Deploy a PKI on Windows Server 2016 (Part 5)

This is the fifth part of a seven-part series explaining and setting up a two-tier PKI with Windows Server 2016 in an enterprise SMB setting.

*Note* (16 May 2017): This page is currently in progress, is unfinished, and likely contains errors.  I published it in this state due to time constraints, and will be working on it over the next week until it’s finished.

Because of the long time period between part 4 and part 5, I had to recreate my demonstration lab.  Everything is functionally the same, but you may notice some different IPs or other minor changes.

Part 1 (Informational)
Part 2 (Getting Started & IIS Web Server Configuration)
Part 3 (Standalone Offline Root CA Configuration)
Part 4 (Enterprise CA Configuration)
>>> Part 5 (Distributing Certificates & AutoEnrollment) <<<
Part 6 (Additional Configuration)
Part 7 (Troubleshooting & Clean-up)

To help with the layout and navigation of these longer pages, use the Table of Contents below:

Certificate Templates

Now that you have the IIS, Root CA, and Enterprise CA servers basically set up, it’s time to create or distribute certificates to users and devices.  But, before we can do that, we must create the templates from which the certificates will be made.

There’s a ton of reasons you would want to distribute user and computer certificates, and a ton of certificate templates you could configure.  To name a few popular examples, you could have a template for the following purposes:

  • Web Server SSL certificates
  • Email S/MIME certificates for digital signatures and encryption
    • One for digital signatures
    • One for encryption
  • Smartcards
  • IPSec
  • File encryption
  • …etc

If you are a small or even medium size business, require a simple PKI, and don’t want to deal with the extra administration of multiple certificates, you could combine them a little if you are using strong encryption algorithms.  This of course depends on a number of factors, so don’t just go ahead and do it…

For example, lets say that due to new email security concerns, you need to require that all emails from company users are digitally signed and encrypted.  You could do that with a single certificate.  Best practice may suggest that you use separate certificates; one for digital signatures, and one for email encryption.  You don’t have to.  Will it matter?  Not likely, but it can.

However, your company may have legal reasons to do so, and may be required to separate them!  You may also be high-risk.  Always find out first!  The main reason for separating them is to spread risk.  If your encryption key was compromised, not only could the attacker decrypt your emails, but they could also impersonate you by using the same key to digitally sign emails as you!  The same idea goes for whatever else the certificate is used for.  Another two reasons, are that you may also want to set certain certificates to expire sooner or later than others… or for archival (escrow) purposes.  There are definitely other reasons, but for now you get my point.

For the purpose of keeping this guide simple and still useful, I’ll guide you through creating a single template for email (digital signatures and encryption) certificates, and a template for one-off Web Server SSL certificates.  Once you can do these, you can easily make and distribute certificates for any purpose, such as those listed a bit above.

Creating your (S/MIME) Certificate Template

On the server issuingCA, we will duplicate a preexisting user certificate template and configure it to our needs for digitally signing and encrypting email.

Duplicate a user certificate template

  1. Open up Certification Authority manager.
  2. Right-click on Certificate Templates and select Manage.
  3. Right-click on the User template and click Duplicate Template.
  4. In the Compatibility tab, select your appropriate compatibility levels.
    1. In my testing and lab environment, nothing is running below Windows 10 or Windows Server 2016, so I selected appropriately.  Your environment may be different, choose your settings intelligently.
  5. In the General tab:
    1. Type a display name for your new template.
    2. Set a validity periodTwo years is a good standard that meets most usage requirements.
    3. Renewal period sets the amount of time before the validity period expires in which the certificate will be renewed.  Six weeks is sufficient for a two year validity period.
    4. CHECK Publish certificates in Active Directory.
    5. CHECK Do not automatically reenroll if a duplicate certificate exists in Active Directory.
      1. Some reasons you want this enabled is in the case users will log on to more than a single computer, and if you don’t want users to keep getting multiple certificates via auto-enrollment.
      2. If the certificates are stored in AD, we’ll be setting a Group Policy to have their certificates automatically “follow” the user no matter which computer they log on to in the domain.
  6. In the Request Handling tab:
    1. CHECK Archive subject’s encryption private key.
      1. We’ll be enabling key archiving later, before we start distributing certificates with this template.  You may or may not want to do this in your production environment due to policies or legal reasons.  Check first!  Generally, it should be okay, and is nice to be able to recover a users private key in the case it is lost.
  7. In the Cryptography tab:
    1. Provider Category, select Key Storage Provider.
    2. Algorithm name, verify RSA is selected.
    3. Minimum key size, change it to 4096.
    4. Select Requests must use one of the following providers:
      1. Select Microsoft Software Key Storage Provider
    5. Request hash, select SHA256.  Legacy clients may not work with SHA256 and may require updates, or your environment may need CSP.  Check first.
    6. Note that this area may be greyed out.  You should be using Key Storage Provider.  You can check what is used in the CA Properties here:
  8. In the Subject Name tab:
    1. Subject name format:  Common name
    2. Check:  Include e-mail name in subject name
    3. Verify checked:
      1. E-mail name
      2. User principal name (UPN)
  9. In the Extensions tab:
    1. Select “Key Usage“, and then click the Edit button
      1. Check the box that says “Allow encryption of user data“.
  10. In the Security tab:
    1. Select each user/group at the top and verify the following are checked:
      1. Authenticated Users:  Read, Enroll, Autoenroll
      2. Domain Users:  Read, Enroll, Autoenroll
    2. If there are any users in the domain you do not want to have autoenrolled, you can create a group in Active Directory, add the user(s) to it, then add that group in the Security tab above, checking the Deny box for Autoenroll for that group.
  11. Click Apply, then click OK.

Publishing your (S/MIME) Certificate Template

Publishing a certificate template makes it available for use.  To publish your above S/MIME certificate template (or any other certificate template), follow the below steps.

  1. In Certificate Authority manager, click on Certificate Templates.
  2. Then right-click Certificate Template, go to New, and click Certificate Template to Issue.
  3. Scroll down to find the template you created:  User Email AutoEnroll, and click OK.
  4. asdf

Autoenrollment will not automatically hand out certificates to users until we create and configure a GPO that is distributed to all domain computers.  But before we do that, we need to enable private key archiving.



… article in progress …


  1. Dmitriy Shtyrkov

    Thank you.

  2. Just wanted to say thanks for the excellent walk through. I know this took time to do, and it’s an incredible help for building a CA environment on Server 2016, for which there is little updated documentation.

  3. Thank you for posting such detailed directions! It has been a great help in rebuilding my PKI.

  4. Demetrius Cassidy

    Where’s the rest of part 5? The first 4 parts were great and very detailed.

  5. Hi Timothy
    is there any reason the certificate enrollment service is not installed on the web server? could you list what other task should be done (no detail im sure you are very busy.


  6. Looking forward to the info on deployment – there seems to be nothing out there for 2016 that is complete.

  7. Great Post!! Would you mind sharing your references so we can attempt to complete the configuration on our own?

    Appreciate the time and work it takes to document the process with lots of explnations on why it was configured this way.

  8. Hi Timothy, great content!

    I am setting up in a home lab to learn this myself and have enjoyed the guide thus far.

    Any chance you may have time/motivation to continue please 🙂
    Looking forward to it.

    Cheers again,

  9. Hi Thomas ,

    Thanks so.much although I now have a root ca and and enterprise issuing server . I am a bit stumped on setting up ocsp . And on where that should sit ? I initially started this to do WiFi and VPN securely . With a pretence of implementing Azure AD in the near future. Hoping you are able to finish this soon . Thanks for the help so far

  10. This has been a GREAT guide. I’ve been putting this project off for years and now have implemented a proper CA in my network. Any chance you could post a quick and dirty outline of the next steps. I’ve deployed as far as you’ve posted and its working so far I just want to make sure the parts that I’ve filled in aren’t completely wrong.

Leave a Reply

Your email address will not be published. Required fields are marked *