PKI Reading Time: 7 minutes

Your Guide To Understanding Active Directory Certificate Services

Active Directory Certificate Services (AD CS) is one of the server roles introduced in Windows Server 2008 that provides users with customizable services for creating and managing Public Key Infrastructure (PKI) certificates, which can be used for encrypting and digitally signing electronic documents, emails, and messages.

The applications supported by AD CS are secure wireless networks, Virtual Private Networks (VPN), Internet Protocol Security (IPSec), Network Access Protection (NAP), Encrypting File Systems (EFS), smart card logon, and more.


There are many features of AD CS, including:

  • Certificate Authority (CA):

     The Certificate Authority in AD CS is mainly concerned with managing and issuing public-key certificates. Multiple CAs can be linked to form a PKI. A typical PKI is a combination of software, hardware, standards, services, and policies to manage the digital certificates used in a PKI. A CA can be of two types:

    • Enterprise CA
    • Stand-alone CA

    The enterprise CA must be a domain member and can issue certificates for digital signatures, authentication to access protected web browsers, and can secure e-mail transactions. A stand-alone CA does not require Active Directory Domain Services, it can function offline. As a matter of fact, it should not even be connected to a network at all.

  • Certification Authority Web Enrollment

    The CA Web Enrollment in AD CS permits external clients, who are not part of the domain network, to connect to the CA via an Internet browser. CA Web Enrollment only supports interactive requests that the requester makes and uploads manually through the site. The certificate can be downloaded from the browser after the issuance of the certificate by the CA. This can also be used to request the Certificate Revocation List (CRL), which includes all the certificates expired or revoked within the PKI.

    In the case of users who are a part of the domain, the trust relationship allows the CA to issue certificates securely. Web enrollment allows the external clients to request certificates and revoke certificates from the CA. The enrollment could also be done across forests, which means the clients in one forest can obtain certificates from a CA in another forest. In order to use enrollment across forests, you must establish trust between all the involved forests, and the forest trust and forest level must be set to Windows Server 2008 R2, or other concerned versions.

  • Online Responder

    The Online Responder is a Microsoft Windows Service that runs on the OCSP server with Network service privileges. In AD CS, the online responder receives and processes requests regarding the status of the certificates. The validity of the certificate and digital signature is verified in order to identify whether the certificate is genuine or not. In addition to this, the certificate is checked to identify if it is a part of the Certificate Revocation List (CRL).

    Due to various reasons, the certificates can be revoked temporarily or can be stripped of their rights permanently before the certificate’s expiry period by the CA and such certificates are listed in the CRL. Apart from the CRL, revocation checking can also be done by the Online Certificate Status Protocol (OCSP) response. The OCSP checks the status of the website in question by sending the URL to the Certificate Authority. The Certificate Authority gives a signed response containing the requested certificate’s status.

  • Network Device Enrollment Service

    The Network Device Enrollment Service (NDES) is a function of AD CS that has the ability to issue certificates to network devices managing traffic such as routers, firewalls, and switches. These devices are not Active Directory domain members and therefore don’t possess exclusive Active Directory credentials. NDES enables one-time enrollment passwords for these network devices. These password requests are then sent to the CA for processing and the certificates obtained from the CA are forwarded to the device. Thus, NDES is used by the administrators for authentication of such networking devices.

  • Certificate Enrollment Web Service

    The Certificate Enrollment Web Service in AD CS permits users and computers to enroll and renew certificates using the HTTPS protocol. A non-enterprise member/user who is outside the security boundary of the domain can avail this service. The Certificate Enrollment Web Service focuses mainly on automated client requests and processes certificate requests with the help of a native client.

  • Certificate Enrollment Policy Web Service

    The Certificate Enrollment Policy Web Service in AD CS enables computers and users to retrieve information about their certificate enrollment policy. The certificate enrollment policy gives the precise location of the CAs and the types of certificates requested from them. Along with the Certificate Enrollment Web Service, this service will allow policy-based web enrollment to a non-enterprise client or member outside the domain. The enrollment policy can be enabled both by using group policy settings or by applying it individually to client computers. Thus, AD CS proves to be an efficient method for managing certificate infrastructure for any entity in a Windows domain network.

Benefits of Active Directory Certificate Services

AD CS can be used by organisations to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS also gives enterprises a cost-effective, efficient, and secure way to manage the distribution and use of certificates.

AD CS provides an organization with the PKI required for using digital certificates to secure web servers (SSL/TLS), certificate-based authentication, digital signatures for documents, encrypting emails (S/MIME), etc. Without AD CS, an organization would have to rely on a third party to provide these services or forgo deploying certificates.

Downsides of Active Directory Certificate Services

  • It’s not an easy task deploying and dealing with a Microsoft CA. You will need a dedicated team with PKI experience in order for the implementation to go smoothly. After the setup, your team needs to stay updated with best PKI practices to maintain uptime and reliability.
  • It can be expensive with the overhead cost of hardware, deployment and maintenance by a team of experts.
  • AD CS has a binding issue with MAC OS devices.
  • XSS or Cross-site scripting attacks can happen in AD CS because the Web Enrollment does not properly sanitize user input, which means nothing checks the user input before it’s stored in a database. Unsanitized user input can also lead to SQL injections.


Active Directory Certificate Services or AD CS is used to establish an on-premises Public Key Infrastructure (PKI). It has the ability to create, validate and revoke public key certificates. These certificates have various uses such as encrypting files, emails, network traffic.

Free Downloads

Datasheet of Public Key Infrastructure

We have years of experience in consulting, designing, implementing & migrating PKI solutions for enterprises across the country.


About the Author

Yathaarth Swaroop is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo