M13: Certificate Services (PKI)

Active Directory Certificate Services (AD CS) provides a Public Key Infrastructure for issuing and managing digital certificates.

What You'll Learn

  • PKI fundamentals and trust models
  • CA hierarchy (Root, Intermediate, Issuing)
  • Certificate templates
  • Certificate enrollment methods
  • Revocation and CRL management

Prerequisites

  • Windows Server fundamentals
  • Active Directory (M02)
  • Group Policy basics (M10)
  • Basic cryptography concepts
Enterprise Reality: PKI is the foundation of enterprise security - enabling SSL/TLS, smart card authentication, code signing, email encryption, and secure WiFi.
Diagram: PKI is a chain of trust built on asymmetric crypto. Root CA (trust anchor) → Issuing CA → web.corp.local, user smartcard, RADIUS server. Trust the Root and you trust its children; verify signatures up the chain.

PKI Fundamentals

Public Key Infrastructure uses asymmetric cryptography to establish trust.

Key Concepts

  • Public Key: Shared openly for encryption/verification
  • Private Key: Secret key for decryption/signing
  • Certificate: Binds identity to public key
  • CA: Trusted authority that issues certificates

Certificate Uses

  • SSL/TLS (web server security)
  • Code signing
  • Email encryption (S/MIME)
  • Smart card authentication
  • IPsec / VPN
# View certificate details
Get-ChildItem Cert:\LocalMachine\My | Format-List Subject, Issuer, NotAfter, Thumbprint

How Certificates Work

Understanding the trust chain and certificate validation process.

Certificate Contents

  • Subject: Identity being certified (CN, O, OU)
  • Issuer: CA that signed the certificate
  • Serial Number: Unique identifier from CA
  • Validity Period: Not Before / Not After dates
  • Public Key: Subject's public key
  • Extensions: Key Usage, EKU, SAN, CDP, AIA

Certificate Validation

  • Build certificate chain to trusted root
  • Verify each signature in the chain
  • Check validity dates (not expired)
  • Check revocation status (CRL/OCSP)
  • Verify name matches (subject/SAN)
  • Verify key usage is appropriate
Key Insight: A certificate is only as trustworthy as the CA that issued it. If any CA in the chain is compromised, all certificates it issued become untrustworthy.
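The six validation steps above, carried out with the Windows chain engine. This is an added example, not code from the course page; the certificate path, the expected host name and the default Server Authentication EKU are placeholders.

```powershell
# Added example (not part of the course page): run the validation steps listed above
# against a certificate file using the Windows chain engine (System.Security.Cryptography).
# The file path and expected host name are placeholders.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory)] [string] $Path,        # DER or Base64 .cer file
        [string] $ExpectedDnsName,                       # name the client will connect to
        [string] $RequiredEku = '1.3.6.1.5.5.7.3.1'     # Server Authentication (default purpose to check)
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Revocation: check the whole chain online (CRL/OCSP) and fail closed if the check
    # cannot be performed; the default would only check the leaf.
    $chain.ChainPolicy.RevocationMode    = 'Online'
    $chain.ChainPolicy.RevocationFlag    = 'EntireChain'
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'
    $chain.ChainPolicy.VerificationTime  = Get-Date

    # Build the chain to a trusted root; this verifies every signature and validity period.
    $chainOk  = $chain.Build($cert)
    $problems = @()
    foreach ($status in $chain.ChainStatus) {
        $problems += "$($status.Status): $($status.StatusInformation.Trim())"
    }

    # Name check: Subject CN plus any DNS entries in the Subject Alternative Name extension.
    if ($ExpectedDnsName) {
        $names = @($cert.GetNameInfo('DnsName', $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        $nameOk = $names | Where-Object {
            $_ -eq $ExpectedDnsName -or ($_.StartsWith('*.') -and $ExpectedDnsName -like $_)
        }
        if (-not $nameOk) {
            $problems += "Name mismatch: expected $ExpectedDnsName, certificate names: $($names -join ', ')"
        }
    }

    # Key usage check: the certificate must carry the EKU for the purpose it is used for.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) {
        $problems += 'No EKU extension (valid for any purpose; broader than needed)'
    } elseif (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequiredEku })) {
        $problems += "Required EKU $RequiredEku not present"
    }

    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        ChainLength = $chain.ChainElements.Count
        TrustAnchor = $root
        Valid       = ($chainOk -and $problems.Count -eq 0)
        Problems    = $problems
    }
}

Test-CertificateChain -Path 'C:\certs\portal.cer' -ExpectedDnsName 'portal.hexworth.local' | Format-List
```

Setting RevocationFlag to EntireChain matters: the default checks only the end-entity certificate, so a revoked Issuing CA certificate would go unnoticed. Any entry in Problems is a reason to distrust the certificate, which is exactly the Key Insight above.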
Diagram: a certificate is a public key + identity + CA signature. Example X.509 certificate: Subject: CN=web.corp.local, O=Corp Inc, C=US; Issuer: CN=Corp Issuing CA; Valid: 2024-01-01 → 2025-01-01; Public Key: RSA 2048; Extensions: KeyUsage=DigSig,KeyEnc, EKU=ServerAuth; CA Signature: 3a:f9:c2:4b:7d:e8:... (proof of issuance). The client verifies the signature against the CA's known public key.

Certificate Purposes

Certificates serve different purposes, controlled by their Key Usage and Enhanced Key Usage (EKU) extensions.

Key Usage

  • Digital Signature: Sign data, authenticate
  • Key Encipherment: Encrypt symmetric keys
  • Data Encipherment: Encrypt data directly
  • Certificate Signing: Sign other certificates (CA only)
  • CRL Signing: Sign revocation lists

Enhanced Key Usage (EKU)

  • Server Authentication: SSL/TLS web server
  • Client Authentication: User/machine auth
  • Code Signing: Software integrity
  • Secure Email: S/MIME encryption/signing
  • Smart Card Logon: Certificate-based auth
  • OCSP Signing: Revocation response signing
Security Principle: Always issue certificates with the minimum required key usage. A certificate with too many EKUs is a broader security risk if compromised.
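A way to audit a store against the principle above: report the Key Usage and EKUs of every certificate and flag the ones with broader purposes than they need. Added example, not code from the course page; the store path and the two-EKU threshold are arbitrary assumptions.

```powershell
# Added example (not part of the course page): report the purposes of every certificate
# in a store and flag ones broader than the security principle above allows.
# The store path and the threshold of two EKUs are arbitrary assumptions.
function Get-CertificatePurposeReport {
    param(
        [string] $StorePath   = 'Cert:\LocalMachine\My',
        [int]    $MaxEkuCount = 2
    )
    $anyPurpose = '2.5.29.37.0'   # anyExtendedKeyUsage: the certificate may be used for everything

    foreach ($cert in Get-ChildItem $StorePath) {
        $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage

        $keyUsage = '(none)'
        if ($ku) { $keyUsage = $ku.KeyUsages.ToString() }

        $ekuNames = @()
        if ($eku) {
            $ekuNames = @($eku.EnhancedKeyUsages | ForEach-Object {
                if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
            })
        }

        $findings = @()
        if (-not $eku) {
            $findings += 'No EKU extension: usable for any purpose'
        } elseif ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $anyPurpose }) {
            $findings += 'Any Purpose EKU present'
        }
        if ($ekuNames.Count -gt $MaxEkuCount) {
            $findings += "$($ekuNames.Count) EKUs (policy allows $MaxEkuCount)"
        }
        # Certificate Signing belongs on CA certificates only; on a CA server its own
        # certificate is the one expected hit in the Personal store
        if ($ku -and (($ku.KeyUsages -band 'KeyCertSign') -ne 0)) {
            $findings += 'KeyCertSign set: this is a CA certificate'
        }

        [pscustomobject]@{
            Subject  = $cert.Subject
            Expires  = $cert.NotAfter
            KeyUsage = $keyUsage
            EKU      = ($ekuNames -join ', ')
            Findings = ($findings -join '; ')
        }
    }
}

# Show only certificates that need attention
Get-CertificatePurposeReport | Where-Object { $_.Findings } | Format-Table -AutoSize -Wrap
```

A certificate with no EKU extension at all is the broadest case of all, which is why it is flagged before the Any Purpose check; both usually come from a template that was never narrowed down.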

CA Hierarchy

Enterprise PKI uses a tiered Certificate Authority structure for security and scalability.

Three-Tier Model

  • Root CA - Offline, self-signed, issues to subordinates only
  • Policy CA - Optional, defines certificate policies
  • Issuing CA - Online, issues certificates to end entities

Root CA Best Practices

  • Keep offline (air-gapped)
  • Long validity (10-20 years)
  • HSM for key protection
  • Standalone (not domain-joined)

Issuing CA Best Practices

  • Enterprise CA (AD-integrated)
  • Shorter validity (5 years)
  • Multiple for redundancy
  • Automatic enrollment
Security Note: If the Root CA private key is compromised, the entire PKI must be rebuilt. Protect it accordingly.
Diagram: Two-tier hierarchy. Root CA (offline, locked in a vault) → Issuing CA (online, domain-joined) → web certs, user certs, device certs.

Enterprise CA vs Standalone CA

The CA type determines how it integrates with Active Directory and handles enrollment.

Enterprise CA

  • Requires Active Directory domain
  • Publishes certificates and CRLs to AD
  • Uses certificate templates
  • Supports autoenrollment
  • Automatic certificate approval
  • Best for: Issuing CAs in domain environments

Standalone CA

  • No Active Directory required
  • Manual certificate approval
  • No template support
  • No autoenrollment
  • Can be offline (air-gapped)
  • Best for: Offline Root CAs
Architecture Pattern: The most common enterprise PKI uses a Standalone Root CA (offline) with one or more Enterprise Subordinate/Issuing CAs (online, domain-joined).

Installing AD CS

Active Directory Certificate Services can be installed as multiple role services.

Role Services

  • CA: Core service for issuing certificates
  • CA Web Enrollment: Web interface for certificate requests
  • Online Responder: OCSP for real-time revocation checks
  • NDES: Network Device Enrollment Service (SCEP)
  • CES/CEP: Certificate Enrollment Policy/Service

Install the AD CS role first, then configure the CA type in a second step.

# Install the Certificate Authority role with management tools
PS C:\> Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Expected output:
# ─────────────────────────────────────────
Success Restart Needed Exit Code      Feature Result
─────── ────────────── ─────────      ──────────────
True    No             Success        {Active Directory Certificate Services}

Configure this server as an Enterprise Subordinate CA with a 4096-bit key and SHA-256 hashing. Because it is a subordinate, the cmdlet produces a certificate request that the parent (Root) CA must sign before the CA service can issue anything.

# Configure as Enterprise Subordinate CA with strong crypto
PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
            -CACommonName "Hexworth Issuing CA" `
            -KeyLength 4096 -HashAlgorithmName SHA256

Diagram: Enterprise CA vs Standalone CA. Standalone CA (not joined to AD): runs on a workgroup, ideal for an offline Root, manual requests and no templates, no autoenrollment; best for an offline Root CA. Enterprise CA (domain-joined): uses AD for ACLs, certificate templates, autoenrollment, publishes to AD; best for an Issuing CA.

Certificate Templates

Templates define certificate properties and who can enroll.

Template Properties

  • Key usage (signing, encryption)
  • Validity period
  • Key size and algorithm
  • Subject name format
  • Application policies (EKU)

Common Templates

  • User - Email and client auth
  • Computer - Machine authentication
  • Web Server - SSL/TLS
  • Domain Controller - DC auth
  • Code Signing - Software signing

List all certificate templates currently published on the CA.

# List templates available for enrollment on this CA
PS C:\> Get-CATemplate | Select-Object Name, DisplayName

# Expected output:
# ─────────────────────────────────────────
Name             DisplayName
────             ───────────
User             User
Machine          Computer
DomainController Domain Controller
WebServer        Web Server
CodeSigning      Code Signing

Publish a template on the CA so users and computers can enroll for that certificate type.

# Publish the WebServer template on this CA
PS C:\> Add-CATemplate -Name "WebServer" -Force

Custom Certificate Templates

Create custom templates by duplicating and modifying existing ones to meet specific organizational needs.

Template Versions

  • Version 1: Legacy, cannot be modified
  • Version 2: Introduced autoenrollment, key archival
  • Version 3: Added CNG key support (Server 2008+)
  • Version 4: Added renewal with same key (Server 2012+)

Key Template Settings

  • Subject Name: Supply in request vs build from AD
  • Issuance Requirements: CA manager approval, signatures
  • Security: Read, Enroll, Autoenroll permissions
  • Superseded Templates: Replace older versions
# Duplicate a template via GUI (Certificate Templates Console):
# 1. Open certtmpl.msc
# 2. Right-click "Web Server" > Duplicate Template
# 3. Configure: Name, Validity, Key Size, Subject Name, Security
# 4. Set Enroll and Autoenroll permissions for target groups

After creating the custom template in the GUI, publish it on the CA so it becomes available.

# Publish the custom template to the CA
PS C:\> Add-CATemplate -Name "HexworthWebServer" -Force
Important: When using "Supply in the request" for Subject Name, be very careful with Enroll permissions. Any user with Enroll rights can request a certificate for any identity.
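The risk described in the note above can be checked rather than remembered. The following is an added example, not code from the course page: it reads the template objects from the Configuration partition, keeps only those whose subject is supplied in the request, and shows whether CA manager approval is required and which principals hold Enroll, Autoenroll or full control on them. It assumes the ActiveDirectory (RSAT) module on a domain-joined machine; the flag bits and extended-right GUIDs are the documented AD CS values.

```powershell
# Added example (not part of the course page): list published templates whose subject is
# supplied in the request, showing whether CA manager approval is required and who holds
# Enroll/Autoenroll (or full control) on them. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag: requests wait for CA manager approval
$EnrollRightGuid     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment control access right
$AutoEnrollRightGuid = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment control access right

function Get-SubjectSuppliedTemplate {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # Names of templates published on at least one Enterprise CA
    $published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates }

    Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor' |
    ForEach-Object {
        $tpl = $_
        $nameFlag   = [int]$tpl.'msPKI-Certificate-Name-Flag'
        $enrollFlag = [int]$tpl.'msPKI-Enrollment-Flag'
        if (($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0) { return }   # subject built from AD: skip

        # Principals that can obtain a certificate from this template (or rewrite its ACL)
        $enrollers = $tpl.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ObjectType.ToString() -in @($EnrollRightGuid, $AutoEnrollRightGuid) -or
                ($_.ActiveDirectoryRights -match 'ExtendedRight' -and $_.ObjectType -eq [guid]::Empty) -or
                $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner'
            )
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        [pscustomobject]@{
            Template        = $tpl.Name
            Published       = ($published -contains $tpl.Name)
            ManagerApproval = (($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0)
            EKU             = ($tpl.pKIExtendedKeyUsage -join ', ')
            CanEnroll       = ($enrollers -join '; ')
        }
    }
}

# Templates that are published, take a requester-chosen subject and need no approval come first
Get-SubjectSuppliedTemplate | Sort-Object Published, ManagerApproval | Format-Table -AutoSize -Wrap
```

For each row where Published is True and ManagerApproval is False, the CanEnroll column should contain only the groups that genuinely need that template; anything broader (Domain Users, Authenticated Users) is the situation the note warns about, and the fix is either to tighten Enroll or to turn on "CA certificate manager approval" in the template's Issuance Requirements.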

Certificate Enrollment

Multiple methods exist for obtaining certificates from the CA.

Enrollment Methods

  • Autoenrollment: GPO-driven, automatic
  • MMC: Certificate snap-in request
  • Web Enrollment: Browser-based
  • certreq.exe: Command-line tool
  • PowerShell: Get-Certificate

Autoenrollment GPO

  • Computer Configuration > Policies
  • Windows Settings > Security Settings
  • Public Key Policies
  • Certificate Services Client - Auto-Enrollment
# Request certificate using PowerShell
Get-Certificate -Template "WebServer" `
    -SubjectName "CN=portal.hexworth.local" `
    -DnsName "portal.hexworth.local", "www.portal.hexworth.local" `
    -CertStoreLocation Cert:\LocalMachine\My

Diagram: templates are certificate blueprints stored in AD. User (EFS, email signing); Computer (client auth, IPsec); Web Server (server auth, HTTPS); Smartcard Logon (user auth + EKU); DC Auth (domain controller cert); Code Signing (PowerShell scripts). Template settings: subject name format, validity (1y, 2y, 5y), key size + algorithm, EKUs (ServerAuth...), permissions (enroll), autoenroll allowed?, key archival. Workflow: duplicate, edit, publish.

Autoenrollment Deep Dive

Autoenrollment is the most efficient way to distribute certificates at scale in an enterprise.

How Autoenrollment Works

  • GPO enables autoenrollment policy
  • Client checks AD for available templates
  • If user/computer has Autoenroll permission, request is submitted
  • CA issues certificate automatically
  • Certificate installed in local store
  • Renewal happens automatically before expiry

GPO Configuration

  • Enrollment Policy: Enabled
  • Renew expired: Check this option
  • Update pending: Check this option
  • Remove revoked: Check this option
  • Applies at Computer and User level

Trigger certificate autoenrollment immediately instead of waiting for the next policy cycle.

# Force autoenrollment processing right now
PS C:\> certutil -pulse

Alternatively, refresh Group Policy which also triggers autoenrollment processing.

# Trigger Group Policy refresh (also processes autoenrollment)
PS C:\> gpupdate /force

Verify which enrollment server URLs are configured on this machine.

# Check the configured enrollment server URLs
PS C:\> certutil -enrollmentServerURL
Best Practice: Configure separate GPOs for Computer autoenrollment and User autoenrollment. Link them to the appropriate OUs.

Web Enrollment

The Certificate Authority Web Enrollment role provides a browser-based interface for certificate requests.

Web Enrollment Features

  • Request Certificate - Submit new certificate requests via web form
  • Check Pending - Check status of pending requests
  • Download CA Certificate - Retrieve the CA's certificate chain
  • Download CRL - Retrieve current Certificate Revocation List

Install the Web Enrollment role service and configure it in one sequence.

# Install and configure CA Web Enrollment
PS C:\> Install-WindowsFeature -Name ADCS-Web-Enrollment -IncludeManagementTools
PS C:\> Install-AdcsWebEnrollment -Force

# Web enrollment URL (access via browser):
# https://ca-server.hexworth.local/certsrv

Submit a certificate request file directly to the CA from the command line.

# Submit a certificate signing request (CSR) to the CA
PS C:\> certreq -submit -config "CA01.hexworth.local\Hexworth Issuing CA" request.req cert.cer
Security: Always use HTTPS for web enrollment. The default HTTP site exposes certificate requests to network interception.
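The certreq -submit step above is the middle of a three-step cycle (generate key pair and CSR, submit, accept). Here is the whole cycle as an added example that is not code from the course page: the INF format is certreq's documented request format, while the host names, the CA configuration string, the template name and the C:\certs paths are placeholders borrowed from this page's lab.

```powershell
# Added example (not part of the course page): full certreq.exe enrollment cycle for a web
# server certificate, as a command-line alternative to Get-Certificate. Names and paths
# are placeholders.
$inf = @'
[NewRequest]
Subject = "CN=portal.hexworth.local, O=Hexworth, C=US"
KeyLength = 2048
KeySpec = 1                         ; AT_KEYEXCHANGE: key can both sign and decrypt
KeyUsage = 0xA0                     ; Digital Signature + Key Encipherment
MachineKeySet = TRUE                ; generate the key in the machine context
Exportable = FALSE                  ; private key cannot be exported later
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[Extensions]
; Subject Alternative Name (2.5.29.17): every name the server will answer to
2.5.29.17 = "{text}"
_continue_ = "dns=portal.hexworth.local&"
_continue_ = "dns=www.portal.hexworth.local"

[RequestAttributes]
CertificateTemplate = WebServer
'@
Set-Content -Path C:\certs\portal.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the CSR
certreq -new C:\certs\portal.inf C:\certs\portal.req

# 2. Submit the CSR; the Enterprise CA applies the template's ACL and settings
certreq -submit -config "CA01.hexworth.local\Hexworth Issuing CA" C:\certs\portal.req C:\certs\portal.cer

# 3. Install the issued certificate next to the private key created in step 1
certreq -accept C:\certs\portal.cer

# Verify: the certificate in LocalMachine\My must report HasPrivateKey = True
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=portal.hexworth.local*' } |
    Format-List Subject, DnsNameList, NotAfter, HasPrivateKey, Thumbprint
```

Because the private key never leaves the machine (Exportable = FALSE and MachineKeySet = TRUE), only the CSR and the issued certificate travel to and from the CA; the same INF can be reused for renewal by changing only the Subject and SAN lines.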
Diagram: how a client gets a certificate. Client generates a key pair → CSR → Enterprise CA checks the template ACL → signed certificate stored in the client's certificate store. Ways to enroll: 1. Manual (MMC certmgr → Request New Certificate); 2. Autoenrollment (GPO-driven, silent, renews on schedule); 3. Web Enrollment (https://ca/certsrv, advanced cases); 4. NDES/SCEP (non-domain devices: phones, routers).

Certificate Revocation

A certificate's revocation status must be checked before it is trusted; a valid signature and validity dates alone are not enough.

CRL (Certificate Revocation List)

  • Periodic list of revoked certs
  • Published to CRL Distribution Points
  • Base CRL + Delta CRL
  • Can become large in enterprise

OCSP (Online Responder)

  • Real-time revocation check
  • Smaller response size
  • Requires Online Responder role
  • Better for web scenarios

Revoke a compromised certificate by its serial number with an appropriate reason code.

# Revoke a certificate due to key compromise
# (Revoke-Certificate comes from the community PSPKI module, not the built-in
#  ADCSAdministration module; the built-in equivalent is
#  certutil -revoke 61001234AB 1   where reason code 1 = KeyCompromise)
PS C:\> Revoke-Certificate -SerialNumber "61001234AB" -Reason KeyCompromise

Publish a new base CRL immediately so clients learn the certificate is revoked.

# Publish a fresh base CRL to all distribution points
# (Publish-CRL is a PSPKI module cmdlet; the built-in equivalent is certutil -CRL)
PS C:\> Publish-CRL -UpdateType Base

CRL Distribution Points & AIA

Clients need to know where to find CRLs and CA certificates to validate the chain.

CDP (CRL Distribution Points)

  • URLs where CRLs can be downloaded
  • HTTP, LDAP, or file share locations
  • Embedded in each issued certificate
  • Multiple CDPs for redundancy
  • Order matters: first reachable wins

AIA (Authority Information Access)

  • URLs to download CA certificates
  • OCSP responder location
  • Needed to build the certificate chain
  • HTTP preferred over LDAP for external
  • Configure before issuing certificates

View the configured CRL Distribution Point and Authority Information Access URLs on the CA.

# View the configured CRL publication URLs (CDP)
PS C:\> certutil -getreg CA\CRLPublicationURLs

# View the configured CA certificate publication URLs (AIA)
PS C:\> certutil -getreg CA\CACertPublicationURLs

Test whether a CRL URL is reachable and the CRL can be downloaded.

# Verify a CRL URL is accessible (opens URL testing tool)
PS C:\> certutil -URL "http://pki.hexworth.local/cdp/HexworthIssuingCA.crl"

Validate the full chain for a certificate, including fetching CRLs and OCSP responses.

# Verify certificate chain and fetch revocation data
PS C:\> certutil -verify -urlfetch certificate.cer
Critical: Configure CDP and AIA URLs BEFORE issuing any certificates. These URLs are embedded permanently in issued certificates and cannot be changed retroactively.
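Because the CDP and AIA URLs are baked into every issued certificate, the right place to test them is the certificate itself. The following added example (not code from the course page) reads the CDP and AIA extensions of an issued certificate, tests each HTTP URL, and reads NextUpdate from every CRL it downloads so that a CRL about to expire, the failure mode of the previous section, is caught early. It assumes certutil's locale-formatted "NextUpdate:" line is parseable by [datetime]::Parse on the same machine; the file path is a placeholder.

```powershell
# Added example (not part of the course page): extract every CDP and AIA URL from an issued
# certificate, test that the HTTP ones answer, and read NextUpdate from each CRL so a stale
# CRL is caught before clients start failing revocation checks. The NextUpdate parsing relies
# on certutil's locale-formatted output; the file path is a placeholder.
function Test-CertificateUrl {
    param([Parameter(Mandatory)] [string] $Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $urls = @()
    foreach ($ext in $cert.Extensions) {
        $kind = switch ($ext.Oid.Value) {
            '2.5.29.31'         { 'CDP' }   # CRL Distribution Points
            '1.3.6.1.5.5.7.1.1' { 'AIA' }   # Authority Information Access (CA certs, OCSP)
            default             { $null }
        }
        if (-not $kind) { continue }
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            $urls += [pscustomobject]@{ Kind = $kind; Url = $m.Groups[1].Value }
        }
    }

    foreach ($u in $urls) {
        $r = [ordered]@{ Kind = $u.Kind; Url = $u.Url; Reachable = $null; NextUpdate = $null; Note = '' }
        if ($u.Url -notmatch '^https?://') {
            $r.Note = 'not an HTTP URL; only reachable from inside the forest'
        } else {
            $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
            try {
                Invoke-WebRequest -Uri $u.Url -OutFile $tmp -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
                $r.Reachable = $true
                if ($u.Url -match '\.crl$') {
                    $dump = certutil -dump $tmp | Out-String
                    if ($dump -match 'NextUpdate:\s*(.+)') {
                        $next = [datetime]::Parse($Matches[1].Trim())
                        $r.NextUpdate = $next
                        if ($next -lt (Get-Date)) {
                            $r.Note = 'CRL EXPIRED: every validation that fetches it will fail'
                        } elseif ($next -lt (Get-Date).AddHours(24)) {
                            $r.Note = 'CRL expires within 24 h: check the publication schedule'
                        }
                    }
                }
            } catch {
                # An HTTP error still proves the host answers (an OCSP base URL returns one without a request)
                if ($_.Exception.Response) {
                    $r.Reachable = $true
                    $r.Note = "HTTP $([int]$_.Exception.Response.StatusCode)"
                } else {
                    $r.Reachable = $false
                    $r.Note = $_.Exception.Message
                }
            } finally {
                Remove-Item $tmp -ErrorAction SilentlyContinue
            }
        }
        [pscustomobject]$r
    }
}

Test-CertificateUrl -Path 'C:\certs\portal.cer' | Format-Table -AutoSize -Wrap
```

Run it from a network segment that represents your clients (for example a workstation VLAN or, for externally used certificates, from outside the perimeter): an LDAP CDP that works on the CA means nothing for a laptop on the internet, which is why the list above prefers HTTP for external use.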

OCSP Online Responder

The Online Certificate Status Protocol provides real-time certificate revocation checking.

OCSP Advantages over CRL

  • Real-time status (not periodic)
  • Smaller response size (single cert)
  • Lower bandwidth requirements
  • Better for web/internet scenarios
  • Clients cache OCSP responses

OCSP Configuration

  • Install Online Responder role service
  • Issue OCSP Response Signing certificate
  • Create revocation configuration
  • Add OCSP URL to AIA extension
  • Can cluster for high availability

Install the OCSP Online Responder role and configure it in one sequence.

# Install and configure the Online Responder (OCSP)
PS C:\> Install-WindowsFeature -Name ADCS-Online-Cert -IncludeManagementTools
PS C:\> Install-AdcsOnlineResponder -Force

Test that OCSP responses work by verifying a certificate with URL fetching enabled.

# Verify a certificate and check for OCSP entries in the output
PS C:\> certutil -verify -urlfetch certificate.cer

Certificate Stores

Windows organizes certificates in logical and physical stores for different purposes.

Common Stores

  • Personal (My): User/computer certificates with private keys
  • Trusted Root CAs: Trusted root certificates
  • Intermediate CAs: Subordinate CA certificates
  • Trusted Publishers: Code signing publishers
  • Untrusted: Explicitly distrusted certificates

Store Locations

  • Current User: Per-user certificates
  • Local Machine: Computer-wide certificates
  • Group Policy: Deployed via GPO
  • Active Directory: Published to AD
  • Access via certmgr.msc or certlm.msc

Browse certificate stores using the Cert: PSDrive, just like navigating a file system.

# List certificates in the computer's personal store
PS C:\> Get-ChildItem Cert:\LocalMachine\My

# Expected output:
# ─────────────────────────────────────────
   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
──────────                                ───────
A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2  CN=dc01.hexworth.local
B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1  CN=portal.hexworth.local

# Browse other common stores
PS C:\> Get-ChildItem Cert:\CurrentUser\My       # User personal certs
PS C:\> Get-ChildItem Cert:\LocalMachine\Root    # Trusted Root CAs
PS C:\> Get-ChildItem Cert:\LocalMachine\CA      # Intermediate CAs

Find certificates expiring within 30 days so you can renew them proactively.

# Find certificates expiring within 30 days
PS C:\> Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
            Select-Object Subject, NotAfter

Diagram: a CRL is the list of revoked certificates. The CA publishes a new CRL daily to the CRL distribution point http://crl.corp.local/issuing.crl. Revoked entries: Serial 3a:f9... revoked 2024-02-15, reason Key Compromise; Serial 4c:21... revoked 2024-03-02, reason Superseded; Serial 5b:88... revoked 2024-03-14, reason Cessation of Operation. Next update: 2024-03-15 02:00 UTC.
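The Trusted Root store deserves the same attention as the Personal store, since anything in it becomes a trust anchor for the whole machine. Added example, not code from the course page: snapshot the machine's Trusted Root store on a known-good build, then diff any machine, and its per-user Root view, against that snapshot. The baseline file path is a placeholder.

```powershell
# Added example (not part of the course page): snapshot the machine's Trusted Root store on a
# known-good build, then diff any machine (and its per-user Root view) against that snapshot.
# The baseline path is a placeholder.
function Export-TrustedRootBaseline {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem Cert:\LocalMachine\Root |
        Select-Object Thumbprint, Subject, NotAfter |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-TrustedRootBaseline {
    param([Parameter(Mandatory)] [string] $Path)
    $baseline = @(Import-Csv -Path $Path)
    # CurrentUser\Root is the merged view (machine roots plus anything the user added),
    # so roots that appear there but not in the machine baseline were installed per user.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $current = @(Get-ChildItem $store)
        Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Thumbprint -PassThru |
            ForEach-Object {
                $change = 'MISSING (in baseline, not in store)'
                if ($_.SideIndicator -eq '=>') { $change = 'ADDED (not in baseline)' }
                [pscustomobject]@{
                    Store      = $store
                    Change     = $change
                    Thumbprint = $_.Thumbprint
                    Subject    = $_.Subject
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

# On the reference build:
Export-TrustedRootBaseline -Path '\\fs01\pki\trusted-roots-baseline.csv'

# On any machine being checked:
Compare-TrustedRootBaseline -Path '\\fs01\pki\trusted-roots-baseline.csv' | Format-Table -AutoSize
```

An ADDED row in LocalMachine\Root that did not come through the Group Policy deployment described later on this page, or any ADDED row at all in CurrentUser\Root, is worth investigating before it is relied on.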

Key Archival and Recovery

Data encrypted to a certificate is unrecoverable if the user loses the private key, so keys for encryption certificates can be archived at the CA and recovered later.

Key Recovery Process

  • Enable key archival on CA
  • Configure Key Recovery Agent (KRA) certificates
  • Template must allow private key export
  • Archived keys stored encrypted in CA database

Adjust the CA's key recovery flags. KRAF_ENABLEFOREIGN lets the CA accept key recovery material for certificates issued by another (foreign) CA; the KRA certificates themselves are assigned, and archival switched on, in the CA's Recovery Agents properties in certsrv.msc.

# Enable foreign KRA certificates on the CA
PS C:\> certutil -setreg CA\KRAFlags +KRAF_ENABLEFOREIGN

Recover an archived private key in two steps: extract the encrypted blob, then decrypt it.

# Extract the encrypted key blob from the CA database
PS C:\> certutil -getkey "SearchToken" outputblob

# Decrypt the blob into a usable PFX file
PS C:\> certutil -recoverkey outputblob recovered.pfx
Important: Key archival should only be enabled for encryption certificates, never for signature-only certificates.

certutil Commands

The certutil command-line tool is essential for PKI administration and troubleshooting.

CA Management

  • certutil -ca: Display CA info
  • certutil -catemplates: List published templates
  • certutil -CRL: Publish new CRL
  • certutil -shutdown: Stop CA service
  • certutil -backup: Backup CA database

Certificate Operations

  • certutil -dump cert.cer: View cert details
  • certutil -verify: Validate certificate chain
  • certutil -store: List certificates in store
  • certutil -pulse: Trigger autoenrollment
  • certutil -URL: Test CDP/AIA URLs

Display the CA's configuration summary including name, type, and key info.

# Display CA configuration and status
PS C:\> certutil -ca

Verify a certificate's entire chain and fetch CRL/OCSP data to check revocation.

# Verify certificate chain with revocation checking
PS C:\> certutil -verify -urlfetch server.cer

List all certificates stored in the local machine's Personal store.

# View certificates in the Personal (My) store
PS C:\> certutil -store My

Convert a Base64-encoded certificate to DER binary format, or export a certificate with its private key.

# Decode a Base64-encoded certificate to DER format
PS C:\> certutil -decode encoded.b64 decoded.cer

# Export a certificate and private key as a PFX file
PS C:\> certutil -exportPFX My "SerialNumber" export.pfx

Group Policy for Certificate Deployment

Group Policy distributes trusted root certificates and configures autoenrollment across the domain.

Certificate Distribution via GPO

  • Trusted Root CAs: Push root CA cert to all machines
  • Intermediate CAs: Distribute subordinate CA certs
  • Trusted Publishers: Code signing trust
  • Untrusted Certificates: Block specific certs

GPO Path

  • Computer Config > Windows Settings
  • Security Settings > Public Key Policies
  • Trusted Root Certification Authorities
  • Right-click > Import certificate
  • Applies to all computers in GPO scope

Publish the Root CA certificate to Active Directory so all domain machines trust it automatically.

# Publish the Root CA certificate to AD (for Standalone Root CAs)
PS C:\> certutil -dspublish -f RootCA.cer RootCA

Publish the Subordinate CA certificate so clients can build the full certificate chain.

# Publish the Subordinate CA certificate to AD
PS C:\> certutil -dspublish -f SubCA.cer SubCA

Verify that the CA certificates were successfully published to the AD configuration partition.

# View certificates published in the AD Public Key Services container
PS C:\> certutil -viewstore "ldap:///CN=Public Key Services,CN=Services,CN=Configuration,DC=hexworth,DC=local"
Note: Enterprise CAs automatically publish their CA certificate and CRL to Active Directory. Standalone CAs require manual publication using certutil -dspublish.

CA Backup and Recovery

The CA database and private key must be protected and backed up.

What to Backup

  • CA private key and certificate
  • CA database (issued certs, CRLs)
  • Registry configuration
  • CAPolicy.inf file

Backup Methods

  • certsrv.msc GUI backup
  • certutil -backup command
  • Windows Server Backup
  • System State backup

Back up the CA database, private key, and logs using the PowerShell cmdlet.

# Backup CA database and private key with password protection
PS C:\> Backup-CARoleService -Path "C:\CABackup" -Password (Read-Host -AsSecureString) -KeepLog

Alternatively, use certutil for the same backup operation from the command line.

# Backup CA using the certutil command-line tool
PS C:\> certutil -backup "C:\CABackup"
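Neither command above captures all four items in the "What to Backup" list on its own. The following added example (not code from the course page) is a backup routine that does, in a dated folder with retention; the backup root, retention period and the use of an interactive password prompt are assumptions, and a scheduled run would read the password from a protected store instead.

```powershell
# Added example (not part of the course page): a scheduled-task-ready backup that captures all
# four items in the "What to Backup" list into a dated folder and prunes old copies.
# Paths and retention are placeholders.
function Backup-HexworthCA {
    param(
        [string] $Root     = 'D:\CABackup',
        [int]    $KeepDays = 30,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $dest = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # 1 + 2. CA private key, CA certificate and database (logs included so the DB restores consistently)
    Backup-CARoleService -Path $dest -Password $Password -KeepLog -Force

    # 3. Registry configuration of the CA service (CDP/AIA URLs, CRL periods, KRA flags, ...)
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' (Join-Path $dest 'CertSvc-Configuration.reg') /y | Out-Null

    # 4. CAPolicy.inf, if present (it lives in %SystemRoot% on the CA)
    $policy = Join-Path $env:SystemRoot 'CAPolicy.inf'
    if (Test-Path $policy) { Copy-Item $policy $dest }

    # Templates published on this CA, so the list can be checked after a restore
    Get-CATemplate | Select-Object Name, DisplayName | Export-Csv (Join-Path $dest 'templates.csv') -NoTypeInformation

    # Retention: remove dated folders older than $KeepDays
    Get-ChildItem $Root -Directory |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Recurse -Force

    Get-ChildItem $dest -Recurse -File | Select-Object FullName, Length
}

# Interactive run; a scheduled task would obtain the password from a protected store instead
Backup-HexworthCA -Password (Read-Host -AsSecureString -Prompt 'Backup password')
```

The backup folder now contains the CA's private key protected only by that password, so it needs the same handling as the CA itself: a restricted share, encryption at rest, and the password stored separately from the backup.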

CA Disaster Recovery

Restoring a CA from backup requires careful execution to maintain PKI integrity.

Recovery Steps

  • Install Windows Server (same version)
  • Join domain (if Enterprise CA)
  • Install AD CS role
  • Use existing CA certificate option
  • Import backed-up key and database
  • Verify CRL and AIA configuration

Critical Considerations

  • Server name must match original
  • CA name must be identical
  • Publish updated CRL immediately
  • Verify all templates are available
  • Test certificate enrollment
  • Update CDP/AIA if server changed

Restore the CA database and private key from a backup on the new server.

# Restore CA from PowerShell backup
PS C:\> Restore-CARoleService -Path "C:\CABackup" -Password (Read-Host -AsSecureString) -Force

Alternatively, restore using certutil if the backup was made with that tool.

# Restore CA using certutil
PS C:\> certutil -restore "C:\CABackup"

Immediately publish a new CRL after restore so clients stop using the expired one.

# Publish a new CRL immediately after restoration
PS C:\> certutil -CRL

Verify the CA is online and responding to requests after the restore completes.

# Ping the CA to verify it is operational
PS C:\> certutil -ping

# Expected output:
# ─────────────────────────────────────────
Connecting to CA01.hexworth.local\Hexworth Issuing CA ...
Server "Hexworth Issuing CA" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.
Critical: After CA restoration, immediately publish a new CRL. Clients may be caching an expired CRL which will cause all certificate validations to fail.
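The "Critical Considerations" list is easiest to work through as a script run once the restore finishes. This is an added example, not code from the course page; the CA configuration string, the templates.csv saved at backup time and the Machine template used for the test enrollment are placeholders, and the test enrollment leaves a real certificate in the machine store.

```powershell
# Added example (not part of the course page): verification run after Restore-CARoleService,
# covering the "Critical Considerations" list. The CA configuration string, the template list
# saved at backup time and the enrollment template name are placeholders.
function Test-CARestore {
    param(
        [string] $CAConfig         = 'CA01.hexworth.local\Hexworth Issuing CA',
        [string] $TemplateBaseline = 'D:\CABackup\latest\templates.csv',
        [string] $TestTemplate     = 'Machine'
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string] $Check, [bool] $Pass, [string] $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. CA service reachable and the CA name unchanged (server and CA names must match the original)
    $ping = (certutil -config $CAConfig -ping 2>&1 | Out-String)
    Add-Result 'CA responds to certutil -ping' ($ping -match 'is alive') $ping.Trim()

    $caName   = (certutil -config $CAConfig -cainfo name 2>&1 | Out-String)
    $expected = $CAConfig.Split('\')[-1]
    Add-Result 'CA name matches config string' ($caName -match [regex]::Escape($expected)) $caName.Trim()

    # 2. Publish a new base CRL so clients stop using a stale one
    certutil -config $CAConfig -crl 2>&1 | Out-Null
    Add-Result 'New CRL published' ($LASTEXITCODE -eq 0) "certutil -crl exit code $LASTEXITCODE"

    # 3. Every template from the backup-time list is still published
    $now     = @(Get-CATemplate | Select-Object -ExpandProperty Name)
    $missing = @(Import-Csv $TemplateBaseline | Select-Object -ExpandProperty Name | Where-Object { $now -notcontains $_ })
    Add-Result 'All templates available' ($missing.Count -eq 0) ('missing: ' + ($missing -join ', '))

    # 4. CDP/AIA locations are configured (update them if the server name changed)
    $cdp = @(Get-CACrlDistributionPoint | Select-Object -ExpandProperty Uri)
    $aia = @(Get-CAAuthorityInformationAccess | Select-Object -ExpandProperty Uri)
    Add-Result 'CDP/AIA URLs configured' (($cdp.Count + $aia.Count) -gt 0) (($cdp + $aia) -join '; ')

    # 5. End-to-end enrollment test against the restored CA (leaves a certificate in LocalMachine\My)
    try {
        $req = Get-Certificate -Template $TestTemplate -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Stop
        Add-Result 'Test enrollment issued' ($req.Status -eq 'Issued') "status $($req.Status)"
    } catch {
        Add-Result 'Test enrollment issued' $false $_.Exception.Message
    }
    $results
}

Test-CARestore | Format-Table -AutoSize -Wrap
```

A failed "New CRL published" check is the one to fix first: until a fresh CRL is at the CDP, every certificate the CA ever issued fails validation on clients that still hold the expired one.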

Lab Preview

Practice AD CS configuration through both interfaces.

GUI Lab Tasks

  • Explore Certificate Authority MMC
  • Create custom certificate template
  • Issue a certificate
  • Configure CRL settings
  • Revoke a certificate
  • Configure autoenrollment GPO
  • Explore certificate stores

PowerShell Lab Tasks

  • List CA templates and issued certs
  • Request certificates
  • View certificate stores
  • Publish CRL
  • Backup CA
  • Use certutil for troubleshooting
  • Find expiring certificates