5 Ways in Which We Can Easily Set Up Microsoft PKI


A public key infrastructure (PKI) is responsible for creating, managing, distributing, storing, and revoking digital certificates. Digital certificates are used in Windows settings to secure various types of connections.

Those connection types include Microsoft Active Directory LDAPS lookups (Lightweight Directory Access Protocol over Secure Sockets Layer), Internet Information Services (IIS) HTTPS connections, Exchange Server communications, and Windows Server Update Services (WSUS) traffic.


You can also manage your certificates with a Windows-hosted PKI running in an Amazon Web Services (AWS) account, which helps you reduce unsecured, unsigned network traffic. To implement a PKI environment, install and configure certification authority (CA) roles on one or more Windows servers.

The Microsoft PKI Quick Start installs a root CA and a subordinate CA. The root CA is the primary certification authority for an Active Directory forest: its certificate signs the subordinate CA's certificate, and the subordinate CA in turn issues the server and application certificates.

The Quick Start generates an initial root certificate and then stops the root CA's Amazon Elastic Compute Cloud (Amazon EC2) instance. The instance stays offline except when a new root certificate is required, which helps protect the integrity of the root CA's key.

Here are five ways in which you can easily set up Microsoft PKI.

1. After Windows 2000 Server base setup has been completed

To install Certificate Services on a server that already has Windows 2000 Server installed, double-click Add/Remove Programs in Control Panel. After you select Certificate Services for installation, the Certificate Services Installation wizard walks you through the procedure.

2. As part of the Windows 2000 Server base setup

Although Certificate Services ships with Windows 2000 Server, it is not installed by default during Windows 2000 Server setup.

To install Certificate Services during the initial base installation of Windows 2000 Server, select it from the optional components list offered during setup. Installation does not complete until you log on to the server after Windows 2000 setup finishes; a notification then prompts you to finish configuring the CA.

3. Enabling computer certificate auto-enrollment

  • From the Start screen on 3-DC1, select Group Policy Management.
  • In the console tree, expand Forest: corp.contoso.com\Domains\corp.contoso.com.
  • Right-click Default Domain Policy in the console tree, then select Edit.
  • In the Group Policy Management Editor console tree, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
  • In the details pane, double-click Certificate Services Client - Auto-Enrollment, then select Enabled from the Configuration Model drop-down list.
  • Select the check boxes Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates, then click OK.
  • Next, create a unique client-server authentication template.
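The same auto-enrollment setting can be applied and verified from PowerShell. This is an added example, not part of the original article; it assumes the GroupPolicy module (RSAT) is available on 3-DC1 and that the target GPO is the Default Domain Policy named in the steps above.

```powershell
# Added example: enable computer certificate auto-enrollment in the
# Default Domain Policy without the Group Policy Management Editor.
Import-Module GroupPolicy

$gpo = 'Default Domain Policy'
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# AEPolicy is a bit mask. 7 is the value the console writes when the
# Configuration Model is "Enabled" and both check boxes (renew/update/remove
# and update templates) are selected. 0x8000 disables auto-enrollment.
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'AEPolicy' -Type DWord -Value 7

# Read the setting back so a disabled (0x8000) or partial value is caught
# before clients pick up the policy.
$ae = Get-GPRegistryValue -Name $gpo -Key $key -ValueName 'AEPolicy'
if ($ae.Value -eq 7) {
    Write-Host "Auto-enrollment enabled in '$gpo' (AEPolicy=$($ae.Value))"
} else {
    throw "Unexpected AEPolicy value $($ae.Value) in '$gpo'"
}

# Refresh computer policy on this host and trigger an enrollment pass now
# rather than waiting for the next scheduled auto-enrollment run.
gpupdate /target:computer /force
certutil -pulse
```

Clients receive a certificate only once a template with Autoenroll permission for their computer account is published on the CA, so run the enrollment check after step 5 rather than immediately.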

4. To install the Certification Services server role on 3-DC1


  • On the Server Manager Dashboard, select Add roles and features under Configure this local server.
  • To proceed to the server role selection screen, click Next three times.
  • On the Select Server Roles page, choose Active Directory Certificate Services, then click Add Features when requested.
  • Accept the default settings by clicking Next three times, then click Install.
  • Wait for the installation to finish.
  • In the Installation Progress window, click the Configure Active Directory Certificate Services link on the target server.
  • On the Credentials screen, press the Next button.
  • On the Role Services page, click Next after selecting Certification Authority.
  • Click Next seven times to accept the Enterprise Root CA's default configuration parameters.
  • Click Configure on the confirmation screen.
  • Confirm that the setup was successful, then click Close.
  • After that, in the Add Roles and Features Wizard, click Close.
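The role installation and Enterprise Root CA configuration above can also be scripted. This is an added example, not part of the original article; the CA name matches the lab (corp-3-DC1-CA), while the key size, hash algorithm and validity are assumptions that make explicit what the wizard otherwise takes from its defaults.

```powershell
# Added example: install AD CS and configure an Enterprise Root CA on 3-DC1.
Import-Module ServerManager

# Role plus management tools (Certification Authority console, certutil).
$feature = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $feature.Success) { throw "AD CS role installation failed" }

Import-Module ADCSDeployment

# Equivalent of the wizard's Enterprise Root CA path with the crypto settings
# stated explicitly: RSA 2048 in the software KSP, SHA-256, 5-year CA cert.
# (Assumed values; choose what your forest's policy requires.)
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'corp-3-DC1-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# Verify: the CA service is running and the CA certificate in the machine
# store carries the expected signature algorithm and lifetime.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') { throw "CertSvc is $($svc.Status)" }

$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=corp-3-DC1-CA*' } |
    Select-Object -First 1
if (-not $caCert) { throw "CA certificate not found in LocalMachine\My" }

"CA cert:             $($caCert.Subject)"
"Signature algorithm: $($caCert.SignatureAlgorithm.FriendlyName)"
"Valid until:         $($caCert.NotAfter)"

# Enterprise CAs register in Active Directory; -cainfo reports the CA's
# name, type and configuration string as seen from this host.
certutil -cainfo
```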

5. To configure the client-server authentication template


  • From the Start screen of 3-DC1, select Certification Authority.
  • In the console tree, expand corp-3-DC1-CA.
  • Right-click Certificate Templates and select Manage.
  • In the Certificate Templates console, right-click Workstation Authentication and select Duplicate Template.
  • On the General tab, change the Template display name to Client-Server Authentication and select Publish certificate in Active Directory.
  • On the Extensions tab, select Application Policies and click Edit. Click Add, select Server Authentication, and click OK. Click Add again, select IP security IKE intermediate, and click OK.
  • Click OK to save the Client-Server Authentication template.
  • Close the Certification Authority console.
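The following added example (not from the original article) checks that the new template is offered by the CA, enrolls the local computer against it, and confirms the issued certificate carries the application policies configured above. It assumes the template's internal name is Client-ServerAuthentication (the console derives it by removing spaces from the display name), that the template has been added under the CA's Certificate Templates to Issue, and that Domain Computers hold Enroll and Autoenroll permission on its Security tab; the steps above do not show those two settings, but enrollment fails without them.

```powershell
# Added example: verify the Client-Server Authentication template end to end.
$templateName = 'Client-ServerAuthentication'   # assumed internal name

# OIDs behind the friendly names chosen on the Extensions tab. Client
# Authentication is inherited from the Workstation Authentication template.
$required = @{
    'Client Authentication'        = '1.3.6.1.5.5.7.3.2'
    'Server Authentication'        = '1.3.6.1.5.5.7.3.1'
    'IP security IKE intermediate' = '1.3.6.1.5.5.8.2.2'
}

# 1. Is the template actually published on the CA? -CATemplates lists the
#    templates the CA is willing to issue.
$offered = certutil -CATemplates 2>&1 | Out-String
if ($offered -notmatch [regex]::Escape($templateName)) {
    throw "Template '$templateName' is not offered by the CA; add it under 'Certificate Templates to Issue'."
}

# 2. Enroll this computer against the template via the AD enrollment policy,
#    placing the certificate in the machine store.
$result = Get-Certificate -Template $templateName -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
$cert = $result.Certificate

# 3. Confirm every expected EKU is present on the issued certificate.
$ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
foreach ($name in $required.Keys) {
    if ($ekus -notcontains $required[$name]) {
        throw "Issued certificate lacks EKU '$name' ($($required[$name]))"
    }
}
"Issued $($cert.Subject) by $($cert.Issuer); EKUs: $($ekus -join ', ')"
```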

Why Microsoft Enterprise PKI?

Passwords can be lost or stolen, so networks that rely on credential-based authentication remain vulnerable to over-the-air credential theft. Credential-based systems also require password reset policies, which are a burden for both network administrators and end users.


Because digital certificates can be bound to a device and serve as the device's or user's identity, they provide stronger identification. With certificates, administrators can quickly configure devices for certificate-based 802.1X authentication using EAP-TLS. A PKI is the foundation on which administrators build such a certificate-based network.


This article has provided some quick guidelines and best-practice guidance on setting up a PKI that includes offline standalone CAs and enterprise-based online issuing CAs. If you use a three-level hierarchy, the script that publishes the root CA's certificate and CRL file to the issuing CA's local store and to Active Directory must be modified, because the policy CA's certificate and CRL must also be published to the enterprise-based issuing CA's local certificate store and to Active Directory.