Installing and configuring an Enterprise PKI (ADCS) environment.

In this blog post I describe the installation and configuration of the Active Directory Certificate Services (ADCS) role, based on an Enterprise PKI. An Enterprise PKI is an environment with a RootCA and a Subordinate CA. With this configuration the RootCA stays offline for security purposes and only goes online when issuing a subordinate CA certificate. Just follow the screenshots and you will have an Enterprise PKI in place in no time. The servers are based on Windows Server 2012 R2 Update 1 and you will need 2 servers (I assume you have the domain controller in place). This environment can be used for ADFS, Microsoft Azure, Windows Server 2012 R2 Workplace or for SCCM/SCOM 2012 R2 client communications.

Note: the RootCA is a standalone CA and the subordinate is an Enterprise CA. The RootCA is not domain joined.


Let’s begin!

If asked: Add all features, then click Next.



Click on the link for configuring the ADCS.

You have now configured ADCS as a RootCA. You have to change some settings for the subordinate CA. In Server Manager go to Tools – Certification Authority (CA). Right click on your CA server/name and choose Properties. Open the tab Extensions.

Add this URL (http://<YOUR SUBCA FQDN>/certdata/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl) in CDP.

Select "Include in CRLs. Clients use this to find Delta CRL locations." and "Include in the CDP extension of issued certificates". See the example above.

Add this URL in AIA (choose it under Select extension):

http://<YOUR SUBCA FQDN>/certdata/<ServerDNSName><CaName><CertificateName>.crt

Select Include in the AIA extension of issued certificates. Click on Ok and restart the service.

Now, we have to publish the revocation list.
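The same CDP and AIA settings can be applied from an elevated PowerShell session on the RootCA with the ADCSAdministration cmdlets. This is an added example, not part of the original post; `subca.example.test` is a placeholder for your subordinate CA FQDN.

```powershell
# Run elevated on the RootCA. Placeholder FQDN (assumption): replace with your SubCA.
$SubCaFqdn = 'subca.example.test'

# CDP: location of the CRL. The <...> tokens are expanded by the CA itself.
#   -AddToCertificateCdp = "Include in the CDP extension of issued certificates"
#   -AddToFreshestCrl    = "Include in CRLs. Clients use this to find Delta CRL locations."
$cdp = "http://$SubCaFqdn/certdata/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"
Add-CACrlDistributionPoint -Uri $cdp -AddToCertificateCdp -AddToFreshestCrl -Force

# AIA: location of the CA certificate.
#   -AddToCertificateAia = "Include in the AIA extension of issued certificates"
# The file served under /certdata must have exactly the name this URL expands to.
$aia = "http://$SubCaFqdn/certdata/<ServerDNSName><CaName><CertificateName>.crt"
Add-CAAuthorityInformationAccess -Uri $aia -AddToCertificateAia -Force

# Extension changes only take effect after the CA service restarts.
Restart-Service -Name CertSvc

# Publish a fresh CRL (same as Revoked Certificates > All Tasks > Publish).
certutil -crl

# Review what the CA will now stamp into certificates and CRLs.
Get-CACrlDistributionPoint |
    Format-List Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer
Get-CAAuthorityInformationAccess |
    Format-List Uri, AddToCertificateAia
```

Only certificates issued after the restart carry the new URLs, so make these changes before the RootCA signs the subordinate CA certificate.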

Export certificate without a private key for the subordinate CA server.

Open MMC and add the Certificates snap-in for the local computer. Also create a share for the content. This will be used later when we configure the subordinate CA server.

Copy the content of c:\windows\system32\certsrv\certenroll to your shared folder.

The RootCA is in place, so we continue with the subordinate CA server. The process is the same, but with different options, so I have only made screenshots of the choices that differ, especially those for the subordinate CA.


Add all features

Add all features


Now we have to install the certificate into the subordinate CA server. Go to your share and right click on the exported certificate for installing the certificate into the local machine’s trusted root CA.

Copy the request file on the root of C: to your shared folder.

Go to your root CA and submit a new request.

We have to issue the new request.

We need to export the certificate into a p7b.

Open the exported file to verify it.

Go back to the subordinate CA server and stop the CA service.

After that install the p7b certificate.
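The request, issue and install steps above can also be done with `certreq` and `certutil`. This is an added example, not part of the original post; the share path, file names, CA config string and request ID are placeholders.

```powershell
# Placeholders (assumptions): adjust the share, file names and CA config string.
$Share      = '\\fileserver.example.test\pki'
$RootConfig = 'ROOTCA01\Example-RootCA'   # "<computer name>\<CA name>" of the RootCA

# --- On the subordinate CA (elevated) ---
# Trust the RootCA certificate in the local machine's Trusted Root store.
certutil -addstore -f Root "$Share\RootCA.cer"
# Copy the request file that setup wrote to the root of C: to the share.
Copy-Item 'C:\*.req' $Share

# --- On the RootCA (elevated) ---
# Submit the request. A standalone CA leaves it pending and prints a RequestId.
certreq -submit -config $RootConfig "$Share\SubCA.req"
$RequestId = 2                            # use the RequestId printed above
# Issue the pending request, then retrieve the certificate and the PKCS#7 chain.
certutil -config $RootConfig -resubmit $RequestId
certreq -retrieve -config $RootConfig $RequestId "$Share\SubCA.cer" "$Share\SubCA.p7b"
# Inspect the chain file before it leaves the RootCA.
certutil -dump "$Share\SubCA.p7b"

# --- Back on the subordinate CA (elevated) ---
Stop-Service -Name CertSvc
certutil -installcert "$Share\SubCA.p7b"
Start-Service -Name CertSvc

# Check that the chain builds and that the CDP/AIA URLs in the new
# certificate can actually be fetched by a client.
certutil -verify -urlfetch "$Share\SubCA.cer"
```

If `certutil -verify -urlfetch` reports a URL as failed, fix the published files under `/certdata` before issuing certificates from the subordinate CA, because clients will not be able to check revocation.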

This is the final step before we have the subordinate CA in place. Open GPO and import the RootCA certificate to distribute it at domain level.


Deploying Certificate Templates:

Go to your subordinate CA and right click on Certificate Templates -> Manage

Right click on Web Server and choose Duplicate Template

Open the tab General. Change the name and select Publish certificate in Active Directory

Open the tab Request handling and select Allow private key to be exported:

Edit the security for the computer. If you know the hostname, add this name to the security list. The computer needs Read, Enroll and Autoenroll.


Click apply. You see your templates in the list:

The next step is to publish the created template for issuing certificates. Go back to your CA console and right click on Certificate Templates -> New -> Certificate Template to Issue

At this point the newly created templates are published. You can test these templates via IIS by requesting a web server certificate.


This certificate is working and ready to bind with a port for SSL.

You are finished. The RootCA and a Subordinate CA are in place.






7 thoughts on “Installing and configuring an Enterprise PKI (ADCS) environment.”

  1. Good guide. You say Root CA will not be domain joined, but you have installed the Root CA on a domain joined server?

    1. Hi, thanks for your comment. Yes you are right. I have used the wrong screenshot. First I have added the RootCA server in a domain, but later, as the best practice, I removed the RootCA from the domain.

  2. Ravinderjit

    Nice article. I got stuck at this point “Export certificate without a private key for the subordinate CA server.”, can you please let me know how to get that window for export certificate?

    1. Hello Ravinderjit, thanks for your reply. I think I need more information about your problem. You are trying to export the certificate from local machine\personal on the RootCA? Is the option ‘export without private key’ grayed out/disabled?

      1. Ravinderjit

        Yes, I am doing this on my local machine. I am done till this step.
        Revoked Certificates > All Tasks > Publish

        After that you talk about export certificate, I didn’t get where we will see this option.

      2. Ok, did you create a new mmc with the certificate snap-in?

        start menu – run -> type mmc -> file -> add or remove snap-ins -> add certificates -> choose for local machine (not user) -> Click twice Ok -> Go to the node Personal -> certificates. You see on the right side the certificate. Now you can go further with the steps about exporting the certificate.

        Please let me know… 🙂

  3. Ravinderjit

    Thanks for your help, I am able to export the certificate.
    If possible can you provide the steps to bind the same certificate to domain?
    Because the certificate already bound to the domain is not accepted while creating forest in ADFS.
