wasnt nate

Win2k12: How to Use Active Directory Certificate Services

Success! I was able to get Active Directory Certificate Services (AD CS) to work, and now it even makes sense. After reading many articles and posts I found this one on TechNet, which was very clear and easy to follow.

Create Certificates
Once AD CS is installed, launch mmc and add the snap-ins for Certificate Templates (CT) and Certification Authority (CA).

  1. Under CT, find a template that is similar to your purpose.
  2. Right-click it and choose Duplicate.
  3. Navigate to the Security tab and grant access to the accounts that will access the certificate. For many common scenarios this means the { read, enroll, and auto enroll } permissions.
  4. In the Certification Authority snap-in, right-click “Certificate Templates” and choose “New Template to Issue”.

Verify the Target
To verify this worked, open the Certificates snap-in connected to the remote machine/user that should receive the cert. Right-click Personal -> Request New Certificate; the new template should appear in the list.

Note: If requesting a certificate for a web site, the Common Name needs to match the hostname exactly or there will be a certificate warning.

Trusting the CA For Non Domain Scenarios
In the standard case, AD CS extends the domain schema and pushes down the root chains and trusts for the newly added CA. If you have a workgroup machine or device, this import step has to be done manually.

1. Use https://my.ca.name.here.com/certsrv/ to export the CA certificate.
2. Open mmc and load the Certificates snap-in scoped to Local Machine.
3. Expand Trusted Root Certification Authorities, right-click it, and import the file from step 1.
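
A scripted equivalent of steps 2 and 3, as an added example that is not part of the original post: it checks the exported file before placing it in the machine's root store, because anything in that store is trusted for every certificate it signs. The file path and the expected thumbprint are assumptions; the thumbprint is a placeholder to be replaced with the value read on the CA itself and passed over a separate channel.

```powershell
# Added example: check an exported root CA certificate, then trust it machine-wide.
# Run from an elevated PowerShell session on the workgroup machine.
$ErrorActionPreference = 'Stop'

$certPath = 'C:\Temp\my-ca-root.cer'                # assumed location of the file from step 1
$expected = '<THUMBPRINT-CONFIRMED-WITH-CA-ADMIN>'  # placeholder (SHA-1), obtained out of band

# Parse the file in memory; nothing is added to a store yet.
$fullPath = (Resolve-Path $certPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# 1. The thumbprint must match the value confirmed out of band.
$want = ($expected -replace '\s', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $want) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# 2. A root certificate is self-issued and marked as a CA (basic constraints, OID 2.5.29.19).
if ($cert.Subject -ne $cert.Issuer) {
    throw "Subject and issuer differ: issued by $($cert.Issuer)"
}
$bc = $cert.Extensions['2.5.29.19']
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Basic constraints do not mark this certificate as a CA'
}

# 3. It must be inside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)"
}

# 4. Import into Local Machine > Trusted Root Certification Authorities, unless already there.
$store = 'Cert:\LocalMachine\Root'
if (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) {
    Write-Output "Already trusted: $($cert.Subject)"
} else {
    Import-Certificate -FilePath $fullPath -CertStoreLocation $store | Out-Null
    Write-Output "Imported $($cert.Subject) [$($cert.Thumbprint)]"
}
```

`Import-Certificate` ships in the PKI module on Windows 8 / Server 2012 and later; on older systems the mmc steps above do the same import.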
