Deploying Windows Server Environment from Scratch (Part 3)

Setting up a Windows Certificate Authority, configuring certificate templates, setting up auto-enroll.

Hello everyone,

we continue our series, on how to set up a Windows Server Environment. Last time we configured our DHCP server, a file server and created a group policy to automatically assign a network drive to specific users.

Today, we are deploying a Windows CA, and auto-enroll our users and clients to distribute certificates automatically. We mainly use this for Wi-Fi authentication in combination with radius.

Let’s begin.

System Information

TEST-DC01192.168.152.200/24Domain Controller / Active Directory / DNS / DHCP
TEST-FILE192.168.152.201/24File Services
TEST-CA192.168.152.202/24Certificate Authority

Network Information


Windows Certificate Authority Deployment

Active Directory Certificate Services Installation

I deployed another Windows Server VM for this, calling it “TEST-CA“. I won’t go through the installation and base configuration, since we already did this in the previous posts.

We go through the same steps. Install the agent, rename the server, give it a static IP and join it into the domain.

Once the system is up and running, log in, open the “Server Manager“, click on “Add Roles and Features” and select “Next” until you reach the “Server Roles” tab. Here we select the “Active Directory Certificate Services” and add the Features.

Keep clicking on Next until you reach the “Role Services” tab. Make sure “Certificate Authority” is selected and click on Next.

Select “Install” and wait for the installation process to finish.

Active Directory Certificate Service Configuration

Once done, select “Configure Active Directory Certificate Services on the destination server“.

Now, to the actual configuration.

Verify that the credentials are correct and click on “Next”.

Select the “Certificate Authority” and select “Next”.

We choose the “Enterprise CA” for the type. “Standalone CA” would be used, if we wanted a Certificate Authority without a Domain Controller.

This will be our “Root CA“, so select this and click on “Next“.

Create a new private key

In the next step, I will choose a key length of 4096 and leave the has algorithm at SHA256. Choose what would be best for your use case.

I will change the common name for the CA to “TEST-CA” and leave the rest at its defaults.

Here we can specify the validity period. I will leave it at its default of 5 years.

Specify the database location. I will leave the defaults.

Last step. Verify the configuration and click on “configure“.

Once the process is finished, select “close“.

Certificate Templates

Alright. We have our CA, now we can configure our templates. For this, select “tools” in the “Server Manager” and click on “Certification Authority“.

In here, we right-click on “Certificate Templates” and select “manage”.

This will open a new window with all the certificate templates. We will use 2 of those as our template.

Right-click on the “Computer” template and click on “Duplicate Template”.

In the screenshots below, you can see the settings I will change.

Important is the “Subject Name” configuration. Make sure to set the “Subject name format”. Otherwise, we will get an error message when trying to deploy the certificates.

Alright. Click on OK and right-click on the “User” template. Again, click on “Duplicate Template”.

The settings are more or less the same. If you have users with e-mails already created, than you could include the “e-mail name” in the “Subject Name“.

Once done, click on “OK”.

Close the “Certificate Templates Console” and switch back to the “Certficate Authority”. Right-click on the “Certificate Teplates” -> “New” -> “Certificate Teplate to Issue“.

Select the newly created Templates “TEST Users” and “TEST Computer” and click on OK.

The two templates should now show up in the “Certificate Templates“.

Group Policy for Certificate auto-enrollment

Create the group policy

We log back into the TEST-DC01 server, where we create a new group policy. For a step by step on how to create a policy, check the previous post.

Now, create a new policy, I will name it “certificate – enroll – user“. Edit the policy and enable the “Auto-Enrollment“.

User-Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies | Certificate Services Client – Auto-Enrollment.

Close the window and create another policy. This time we will create one for the computer.

The steps are almost identical, with the key difference that we use the “computer configuration“.

Close the window and assign the policies to the correct OUs, by either drag and dropping the policy or right-clicking the OU and selecting “Link an existing GPO“.

For the user policy.

For the computer policy

Next, we test the policies on our client, we joined to the domain last time.

Testing the certificate auto-enrollment

Now we want to check if the policy works. We can either restart the client or execute a policy update through the command prompt. I will show you the latter.

Log into your Windows 11 client.

Once logged in, open the command prompt by typing “cmd” into the search.

Type in the following command, to force a policy update.

PS \home\user> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Alright. Let’s check the local certificate store for the certificates.

Type in the following to open the user certificate store.

PS \home\user> certmgr.msc

Navigate to the “Personal” -> “Certificates” folder in the new window.

Here we should see our new certificate.

Next we should check the computer certificate. Go back up to command prompt and type in the following.

PS \home\user> certlm.msc

This will open the certificate store for the local computer. Again, navigate to “Personal” -> “Certificates” and verify that the certificate has been created.