New Active Directory Certificate Services (PKI) Features in Windows Server 2012

New Features

Below is a list of several new features available in Active Directory Certificate Services in Windows Server 2012.  Additional information on new features in ADCS can be found here: https://technet.microsoft.com/en-us/library/hh831373.aspx

Deployment with Server Manager:

Active Directory Certificate Services (ADCS), like all other roles, is deployed through Server Manager.  I covered the installation of Certificate Services on a Root CA with Server Manager in this blog posting:  Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part II, Installing a Root Certification Authority with the GUI

Deployment with PowerShell:

One of the greatest improvements, from my point of view, is the ability to deploy Certificate Services with PowerShell.  This feature makes it possible to have a well-tested, repeatable implementation process that increases the likelihood of a successful deployment.  In my blog series (Installing a Two Tier PKI Hierarchy in Windows Server 2012 Wrap Up) I covered installing ADCS with PowerShell.  The two particular blog postings where I performed the installation with PowerShell were: Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part I, Installing a Root Certification Authority with PowerShell and Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part V, Installing an Enterprise Subordinate Certification Authority and Web Enrollment with PowerShell

Additionally, here are links to the deployment cmdlets for ADCS: https://technet.microsoft.com/en-us/library/hh848390.aspx
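As an added example (not code from the original post or from the linked series), here is a PowerShell deployment of a standalone root CA using the Windows Server 2012 ADCS cmdlets, with the hash algorithm, key length and CRL settings chosen explicitly rather than left to defaults. It assumes an elevated session on the intended root CA; the CA name "CORP-ROOT-CA" is a placeholder.

```powershell
# Added example: deploy an offline standalone root CA with the Windows Server 2012
# ADCS deployment cmdlets. Run elevated on the server that will become the root CA.
$caName = 'CORP-ROOT-CA'   # placeholder common name for the root CA

# 1. Install the Certification Authority role service and its management tools.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure a standalone root CA. Hash algorithm and key length are set
#    explicitly so the result does not depend on the cmdlet defaults.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# 3. Bound the lifetime of certificates this root issues (its subordinate CAs)
#    and set a CRL schedule suited to a root that is only brought online to sign
#    a new CRL. Delta CRLs are disabled for the offline root.
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod 'Years'
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service certsvc

# 4. Verify the CA certificate that was produced (signature algorithm, expiry).
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" }
$caCert |
    Select-Object Subject, NotAfter,
        @{ n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-List

# 5. Show the RPC interface flags. On Windows Server 2012 the enhanced RPC
#    security flag (IF_ENFORCEENCRYPTICERTREQUEST) is present by default; leave it
#    in place unless down-level clients genuinely need to enroll against this CA.
certutil -getreg CA\InterfaceFlags
```

The ValidityPeriod and CRLPeriod values are examples; size them to your own hierarchy's renewal and CRL publication plan.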

Server Core:

You can now install all ADCS roles on Server Core.  These roles are:

  • Certification Authority
  • Certification Authority Web Enrollment
  • Online Responder
  • Network Device Enrollment Service
  • Certificate Enrollment Web Service
  • Certificate Enrollment Policy Web Service

Server Edition:

All six roles mentioned above can be installed on any edition of Windows Server 2012.

Enhanced RPC Security:

Enhanced RPC security has been introduced in Windows Server 2012.  To support enrollment for down-level clients, the additional security must be disabled.  More information is available here: https://social.technet.microsoft.com/wiki/contents/articles/6289.certification-authority-authentication-level-incompatible-with-windows-xp.aspx

Active Directory Site Awareness:

ADCS in Windows Server 2012 supports site awareness for enrollment.  The requirements are that the CAs run Windows Server 2012 and the clients run Windows 8.  Additional information for deploying site awareness is available here: https://social.technet.microsoft.com/wiki/contents/articles/14106.ad-ds-site-awareness-for-ad-cs-and-pki-clients.aspx

Certificate Template Compatibility:

When duplicating a template, you can select the OS version of your CA and the OS version of your “Clients”, and then only the features supported by both the CA and the “Client” will be accessible when modifying the template.  More information is available here: https://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx

Group Protected PFX:

Group Protected PFX allows a PFX file to be secured with Active Directory credentials, which eases deployment of PFX files, especially in a server farm environment.  Additional information is available here:  https://blogs.technet.com/b/pki/archive/2012/10/08/group-protected-pfx.aspx

Certificate Lifecycle Notification:

See: https://social.technet.microsoft.com/wiki/contents/articles/14250.certificate-services-lifecycle-notifications.aspx

Key Based Renewal:

Key Based Renewal allows non-domain-joined computers to automatically re-enroll for certificates.  To allow non-domain-joined computers to enroll and re-enroll for a certificate, Certificate Enrollment Web Services is leveraged.  Additional information on Certificate Enrollment Web Services and Key Based Renewal is available here: https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Key-based_renewal
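As an added example (not from the original post or the linked article), here is a PowerShell installation of the Certificate Enrollment Policy and Certificate Enrollment web services configured for key-based renewal, with the enrollment endpoint restricted to renewals only. It assumes an elevated session on a domain-joined Windows Server 2012 web server; the SSL certificate thumbprint and the CA configuration string are placeholders.

```powershell
# Added example: set up CEP and CES for key-based renewal on Windows Server 2012.
$sslThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder thumbprint
$caConfig      = 'issuingca01.corp.example\CORP-ISSUING-CA'    # placeholder CAHost\CAName

# 1. Install both web service role services.
Install-WindowsFeature ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools

# 2. Certificate Enrollment Policy Web Service: clients authenticate with their
#    existing certificate, and the policy endpoint advertises key-based renewal.
Install-AdcsEnrollmentPolicyWebService `
    -AuthenticationType Certificate `
    -SSLCertThumbprint $sslThumbprint `
    -KeyBasedRenewal `
    -Force

# 3. Certificate Enrollment Web Service: certificate authentication, renewal only.
#    -RenewalOnly refuses new enrollment requests on this endpoint, so the
#    certificate the client already holds is the only credential it accepts, and
#    only for renewing that same certificate.
Install-AdcsEnrollmentWebService `
    -CAConfig $caConfig `
    -AuthenticationType Certificate `
    -SSLCertThumbprint $sslThumbprint `
    -RenewalOnly `
    -AllowKeyBasedRenewal `
    -Force

# 4. Verify the role services are installed and that IIS exposes them over HTTPS.
Get-WindowsFeature ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc |
    Format-Table Name, InstallState
Get-WebBinding | Format-Table protocol, bindingInformation
```

Because the renewal endpoint trusts the existing certificate alone, keep it renewal-only as shown and publish it only on the templates you intend non-domain-joined computers to renew.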

Same Key Renewal:

You can force renewal of a certificate to use the same key pair.  This setting is defined in the certificate template.  Among other things, it enables the same key to be maintained if you are using a TPM to protect certificate keys.

TPM Support:

In Windows Server 2012 and Windows 8, a Trusted Platform Module (TPM) can be used to secure a certificate’s private key.  To support the TPM, the Microsoft Platform Crypto Provider (a Key Storage Provider) is used.  Here is an article on “Creating a certificate template that includes the Microsoft Platform Crypto Provider on a CA with no TPM”: https://social.technet.microsoft.com/wiki/contents/articles/13964.creating-a-certificate-template-that-includes-the-microsoft-platform-crypto-provider-on-a-ca-with-no-tpm.aspx