Active Directory Certificate Services (AD CS) enables use of Public Key Infrastructure (PKI) in Active Directory forest.

AD CS helps in authenticating users and machines, encrypting and signing documents, filesystem, emails and more. AD CS is the Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.

Terminology

• CA: ****The certification authority that issues certificates. The server with AD CS role (DC or separate) is the CA.
• Certificate: Issued to a user or machine and can be used for authentication, encryption, signing etc.
• CSR: Certificate Signing Request made by a client to the CA to request a certificate.
• Certificate Template: Defines settings for a certificate. Contains information like enrollment permissions, EKUs, expiry etc.
• EKU OIDs: Extended Key Usages Object Identifiers. These dictate the use of a certificate template (Client/Server authentication, Smart Card Logon, Encrypting File System, SubCA etc.)

Certificate Enrollment

Parts of certificate and templates

• Subject: The owner of the certificate.

• Public Key: Associates the Subject with a private key stored separately.

• NotBefore and NotAfter dates: Define the duration that the certificate is valid.

• Serial Number: An identifier for the certificate assigned by the CA.

• Issuer: Identifies who issued the certificate (commonly a CA).

• SubjectAlternativeName: Defines one or more alternate names that the Subject may go by. In the case of public certificates they are tied to the FQDN while in the case of Active Directory they indicate alternative user names. Can be dangerous when combined with certificates that allow domain authentication and are misconfigured like in this example:

  

  With this misconfiguration we can impersonate the Administrator user