Installing and configuring an Enterprise PKI (ADCS) environment.

In this blog post I describe the installation and configuration of the Active Directory Certificate Services (ADCS) role in an Enterprise PKI design. An Enterprise PKI is an environment with a Root CA and a Subordinate CA. In this configuration the Root CA goes offline for security purposes and is only brought online to issue a subordinate CA certificate. Just follow the screenshots and you will have an Enterprise PKI in place in no time. The servers are based on Windows Server 2012 R2 Update 1 and you will need 2 servers (I assume you already have a domain controller in place). This environment can be used for ADFS, Microsoft Azure, Windows Server 2012 R2 Workplace or for SCCM/SCOM 2012 R2 client communications.

Note: the RootCA is a standalone CA and the subordinate is an Enterprise CA. The RootCA is not domain joined.


Let’s begin!

If asked, add all features. Next.



Click on the link for configuring the ADCS.

You have now configured ADCS as a Root CA. Next you have to change some settings that point to the subordinate CA. In Server Manager go to Tools – Certification Authority (CA). Right click on your CA name and choose Properties. Open the Extensions tab.

Add this URL to the CDP extension (the pattern uses the ADCS variables for the CRL and delta CRL file names):

http://<YOUR SUBCA FQDN>/certdata/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Select "Include in CRLs. Clients use this to find Delta CRL locations." and "Include in the CDP extension of issued certificates." See the example above.

Select the AIA extension from the drop-down and add this URL (the underscore matches the file name the CA writes to CertEnroll):

http://<YOUR SUBCA FQDN>/certdata/<ServerDNSName>_<CaName><CertificateName>.crt

Select "Include in the AIA extension of issued certificates". Click OK and restart the CA service when prompted.

Now we have to publish the certificate revocation list (CRL).
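The Extensions tab work above (CDP URL, AIA URL, the two include options, the service restart and the CRL publish) can also be done from PowerShell on the Root CA. The block below is an added example, not a script from the original post; the host name subca01.contoso.local and the /certdata virtual directory are hypothetical stand-ins for <YOUR SUBCA FQDN>/certdata, and the longer CRL lifetime at the end is my addition for an offline root, not a step the post describes.

```powershell
# Added example (not from the original post). Configures the same CDP and AIA
# extensions from PowerShell on the Root CA, restarts the CA and publishes the CRL.
# Hypothetical values: the subordinate's web host is subca01.contoso.local and
# /certdata is its virtual directory, as in the post's URLs.
Import-Module ADCSAdministration

$HttpBase = 'http://subca01.contoso.local/certdata'   # <YOUR SUBCA FQDN>/certdata

# The default ldap://, file:// and http://<ServerDNSName> locations all point at the
# root itself, which is offline and not domain joined, so clients could never reach them.
# Keep only the local CertEnroll path, which the CA needs to write the CRL to disk.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -match '^(ldap|file|http)://' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -match '^(ldap|file|http)://' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# CDP: "Include in CRLs. Clients use this to find Delta CRL locations." (-AddToFreshestCrl)
#      and "Include in the CDP extension of issued certificates."        (-AddToCertificateCdp)
Add-CACrlDistributionPoint -Uri "$HttpBase/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# AIA: "Include in the AIA extension of issued certificates." (-AddToCertificateAia)
# The file name pattern matches what the CA writes to CertEnroll, so the later copy just works.
Add-CAAuthorityInformationAccess -Uri "$HttpBase/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# An offline root cannot publish a weekly CRL. My addition (not in the post): a 52-week
# base CRL and no delta CRLs; put the re-publish date in your calendar before it expires.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service CertSvc

# "Now we have to publish the revocation list": write a fresh CRL to CertEnroll.
certutil -crl

# Check what the root will now stamp into the subordinate CA certificate and its CRL.
Get-CACrlDistributionPoint | Format-List Uri, AddToCertificateCdp, AddToFreshestCrl
Get-CAAuthorityInformationAccess | Format-List Uri, AddToCertificateAia
```

Removing the default locations is a design choice rather than something the post does: a certificate that carries an unreachable CDP or AIA URL makes clients wait on time-outs before they fall back to the HTTP location, so it is cleaner to ship only the URL that will actually be served.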

Export the Root CA certificate without the private key; it is needed on the subordinate CA server.

Open MMC and add the Certificates snap-in for the local computer. Also create a share for the exported content; it will be used later when we configure the subordinate CA server.

Copy the content of C:\Windows\System32\certsrv\CertEnroll (the Root CA certificate and CRL) to your shared folder.

The Root CA is in place, so we move on to the subordinate CA server. The installation process is the same, only with different options, so I have only made screenshots of the choices that differ for the subordinate CA.


Add all features


Now we have to install the Root CA certificate on the subordinate CA server. Go to your share and right click the exported certificate to install it into the local machine's Trusted Root Certification Authorities store.

Copy the certificate request file from the root of C: to your shared folder.

Go to your root CA and submit a new request.

Issue the pending request.

Export the issued certificate as a .p7b file.

Open the exported file to verify it.

Go back to the subordinate CA server and stop the CA service.

After that, install the .p7b certificate.

Final step before the subordinate CA is in place: open Group Policy and import the Root CA certificate so it is distributed at domain level.
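The request, issue, export, install and distribute steps above are one round trip between the two servers. The block below is an added example, not a script from the original post; it scripts that round trip with certreq and certutil. All names in it are hypothetical: the share \\FILESRV\pki, the root CA config 'ROOTCA01\Contoso Root CA', the issuing CA 'Contoso Issuing CA', the exported file RootCA.cer, and C:\inetpub\certdata as the IIS folder behind the /certdata URL. The copy into the web folder and the final URL check are additions a practitioner wants; the post itself only copies CertEnroll to the share.

```powershell
# Added example (not from the original post). Scripts the request/issue/install cycle
# between the two servers. Hypothetical names throughout: share \\FILESRV\pki, root CA
# config 'ROOTCA01\Contoso Root CA', issuing CA 'Contoso Issuing CA', web folder
# C:\inetpub\certdata behind the /certdata URL used in the CDP/AIA extensions.

# ===== Part A: on the subordinate CA, right after the role configuration wizard =====
$Share = '\\FILESRV\pki'

# 1. Trust the Root CA locally ("install into the local machine's Trusted Root CAs").
#    RootCA.cer is the certificate exported without private key from the root's MMC.
Import-Certificate -FilePath "$Share\RootCA.cer" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. The wizard wrote the CA request file to the root of C:; copy it to the share for the root.
Copy-Item 'C:\*.req' -Destination $Share -Force

# 3. Serve the root's certificate and CRL (the CertEnroll copy) at the CDP/AIA URLs.
#    Without this step every issued certificate carries URLs that return 404.
$WebRoot = 'C:\inetpub\certdata'
New-Item -ItemType Directory -Path $WebRoot -Force | Out-Null
Copy-Item "$Share\CertEnroll\*" -Destination $WebRoot -Force

# ===== Part B: on the offline Root CA, with the share's contents copied to C:\pkishare =====
$Local      = 'C:\pkishare'
$RootConfig = 'ROOTCA01\Contoso Root CA'
$ReqFile    = Get-ChildItem "$Local\*.req" | Select-Object -First 1

# Submit the request. A standalone CA holds it as pending and prints its RequestId.
$SubmitOut = certreq -submit -f -config $RootConfig $ReqFile.FullName "$Local\subca.cer"
$RequestId = [regex]::Match(($SubmitOut -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value
if (-not $RequestId) { throw "Could not find a RequestId in certreq output: $SubmitOut" }

# Issue it (the console's "All Tasks -> Issue") and retrieve the certificate plus the
# PKCS #7 (.p7b) file that carries the chain.
certutil -config $RootConfig -resubmit $RequestId
certreq -retrieve -f -config $RootConfig $RequestId "$Local\subca.cer" "$Local\subca.p7b"
certutil -dump "$Local\subca.p7b"    # "Open the exported file to verify it"
# Carry subca.p7b back to the share by removable media; the root stays off the network.

# ===== Part C: back on the subordinate CA =====
Stop-Service CertSvc
certutil -installcert "$Share\subca.p7b"     # the console's "Install CA Certificate"
Start-Service CertSvc

# Instead of (or in addition to) the GPO import in the post, publish the root into AD;
# domain members then receive it as a trusted root through autoenrollment. Needs Enterprise Admin.
certutil -dspublish -f "$Share\RootCA.cer" RootCA

# Verify the result: the chain must build and every CDP/AIA URL must be fetchable.
certutil -verify -urlfetch "$Share\subca.cer"
```

The last line is the check worth keeping around: it prints each CDP and AIA URL stamped into the subordinate CA certificate together with whether the download succeeded, so a wrong file name in the extension or a missing copy in the web folder shows up here rather than as a client error later.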


Deploying Certificate Templates:

Go to your subordinate CA and right click on Certificate Templates -> Manage

Right click on Web Server and choose Duplicate Template

Open the General tab. Change the name and select "Publish certificate in Active Directory".

Open the Request Handling tab and select "Allow private key to be exported":

Edit the Security tab for the computer. If you know the hostname, add that computer account to the security list. The computer account needs Read, Enroll and Autoenroll permissions.


Click Apply. You will see your template in the list:

Next, publish the created template so the CA can issue certificates from it. Go back to your CA console and right click on Certificate Templates -> New -> Certificate Template to Issue.

The newly created template is now published. You can test it via IIS by requesting a web server certificate.


The certificate is working and ready to bind to a port for SSL.
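The template publish, the IIS request and the port binding above can be scripted as well. The block below is an added example, not from the original post; it assumes the duplicated template has the name 'WebServerExportable' (the template's Name, not its display name), that the web server is web01.contoso.local and that its computer account already has Read and Enroll on the template as set on the Security tab. One caveat on the "Allow private key to be exported" option the post selects: it is what lets the same certificate move to a second node or a load balancer, but it also lets any local administrator export the key, so leave it unselected on templates whose keys should never leave the server.

```powershell
# Added example (not from the original post). Publishes the duplicated template on the
# subordinate CA, then enrolls a web server against it and binds the result to HTTPS.
# Hypothetical names: template name 'WebServerExportable' (the template's Name, not its
# display name), web server web01.contoso.local, IIS site 'Default Web Site'.

# ===== On the subordinate CA: "Certificate Templates -> New -> Certificate Template to Issue" =====
Import-Module ADCSAdministration
$TemplateName = 'WebServerExportable'
if (-not (Get-CATemplate | Where-Object { $_.Name -eq $TemplateName })) {
    Add-CATemplate -Name $TemplateName -Force
}
Get-CATemplate | Where-Object { $_.Name -eq $TemplateName }   # should now be listed

# ===== On the web server (its computer account has Read + Enroll on the template) =====
$Fqdn = 'web01.contoso.local'

# Machine-context enrollment against the Enterprise CA published in AD (PKI module, 2012+).
# The Web Server template expects the subject in the request, hence -SubjectName/-DnsName.
$Enroll = Get-Certificate -Template $TemplateName -SubjectName "CN=$Fqdn" -DnsName $Fqdn `
    -CertStoreLocation Cert:\LocalMachine\My
if ($Enroll.Status -ne 'Issued') { throw "Enrollment did not complete: $($Enroll.Status)" }
$Cert = $Enroll.Certificate

# Sanity checks before binding: issued by our subordinate CA and the chain (with revocation
# checking) builds, which exercises the CDP/AIA URLs configured on the root.
if ($Cert.Issuer -notlike 'CN=Contoso Issuing CA*') { throw "Unexpected issuer: $($Cert.Issuer)" }
if (-not $Cert.Verify()) { throw "Chain or revocation check failed for $($Cert.Thumbprint)" }

# Bind it to port 443 on the site ("ready to bind with a port for SSL").
Import-Module WebAdministration
$Site = 'Default Web Site'
if (-not (Get-WebBinding -Name $Site -Protocol https)) {
    New-WebBinding -Name $Site -Protocol https -Port 443
}
(Get-WebBinding -Name $Site -Protocol https).AddSslCertificate($Cert.Thumbprint, 'my')

Get-ChildItem IIS:\SslBindings   # shows the thumbprint now bound to 0.0.0.0:443
```

Get-CATemplate lists what the CA is allowed to issue, which is exactly the list the console shows under Certificate Templates; a template that exists in AD but is missing here is the usual reason an enrollment fails with "template not supported by this CA".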

You are finished. The Root CA and a Subordinate CA are in place.