Below is a comprehensive checklist of prerequisites and permissions required for implementing and automating Active Directory Certificate Services (AD CS).
This guide ensures your environment is properly configured for enterprise-grade PKI automation, enrollment, and lifecycle management
Environment and Infrastructure Prerequisites
Category | Requirement | Purpose |
Operating System | Windows Server 2019, 2022, or 2025 | Required to host AD CS Role Services |
Active Directory Integration | Functional AD DS environment with at least one domain controller | AD CS depends on AD for certificate publishing, user mapping, and template authentication |
Network Configuration | Static IP address assigned | Ensures stable Certificate Authority (CA) communication and reliability |
DNS and Time Sync | Reliable DNS records and NTP synchronization | Required for certificate validation, CRL distribution, and chain trust accuracy |
System Resources | Minimum of 8 GB RAM, 2 vCPUs, and 50 GB storage | Provides sufficient capacity for certificate database and logs in production CAs |
Backup and Recovery Plan | Regular CA database and private key backups | Enables disaster recovery for critical CA entities and issued certificates |
Firewall Ports | Open ports TCP 80, 135, 139, 445, and 1025–65535 (DCOM and RPC) | Required for AD CS communication and certificate enrollment services |
Active Directory and PKI Permissions
Role / Object | Minimum Permission | Description |
Enterprise Admins | Full control over Configuration Container | Required for forest-wide CA installation and certificate publishing |
Domain Admins | Local administrator on the CA host | Needed for local service configuration and certificate distribution |
CA Computer Account | Membership in the Cert Publishers group | Allows publishing issued certificates to user and computer objects in AD. |
Enrollment Agent Account | “Enroll” and “Issue and Manage Certificates” permissions | Facilitates delegated certificate enrollment on behalf of users/devices |
NDES or SCEP Service Account | “Request Certificates” and “Read” on CA templates | Allows automated enrollment for network and IoT devices via SCEP or Intune |
Group Policy Management Delegates | Modify GPOs under “Public Key Policies” | Needed to enable auto-enrollment configurations and renewal policies |
Role Service Dependencies (For Automation)
Service | Description | Required for |
Certificate Authority (CA) | Core AD CS service issuing certificates | All AD CS deployments |
Network Device Enrollment Service (NDES) | Supports SCEP for non-domain devices | Device and MDM integrations |
Certificate Enrollment Web Service (CES) | Provides enrollment via HTTPS | Secure remote certificate request automation |
Certificate Enrollment Policy Web Service (CEP) | Handles certificate enrollment policies | Enables AD CS automation through REST or external identity providers |
Online Responder (OCSP) | Responds to revocation status queries | Certificate revocation automation and validation |
Certificates and Template Configuration Prerequisites
Configuration Item | Requirement | Notes |
Certificate Templates | Published and linked to AD CS | Must include “Autoenroll” permission for target users and computers |
Enrollment Permissions | Assign “Enroll” or “Autoenroll” rights on templates | Required for Group Policy–based automation |
Cryptographic Settings | Minimum RSA 2048 or ECC P-256 | Prevents weak key usage and complies with modern standards |
Enrollment Agent Template | Configured with “Enroll” permissions for service accounts | Enables delegated certificate requests across systems |
Service Accounts and Security Controls
- Create Dedicated Service Accounts for automated enrollment services (e.g., SCEP, API agents) with the following:
- Logon as a service permission.
- Read access to CA database and Certificate Templates.
- No interactive logon rights (hardened per least-privilege principle).]
- Implement Role-Based Access Control (RBAC) on CA management:
- Separate issuing roles (operators vs. admins).
- Deny “Issue and Manage Certificates” to non-trusted personnel.
Final Validation Checklist Before Automation
Action | Validation Criteria |
Verify CA installation and health | certutil –cahealth returns no errors. |
Confirm Service Accounts and Templates | Accounts visible in Security tabs with correct permissions. |
Check Domain Auto-Enrollment Policy | GPOs under “Public Key Policies → Autoenrollment” are set to Enabled. |
Test Auto-Enrollment | Domain-joined client automatically retrieves certificate. |
Backup Keys and Database | System state and CA private key backed up securely. |