About AD CS:
Configuring AD FS on Windows Server 2016 requires an SSL certificate, and an SSL certificate needs a Certificate Authority (CA) to issue it. Active Directory Certificate Services (AD CS) is the Windows Server 2016 role that provides the CA and manages certificate issuance. The SSL certificate lets browsers and trusted vendors authenticate the federation server and encrypt the connection to it for web-based access; the users themselves are authenticated by AD FS, not by this certificate.
An Enterprise CA has to be installed on a domain-joined server by a member of Enterprise Admins. It does not have to be a domain controller, and Microsoft recommends against combining the two roles (the CA host cannot be renamed or demoted afterwards without reinstalling the CA, and a compromised CA is as serious as a compromised DC), so use a dedicated member server where you can.
This blog shows how to install and configure AD CS and how to issue the SSL certificate that AD FS needs. An SSL certificate allows a secure connection between the web server and your browser.
For the AD CS installation, open Server Manager, choose Add Roles and Features, select Active Directory Certificate Services and click Install. When the role installation finishes, AD CS is ready for its post-deployment configuration; a reboot is not normally required.
When you open Server Manager you will see a notification flag at the top right for the pending post-deployment task. Click it; for reference, see the image below.
Once you click the post-deployment task, the following screen appears, where you provide credentials (an Enterprise Admins account for an Enterprise CA) and click Next.
Select the role services you want to configure. Here I have selected two: Certification Authority and Certification Authority Web Enrollment. Web Enrollment is optional; it adds the certsrv web site used below to download the CA certificate. Because that site accepts NTLM authentication over HTTP by default, either leave it out or, if you keep it, bind it to HTTPS only and enable Extended Protection for Authentication in IIS.
Next, select the setup type: Enterprise CA or Standalone CA. An Enterprise CA is integrated with Active Directory, supports certificate templates and auto-enrollment, and is what the template steps later in this post require.
Select the CA type, Root CA or Subordinate CA, according to your Public Key Infrastructure (PKI) hierarchy. The first CA in a forest is a Root CA; a Subordinate CA receives its certificate from an existing CA.
Specify the private key: create a new one (the usual choice for a new CA) or reuse an existing private key or certificate.
Choose the cryptography for the private key: the key storage provider, key length and hash algorithm. For a new CA use RSA with a 2048-bit or longer key (4096 bits for a root) and SHA-256; do not choose SHA-1, which modern browsers reject.
Enter the CA name. It is embedded in every certificate the CA issues and cannot be changed afterwards without reinstalling the CA.
Set the validity period of the CA certificate (10 years is typical for a root). Certificates the CA issues cannot outlive it.
Accept or change the CA database and log locations (default C:\Windows\System32\CertLog).
Verify the details and then click configure.
Finally, you will see a summary once the configuration succeeds. Windows Active Directory Certificate Services is now configured.
With Web Enrollment installed, the CA publishes its certificate at the address below; open it in your web browser to download the CA certificate. This is the public certificate and chain only: the CA's private key never leaves the CA server and is not available for download. → http://localhost/certsrv
Now you can download the CA certificate.
AD CS installation and configuration is complete. Next we create the certificate template for the AD FS SSL certificate.
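The same installation and post-deployment configuration can be done unattended. The script below is an added example, not part of the original post: it assumes a domain-joined member server (not a DC), an Enterprise Admins logon, an elevated PowerShell session, and the placeholder CA name Vembu-Root-CA, and it ends by exporting the CA certificate to a file so that the certsrv download is not needed.

```powershell
# Added example (not from the original post): the unattended equivalent of the
# Server Manager steps above. Assumed placeholders: domain-joined member server,
# Enterprise Admins logon, CA name "Vembu-Root-CA", scratch folder C:\Temp.

# 1. Install the CA role and its management tools. Web Enrollment is omitted on
#    purpose; add -Name ADCS-Web-Enrollment only if you need the /certsrv site.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Post-deployment configuration: Enterprise Root CA with a new RSA-4096 key
#    in the software KSP, SHA-256 signatures and a 10-year CA certificate.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'Vembu-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory 'C:\Windows\System32\CertLog' `
    -LogDirectory 'C:\Windows\System32\CertLog' `
    -Force

# 3. Check what was actually created. The CA certificate sits in the local
#    machine Personal store; its subject is "CN=Vembu-Root-CA, DC=..." because an
#    Enterprise CA appends the domain suffix to the name you typed.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=Vembu-Root-CA*' }
if (-not $caCert) { throw 'CA certificate not found in LocalMachine\My' }
if ($caCert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') { throw 'Unexpected hash algorithm' }
if ($caCert.PublicKey.Key.KeySize -ne 4096) { throw 'Unexpected key length' }
certutil -ping          # the CA service is running and answering requests

# 4. Export the CA *certificate* (public part only; the private key stays in the
#    CA's key store) for distribution to clients that need to trust it.
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
certutil -ca.cert 'C:\Temp\Vembu-Root-CA.cer'
```

Step 3 is the part worth keeping even when you use the wizard: it confirms the CA certificate really carries the key length and hash you selected, before any certificates are issued from it.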
Creating the SSL Certificate Template: press Win+R, type mmc and press Enter to open the Microsoft Management Console.
In the console, go to File and select Add/Remove Snap-in.
Select Certificate Templates, click Add, then OK.
The console lists the certificate templates. In the right-hand pane, right-click Web Server and select Duplicate Template.
The properties of the new template appear. On the Security tab, add the computer account of the AD FS server (or a group containing every farm node) and grant it Read and Enroll. Do not grant Write: enrolling never needs it, and Write lets that principal modify the template itself.
On the Request Handling tab, tick Allow private key to be exported and click Apply. This is required because every node of an AD FS farm must hold the same certificate and private key; it also means anyone who can read the machine store can carry the key away, which is one more reason to keep the Enroll permission narrow.
On the General tab, rename the template as you require. Here I have named it Vembuadfs.
The template is now defined, but a duplicated template is not issued until the CA publishes it: in the Certification Authority console, right-click Certificate Templates, choose New → Certificate Template to Issue and pick Vembuadfs. Then request a certificate from it on the AD FS server (Certificates snap-in for the computer account → Personal → All Tasks → Request New Certificate) so that it lands in the Local Computer Personal store used in the following steps.
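Before issuing from the new template it is worth checking who can modify it, and the publish and enrollment steps can be scripted. The block below is an added example, not from the original post: it assumes the template has already been duplicated and named Vembuadfs, that the RSAT ActiveDirectory module is present, and the placeholder names Vembu-Root-CA (the CA) and adfs.vembu.local (the federation service name).

```powershell
# Added example (not from the original post). Assumes the template "Vembuadfs"
# already exists, the ActiveDirectory module is installed, and the placeholder
# federation service name adfs.vembu.local.
Import-Module ActiveDirectory

$templateName = 'Vembuadfs'
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateDN   = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# 1. Audit who can change the template. Enrollees only need Read and Enroll
#    (Enroll is an extended right, so it does not match this filter); any
#    principal with write-type rights can rewrite the template's settings.
$acl = Get-Acl -Path "AD:\$templateDN"
$writers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'
}
$writers | Select-Object IdentityReference, ActiveDirectoryRights | Format-Table -AutoSize
# Expected: only Domain Admins / Enterprise Admins style groups. If Domain Users,
# Domain Computers or Authenticated Users appears here, fix the ACL before issuing.

# 2. Publish the template on the CA (run this part on the CA server). Console
#    equivalent: Certificate Templates -> New -> Certificate Template to Issue.
certutil -SetCATemplates "+$templateName"

# 3. On the AD FS server, enroll from the template into the machine store.
#    The duplicated Web Server template takes the subject from the request, so
#    supply the federation service name and the SAN(s) AD FS expects.
$result = Get-Certificate -Template $templateName `
    -SubjectName 'CN=adfs.vembu.local' `
    -DnsName 'adfs.vembu.local' `
    -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
$result.Certificate | Format-List Subject, DnsNameList, NotAfter, HasPrivateKey, Thumbprint
```

If the ACL audit lists a broad group with write rights, remove it in the template's Security tab first; a template that enrollees can edit is worse than no template, because it lets them change the subject rules and key settings for every certificate issued from it afterwards.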
Before the AD FS configuration, complete the AD CS setup and the SSL certificate enrollment. The AD FS configuration wizard then picks up the SSL certificate from the Local Computer Personal store automatically. Refer to the screenshot below.
For a production AD FS deployment you need a certificate from a third-party public CA, because users of the organization reach the Azure (cloud) applications from outside the network on mobile or personal devices (home PCs). Those devices do not trust a self-signed or internal-CA service communication certificate, so to access the application the service communication certificate must come from a public CA they already trust.
This blog does not cover obtaining a certificate from a third-party public CA.
Export SSL Certificate:
Open MMC from Run, go to File → Add/Remove Snap-in → double-click Certificates → select Computer account and click Next → select Local computer → click Finish.
Go to Console Root → expand Certificates → expand Personal → click Certificates.
Select the AD FS certificate (the one issued to your federation service name), right-click it → All Tasks → Export.
Click Next → select Yes, export the private key → Next.
Select Personal Information Exchange – PKCS #12 (.PFX) and click Next.
Click Next and set a password for the private key. The PFX is protected only by this password, so choose a strong one.
Click Next and provide the name of your PFX file.
Click Next and the certificate is exported, private key included. Treat the file as you would the key itself: copy it only to the servers that need it and delete it afterwards.
Import SSL Certificate:
Copy the exported .pfx file to the server that needs the certificate, right-click it, click Install PFX and proceed by clicking Next.
Select the store location; for an AD FS server this is Local Machine, with the certificate placed in the Personal store. Click Next once the store details are displayed and then Finish. After a few seconds the Certificate Import Wizard reports that the import was successful.
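The export and import can also be scripted, which makes it easy to add the checks the wizard does not do (same thumbprint on both sides, private key present, chain valid, PFX removed afterwards). This is an added example, not from the original post; it assumes the AD FS certificate for the placeholder name adfs.vembu.local is in the Local Machine Personal store, and uses C:\Temp\adfs.pfx as a scratch path. The import half is written to run on the target farm node after you copy the file there.

```powershell
# Added example (not from the original post). Placeholders: federation service
# name adfs.vembu.local, scratch file C:\Temp\adfs.pfx.
$subject = 'CN=adfs.vembu.local'
$pfxPath = 'C:\Temp\adfs.pfx'

# Prompt for the PFX password instead of hard-coding it; it protects the key.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# --- Export (run on the server that enrolled the certificate) ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $subject" }

New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
# Fails with "key not valid for use in specified state" if the template did not
# allow the private key to be exported. BuildChain includes the issuing CA cert.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption BuildChain | Out-Null

# --- Import (copy the .pfx to the other farm node and run this there) ---
# -Exportable is deliberately not passed: the key cannot be exported again from
# the new node, which limits how far a stolen copy can spread.
$imported = Import-PfxCertificate -FilePath $pfxPath -Password $pfxPassword `
    -CertStoreLocation Cert:\LocalMachine\My

# --- Verify: same certificate, private key present, chain valid for TLS ---
if ($imported.Thumbprint -ne $cert.Thumbprint) { throw 'Thumbprint mismatch after import' }
if (-not $imported.HasPrivateKey)               { throw 'Private key did not import' }
$chainOk = Test-Certificate -Cert $imported -Policy SSL -DNSName 'adfs.vembu.local' `
    -ErrorAction SilentlyContinue
"Imported $($imported.Thumbprint); chain valid for SSL: $chainOk"

# The PFX is a copy of the private key. Remove it as soon as the import is done.
Remove-Item -Path $pfxPath -Force
```

Test-Certificate returns $false if the importing machine does not trust the CA that issued the certificate, which is the case to expect on a device outside the domain and the reason the post calls for a public CA certificate in production.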
Active Directory Certificate Services is essential for the AD FS configuration: the certificates it issues let web-based applications and external trusted vendors verify the federation service. This document covered the installation and configuration of AD CS, downloading the CA certificate, and exporting and importing the SSL certificate.