Microsoft Active Directory Certificate Service

Nowadays most corporates use Microsoft Active Directory Services. To protect their data they use SSL/TLS certificates on servers, certificate-based authentication for applications, and Digital Signature Certificates (DSC) to sign and encrypt documents and emails, obtained from public certifying authorities such as DigiCert, GlobalSign, Entrust and Let’s Encrypt. The underlying technology here is Public Key Infrastructure (PKI).

Many are not aware that, using Microsoft Active Directory Certificate Services, a corporate can set up its own Certifying Authority (CA).

This leads to questions like – Is it easy or difficult? Is it cost effective? Is it sustainable? What hardware and resources (including PKI experts) are required to set it up?

In general, our view is that though it is part of the Microsoft Active Directory framework, and hence free, it is not for the faint hearted. We have done some research on the subject and have hit upon useful articles that start from the beginning and go on to explain the difficulties faced by users. Let’s get going.

  1. Is Active Directory Certificate Services (AD CS) a PKI? 

    “AD CS isn’t technically a PKI; it provides a platform to build and implement a PKI. AD CS is linked to Active Directory, a Windows server that acts as a database. AD CS gives you the ability to build a PKI to push out certificates to devices on the network.

    Getting AD CS to issue certificates onto every device sounds like an arduous task, which it can be if done manually….”

    Article discusses topics like – Can I use AD CS with my Mobile Device Management (MDM) Software? Downsides with AD CS. Migrating from AD CS to the Cloud. Can I still Use AD CS After Migrating to Azure AD?

  2. How to setup Microsoft Active Directory Certificate Services [AD CS]

    “Microsoft Active Directory Certificate Services [AD CS] provides a platform for issuing and managing public key infrastructure [PKI] certificates. On top of securing application and HTTP traffic the certificates that AD CS provides can be used for authentication of computer, user, or device accounts on a network.

    In this post I will be setting up a single AD CS server on my domain and configuring group policy to auto enroll my servers. For an enterprise environment you will deploy subordinate CAs and shut down your root CA for security…”
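    The single-server lab setup the excerpt describes, as an added example (not code from the quoted article): install the role, configure an Enterprise Root CA, and switch on machine auto-enrollment. The CA name, validity period and template name are constructed placeholders; it assumes an elevated PowerShell session on a domain-joined Windows Server with Enterprise Admin rights.

```powershell
# Added example: single-tier lab CA plus auto-enrollment. Not production guidance;
# the excerpt itself notes production uses an offline root with subordinate CAs.

# 1. Install the AD CS role and its management tools.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure this server as an Enterprise Root CA.
#    "LAB-ROOT-CA" and the 10-year validity are placeholder values.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "LAB-ROOT-CA" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# 3. Enable machine auto-enrollment. In a domain this is the GPO
#    "Certificate Services Client - Auto-Enrollment" (Computer Configuration >
#    Policies > Windows Settings > Security Settings > Public Key Policies);
#    the GPO writes this registry value, set here directly for one machine.
#    AEPolicy = 7: enroll, renew expired, update pending, remove revoked.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name AEPolicy -Value 7 -Type DWord

# Auto-enrollment only fires for templates whose ACL grants the computer
# (e.g. Domain Computers) both Enroll and Autoenroll, and that are published
# on the CA. Publish a (placeholder) template named "LabComputer":
Add-CATemplate -Name "LabComputer" -Force

# 4. Trigger auto-enrollment now instead of waiting for the next policy refresh.
certutil -pulse

# 5. Verify: CA answers, and this machine now holds a certificate it issued.
certutil -ping
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like '*LAB-ROOT-CA*' } |
    Select-Object Subject, NotAfter, Thumbprint
```

    The template must already exist in AD (the built-in ones can be duplicated in the Certificate Templates console); `Add-CATemplate` only publishes it on this CA.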

  3. Using the Microsoft Certificate Authority to get rid of those self-signed certs

    “Most every application we run in our datacenters today provides some sort of web-based interface. The push to move to HTML5, API driven GUIs is a good one – we can access things from anywhere, using any device or browser. The problem being we are also seeing a push for security, more specifically ensuring that all our web accessible interfaces are running through SSL and only accessed through https. With this we are seeing a lot of applications providing users the ability to generate self-signed certificates to get the job done. While this is ok, you may be thrown off and annoyed by the constant nagging from modern browsers such as Chrome, Firefox, and Edge – having to accept the self-signed cert bypassing some scary messages. To get around this administrators can go out and purchase a certificate from a trusted authority, however this could get pretty expensive if you start adding up all of the self-signed certificates within your environment. Another answer – the Microsoft Certificate Server.

    Microsoft Certificate Server is just a role that we add to a server within our Active Directory environment. What it does is allow us to essentially turn that server into a trusted authority for our domain – meaning we can request and issue certificates from it, install them on our member servers, and we will no longer be nagged by warnings and messages. Instead, we can browse with the assurance that our environment is truly secure. So, with that, let’s dive in to how to get the Certificate Server installed, as well as how to request and install a certificate issued from it on one of our IIS instances.”

    Article discusses – Installing and Configuring the Microsoft Certificate Server, and Requesting and Generating Certificates.

  4. Report: Active Directory Certificate Services a big security blind spot on enterprise networks

    “Microsoft’s Active Directory PKI component commonly has configuration mistakes that allow attackers to gain account and domain-level privileges.

    As the core of Windows enterprise networks, Active Directory, the service that handles user and computer authentication and authorization, has been well studied and probed by security researchers for decades. Its public key infrastructure (PKI) component, however, has not received the same level of scrutiny and, according to a team of researchers, deployments are rife with serious configuration mistakes that can lead to account and domain-level privilege escalation and compromise…”

    Article discusses – How AD CS works, Abusing AD CS misconfigurations, Theft of existing certificates, Account persistence through certificates, Domain escalation and persistence.

For additional information please visit “Windows Certificate Authority”.


How good is Microsoft Active Directory Certificate Service (AD CS) as Enterprise CA?