ADCS – Active Directory Certificate Services

Active Directory Certificate Services (ADCS)

Active Directory Certificate Services (ADCS) is an Active Directory role. When it is installed, a PKI is generated and computers and users can request certificates from it.

Domain controllers

When smart card logon is set up, even when an external PKI is imported, each domain controller performing the authentication MUST have a “domain controller certificate”. That means that if ADCS is not installed, smart card logon won’t work. Root certificates are automatically deployed by a GPO. Running “gpupdate” does not update the root CA; “gpupdate /force” must be run for that.

Smart card logon

By default, the “smart card logon template” is restricted to administrators. Extended permissions on the template have to be granted to enable common users to request certificates. The job of registering certificates on smart cards can be done using a GPO or manually with certmgr.msc.

Enrollment certificate (request certificates on behalf of other users)

Registering certificates on behalf of other users (typically when an administrator prepares all the cards) can be done if an “enrollment agent certificate” has been delivered to the administrator. By default, the template is not active and is restricted to domain administrators.

You can request one with certmgr.msc after the template has been activated.


Here is how to activate the template:

Launch the Certification Authority console.


Right-click on “Certificate Templates” and select New -> Certificate Template to Issue.


Select Enrollment Agent and click OK.


Note: if the Enrollment Agent template is not shown, or if it is marked Unavailable when the “Show all templates” checkbox is ticked, then either the template is not available or the user does not have the authorization to make the request. Indeed, by default the template is limited to Domain Administrators or Enterprise Administrators.
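Because an Enrollment Agent certificate lets its holder request logon certificates on behalf of any user, it is worth checking who is allowed to enroll for the template before publishing it. The following PowerShell script is an added example, not part of the original article: it reads the template’s ACL from the configuration partition and then publishes the template with certutil. It assumes the ActiveDirectory RSAT module is installed and that it runs on the CA server (otherwise add `-config CAHost\CAName` to the certutil calls).

```powershell
# Added example (not from the original page): audit who may enroll for the
# Enrollment Agent template, then publish it to the CA.
# Assumes the ActiveDirectory module (RSAT) and certutil.exe are available.
Import-Module ActiveDirectory

# Well-known GUIDs of the Enroll / AutoEnroll extended rights (same in every forest)
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-TemplateEnrollers {
    # $TemplateName is the CN of the template object; 'EnrollmentAgent' is the
    # built-in "Enrollment Agent" template shown in the console
    param([string]$TemplateName = 'EnrollmentAgent')

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services," +
          "CN=Services,$configNC"

    # The AD: drive exposes the object's security descriptor through Get-Acl
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Enroll/AutoEnroll are extended rights identified by their GUID; an
        # unscoped ExtendedRight or GenericAll grants them as well
        if ($ace.ObjectType -eq $EnrollRight)                 { $right = 'Enroll' }
        elseif ($ace.ObjectType -eq $AutoEnrollRight)         { $right = 'AutoEnroll' }
        elseif ($ace.ActiveDirectoryRights -match 'GenericAll') { $right = 'GenericAll' }
        elseif ($ace.ActiveDirectoryRights -match 'ExtendedRight' -and
                $ace.ObjectType -eq [guid]::Empty)            { $right = 'AllExtendedRights' }
        else { continue }

        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Right    = $right
        }
    }
}

# By default only Domain Admins / Enterprise Admins should be listed here;
# any other principal means the template has been opened up deliberately or by mistake
Get-TemplateEnrollers -TemplateName 'EnrollmentAgent' | Format-Table -AutoSize

# Publish the template to the CA (equivalent of "Certificate Template to Issue"),
# then confirm it is now in the CA's list of issuable templates
certutil -SetCAtemplates +EnrollmentAgent
certutil -CATemplates | Select-String 'EnrollmentAgent'
```

Re-run the first part after any change to the template’s Security tab; it is the quickest way to confirm that a permission granted for one enrollment campaign was removed afterwards.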


Revoke a certificate

Open the Issued Certificates folder of the Certification Authority console.

Locate the certificate to revoke (using the serial number or the requester name).

Right-click on the certificate and select All Tasks -> Revoke Certificate.
