Active Directory Certificate Services Brief

What It Is

AD CS is a Windows Server role that gives an organization its own internal certificate authority, integrated with Active Directory. Certificates issued by an enterprise CA can prove identity to the domain — they function as authentication credentials, not just encryption tools.

Mental Model

AD CS is the organization's internal passport office. It issues identity documents that the network trusts automatically. Security depends on who can request a passport, what identity it claims, and whether the office verifies those claims properly.

Key Distinctions

  • AD CS is an optional server role, not a default component of every AD deployment
  • Enterprise CAs integrate with AD identity — standalone CAs do not
  • Certificates can authenticate users via PKINIT — they are credentials, not just encryption
  • The primary attack surface is template configuration and enrollment permissions, not the CA server
  • NTAuthCertificates defines which CAs are trusted for domain authentication
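A defender's check that turns the distinctions above into an audit, added here as an example and not part of the original brief: it reads the certificate templates from the Configuration partition, flags the combination that matters (requester-supplied subject, an authentication EKU, no approval gate, broad enrollment rights), and then lists what NTAuthCertificates trusts. It assumes the ActiveDirectory RSAT module in a domain-joined session; the list of "broad" principals and the Review criterion are this example's own choices.

```powershell
$cfg = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"

# Only templates listed on an enterprise CA object can actually be enrolled against.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

# EKUs that make a certificate usable for domain authentication:
# Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose.
$authEku = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4', '2.5.29.37.0'
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$broad = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'   # example's own threshold

Get-ADObject -SearchBase "CN=Certificate Templates,$pks" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage |
ForEach-Object {
    $t = $_
    $findings = @()
    # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1): the requester chooses the identity the certificate claims.
    if ($t.'msPKI-Certificate-Name-Flag' -band 0x1) { $findings += 'enrollee supplies subject' }
    # An empty EKU list means any purpose; otherwise look for an authentication EKU.
    $eku = @($t.pKIExtendedKeyUsage)
    if ($eku.Count -eq 0 -or ($eku | Where-Object { $authEku -contains $_ })) { $findings += 'authentication EKU' }
    # CT_FLAG_PEND_ALL_REQUESTS (0x2, manager approval) or required RA signatures gate issuance.
    $gated = (($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0) -or ([int]$t.'msPKI-RA-Signature' -gt 0)
    # Enrollment permissions: Allow ACEs granting Enroll (or all extended rights, or GenericAll).
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $enrollers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty)))
    } | ForEach-Object { $_.IdentityReference.Value }
    $broadEnroll = @($enrollers | Where-Object { $broad -contains $_.Split('\')[-1] })
    [pscustomobject]@{
        Template    = $t.Name
        Published   = $published -contains $t.Name
        Findings    = $findings -join ', '
        Gated       = $gated
        BroadEnroll = $broadEnroll -join ', '
        # Review first: published, both findings, no approval gate, broad enrollment.
        Review      = ($published -contains $t.Name) -and $findings.Count -eq 2 -and -not $gated -and $broadEnroll.Count -gt 0
    }
} | Sort-Object Review -Descending | Format-Table -AutoSize

# The CAs the domain accepts for certificate authentication; compare against your known enterprise CAs.
(Get-ADObject "CN=NTAuthCertificates,$pks" -Properties cACertificate).cACertificate |
    ForEach-Object { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_) } |
    Select-Object Subject, Thumbprint, NotAfter
```

A template marked Review is one where the CA would do exactly what it is told: any broadly enrollable principal names its own subject and receives an authentication-capable certificate with no human in the loop.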

Common Confusion

  • Thinking AD CS is just about encrypting web traffic — it issues identity credentials
  • Confusing AD CS with generic certificate management — the AD integration is what makes misconfiguration domain-wide
  • Believing securing the CA server is sufficient — the vulnerabilities are in templates and enrollment
  • Treating AD CS misconfigurations as bugs — the CA works exactly as configured; the configuration is the problem

Interview Phrasing

AD CS gives an organization its own CA integrated with AD. Certificates can authenticate to the domain — they are credentials. The attack surface is template configuration and enrollment permissions. The risk is the CA doing exactly what a dangerous template tells it to do.