EduardoAlves
Copper Contributor
Mar 07, 2025

Active Directory as certificate authority

Is it possible to generate SSL certificates with Active Directory?
If so, how do I configure this?
If this configuration exists, is it possible to generate certificates for devices on my network (for example, a printer)?

1 Reply

  • LainRobertson
    Silver Contributor

    Hi EduardoAlves,

    Active Directory - as in Domain Services - does not generate certificates.

    However, you can install the supplemental Windows Server role named "Active Directory Certificate Services" (AD CS) which does.

    I'm not going to attempt to provide a step-by-step guide as there are a lot of steps, and even before that, there are a lot of important decisions you need to make prior to installing AD CS.

    One of those important planning considerations is how you're going to configure your devices to trust the new AD CS authority, since they won't know anything about it out-of-the-box.

    AD CS is quite mature and there's a significant amount of documentation around that can guide you through the relevant steps once you've planned your deployment.

    Here are two "entry points" to some of Microsoft's documentation on AD CS generally and Network Device Enrolment Services (NDES) more specifically - which is the process you'd look to leverage for your network device automatic enrolment (noting that for domain-joined computers and users, you'd utilise Group Policy-based certificate management instead). That said, if your network device (such as your example printer) doesn't support NDES, you can always manually issue and install a certificate on it - if it supports certificates at all.

     

     

    Cheers,

    Lain
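
Added example, not part of the thread or of Microsoft's documentation: one way the manual issuance mentioned in the reply can look for a printer, using the built-in `certreq` tool on a domain-joined admin workstation. The printer name, the CA config string and the use of the default "WebServer" template are assumptions; substitute your own values.

```powershell
# Assumed values (hypothetical): replace with your printer's FQDN and your CA.
$fqdn     = 'printer01.corp.example'
$caConfig = 'ca01.corp.example\Corp-Issuing-CA'   # "<CA host>\<CA name>"
$template = 'WebServer'                           # must be published on the CA

# 1. Describe the request. If the printer can generate its own CSR, skip this
#    step and submit that CSR instead, so the private key never leaves the device.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=PRINTER_FQDN"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0            ; digitalSignature + keyEncipherment
MachineKeySet = TRUE
Exportable = TRUE          ; needed only because the key is moved to the printer
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1    ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"       ; subjectAltName, which modern clients validate
_continue_ = "dns=PRINTER_FQDN&"
'@.Replace('PRINTER_FQDN', $fqdn)
Set-Content -Path "$fqdn.inf" -Value $inf -Encoding ASCII

# 2. Generate the key pair and CSR (run elevated: the key is a machine key).
certreq -new "$fqdn.inf" "$fqdn.req"

# 3. Submit the CSR to AD CS and save the issued certificate.
certreq -submit -config $caConfig -attrib "CertificateTemplate:$template" "$fqdn.req" "$fqdn.cer"

# 4. Bind the issued certificate to the pending private key in LocalMachine\My.
certreq -accept "$fqdn.cer"

# 5. Export certificate + key as a password-protected PFX to upload to the printer,
#    then delete the PFX and the local copy of the key once it is installed.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq "CN=$fqdn"
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$fqdn.pfx" -Password $pfxPassword
```

Clients will only accept the resulting certificate if they already trust the issuing CA, which is the trust-distribution planning point raised in the reply.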