private key is catastrophic
  • Monitor certificate expiration and set up alerts for upcoming expirations
  • Secure CA private keys — consider HSMs for production root CAs
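The expiration-monitoring bullet above and the certutil -view query from Manage Issued Certificates, worked into a script: this is an added example, not code from the original guide. Get-ExpiringCaCertificate is a name chosen here; it assumes it runs on the CA (local database) or is given a -Config string in the host\CA form used elsewhere in this guide.

```powershell
# Added example (not part of the original guide): report issued certificates that
# expire within a window so they can be renewed or alerted on before they fail.
function Get-ExpiringCaCertificate {
    param(
        [int]$Days = 30,         # alert window in days
        [string]$Config = ""     # e.g. "dc1.corp.example.com\Corp Enterprise Root CA"; empty = local CA
    )
    $cuArgs = @("-view")
    if ($Config) { $cuArgs += @("-config", $Config) }
    # Disposition 20 = issued; revoked certs are 21 and drop out, expired ones stay 20
    $cuArgs += @("-restrict", "disposition=20",
                 "-out", "RequestID,CommonName,NotAfter,SerialNumber", "csv")
    $rows = & certutil @cuArgs | ConvertFrom-Csv
    $now = Get-Date
    $cutoff = $now.AddDays($Days)
    foreach ($row in $rows) {
        # certutil labels CSV columns with display names; read them positionally
        # in the order passed to -out rather than depending on those labels
        $v = @($row.PSObject.Properties | ForEach-Object { $_.Value })
        $notAfter = [datetime]::Parse($v[2])
        if ($notAfter -le $cutoff) {
            [pscustomobject]@{
                RequestID    = [int]$v[0]
                CommonName   = $v[1]
                SerialNumber = $v[3]
                NotAfter     = $notAfter
                # negative DaysLeft = already expired but still sitting in the CA database
                DaysLeft     = [int][math]::Floor(($notAfter - $now).TotalDays)
            }
        }
    }
}

# Usage: what expires within 30 days, soonest first; warn when something has already lapsed
$expiring = Get-ExpiringCaCertificate -Days 30 | Sort-Object NotAfter
$expiring | Format-Table RequestID, CommonName, NotAfter, DaysLeft -AutoSize
if ($expiring | Where-Object DaysLeft -lt 0) {
    Write-Warning "Expired certificates remain in the CA database; renew or revoke them"
}
```

Run it from a scheduled task on the CA and forward the warning to your monitoring system; the serial numbers in the output are what certutil -revoke expects.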
