Microsoft Direct Access Continued: Public Key Infrastructure

What is PKI?

Public Key Infrastructure (PKI) refers to the technical mechanisms, procedures and policies that collectively provide a framework for addressing the previously illustrated fundamentals of security – authentication, confidentiality, integrity, non-repudiation and access control. Read more about PKI: What is PKI?

Installing AD CS Role:

Go to “Add Roles and Features” under Server Manager and add “Active Directory Certificate Services” (AD CS)

Select “Certification Authority” (CA), confirm, and install

In the post-deployment configuration, select the CA to configure


Choose the setup type based on your environment

Choose “Root CA” since we are creating a new PKI

Create a new private key

Adjust the settings if you wish; I went with the defaults

This step is autofilled; you can rename the CA here

Adjust the validity period

Again, the locations will be autofilled; click Next >

Confirmation page
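The wizard steps above can also be scripted. The following is an added example, not code from the original post, of the same root CA installation from an elevated PowerShell session on the domain-joined server; the CA name, key length, hash algorithm and validity period are assumptions, so adjust them to your environment (the post itself kept the wizard defaults).

```powershell
# Added example (not from the original post): install the AD CS role and
# configure a new enterprise root CA, mirroring the wizard steps above.

# 1. "Add Roles and Features": AD CS role with the Certification Authority role service
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Post-deployment configuration: root CA with a new private key.
#    Pick the key length and hash explicitly instead of trusting the defaults
#    of whatever server build you are on; these values are assumptions.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    CACommonName        = 'CORP-ROOT-CA'     # assumed CA name; the wizard autofills one
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5                  # "Adjust the validity period"
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# 3. Confirmation: the CA service is running and reports the settings we asked for
Get-Service CertSvc | Select-Object Name, Status
certutil -cainfo name
certutil -getreg CA\CAType
certutil -getreg CA\CSP\CNGHashAlgorithm
```

The final `certutil` calls are the scripted equivalent of the confirmation page: they read the CA type and the signing hash back from the registry so you can confirm the CA was created with the algorithm you intended before any certificate is issued from it.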


Generating Certificates:

Go to CA Management Console

On the left pane, right click “Certificate Templates” > “Manage”

On the bottom, right click “Workstation Authentication” > “Duplicate Template”

Now configure the properties of the new template. Under the “General” tab, name the template; since it’ll be used for Direct Access authentication, I named it accordingly.

Under “Extensions” tab, edit “Application Policies”

Client Authentication is already there, add “Server Authentication”

Go back to the template properties. Under “Security”, allow Domain Computers to “Autoenroll”, so that later, when a certificate is created, the domain clients will enroll automatically.

Under “Subject Name”, select “Common name”; this makes the certificate easier to identify. Click “OK” to save your settings and close the window.


Close the template console. On the left pane of the CA Management Console, right click “Certificate Templates” > “New” > “Certificate Template to Issue”

Select the template just created

And it will show up on the right pane

Go to Direct Access Management Console, edit server settings

Under “Authentication”, check “Use computer certificates”, browse and find the proper certificate

Restart the server and client computer…
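Before restarting, it is worth confirming from the CA side that the template really is configured the way the steps above describe, since a template that is missing the Server Authentication policy, that is not published, or that grants Autoenroll to the wrong group will fail silently on the clients. The following is an added example, not code from the original post: it reads the template object back from Active Directory and checks each setting the steps touched. It assumes the ActiveDirectory and ADCSAdministration modules are available on the CA and that the template's name (the “Template name” field, not the display name) is `DirectAccessComputer`.

```powershell
# Added example (not from the original post): verify the duplicated template
# against the settings chosen in the steps above. Template name is assumed.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$templateName    = 'DirectAccessComputer'                             # assumed template name
$ekuClientAuth   = '1.3.6.1.5.5.7.3.2'                               # Client Authentication
$ekuServerAuth   = '1.3.6.1.5.5.7.3.1'                               # Server Authentication
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'      # Certificate-Enrollment extended right
$autoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'      # Certificate-AutoEnrollment extended right

# 1. "Certificate Template to Issue": the CA must actually offer the template.
if (-not (Get-CATemplate | Where-Object Name -eq $templateName)) {
    Write-Warning "Template '$templateName' is not issued by this CA (Certificate Templates > New > Certificate Template to Issue)"
}

# 2. Read the template object from the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplDN   = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl     = Get-ADObject -Identity $tmplDN -Properties pKIExtendedKeyUsage, nTSecurityDescriptor, 'msPKI-Certificate-Name-Flag'

# 3. "Application Policies": both Client and Server Authentication must be present.
foreach ($eku in @($ekuClientAuth, $ekuServerAuth)) {
    if ($tmpl.pKIExtendedKeyUsage -notcontains $eku) { Write-Warning "Template is missing application policy $eku" }
}

# 4. "Subject Name" = Common name built from AD: bit 0x40000000 set,
#    and the enrollee-supplies-subject bit (0x1) clear.
$nameFlags = [int]$tmpl.'msPKI-Certificate-Name-Flag'
if (-not ($nameFlags -band 0x40000000)) { Write-Warning 'Subject name is not set to "Common name"' }
if ($nameFlags -band 0x1) { Write-Warning 'Template lets the requester supply its own subject; expected "Build from Active Directory information"' }

# 5. "Security": list everyone holding Enroll / Autoenroll, then confirm Domain Computers has both.
$aces = $tmpl.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.ObjectType -in @($enrollRight, $autoenrollRight)
}
$aces | Select-Object IdentityReference,
        @{ n = 'Right'; e = { if ($_.ObjectType -eq $autoenrollRight) { 'Autoenroll' } else { 'Enroll' } } } |
    Sort-Object IdentityReference | Format-Table -AutoSize

$dc = $aces | Where-Object { $_.IdentityReference -like '*\Domain Computers' }
if (($dc.ObjectType -contains $enrollRight) -and ($dc.ObjectType -contains $autoenrollRight)) {
    "Domain Computers hold Enroll + Autoenroll on $templateName"
} else {
    Write-Warning "Domain Computers lack Enroll and/or Autoenroll on $templateName; clients will not enroll automatically"
}
```

Step 5 prints every principal that can enroll or autoenroll, not just Domain Computers: ticking “Autoenroll” in the GUI grants the Enroll and Autoenroll extended rights to whichever principal is selected, so a quick look at that list confirms that only domain computers were granted the right, which is what the Direct Access authentication use case calls for.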


Verifying Client Enrollment:

To verify that the client computers have received the certificate, log in as an administrator on the client computer; do not log in as a domain user, as you won’t have the authority to view the computer certificates. Run “mmc” to open the Microsoft Management Console and add the “Certificates” snap-in

Select “Computer account”

Then select “Local computer”

On the left pane, click “Personal” > “Certificates”; you will see the certificate in the right pane

Click on the certificate to view its information
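The same check can be scripted when you have more than one client to verify. The following is an added example, not code from the original post: run from an elevated PowerShell prompt on the client (the same elevation the MMC steps above require), it finds the machine certificate issued from the template and reports the properties that matter for Direct Access. It assumes the template was named `DirectAccessComputer`; the name is matched against the Certificate Template Information extension of each certificate in the Local Computer\Personal store.

```powershell
# Added example (not from the original post): scripted equivalent of the
# MMC "Personal > Certificates" check on the client. Template name is assumed.
$templateName    = 'DirectAccessComputer'   # assumed template name
$templateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension
$ekuOid          = '2.5.29.37'              # Enhanced Key Usage extension
$ekuClientAuth   = '1.3.6.1.5.5.7.3.2'
$ekuServerAuth   = '1.3.6.1.5.5.7.3.1'

# Trigger computer autoenrollment now instead of waiting for the next policy
# refresh; harmless if the certificate is already present.
certutil -pulse | Out-Null

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $tmplExt = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
    $tmplExt -and ($tmplExt.Format($false) -like "*$templateName*")
}

if (-not $certs) {
    Write-Warning "No certificate from template '$templateName' in Local Computer\Personal"
    Write-Warning 'Check that the computer is in Domain Computers, that autoenrollment policy applies, and that the CA has published the template'
    return
}

foreach ($cert in $certs) {
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid }
    $ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
        HasPrivateKey = $cert.HasPrivateKey                      # required for IPsec authentication
        ClientAuth    = $ekus -contains $ekuClientAuth
        ServerAuth    = $ekus -contains $ekuServerAuth
        CNMatchesHost = $cert.Subject -like "CN=$env:COMPUTERNAME*" # "Common name" built from AD
        ChainValid    = Test-Certificate -Cert $cert -Policy BASE -ErrorAction SilentlyContinue
    }
}
```

A certificate that shows up in the store but reports `HasPrivateKey = False`, a missing Server Authentication policy, or `ChainValid = False` (the client does not trust the issuing CA) will be listed in MMC just like a good one, which is why the scripted check reports each of those properties rather than only the certificate's presence.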

And this is the end of the tutorial.