What are Active Directory Certificate Services?


Sath Inc

IDHub Team Member


What is Active Directory Certificate Services (AD CS)?

Microsoft AD CS is part of the larger set of Active Directory tools.

AD CS provides an infrastructure for securely issuing and managing your Public Key Infrastructure (PKI).

Active Directory Certificate Services can also be used to authenticate the computers, users, and devices found on corporate networks, in line with the organization's infrastructure security requirements.

AD CS supplies the PKI functionality that a Windows domain relies on to carry identities and to support other security purposes.

Examples of those purposes include encrypting email, files, and network traffic.

It allows for the creation, validation, and revocation of public-key certificates for an organization’s internal uses.

According to Microsoft, AD CS is a “Server Role that allows you to build a Public Key Infrastructure, and provide public-key cryptography, digital certificates, and digital signature capabilities for your organization.”

What are the benefits of using AD CS?

AD CS provides an organization with the PKI needed for certificate administration, certificate-based authentication, securing web servers, encrypting emails, and digital signatures.

Without AD CS, an organization would need to rely on a third-party resource to perform these services or forgo deploying certificates altogether.

You can configure a Group Policy in AD that applies role- or attribute-based control: essentially, rules created for a group of users.

For example, all employees who work in the Marketing department are allowed a specific type of certificate.

Lifecycle management and automated certificate provisioning in AD can be configured to renew certificates on a schedule, leaving no gaps in certificate coverage.
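As an added example (not code from the original page or from Sath), the PowerShell below is the check an administrator would run to confirm that automated renewal is actually closing coverage gaps: it lists every certificate in the local machine's personal store that expires within a chosen window, then triggers an autoenrollment pass. The 30-day threshold is an assumption; set it to your own renewal window.

```powershell
# Added example, not from the original page. Lists certificates in the local
# machine's personal store (Cert:\LocalMachine\My) that are close to expiry,
# so gaps in autoenrollment/renewal show up before they cause outages.

$DaysAhead = 30                          # assumed threshold; adjust to your renewal window
$Cutoff    = (Get-Date).AddDays($DaysAhead)

Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -le $Cutoff } |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } } |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# Ask the autoenrollment client to run now instead of waiting for its next
# scheduled pass (run from an elevated prompt to cover the machine context).
certutil -pulse
```

Run the listing before and after `certutil -pulse`: certificates that still appear with a low `DaysLeft` after the pass are the ones whose template, permissions, or Group Policy settings need attention.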

Does running an Active Directory Certificate Service require running my own CA?

The short answer is “sort of, yes,” but there is good news ahead.

AD CS is a bit like a local grocery delivery service for the certificate world: it takes orders from an endpoint or device and delivers the correct certificate response back.

The usual hesitation comes from being required to run a Microsoft CA, which can be a bit of a pain at times.

The good news is that you don’t have to use your own CA. Today there are plenty of public SaaS certificate providers that can take on some of the burden of managing your own certificates.
