Microsoft Active Directory Certificate Services (ADCS) offers two fundamentally distinct CA architectures. The type is fixed when the role is installed and is recorded in the CA's CAType registry value (0 = Enterprise root, 1 = Enterprise subordinate, 3 = Standalone root, 4 = Standalone subordinate):
- Enterprise CA: domain-joined, publishes its CA object and reads templates from AD
- Standalone CA: no AD dependency, can run in a workgroup or fully offline
Either type can be identified on the CA host:
# certutil reports the type in words ("Enterprise Root CA", "Standalone Root CA", ...)
certutil -cainfo type
# Registry check: CertSvc\Configuration\Active names the CA, and the CA's own subkey holds CAType
$caName = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration").Active
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName").CAType
Enterprise CAs leverage AD: templates are stored in the Configuration partition and domain members pick them up through autoenrollment, so there is no per-host template distribution step:
# Trigger the autoenrollment client now instead of waiting for the scheduled run or the next GPO refresh
certutil -pulse
# List the templates published in AD that an Enterprise CA can offer
certutil -template
Standalone CAs have no templates, so the request must carry its own subject and extensions, and by default it sits in the pending queue until a CA manager approves it:
# Submit the request (a standalone CA ignores CertificateTemplate attributes; the request is pended)
certreq -submit -config "CAHost\CAName" request.req cert.cer
# After a CA manager approves it on the CA (certutil -resubmit <RequestId>), fetch the issued certificate
certreq -retrieve -config "CAHost\CAName" <RequestId> cert.cer
Key integration points differ significantly:
Feature | Enterprise CA | Standalone CA |
---|---|---|
AD dependency | Requires AD; installation needs Enterprise Admins rights because the CA publishes objects to the Configuration partition | None; runs in a workgroup or offline |
Certificate Templates | Read from AD; each template's ACL decides who may enroll | Not used; subject, key usage and EKUs come from the request itself |
Requester authentication | Kerberos/NTLM identity of the requester, evaluated against the template ACL | No AD identity; requests are pended and a CA manager verifies the requester before issuing |
Enterprise CA security relies on AD permissions: the CA's own ACL (CA Administrator, Certificate Manager, Request and Read rights) plus the per-template ACLs stored in AD.
# Dump the CA's security descriptor (who holds which CA role)
certutil -v -getreg CA\Security
# Show a template's ACL and flags as published in AD
certutil -v -dstemplate WebServer
Standalone CA roles are assigned on the CA itself (Security tab in certsrv.msc, stored in the same CA\Security value) to local or domain principals; by default the local Administrators group holds both the CA Administrator and Certificate Manager roles.
# Enforce role separation so that no single account holds both CA Administrator and Certificate Manager
certutil -setreg CA\RoleSeparationEnabled 1
net stop certsvc
net start certsvc
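Because an Enterprise CA issues to whoever the template ACL allows, the check worth running is who can enroll in each published template, and which of those templates let the enrollee supply the subject (there the requester chooses the name that ends up in the certificate, so those ACLs need to be the tightest). The following script is an added example, not code from the original page; it needs the ActiveDirectory module and read access to the Configuration partition, and the list of "broad" principals is an assumption to adjust for the forest.

```powershell
# Added example: audit enrollment ACLs of templates published to Enterprise CAs.
# Assumptions: ActiveDirectory module available, reader rights on the Configuration
# partition, and the $BroadPrincipals list below reflects what counts as "everyone".
Import-Module ActiveDirectory

$EnrollRight     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'  # Certificate-Enrollment extended right
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment extended right
$SuppliesSubject = 1                                              # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
$BroadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'
$ExtRight        = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Only templates listed on a pKIEnrollmentService object are actually offered by some CA
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$report = foreach ($name in $published) {
    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" -LDAPFilter "(cn=$name)" `
        -Properties nTSecurityDescriptor, 'msPKI-Certificate-Name-Flag', pKIExtendedKeyUsage
    if (-not $tpl) { continue }

    $enrollers = foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Enrollment is granted by the Enroll/AutoEnroll extended rights (an empty ObjectType
        # means "all extended rights") or by GenericAll on the template object
        $viaExtended = (($ace.ActiveDirectoryRights -band $ExtRight) -ne 0) -and
                       ($ace.ObjectType -in @($EnrollRight, $AutoEnrollRight, [guid]::Empty))
        $viaAll      = (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll)
        if ($viaExtended -or $viaAll) { $ace.IdentityReference.Value }
    }
    $enrollers = @($enrollers | Sort-Object -Unique)
    # Any enroller that is one of the broad principals (with or without a domain prefix)
    $broad = @($enrollers | Where-Object { $id = $_; $BroadPrincipals | Where-Object { $id -eq $_ -or $id -like "*\$_" } })

    [pscustomobject]@{
        Template         = $name
        EnrolleeSupplies = [bool]($tpl.'msPKI-Certificate-Name-Flag' -band $SuppliesSubject)
        ClientAuthEKU    = [bool]($tpl.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.2')
        BroadEnroll      = $broad -join ', '
        Enrollers        = $enrollers -join ', '
    }
}

# Templates where a broad group can enroll and supply its own subject top the list
$report | Sort-Object @{ Expression = { $_.EnrolleeSupplies -and $_.BroadEnroll }; Descending = $true }, Template |
    Format-Table -AutoSize
```

Run it as any domain user with read access to the Configuration partition; it reads only. A template that shows both EnrolleeSupplies and a non-empty BroadEnroll is the one to fix first, either by narrowing the ACL or by requiring CA certificate manager approval on it.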
Enterprise CA is ideal for:
- Auto-enrolled user certificates
- Domain-joined device authentication
- Smart card logins
Standalone CA is better for:
- Hosts outside the domain (DMZ web servers, partner systems) whose clients already trust the internal root; a service reachable by the public still needs a publicly trusted CA
- Cross-forest or multi-forest scenarios, where an AD-bound CA would tie issuance to one forest
- Offline root CAs, usually HSM-backed and never domain-joined
There is no supported in-place conversion: the CA type is fixed at installation, and editing the CAType registry value is unsupported. Moving an Enterprise CA to standalone means back up, uninstall, reinstall as the new type with the same CA certificate and key, and restore the database (the Enterprise CA's objects in AD are removed by the uninstall):
# 1. Back up the CA database and the CA certificate/key (prompts for a PFX password)
certutil -backupDB C:\CAbackup
certutil -backupKey C:\CAbackup
# 2. Remove the CA role; the backups are all that carry over
Uninstall-AdcsCertificationAuthority -Force
# 3. Reinstall as standalone with the backed-up CA certificate and key (use StandaloneSubordinateCA for a non-root CA)
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CertFile "C:\CAbackup\<CA common name>.p12" -CertFilePassword (Read-Host "PFX password" -AsSecureString) -Force
# 4. Restore the issued-certificate database with the service stopped, then start it
net stop certsvc
certutil -restoreDB C:\CAbackup
net start certsvc
Installing each type uses Install-AdcsCertificationAuthority from the ADCSDeployment module (certutil -installcert does not create a CA; it only installs an already-signed CA certificate on a subordinate CA):
# Standalone root CA, offline, software KSP (substitute the HSM's KSP name for an HSM-backed root)
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName "Contoso Root CA" -KeyLength 4096 -HashAlgorithmName SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -ValidityPeriod Years -ValidityPeriodUnits 20 -Force
# Enterprise subordinate (issuing) CA; the request file is carried to the offline root for signing
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "Contoso Issuing CA 1" -KeyLength 3072 -HashAlgorithmName SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -OutputCertRequestFile "C:\IssuingCA1.req" -Credential (Get-Credential) -Force
Feature | Enterprise CA | Standalone CA |
---|---|---|
Active Directory Integration | Full: CA and templates published in AD, autoenrollment, requester identity from Kerberos | None: runs offline or in a workgroup; enrollment is manual |
Certificate Templates | Customizable AD templates with per-template ACLs | Not used; the request supplies subject, key usage and EKUs |
Validation Process | Template ACL check; issued immediately unless the template requires CA certificate manager approval | Pending by default; a CA manager approves or denies each request |
Enterprise CA is optimal when:
- Deploying certificates to domain-joined machines at scale
- Needing automatic certificate renewal (e.g., for 802.1X authentication)
- Requiring custom certificate templates with specific EKUs
Standalone CA makes sense for:
- Issuing certificates to non-domain devices (IoT, external partners)
- High-security root CA implementations (typically offline)
- Regulatory requirements mandating manual issuance approval
Automating certificate requests with PowerShell:
# Enterprise CA enrollment: "-Url ldap:" selects the AD enrollment policy, so the template ACL decides whether this succeeds
Get-Certificate -Template "SmartcardLogon" -Url ldap: -CertStoreLocation cert:\CurrentUser\My
# Standalone CA request example: everything the certificate should contain must be in the request
$request = @"
[NewRequest]
Subject = "CN=webserver.contoso.com,O=Contoso,L=Redmond,S=WA,C=US"
KeySpec = 1
KeyLength = 2048
; Keep the private key non-exportable unless it genuinely has to move hosts
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
; digitalSignature (0x80) + keyEncipherment (0x20)
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
; Server Authentication; on a standalone CA no template adds this for you
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
; Subject Alternative Name, which current clients require instead of matching the CN
2.5.29.17 = "{text}"
_continue_ = "dns=webserver.contoso.com"
"@
# Windows PowerShell's Out-File defaults to UTF-16; ASCII keeps the .inf plain
$request | Out-File -Encoding ascii request.inf
certreq -new request.inf request.req
# A standalone CA pends the request; note the Request ID that certreq prints
certreq -submit -config "StandaloneCA\MyCA" request.req cert.cer
# After a CA manager runs "certutil -resubmit <RequestId>" on the CA, retrieve and install the certificate
certreq -retrieve -config "StandaloneCA\MyCA" <RequestId> cert.cer
certreq -accept cert.cer
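The other half of the standalone flow is the CA manager working the pending queue. The script below is an added example rather than code from the original page: it lists pending requests with certutil's CSV output, approves those whose common name falls under an allowed DNS suffix and denies the rest. The suffix list and the -config value are illustrative assumptions; run it on the CA as a holder of the Certificate Manager role.

```powershell
# Added example: review the pending queue of a standalone CA.
# Assumptions: run on the CA by a Certificate Manager; $CAConfig and $AllowedSuffixes are placeholders.
param(
    [string]   $CAConfig        = "StandaloneCA\MyCA",
    [string[]] $AllowedSuffixes = @(".contoso.com"),
    [switch]   $WhatIf
)

# "-view queue" selects pending requests (Disposition 9); "csv" adds a header row we can parse
$csv = certutil -config $CAConfig -view queue -out "RequestID,Request.CommonName,Request.RequesterName,Request.SubmittedWhen" csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }

$rows = @($csv | ConvertFrom-Csv)
foreach ($row in $rows) {
    # Read columns by position: certutil's display names depend on locale, the order does not
    $cols = @($row.psobject.Properties.Value)
    $id, $cn, $requester, $submitted = $cols[0], $cols[1], $cols[2], $cols[3]

    # Approve only names under an allowed suffix; the leading dot rules out look-alike domains
    $allowed = $false
    foreach ($suffix in $AllowedSuffixes) {
        if ($cn -and $cn.ToLowerInvariant().EndsWith($suffix.ToLowerInvariant())) { $allowed = $true }
    }

    $action = if ($allowed) { "approve" } else { "deny" }
    Write-Host ("Request {0} from {1} for CN={2} (submitted {3}): {4}" -f $id, $requester, $cn, $submitted, $action)
    if ($WhatIf) { continue }

    if ($allowed) { certutil -config $CAConfig -resubmit $id | Out-Null }   # issue the certificate
    else          { certutil -config $CAConfig -deny     $id | Out-Null }   # record the denial in the CA database
}
```

Run it with -WhatIf first to see the decisions without touching the queue. Where policy requires a human sign-off on every issuance, keep the script in report-only mode and let the manager run certutil -resubmit by hand; the value of the script is then the consistent summary of what is waiting.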
Tiered PKI Architecture:
# Typical three-tier hierarchy (a two-tier design drops the policy CA and hangs the issuing CAs directly off the root):
# Offline Root CA (Standalone, never domain-joined; signs only subordinate CA certificates and its own CRL)
# │
# └── Policy CA (Standalone, offline) - constrains what the tier below may issue
#     │
#     ├── Issuing CA 1 (Enterprise, domain-joined) - user and smart card templates
#     └── Issuing CA 2 (Enterprise, domain-joined) - machine, 802.1X and web server templates
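Bringing an issuing CA online under an offline root is where the two CA types meet: the root signs the subordinate's request through its manual queue, and the issuing CA then publishes the root's certificate and CRL into AD so domain members can build and check the chain. The following is an added example, not code from the original page. Step 1 runs on the offline root (the request file arrives on removable media, assumed to be E:\), steps 2 and 3 on the domain-joined issuing CA as an Enterprise Admin; CA names and paths are illustrative assumptions.

```powershell
# Added example: sign an Enterprise issuing CA's request on an offline standalone root
# and publish root trust into AD. Assumptions: removable media at E:\, CA names below.

# --- Step 1: on the offline root CA, sign the issuing CA's request ---
$rootConfig = "ROOTCA\Contoso Root CA"
$submitOut  = certreq -submit -config $rootConfig E:\IssuingCA1.req
# A standalone CA pends the request; take the ID from certreq's "RequestId: N" line
$requestId  = ($submitOut | Select-String -Pattern 'RequestId:\s*(\d+)')[0].Matches[0].Groups[1].Value
certutil -config $rootConfig -resubmit $requestId                  # CA manager approval
certreq  -retrieve -config $rootConfig $requestId E:\IssuingCA1.crt
certutil -config $rootConfig -ca.cert E:\ContosoRootCA.crt         # root certificate for trust distribution
certutil -config $rootConfig -CRL                                  # issue a fresh root CRL
Copy-Item "$env:windir\System32\CertSrv\CertEnroll\*.crl" -Destination E:\

# --- Step 2: on the issuing CA, publish root trust and revocation data into AD ---
# RootCA = CN=Certification Authorities (trusted root for domain members) plus the AIA container
certutil -dspublish -f E:\ContosoRootCA.crt RootCA
# The root CRL goes to the CDP container so the issuing CA's own certificate can be revocation-checked
Get-ChildItem E:\*.crl | ForEach-Object { certutil -dspublish -f $_.FullName }
# Trust the root on this host now rather than waiting for the next policy refresh
certutil -addstore -f Root E:\ContosoRootCA.crt

# --- Step 3: on the issuing CA, install the signed CA certificate and start issuing ---
certutil -installcert E:\IssuingCA1.crt
Start-Service CertSvc
certutil -pulse   # trigger autoenrollment on this host as a first end-to-end check
```

One caveat before step 1: the root's CDP and AIA URLs (CA\CRLPublicationURLs and CA\CACertPublicationURLs) must already point at locations domain members can reach, such as an HTTP path and the LDAP container populated in step 2, because those URLs are baked into the issuing CA certificate the root signs. Publishing the root CRL on a schedule is an operational duty that comes with an offline root; when it lapses, revocation checking of the issuing CA certificate fails.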
Certificate Autoenrollment GPO Settings:
# These are the registry values the "Certificate Services Client - Auto-Enrollment" GPO writes.
# Setting them by hand affects one host and is overwritten at the next policy refresh; configure the GPO instead.
$aePath = "HKLM:\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
if (-not (Test-Path $aePath)) { New-Item -Path $aePath -Force | Out-Null }
# AEPolicy 7 = enabled (0x1) + renew expired/update pending/remove revoked (0x2) + update templates (0x4); 0x8000 disables
Set-ItemProperty -Path $aePath -Name "AEPolicy" -Value 7 -Type DWord
# Start renewal when 10% of the validity period remains (the default)
Set-ItemProperty -Path $aePath -Name "OfflineExpirationPercent" -Value 10 -Type DWord