About AD CS:

To configure AD FS on Windows Server 2016, we need an SSL certificate and a Certificate Authority (CA) so that Federation Services and trusted vendors can connect over web-based access. Active Directory Certificate Services (AD CS) plays a very important role in managing certificate services on Windows Server 2016. SSL certificate services are crucial in authenticating users who access web-based applications from trusted vendors.
To enable a Certificate Authority (CA) on Windows Server 2016, Active Directory Certificate Services must be installed on the Domain Controller.

In this blog, we will see how to install and configure AD CS and an SSL certificate. An SSL certificate allows a secure connection between the web server and your browser.

For AD CS installation, go to Server Manager and click Roles and features, select Active Directory Certificate Services, and click Install. Once the basic AD CS installation is completed, reboot the server. AD CS is now ready to be configured.

When you open Server Manager, you will see a notification at the top right for the post-deployment task. Click it; for reference, you can check the image below.

Once you click the post deployment task, the following screen will appear where you will have to provide the credentials and click Next.

Select the role services you want to configure. Here I have selected two services: Certification Authority and Certification Authority Web Enrollment.

Next, select the setup type of the Certificate Authority (CA): Enterprise CA or Standalone CA.

Select the CA type, either Root CA or Subordinate CA. It is related to the Public Key Infrastructure (PKI) hierarchy.

Specify the key type.

Specify the cryptography details for the private key.

Specify the CA name:

Specify the certificate validity period:

CA Database location:

Verify the details and then click Configure.

Installation starts.

Finally, you will get the required details once the configuration is successful. Windows Active Directory Certificate Services is now configured successfully.
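
The same role installation and post-deployment choices can also be scripted in PowerShell. This is an added example, not part of the original post; the CA name, key length, hash algorithm, validity period and paths are assumed values, since the post does not state what was entered in the wizard.

```powershell
# Added example. Run in an elevated session on the server; configuring an
# Enterprise CA requires Enterprise Admins rights.
# Every value in $ca is an assumed placeholder, not taken from the post.
$ca = @{
    CAType              = 'EnterpriseRootCA'   # setup type + CA type pages; the other
                                               # values are EnterpriseSubordinateCA,
                                               # StandaloneRootCA, StandaloneSubordinateCA
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048                 # cryptography page
    HashAlgorithmName   = 'SHA256'
    CACommonName        = 'Example-Root-CA'    # CA name page
    ValidityPeriod      = 'Years'              # validity period page
    ValidityPeriodUnits = 5
    DatabaseDirectory   = 'C:\Windows\System32\CertLog'   # CA database page
    LogDirectory        = 'C:\Windows\System32\CertLog'
}

# Role installation (Server Manager > Roles and features).
$feature = Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
if (-not $feature.Success) { throw 'AD CS role installation failed.' }
if ($feature.RestartNeeded -eq 'Yes') {
    Write-Warning 'Reboot the server, then run the configuration part again.'
    return
}

# Post-deployment configuration: preview the change, then apply it.
Install-AdcsCertificationAuthority @ca -WhatIf
$result = Install-AdcsCertificationAuthority @ca -Force
if ($result.ErrorId -ne 0) { throw "CA configuration failed: $($result.ErrorString)" }

$web = Install-AdcsWebEnrollment -Force
if ($web.ErrorId -ne 0) { throw "Web Enrollment configuration failed: $($web.ErrorString)" }

# Checks: the CA service is running and answers requests.
Get-Service -Name CertSvc | Select-Object Name, Status
certutil -ping
```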

To download private key details for the Certificate Authority, enter the following path in your web browser: localhost/certsrv

Now you can download the CA certificate.

AD CS installation and configuration is completed, and we can move on to installing the SSL certificate.

Installing SSL Certificate:

Click Run and type MMC to open the Microsoft Management Console.

In the MMC console, go to File and select Add/Remove Snap-in.

Select Certificate Templates, click the Add button, and then click OK.

The console displays the certificate templates. On the right-hand side of the screen, right-click Web Server and select Duplicate Template.

The properties of the new template will appear. Go to the Security tab, add the domain details, and grant the Read, Write and Enroll permissions.

In the Request Handling tab, select Allow private key to be exported, and click Apply.

The template name can be changed based on your requirement. Here I have changed the template name to Vembuadfs.

SSL certificate installation is now completed.

Before AD FS configuration, you must complete the AD CS and SSL installation. During AD FS configuration, the SSL certificate is picked up automatically by the configuration wizard. Refer to the screenshot below.

Note:

For AD FS installation we require a third-party public CA certificate, since users from the organization access the Azure applications (cloud) from outside networks, such as mobile or personal devices (home PC). Mobiles and personal devices (home PC) will not trust a service communication certificate that is self-signed or issued by an internal CA, so to access these applications you need to get a third-party public CA certificate.
This blog does not cover the configuration of a third-party public CA.

Export SSL Certificate:

Open the MMC console from Run and go to File → Add/Remove Snap-in → double-click Certificates → select Computer account and click Next → select Local computer → click Finish.
Go to Console Root → expand Certificates → expand Personal → click Certificates.

Select the correct domain, right-click, and choose All Tasks → Export.

Click Next → select Yes, export the private key → click Next.
Select Personal Information Exchange – PKCS #12 (.PFX) and click Next.

Click Next and enter the password for the private key.

Click Next and provide the name of your PFX file.
Once you click Next, the certificate is successfully exported.

Import SSL Certificate:

The SSL certificate you want to export is selected. Right-click the certificate, click Install Certificate, and proceed by clicking Next.

Select the store location to import the SSL certificate into and click Next. Once the store location details are displayed, click Finish. After a few seconds you will get a pop-up from the Certificate Import Wizard stating that the import was successful.
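
The export and import steps above can be done from PowerShell as well, which keeps the PFX password out of files and lets you confirm that the imported certificate is the one you exported. This is an added example, not part of the original post; the DNS name adfs.example.com and the file path are assumed placeholders.

```powershell
# Added example. $dnsName and $pfxPath are assumed placeholders.
$dnsName = 'adfs.example.com'
$pfxPath = 'C:\Temp\adfs-example.pfx'

# --- On the source server: export from Local Computer > Personal ---
$cert = Get-ChildItem -Path Cert:\LocalMachine\My -DnsName $dnsName |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate with a private key found for $dnsName." }

# Prompt for the password so it is never stored in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Fails if the key is not exportable, which is why the template step above
# allowed private key export.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
"Exported thumbprint: $($cert.Thumbprint)"

# --- On the target server, after copying the .pfx file over ---
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Without -Exportable, the imported private key is marked non-exportable.
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
"Imported thumbprint: $($imported.Thumbprint)"   # must match the exported one

# The .pfx file contains the private key; delete it once the import is verified.
Remove-Item -Path $pfxPath
```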

Conclusion:

Active Directory Certificate Services is very important for AD FS configuration. Certificate services provide authentication for external trusted vendors over web-based applications. This document will help you with the installation and configuration of AD CS, downloading the private key for the Certificate Authority, and importing and exporting the SSL certificate.
