Step by Step Active Directory Certificate Service – Part 1


Microsoft Active Directory Certificate Service (AD CS) provides an infrastructure for securely issuing and managing certificates in your public key infrastructure. Active Directory Certificate Service can also be leveraged to authenticate computers, users or devices on the corporate network, based on your infrastructure security requirements.

In this blog series, we will set up a single-server AD CS on a domain-joined machine and configure Active Directory Group Policy to auto-enroll the certificate on one OU. Please note that this is a single-server deployment; enterprise deployments of Active Directory Certificate Service require detailed planning and design of the solution.

To secure the AD CS infrastructure, it is highly recommended to deploy a subordinate certificate authority and shut down your root certificate authority.

Active Directory Certificate Service design options are discussed on TechNet. AD CS includes programmable interfaces so that developers can create support for additional transports, policies, and certificate properties and formats. The Active Directory Certificate Service architecture, which helps in customizing AD CS, is defined here.

Step by Step Active Directory Certificate Service Role Installation

Below is a step-by-step Active Directory Certificate Service role installation guide to deploy the services.

  • Log in to the Active Directory Certificate Service server and launch Server Manager
  • In Server Manager, click on Add Roles and Features

  • Click Next on the following screen

  • By default, Role-based or feature-based installation is selected; click Next

  • Select the server on which you want to install this role and click Next

  • Select Active Directory Certificate Service. Click on Add Features in the pop up window and click on Next


  • Click on Next, as we don’t need to install any additional features for AD CS

  • Click Next on the AD CS page


  • On the Role Services page, select Certificate Authority and click Next


  • Click Install to start the installation process


  • Once the installation is completed, click on Close to exit the wizard.

Configure Active Directory Certificate Service

We now have the Active Directory Certificate Service server role installed. The next step is to perform the post-installation steps and configure Active Directory Certificate Service. To do so, perform the following steps.

  • Click on Configure Active Directory Certificate Services on the target computer. This will open a configuration wizard for the certificate authority

  • Provide the credentials of a user account that has Enterprise Admin and Local Admin rights and click Next

  • Select the role service to configure. We are setting up Certificate Authority


  • As we are using a domain-joined machine and setting up for domain infrastructure, select Enterprise CA and click Next

  • As it’s our first Active Directory Certificate Services server, select Root CA and click Next

  • Select “Create a new private key” and click Next

  • Select your cryptography options and click Next

We are using SHA256, as SHA1 is deprecated by all browsers and Microsoft Server Authentication.

  • The CA name will be populated automatically; click Next

  • Define the validity period and click Next


  • Specify the database location for certificates and click Next


  • Review the configuration and click Configure


  • Once the configuration is completed, click on Close to exit the configuration wizard.
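
The installation and configuration steps above can also be scripted and then checked. The following PowerShell is an added example, not part of the original post; the key length, key storage provider, validity period and database paths are assumed values to adjust for your environment.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Run in an elevated PowerShell session on the domain-joined server, signed in
# with an account that has Enterprise Admin and local admin rights.

# Role installation: the Certification Authority role service and its tools.
$feature = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $feature.Success) {
    throw 'AD CS role installation failed.'
}

# Post-installation configuration. A new private key is generated because no
# existing key or certificate is supplied. The CA name is left to its default,
# as in the wizard.
$caParams = @{
    CAType              = 'EnterpriseRootCA'   # Enterprise CA + Root CA
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'  # assumption
    KeyLength           = 2048                 # assumption
    HashAlgorithmName   = 'SHA256'             # SHA256 rather than SHA1, as in the post
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5                    # assumption
    DatabaseDirectory   = "$env:SystemRoot\System32\CertLog"  # assumption
    LogDirectory        = "$env:SystemRoot\System32\CertLog"  # assumption
}
Install-AdcsCertificationAuthority @caParams -Force

# Check 1: the CA service (CertSvc) must be running after configuration.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') {
    throw "CertSvc is in state '$($svc.Status)'; the CA did not start."
}

# Check 2: confirm the CA signs with SHA256 and did not fall back to SHA1.
$hashSetting = certutil -getreg ca\csp\CNGHashAlgorithm
if ($hashSetting | Select-String -SimpleMatch 'SHA256') {
    Write-Output 'CA signing hash algorithm is SHA256.'
} else {
    Write-Warning 'CA is not configured for SHA256; review the CNGHashAlgorithm value.'
    $hashSetting
}
```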


In this article of the Active Directory Certificate Services series, we have successfully installed Active Directory Certificate Services and completed the post-installation tasks. In part 2 of this series, we will configure the certificate template and Group Policy for certificate authority auto-enrollment.
