
Introduction to ADCS

ADCS (Active Directory Certificate Services) is Microsoft's PKI implementation for Active Directory. It is made of these main components:

  • CA: Certification Authority, the entity that issues, renews and revokes certificates. There can be multiple CAs arranged in a hierarchy (a root CA that signs one or more subordinate/issuing CAs); the extra tiers put more distance between end users and the root, so the root can be kept offline and only the issuing CAs are exposed
  • Certificate Templates: define the settings of the certificates a CA will issue (subject and SAN source, EKUs, validity period, key requirements) and, through their ACLs, who is allowed to enroll for them and with which permissions. Every critical piece of information needed to push out a valid certificate comes from the template
  • CES: Certificate Enrollment Web Service, exposes HTTPS endpoints through which end users can request and renew certificates without direct RPC/DCOM access to the CA
  • CEP: Certificate Enrollment Policy Web Service, lets clients retrieve the enrollment policy over HTTPS, i.e. which templates are available to them and from which CA
  • CA Web Enrollment: a web interface (certsrv) that lets hosts that are not domain-joined, or that run another OS, request certificates
  • NDES: Network Device Enrollment Service, lets network devices such as routers and switches, which have no AD account, obtain certificates via SCEP

ADCS uses X.509 certificates, which you will meet in these formats:

  • PEM: the DER bytes Base64-encoded between "-----BEGIN ...-----" and "-----END ...-----" lines; a single PEM file can hold several certificates and private keys, and the private keys are often stored without password protection
  • DER: the raw binary (ASN.1 DER) encoding of the certificate; a PEM file is just a Base64 wrapping of this
  • PFX / P12 (PKCS#12): a password-protected container for one or more certificates, their chain and the matching private keys
  • P7B (PKCS#7): stores one or more certificates, typically a chain, but no private keys

Each certificate (and certificate template) has some main attributes:

  • Subject: the entity to which the certificate is issued
  • Issuer: the CA that signed the certificate
  • SAN: Subject Alternative Name, extra identities (DNS names, UPNs, e-mail addresses) the certificate is valid for; when a certificate is used for authentication it is the SAN, not the subject, that is mapped to an account
  • Validity Period: the "not before" and "not after" dates between which the certificate is accepted
  • EKU: Extended Key Usage, defines the purposes for which the certificate can be used
  • OID: Object Identifier, the dotted number that names each purpose inside the EKU extension (OIDs also name templates, algorithms and extensions elsewhere). The common EKU OIDs are:

  OID                  Certificate use
  1.3.6.1.5.5.7.3.1    Server Authentication
  1.3.6.1.5.5.7.3.2    Client Authentication
  1.3.6.1.5.5.7.3.3    Code Signing
  1.3.6.1.5.5.7.3.4    Secure Email
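The table above shows the EKU OIDs as dotted strings, but inside a certificate they live as DER-encoded OBJECT IDENTIFIERs in a SEQUENCE that is the Extended Key Usage extension value. The following example is added here and is not code from the original page: it encodes and decodes OIDs in DER, builds and parses an EKU extension value, and answers the question a practitioner usually asks of an ADCS certificate, whether it carries the Client Authentication EKU. It goes slightly beyond the page's table by also including the Microsoft Smart Card Logon OID (1.3.6.1.4.1.311.20.2.2), chosen because its 311 arc needs a multi-byte base-128 encoding; that entry, and the hypothetical allows_client_auth helper, are assumptions not taken from the page.

```python
# Added example, not from the original page: DER encoding of EKU OIDs and
# of the ExtKeyUsage extension value (SEQUENCE OF OBJECT IDENTIFIER).

# EKU OIDs from the table above, plus Smart Card Logon (assumed extra entry,
# not on the page, included to exercise a multi-byte OID arc).
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
}

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def _encode_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_length(data: bytes, pos: int):
    """Return (length, position just after the length octets)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def _base128(value: int) -> bytes:
    """Encode one OID arc as big-endian base-128 with continuation bits."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag + length + value)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted}")
    # The first two arcs are packed into a single sub-identifier.
    body = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return bytes([TAG_OID]) + _encode_length(len(body)) + body


def decode_oid(der: bytes, pos: int = 0):
    """DER OBJECT IDENTIFIER at pos -> (dotted string, position after it)."""
    if der[pos] != TAG_OID:
        raise ValueError("expected OBJECT IDENTIFIER tag 0x06")
    length, pos = _decode_length(der, pos + 1)
    end = pos + length
    arcs, value = [], 0
    for b in der[pos:end]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last octet of this arc
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("truncated OID arc")
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, lead + arcs[1:])), end


def encode_eku(oids) -> bytes:
    """Build the ExtKeyUsage extension value: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([TAG_SEQUENCE]) + _encode_length(len(body)) + body


def decode_eku(der: bytes):
    """Parse an ExtKeyUsage value back into a list of dotted OIDs."""
    if der[0] != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE tag 0x30")
    length, pos = _decode_length(der, 1)
    end = pos + length
    oids = []
    while pos < end:
        oid, pos = decode_oid(der, pos)
        oids.append(oid)
    return oids


def describe_eku(der: bytes):
    """Map the parsed OIDs to the human-readable uses from the table."""
    return [EKU_NAMES.get(o, f"unknown ({o})") for o in decode_eku(der)]


def allows_client_auth(der: bytes) -> bool:
    """Hypothetical helper: does the EKU include Client Authentication?"""
    return "1.3.6.1.5.5.7.3.2" in decode_eku(der)


if __name__ == "__main__":
    eku = encode_eku(["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"])
    print(eku.hex())            # DER bytes as they would appear in the cert
    print(describe_eku(eku))
    print(allows_client_auth(eku))
```

The first two arcs of every OID share one sub-identifier (40 * arc1 + arc2), which is why 1.3 becomes the single byte 0x2B and 2.5 becomes 0x55; each remaining arc is base-128 with the high bit set on all but its last byte. Certificate parsers and tools such as certutil decode exactly this structure when they print the "Enhanced Key Usage" of a certificate.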

Enrollment works as follows: the client generates a key pair and sends the CA a CSR (Certificate Signing Request) containing its public key, the requested attributes and the template it wants to enroll in. The CA checks that the requester has enroll permissions on that template (and on the CA itself) and that the request satisfies the template's settings; if everything matches, it builds the certificate from the template and the request, signs it with its own private key and returns it to the client. Because the CA trusts the template to decide who may get which kind of certificate, the security of the whole system rests on how templates and their enrollment permissions are configured.