
Generating and Installing Domain Controller Certificate

Accurate as of 3/17/2017 using Microsoft 2012 Server Standard Edition for Certification Authority and Domain
Controller servers.

Use Case: Would like to use a local Enterprise Microsoft Certification Authority (CA) to issue a Domain Controller
(DC) certificate to the DC server. The DC server must have a certificate installed with the appropriate fields/values
as a pre-requisite to enabling PIV credential login for domain connected devices.

*Pre-requisite: Server hosting the CA must be on the domain

Install CA Role
1. Log on to the CA server as a member of the Enterprise Administrators group.
2. Open Server Manager
3. Click Manage, and then click Add Roles and Features.
4. Proceed through the Add Roles and Features Wizard, choosing the following options:
a. Server Roles: Active Directory Certificate Services
b. AD CS Roles Services: Certification Authority
5. On the Results page, click Configure Active Directory Certificate Services on the destination server.
6. Proceed through the AD CS Configuration, choosing the following options as necessary:
a. Role Service: Certification Authority
b. Setup Type: Enterprise CA
c. CA Type: Root CA
d. Private Key: Create a new private key
e. Cryptography: RSA#Microsoft Software Key Storage Provider, 2048 bit, SHA-256
f. CA Name: recommended naming convention is dc=[AD suffix], dc=[AD domain], cn=[certification authority name]
(e.g. dc=gov, dc=[AgencyName], cn=[AgencyName] NPE CA1)
g. Validity Period: 6 years
h. Certificate Database: <your preference>

Configure CA Template for Domain Controller

* Certificate templates are only available on Enterprise CAs

7. Log on to the CA server as a member of the Enterprise Administrators group
8. Open the certificate templates MMC snap-in (i.e. certtmpl.msc)
9. Right-click the Domain Controller Authentication template and click Duplicate Template
10. Under the Compatibility tab, raise the Compatibility Settings for both the CA and certificate
recipients as high as possible (e.g. Windows Server 2012 R2, Windows 7 / 2008 R2)
11. Under the General tab:
a. Recommend renaming template to:
i. <Your organization> - Domain Controller Authentication
b. Recommend modifying validity period to:
i. 3 years
c. Recommend modifying Renewal period to:
i. 6 weeks
12. Under the Cryptography tab:
a. Set minimum key size to 2048
b. If possible, set Request hash to SHA256
13. Open the CA console (i.e. certsrv.msc)
14. In the console tree, click the name of the CA
15. In the details pane, double-click Certificate Templates
16. In the console tree, right-click Certificate Templates, click New, and then click Certificate Template To Issue
17. Select and enable the certificate template that was created in step 9 above, and then click OK

Auto-enroll Domain Controller Certificate Using Group Policy Object (GPO)

18. Log on to the Domain Controller server as a member of the Enterprise Administrators group
19. Open the GPMC (i.e. gpmc.msc)
20. Within the appropriate GPO, navigate to Computer Configuration\Policies\Windows Settings\Security
Settings\Public Key Policies\
21. Configure Certificate Services Client – Auto-Enrollment with the following options:
a. Configuration Model: Enabled
b. Renew Expired Certificates, Update Pending Certificates, Remove Revoked Certificates: Check
c. Update Certificates That Use Certificate Templates: Check
22. You can now force the group policy to update from the command line (gpupdate /force) or wait for the group
policy to refresh on its own
23. If successful, you should see a new DC cert in the Certificates (Local Computer) -> Personal -> Certificates
folder (i.e. open MMC.exe -> File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local
computer). On the last tab, “Certificate Template”, you should see that the cert was issued from the custom
template you created in step 9.
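A scripted version of the step 23 check, added here as an example and not part of the original guide: it looks in the local machine's Personal store for a certificate issued from the custom template and reports whether it has a private key, is within its validity period, chains to a trusted root, carries the default EKUs of the built-in Domain Controller Authentication template (Client Authentication, Server Authentication, Smart Card Logon), and lists the DC's FQDN in its subject alternative name. The template name "Agency - Domain Controller Authentication" and the use of the local host's FQDN are assumptions; run it elevated on the DC.

```powershell
# Added example: verify the auto-enrolled DC certificate (not part of the original guide).
param(
    [string]$TemplateName    = "Agency - Domain Controller Authentication",   # assumed name from step 11a
    [string]$ExpectedDnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$TemplateInfoOid   = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 templates)
$TemplateNameOid   = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
$ServerAuthOid     = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

function Get-TemplateText($cert) {
    # Decoded text looks like "Template=<name>(<oid>), Major Version Number=..., Minor Version Number=..."
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -in $TemplateInfoOid, $TemplateNameOid }
    if ($ext) { $ext.Format($false) } else { '' }
}

function Get-Ekus($cert) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ext) { @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
}

function Get-SanDnsNames($cert) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Decoded SAN text looks like "DNS Name=dc1.agency.gov, DNS Name=agency.gov"
    @([regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
}

$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-TemplateText $_) -match [regex]::Escape($TemplateName) }
if (-not $candidates) {
    Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My; re-check steps 18-22."
    exit 1
}

foreach ($cert in $candidates) {
    $ekus = Get-Ekus $cert
    $now  = Get-Date
    $checks = [ordered]@{
        'Has private key'               = $cert.HasPrivateKey
        'Within validity period'        = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        'Chains to trusted root'        = $cert.Verify()
        'EKU: Server Authentication'    = $ekus -contains $ServerAuthOid
        'EKU: Client Authentication'    = $ekus -contains $ClientAuthOid
        'EKU: Smart Card Logon'         = $ekus -contains $SmartCardLogonOid
        "SAN contains $ExpectedDnsName" = (Get-SanDnsNames $cert) -contains $ExpectedDnsName
    }
    Write-Host "Thumbprint $($cert.Thumbprint)  Subject: $($cert.Subject)"
    $checks.GetEnumerator() | ForEach-Object {
        '{0,-4} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
    }
}
```

A FAIL on the chain check usually means the Enterprise CA's root has not yet reached the DC's Trusted Root store via Group Policy; a missing certificate means auto-enrollment has not run or the template is not published for issue (step 17).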
