Local Certification Authority
This page provides some tips for using a local certification authority (CA) to issue a domain controller certificate. This is for local Microsoft CAs. Other platforms may be used and have different procedures.
These procedures are accurate for using Microsoft 2012 Server, Standard Edition, for CA and domain controller servers as of March 2017.
Can federally operated certificate revocation services (CRL, OCSP) operate on port 80?
Yes. This very narrow class of services, which provide CRL and OCSP information for the purpose of verifying the revocation status of certificates used to make other HTTPS connections, should abide by best practices in the field and their respective specifications. For CRLs, follow RFC 5280, which states that CAs SHOULD NOT include URIs that specify https, ldaps, or similar schemes in extensions. For OCSP, follow RFC 6960, which states that a CA may use port 443 for OCSP where privacy is a requirement. Agencies are encouraged to operate OCSP and CRL services via hostnames specifically reserved for those services, so that other related information and functionality can be served securely and privately. For more information, see the Federal CIO Council HTTPS-Only Standard.
Prerequisites
- The server that hosts the CA must be joined to the domain.
- The CA should never reside on the same server(s) that are acting as domain controller(s).
- You must be an Enterprise Administrator in the domain to perform these steps.
Install CA Role
- Log into the CA server as a member of the Enterprise Administrators group.
- Open the Server Manager and click on Manage -> Add Roles and Features.
- Proceed through the Add Roles and Features Wizard options. Choose the following:
  Server Roles: Active Directory Certificate Services
  AD CS Role Services: Certification Authority
- On the Results page, click on Configure Active Directory Certificate Services on the destination server.
- Proceed through the AD CS Configuration options. Choose the following values, as required:
  Role Service: Certification Authority
  Setup Type: Enterprise CA
  CA Type: Root CA
  Private Key: Create a new private key
  Cryptography: RSA#Microsoft Software Key Storage Provider, 2048 bit, SHA-256
  CA Name: Use the naming convention: dc=[AD suffix], dc=[AD domain], cn=[certification authority name]
  (e.g., dc=gov, dc=[AgencyName], cn=[AgencyName] NPE CA1)
  Validity Period: 6 years
  Certificate Database: <your preference>
Configure Certificate Template for Domain Controller
The domain controller(s) certificate must contain valid information. These steps provide recommended options and settings.
- Log into the CA server as a member of the Enterprise Administrators group.
- Open the certificate template’s MMC snap-in (i.e., certtmpl.msc).
- Right-click on the Domain Controller Authentication template. Then, click on Duplicate Template.
- Under the Compatibility tab, modify the Compatibility Settings for both the CA and certificate recipients to the highest compatible version (e.g., Windows Server 2012 R2 or Windows 2008 R2).
- Under the General tab, use these recommended settings:
  Template Name: <Your organization> - Domain Controller Authentication.
  Validity Period: 3 years.
  Renewal Period: 6 weeks.
- Under the Cryptography tab, set these values:
  Minimum Key Size: 2048.
  Request Hash: SHA256
- Open the CA console (i.e., certsrv.msc).
- In the console tree, click on the [CA’s name].
- In the details pane, double-click on Certificate Templates.
- In the console tree, right-click on Certificate Templates. Then, click on New > Certificate Template To Issue.
- Select and enable the certificate template that was created. Click on OK.
Auto-Enroll Domain Controllers Using Group Policy Object (GPO)
- Log into a Domain Controller server as a member of the Enterprise Administrators group.
- Open the GPMC: gpmc.msc
- Within the appropriate GPO applied to the Domain Controllers, go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\
- Configure Certificate Services Client – Auto-Enrollment with the following options:
  Configuration Model: Enabled.
  Renew Expired Certificates, Update Pending Certificates, Remove Revoked Certificates: Check all checkboxes.
  Update Certificates That Use Certificate Templates: Check the checkbox.
- Replicate the group policy. Run gpupdate /force at the command line, or wait for the group policy to replicate based on your replication time and settings.
- Open MMC.exe -> File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer.
If successful, you will see a new domain controller certificate in the Certificate (Local Computer) -> Personal -> Certificates folder. At the Certificate Template tab, you will also see a certificate generated with the custom certificate template.
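The following PowerShell script is an added example, not part of the original procedure, that automates the final check: it finds the domain controller's certificate issued from the custom template and confirms the settings chosen above (2048-bit RSA key, SHA-256 signature, server/client authentication usages, the host's FQDN in the SAN). It assumes an elevated prompt on a domain controller after gpupdate /force; the template name below is a hypothetical value to replace with your own.

```powershell
# Added verification example; not part of the original procedure.
# Assumptions: run elevated on a domain controller after auto-enrollment;
# $TemplateName is the name chosen under the General tab (hypothetical value here);
# the issued certificate should name this host's FQDN.
$TemplateName    = 'Contoso - Domain Controller Authentication'   # hypothetical
$MinKeySize      = 2048
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 templates)
$Fqdn            = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-TemplateInfo($cert) {
    # Decoded "Template=..." text of the template extension, or $null if absent
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if ($ext) { $ext.Format($false) } else { $null }
}

function Test-DcCertificate($cert) {
    # One row of pass/fail checks against the settings recommended on this page
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Template      = Get-TemplateInfo $cert
        KeySizeOk     = ($null -ne $rsa) -and ($rsa.KeySize -ge $MinKeySize)
        Sha256Ok      = $cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA'
        ServerAuthOk  = $ekus -contains '1.3.6.1.5.5.7.3.1'   # Server Authentication
        ClientAuthOk  = $ekus -contains '1.3.6.1.5.5.7.3.2'   # Client Authentication
        FqdnInSanOk   = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -contains $Fqdn
        NotExpired    = $cert.NotAfter -gt (Get-Date)
        HasPrivateKey = $cert.HasPrivateKey
    }
}

# Only certificates in the computer's Personal store that came from the custom template
$results = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-TemplateInfo $_) -like "*$TemplateName*" } |
    ForEach-Object { Test-DcCertificate $_ }

if (-not $results) {
    Write-Warning "No certificate from template '$TemplateName' found; re-run gpupdate /force and check the CA's Issued and Failed Requests folders."
} else {
    $results | Format-List
}
```

If the Template field shows only an OID rather than the friendly name, match on that OID instead (it is listed under the template's Extensions tab in certtmpl.msc).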