When developing internal web applications in a Windows domain environment, we frequently encounter SSL certificate warnings for test domains like www.mysite.com.test. While self-signed certificates via OpenSSL work, they require manual trust configuration on each client machine.
Active Directory Certificate Services (AD CS) provides the perfect infrastructure solution. By deploying an enterprise root CA, you can:
- Automatically distribute trusted root certificates via Group Policy
- Issue certificates with your internal domain names
- Enable SSL for internal test sites without security warnings
First, install the AD CS role with these PowerShell commands:
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
Configure a custom certificate template in the Certification Authority MMC:
- Duplicate the Web Server template
- Set validity period (e.g., 2 years for test environments)
- Enable "Common Name" in Subject Name settings
- Grant Domain Computers auto-enrollment permissions
For IIS, use this PowerShell script to request and bind the certificate:
$cert = Get-Certificate -Template "WebServerTest" -DnsName "www.mysite.com.test" -CertStoreLocation Cert:\LocalMachine\My
New-WebBinding -Name "Default Web Site" -Protocol "https" -Port 443
$thumbprint = $cert.Certificate.Thumbprint
Get-Item cert:\LocalMachine\My\$thumbprint | New-Item IIS:\SslBindings\0.0.0.0!443
Configure Group Policy to distribute the root CA certificate:
- Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies
- Right-click "Trusted Root Certification Authorities" and import your AD CS root certificate
For complex environments, consider:
- Setting up certificate auto-renewal with task scheduler
- Using SAN certificates for multiple test domains
- Configuring certificate revocation checking for enhanced security
Active Directory Certificate Services (AD CS) provides exactly what you need for internal testing environments. When properly configured, it allows domain-joined machines to automatically trust certificates issued by your enterprise CA, eliminating those pesky security warnings.
First, you'll need to install the AD CS role on a domain controller or member server:
# PowerShell commands to install AD CS
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
Navigate to the Certification Authority console and duplicate the Web Server template:
- Right-click Certificate Templates → Manage
- Duplicate the Web Server template
- On the Subject Name tab, select "Supply in the request"
- Add DNS Name (www.mysite.com.test) to Subject Alternative Names
- Set validity period appropriate for testing
In IIS Manager:
1. Open Server Certificates
2. Select "Create Domain Certificate"
3. Fill in the details matching your test domain
4. Choose your AD CS server when prompted
5. Complete the certificate request
For larger test environments, you might want to automate this process:
# PowerShell script to request and bind certificate
$cert = Get-Certificate -Template WebServer -SubjectName "CN=www.mysite.com.test" -DnsName "www.mysite.com.test" -CertStoreLocation Cert:\LocalMachine\My
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
# Get-Certificate returns an enrollment result; the X509 certificate is in its .Certificate property
$cert.Certificate | New-Item -Path IIS:\SslBindings\0.0.0.0!443
After implementation:
- All domain-joined machines will automatically trust the certificate
- No manual certificate installation required
- Security warnings are eliminated while maintaining proper encryption
- Certificate revocation is managed through Active Directory
For non-domain joined test devices, you might need to:
# Export and distribute the root CA certificate
Export-Certificate -Cert (Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Subject -match "Your CA Name"}) -FilePath C:\CA.cer
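Both answers above request a certificate from the enterprise CA and bind it in IIS. The script below is an added example, not code from either answer: it performs the same enrollment and binding but verifies the certificate first (the DNS name is present as a SAN, and the chain builds to a trusted root with revocation checked), so a misconfigured template is caught before the site goes live. It assumes the template name "WebServerTest" and the site "Default Web Site" used in the answers.

```powershell
# Added example: enroll, verify, then bind. Assumes template "WebServerTest"
# exists on the enterprise CA and the site is named "Default Web Site".
Import-Module WebAdministration

$DnsName  = 'www.mysite.com.test'
$Template = 'WebServerTest'
$SiteName = 'Default Web Site'

$result = Get-Certificate -Template $Template -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment not completed: $($result.Status)" }
$cert = $result.Certificate

# 1. Browsers match the host name against the SAN extension (OID 2.5.29.17), not the CN.
#    A template that only fills in the CN produces a certificate that still warns.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or ($san.Format($false) -notmatch [regex]::Escape($DnsName))) {
    throw "Certificate has no SAN entry for $DnsName"
}

# 2. The chain must build to a root this machine trusts, and the CRL must be reachable;
#    both are what a domain client will check, so failing here means clients will too.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Certificate chain does not validate on this host'
}

# 3. Create the HTTPS binding once, then (re)attach the verified certificate to port 443.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
$bindingPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
$cert | New-Item $bindingPath | Out-Null

Write-Host "Bound $($cert.Thumbprint) to port 443; valid until $($cert.NotAfter)"
```

Run it on the IIS host as an administrator after the root certificate has been pushed by Group Policy; a chain failure at step 2 usually means the GPO has not applied yet or the CRL distribution point is unreachable.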