Active Directory Certificate Services (AD CS) provides the public key infrastructure (PKI) functionality that underpins identities and other security functionality on the Windows domain (i.e. file encryption, email encryption, and network traffic encryption). It can create, validate and revoke public key certificates for internal uses of an organization.
This is a quick deployment and ready-to-run image.
Simple and rapid installation. Easy to maintain.
The guide on how to work with the AD Certificate Services on Windows Server 2016
- Once logged in, open up “Server Manager“. First task is to decide if this will be an Enterprise CA or Standalone CA. If it will be an Enterprise CA then you will need to add this VM to your Active Directory domain otherwise you can leave as a member server and run as a Standalone CA.
- Next is to run the setup wizard from the notification alert in Server Manager
- On the Credentials page, you can see the Administrator is displayed in the Credentials box.
- Click Next.
- On the Role Services page, select the Certification Authority check box Click Next.
- On the Setup Type page, select Enterprise CA as the CA type to allow integration with your AD Or Standalone CA if you want to run this as a member server in a workgroup.
- On the CA Type page, Select Root CA if this is the first CA in your environment or Subordinate CA if you have an established PKI already, Click Next.
- On the Private Key page, choose between Create a new private key or Use existing private key. Click Next.
- On the Cryptography for CA page:
- Select the default cryptographic provider as RSA#Microsoft Software Key Storage Provider.
- Select Key length as 2048 or above.
- Select SHA1 as the hash algorithm and click Next.
- On the CA Name page, specify the name of your CA in the Common name for this CA text box.
- On the Validity Period page, select the number of years for the certificate to be valid.
- On the CA Database page, specify the locations for the database and database log files. Click Next.
- On the Confirmation page, click Configure. Results screen appears after configuration is complete.
If you have a network security group or firewall appliance in front of your new AD CS virtual machine you’ll need to check you have the following firewall ports open:
Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP and DCOM based enrollment
To setup Azure firewall rules refer to – Azure Network Security Groups
Once you have your CA setup, you’re now ready to start deploying certificates. The following article has a great tutorial on this: