Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Local Certification Authority

This page provides some tips for using a local certification authority (CA) to issue a domain controller certificate. This is for local Microsoft CAs. Other platforms may be used and have different procedures.

These procedures are accurate for using Microsoft 2012 Server, Standard Edition, for CA and domain controller servers as of March 2017.


  • The server that hosts the CA must be joined to the domain.
  • The CA should never reside on the same server(s) that are acting as domain controller(s).
  • You must be an Enterprise Administrator in the domain to perform these steps.

Install CA Role

  1. Log into the CA server as a member of the Enterprise Administrators group.
  2. Open the Server Manager and click on Manage -> Add Roles and Features.
  3. Proceed through the Add Roles and Features Wizard options. Choose the following:
    Server Roles: Active Directory Certificate Services
    AD CS Roles Services: Certification Authority
  4. On the Results page, click on Configure Active Directory Certificate Services on the destination server.
  5. Proceed through the AD CS Configuration options. Choose the following values, as required:
    Role Service: Certification Authority
    Setup Type: Enterprise CA
    CA Type: Root CA
    Private Key: Create a new private key
    Cryptography: RSA#Microsoft Software Key Storage Provider, 2048 bit, SHA-256 6e
    CA Name: Use the naming convention: dc=[AD suffix], dc=[AD domain], cn=[certification authority name]
    (e.g., dc=gov, dc=[AgencyName], cn=[AgencyName] NPE CA1)
    Validity Period: 6 years
    Certificate Database: <your preference>

Configure Certificate Template for Domain Controller

The domain controller(s) certificate must contain valid information. These steps provide recommended options and settings.

  1. Log into the CA server as a member of the Enterprise Administrators group.
  2. Open the certificate template’s MMC snap-in (i.e., certtmpl.msc).
  3. Right-click on the Domain Controller Authentication template. Then, click on Duplicate Template.
  4. Under the Compatibility tab, modify the Compatibility Settings for both the CA and certificate recipients to the highest compatible version (e.g., Windows Server 2012 R2 or Windows 2008 R2).
  5. Under the General tab, use these recommended settings:
    Template Name: <Your organization> - Domain Controller Authentication.
    Validity Period: 3 years.
    Renewal Period: 6 weeks.
  6. Under the Cryptography tab, set these values:
    Minimum Key Size: 2048.
    Request Hash: SHA256
  7. Open the CA console (i.e., certsrv.msc).
  8. In the console tree, click on the [CA’s name].
  9. In the details pane, double-click on Certificate Templates.
  10. In the console tree, right-click on Certificate Templates. Then, click on New > Certificate Template To Issue.
  11. Select and enable the certificate template that was created. Click on OK.

Auto-Enroll Domain Controllers Using Group Policy Object (GPO)

  1. Log into a Domain Controller server as a member of the Enterprise Administrators group.
  2. Open the GPMC: gpmc.msc
  3. Within the appropriate GPO applied to the Domain Controllers, go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\
  4. Configure Certificate Services Client – Auto-Enrollment with the following options:
    Configuration Model: Enabled.
    Renew Expired Certificates, Update Pending Certificates, Remove Revoked Certificates: Check_all checkboxes.
    Update Certificates That Use Certificate Templates: Check the checkbox.
  5. Replicate the group policy. Use the command: gpupdate /force at the command line, or wait for the group policy to replicate based on your replication time and settings.
  6. Open MMC.exe -> File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer.

If successful, you will see a new domain controller certificate in the Certificate (Local Computer) -> Personal -> Certificates folder. At the Certificate Template tab, you will also see a certificate generated with the custom certificate template.

An official website of the General Services Administration

Looking for U.S. government information and services?
Visit Edit this page