Client Certificates from Active Directory

TL;DR

Yes, a Certificate Authority (CA) integrated with Active Directory can publish client certificates to browsers. This involves issuing the certificate via AD CS, configuring auto-enrollment policies, and ensuring the browser trusts the root CA.

How to Publish Client Certificates from Active Directory

  1. Install and Configure Active Directory Certificate Services (AD CS)
    • If you haven’t already, install the AD CS role on a server joined to your domain. Choose the ‘Certificate Authority’ role service.
    • During configuration, select ‘Enterprise CA’ if you want to issue certificates across the forest. Otherwise choose ‘Stand-alone CA’.
    • Configure the CA name and validity period appropriately.
  2. Create a Certificate Template for Client Authentication
    • Open the Certification Authority console (certsrv.msc).
    • Right-click on ‘Certificate Templates’ and select ‘Manage’.
    • Duplicate an existing template or create a new one from scratch; the built-in ‘User’ template is a good starting point.
    • On the ‘General’ tab, give the template a descriptive name (e.g., ‘Client Authentication’).
    • On the ‘Request Handling’ tab, select ‘Allow private key to be exported’. Important: an exportable private key can be copied off the machine, which increases security risk, so enable this only if absolutely necessary. Consider using auto-enrollment instead of exporting keys.
    • On the ‘Cryptography’ tab, configure the minimum key length (e.g., 2048 bits).
    • On the ‘Subject Name’ tab, choose how user names will be added to the certificate. Typically ‘Supply in the request’ is used with auto-enrollment.
    • Close the Certificate Templates console and restart the AD CS service.
  3. Issue the Certificate Template
    • In the Certification Authority console, right-click on ‘Certificate Templates’ and select ‘New Certificate Template to Issue’.
    • Select the template you created in step 2.
  4. Configure Auto-Enrollment
    • Open Group Policy Management (gpmc.msc).
    • Edit the Group Policy Object (GPO) that applies to the users who need client certificates.
    • Navigate to: Computer Configuration > Policies > Windows Settings > Public Key Policies > Certificate Services Client Autoenrollment.
    • Enable ‘Configure auto-enrollment for certificate services’.
    • Click ‘Add Template’ and select the template you created in step 2.
    • On the ‘Certificate Enrollment Policy’ tab, configure the enrollment options. Ensure that the correct CA is selected.
  5. Install the Root Certificate on Client Machines
    • The root certificate of your AD CS CA needs to be trusted by client machines. This is often done automatically if the clients are joined to the same domain.
    • If not, export the root certificate from the Certification Authority console (certsrv.msc). Right-click on the CA name and select ‘All Tasks > Export Certificate’.
    • Import the certificate into the Trusted Root Certification Authorities store on each client machine using mmc. Add the Certificates snap-in, selecting the Computer Account and then the Trusted Root Certification Authorities store.

  6. Verify Certificate Enrollment
    • On a client machine, open the Certificate Manager (certmgr.msc).
    • Check under ‘Personal > Certificates’ to see if the certificate has been issued successfully. It may take some time for auto-enrollment to complete. You can force enrollment by running gpupdate /force.

  7. Configure Browser to Use Client Certificate
    • The exact steps vary depending on the browser (Chrome, Firefox, Edge). Generally, you’ll need to configure the browser to present the certificate when connecting to specific websites.
    • In Chrome/Edge: Settings > Privacy and security > Manage certificates. Find your certificate in the ‘Personal’ tab and ensure it is enabled.
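The following PowerShell script is an added example covering steps 5 and 6 from the client side; it is not part of the original article or of any Microsoft tooling. It imports the exported root CA certificate (the path C:\PKI\EnterpriseRootCA.cer is an assumed placeholder), triggers auto-enrollment, and then checks that the user's Personal store holds a certificate with the Client Authentication EKU that chains to a trusted root, is within its validity period, and, as a defensive check against the risk noted in step 2, has a non-exportable private key. It uses only standard cmdlets (Import-Certificate from the PKI module, Get-ChildItem on the Cert: drive) and .NET X509 classes, and must be run in an elevated session as the user who should receive the certificate.

```powershell
# Added example, not from the original article: trust the enterprise root CA
# and verify that an auto-enrolled client-authentication certificate is usable.

# ASSUMPTION: path of the root CA certificate exported in step 5 (placeholder).
$RootCertPath = 'C:\PKI\EnterpriseRootCA.cer'

# OID for the Client Authentication enhanced key usage.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

# Step 5: install the root CA into the machine-wide Trusted Root store.
# Only needed for clients that did not receive it through domain membership.
if (Test-Path -Path $RootCertPath) {
    $root = Import-Certificate -FilePath $RootCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
    Write-Host "Trusted root installed: $($root.Subject) [$($root.Thumbprint)]"
} else {
    Write-Host "Root certificate file not found at $RootCertPath; assuming it arrived via domain policy."
}

# Step 6: trigger certificate auto-enrollment now instead of waiting for the
# next Group Policy refresh.
certutil -pulse | Out-Null

# Collect certificates in the user's Personal store that carry the Client Authentication EKU.
$clientCerts = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid }

if (-not $clientCerts) {
    Write-Warning 'No client-authentication certificate found. Auto-enrollment has not completed, or the GPO/template does not apply to this user.'
    return
}

foreach ($cert in $clientCerts) {
    # Build the chain against the machine's trusted roots. Revocation checking is
    # disabled here so the check works offline; use 'Online' for a production check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Determine whether the private key can be exported. Auto-enrolled client-auth
    # keys should normally be non-exportable so they cannot be copied off the host.
    $exportable = $null
    if ($cert.HasPrivateKey) {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($key -is [System.Security.Cryptography.RSACng]) {
            $exportable = ($key.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
        } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $exportable = $key.CspKeyContainerInfo.Exportable
        }
    }

    [PSCustomObject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        Valid          = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -gt (Get-Date))
        ChainTrusted   = $chainOk
        ChainStatus    = $chainStatus
        HasPrivateKey  = $cert.HasPrivateKey
        KeyExportable  = $exportable
    }
}
```

A certificate that reports ChainTrusted = False with a status such as UntrustedRoot means step 5 did not take effect on this machine; KeyExportable = True on an auto-enrolled certificate indicates the template still has ‘Allow private key to be exported’ set and should be reviewed.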