The following Certificate Templates will need to be created in the Certification Authority console on the TFS-CA01 server:
| Template Name | Validity | Publish in ADDS | Additional Security |
|---|---|---|---|
| TFS Labs User Certificate | 1 Year | Yes | TFS-CA01 (Enroll); Domain Users (Read, Enroll, Autoenroll) |
| TFS Labs Workstation Certificate | 1 Year | Yes | TFS-CA01 (Enroll); Domain Computers (Enroll, Autoenroll) |
| TFS Labs Web Server Certificate | 1 Year | No | |
These Certificate Templates will be used for issuing Certificates to the organization. Some will be issued automatically, and the others can be requested by users or devices. The procedure for creating these Certificate Templates is mostly the same.
The Key Recovery Agent feature of Active Directory Certificate Services allows for the archival of private keys that are generated by the Certificate Authority. This is very important if a certificate is deleted and needs to be restored.
This entire section is optional. Not implementing private key archive and recovery will have no impact on the functionality of your Certificate Authority, nor will it interfere with any later steps. This functionality can be added at any time in the future if needed.
6.1 Create the Key Recovery Agent Template
- In the Certification Authority console on the TFS-CA01 server, ensure that the TFS Labs Enterprise CA server is expanded in the console tree.
- Right-click on Certificate Templates and then click Manage. The Certificate Templates Console will open and display the Certificate Templates stored in Active Directory.
- In the details pane, right-click on the Key Recovery Agent Certificate Template and then click Duplicate Template.
- On the Properties of New Template window, click on the General tab. Change the name of the template to TFS Labs Key Recovery Agent. Ensure that the Validity Period is set to 1 year.
- On the Issuance Requirements tab, uncheck the option for CA certificate manager approval.
- On the Security tab verify that Authenticated Users do not have the Enroll or Autoenroll permissions enabled.
- On the Security tab select Domain Admins and Enterprise Admins and enable the Enroll permission. Click OK to close the window.
- Close the Certificate Templates Console window.
- In Certification Authority console, right-click on Certificate Templates, then select New and then select Certificate Template to Issue.
- In the Enable Certificate Templates dialog box, click TFS Labs Key Recovery Agent and then click OK.
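Once the templates from the table and the Key Recovery Agent template above have been built in the GUI, it is worth checking that what ended up in Active Directory matches the plan, in particular that Authenticated Users did not keep Enroll or Autoenroll on the recovery-agent template. The following PowerShell is an added example and not part of the original guide; it reads each template object from the Configuration partition, decodes the validity period, and lists which principals hold Enroll and Autoenroll. It assumes the ActiveDirectory RSAT module is installed, that it runs on a domain-joined host with read access to the Configuration partition, and that the template and group names are exactly as used in this guide; the `$Defaults` list of principals that are tolerated without being in the table (the CA computer account and the two admin groups) is an assumption based on what a duplicated template normally carries.

```powershell
# Added example (not from the original guide): audit the TFS Labs certificate templates
# against the intended validity period and Enroll/Autoenroll permissions.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateNC = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Resolve the extended-right GUIDs for Enroll and AutoEnrollment from the forest
# instead of hard-coding them.
$rightNames = @{}
foreach ($pair in @(@('Enroll', 'Enroll'), @('AutoEnrollment', 'Autoenroll'))) {
    Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$($pair[0]))" -Properties rightsGuid |
        ForEach-Object { $rightNames[[guid]$_.rightsGuid] = $pair[1] }
}

# Principals that may hold Enroll without appearing in the guide's table (assumption).
$Defaults = @('Domain Admins', 'Enterprise Admins')

function Test-TfsTemplate {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Days = 365,
        [string[]]$Enroll = @(),      # principals expected to hold Enroll
        [string[]]$Autoenroll = @()   # principals expected to hold Autoenroll
    )
    $dn  = "CN=$Name,$templateNC"
    $obj = Get-ADObject -Identity $dn -Properties pKIExpirationPeriod -ErrorAction SilentlyContinue
    if (-not $obj) { Write-Warning "$Name: template not found in AD"; return }

    # pKIExpirationPeriod is a negative 64-bit count of 100 ns ticks.
    $ticks      = -[BitConverter]::ToInt64($obj.pKIExpirationPeriod, 0)
    $actualDays = [int][TimeSpan]::FromTicks($ticks).TotalDays

    $all     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extRt   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $holders = @{ Enroll = @(); Autoenroll = @() }
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value -replace '^.*\\', ''   # strip DOMAIN\ prefix
        $granted = @()
        if (($ace.ActiveDirectoryRights -band $all) -eq $all) {
            $granted = 'Enroll', 'Autoenroll'                      # full control implies both
        } elseif ($ace.ActiveDirectoryRights -band $extRt) {
            if ($ace.ObjectType -eq [guid]::Empty) { $granted = 'Enroll', 'Autoenroll' }   # all extended rights
            elseif ($rightNames.ContainsKey($ace.ObjectType)) { $granted = @($rightNames[$ace.ObjectType]) }
        }
        foreach ($g in $granted) { $holders[$g] += $who }
    }

    # Anything holding Enroll that is not expected, a default, or a computer account ($) is flagged.
    $unexpected = $holders.Enroll | Where-Object { $_ -notin ($Enroll + $Defaults) -and $_ -notmatch '\$$' }
    $missing    = ($Enroll + $Autoenroll) | Where-Object { $_ -notin ($holders.Enroll + $holders.Autoenroll) }

    [pscustomobject]@{
        Template         = $Name
        ValidityDays     = $actualDays
        ValidityOk       = ($actualDays -eq $Days)
        EnrollHolders    = ($holders.Enroll | Sort-Object -Unique) -join ', '
        AutoenrollHolders= ($holders.Autoenroll | Sort-Object -Unique) -join ', '
        UnexpectedEnroll = ($unexpected | Sort-Object -Unique) -join ', '
        MissingExpected  = ($missing | Sort-Object -Unique) -join ', '
    }
}

# Expected state from the template table and section 6.1.
Test-TfsTemplate -Name 'TFS Labs User Certificate'        -Enroll 'Domain Users'     -Autoenroll 'Domain Users'
Test-TfsTemplate -Name 'TFS Labs Workstation Certificate' -Enroll 'Domain Computers' -Autoenroll 'Domain Computers'
Test-TfsTemplate -Name 'TFS Labs Web Server Certificate'
Test-TfsTemplate -Name 'TFS Labs Key Recovery Agent'      -Enroll 'Domain Admins', 'Enterprise Admins'
```

A non-empty `UnexpectedEnroll` column on the Key Recovery Agent row (for example `Authenticated Users`) means the Security tab step in 6.1 was missed; a recovery agent certificate in the wrong hands can decrypt every archived key, so that row deserves the closest look.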
6.2 Create the Key Recovery Agent Certificate
Once the Certificate Template has been created, it can be requested for the Domain Administrator account.
Enabling the auto-enrollment feature in Group Policy allows users and workstations in the organization to automatically receive a certificate from the Active Directory Certificate Authority server. This level of automation is helpful for large organizations that need to quickly deploy certificates for users or workstations.
7.1 User Auto-Enrollment
To enable certificate auto-enrollment for user accounts in the TFS Labs domain, perform the following steps on the TFS-DC01 server:
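After the Group Policy change has replicated and applied, a quick way to confirm that auto-enrollment is actually in force on a client, and that the user or computer received a certificate from the intended template, is to read the policy value the GPO writes and then search the certificate store for the template name. The PowerShell below is an added example, not part of the original guide. It assumes the standard "Certificate Services Client - Auto-Enrollment" policy, which stores its setting as the `AEPolicy` DWORD under `SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment` (HKCU for the user policy, HKLM for the computer policy); the bit meanings in the comments are my reading of that value and should be treated as an assumption. The template-name match relies on the certificate's template extension being formatted with a friendly name, which works when the template is known to the forest the client is joined to.

```powershell
# Added example (not from the original guide): check auto-enrollment policy state and
# locate certificates issued from a given template on this client.

function Get-AutoEnrollmentState {
    param([ValidateSet('User', 'Computer')][string]$Scope = 'User')
    $hive  = if ($Scope -eq 'User') { 'HKCU:' } else { 'HKLM:' }
    $key   = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value) {
        # No policy value present: the GPO has not applied to this scope (or is Not Configured).
        return [pscustomobject]@{ Scope = $Scope; Configured = $false; Enabled = $false
                                  RenewExpired = $false; UpdateTemplates = $false; Raw = $null }
    }
    # AEPolicy bit flags (assumption, matching the GPO check boxes):
    #   0x1    auto-enrollment enabled
    #   0x2    renew expired certificates, update pending certificates, remove revoked ones
    #   0x4    update certificates that use certificate templates
    #   0x8000 explicitly disabled
    [pscustomobject]@{
        Scope           = $Scope
        Configured      = $true
        Enabled         = (($value -band 0x8000) -eq 0) -and (($value -band 0x1) -ne 0)
        RenewExpired    = (($value -band 0x2) -ne 0)
        UpdateTemplates = (($value -band 0x4) -ne 0)
        Raw             = ('0x{0:X}' -f $value)
    }
}

function Get-TemplateCertificate {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [ValidateSet('User', 'Computer')][string]$Scope = 'User'
    )
    $store = if ($Scope -eq 'User') { 'Cert:\CurrentUser\My' } else { 'Cert:\LocalMachine\My' }
    # v2+ templates carry "Certificate Template Information" (1.3.6.1.4.1.311.21.7);
    # v1 templates carry "Certificate Template Name" (1.3.6.1.4.1.311.20.2).
    $templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
    Get-ChildItem -Path $store | Where-Object {
        $text = $_.Extensions |
            Where-Object { $_.Oid.Value -in $templateOids } |
            ForEach-Object { $_.Format($false) }
        $text -and ($text -match [regex]::Escape($TemplateName))
    } | Select-Object Subject, NotAfter, Thumbprint, HasPrivateKey
}

# Usage: confirm the user policy is on, then look for the guide's user template.
Get-AutoEnrollmentState -Scope User
Get-TemplateCertificate -TemplateName 'TFS Labs User Certificate' -Scope User
```

If the state shows `Configured = $true` but no certificate is returned, `gpupdate /force` followed by `certutil -pulse` triggers a fresh policy and auto-enrollment pass without waiting for the next scheduled run; a certificate with `HasPrivateKey = False` on a user template points at a profile or key-storage problem rather than at the CA.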
Once the Certificate Authority has been successfully implemented and completed, there are a few files that should be deleted and a few tasks that will need to be performed now and in the future.
8.1 TFS-CA01 Server Cleanup
Delete the following files on the TFS-CA01 server:
Certificate Auto-Enrollment
This entire section is optional. Not implementing certificate auto-enrollment will have no impact on the functionality of your Certificate Authority, nor will it interfere with any later steps. This functionality can be added at any time in the future if needed.
This guide is archived and will no longer be updated. It has been superseded by the AD CS on Windows Server 2022 guide.
This guide was originally posted on the https://mjcb.ca website in March 2020. It has received updates to fix minor errors and to improve readability.
Goals of this Guide
The goal of this guide is to deploy an internal Two-Tier Certificate Authority and a Public Key Infrastructure (PKI) using Active Directory Certificate Services in Windows Server 2019. This provides multiple benefits to an organization, including features like:
This is an updated version of the AD CS on Windows Server 2019 guide that is already available on this website. This guide reflects any changes that are present in Active Directory Certificate Services, Windows Server 2022, and Windows 11.
Goals of this Guide
The goal of this guide is to deploy an internal Two-Tier Certificate Authority (CA) and a Public Key Infrastructure (PKI) using Active Directory Certificate Services (AD CS) in Windows Server 2022.