How to Configure AD Certificate Server

by | Nov 23, 2022 | How-To

Last updated on December 22nd, 2023 at 12:06 pm

This step-by-step guide will show you how to configure AD certificate server. Active Directory (AD) Certificate Services acronym is either ADCS or AD CS. You should also note that many people will call it a cert server or just certs. This article assume that you have ready install ADCS, if you have not done this step, make sure that you see How to Install AD Certificate Services.

A Microsoft Endpoint Configuration Manager (SCCM / ConfigMgr / MCM) administrator wears many hats. Working with AD Certificate Service is just one of the hats!


Before we get started, this guide set will install a simple AD CS environment that, can be used within a Lab environment. Although 100% correct, this setup will like NOT pass a proper security review. As such if you plan to use this within production, I recommend that you talk to your security team first. They might already have AD CS for you to use. Before you ask, why will this not pass a security audit, the simple reason is that you first (Root) Certificate Service server should NEVER be attached to any network. Without going to the complete details, the Root CS server should be a Standalone server. Which in turns issue a cert to another CS server to allow them to issue certs. But for lab environments this guide is in my option good enough.

How to Configure AD Certificate Services

Before getting started make sure that you logon with an Enterprise Admin account. Within the video, I have upgraded my account be a member Enterprise Admin.

Starting the Configuration of AD Certificate Server

After logon the easiest way to configure AD Certificate Services, is to select the post deployment option within Server Manager. Start by clicking the link.

Ensure that you are using Enterprise Admins account, change account if needed

On the Credentials Node, ensure that the account you are using has Enterprise Admins right. Click Change… to use a different account otherwise click Next.

Configure AD Certificate Server

Select Certification Authority before clicking Next.

Select Enterprise CA for Configure AD Certificate Server

For this lab keep the Enterprise CA option and click Next.

Select Root CA for Configure AD Certificate Server

We are installing a Root CA so keep that selected and click Next.

Create a new private key

Keep the option to Create a new private key and click Next.

Select your cryptographic options

For my lab I’m going to use a SHA512 algorithm with a Key length of 2048.

Keep your Common and Distinguished names,

We will keep the Common and Distinguished names for this CA. Click Next.

What Validity period do you want?

I change the validity period to 10 years for Certs on this server. Click Next.

Where do you install the Cert database when Configure AD Certificate Server

Again, because this for a lab, I will access the defaults, and click Next.

Review your Configure AD Certificate Server options.

Now that we have selected everything, review the settings before click Configure.

Configure AD Certificate Server is completed.

Wait for the configuration to complete and then click Close. With that last step completed you are done Configure AD Certificate Server. I personally, like to reboot to ensure that we are at a clean point before doing anything else.

So, what is next in this set? There are many things that I want to document but everything how to create a code signing Certificate which you can then use to code sign you PowerShell scripts. To other such as fixing RDP to use your CA certs.

How to Configure AD Certificate Services Video

Finally, don’t forget that you can subscribe to my RRS feed to stay on top of the latest trips and tricks. Additionally, if you have any questions, please feel free to touch base @Garthmj.