How to request a certificate from Windows ADCS!

A certificate is one of the obvious choices when it comes to verifying the identity of a user, machine, server, service, application, and many other things in the digital world. The usual process to get a digital certificate is: create a CSR (Certificate Signing Request), submit the CSR to a CA (Certificate Authority), and download the certificate after the CA issues it. We have covered the first part, creating a CSR, in another article. In this article, we are going to cover how to request a certificate from Windows ADCS. You can request a certificate from any other Certificate Authority as well; however, we are using ADCS (Microsoft’s Active Directory Certificate Service) for demonstration purposes. The idea behind the process remains the same.

What Is Microsoft ADCS (Active Directory Certificate Service)?

Microsoft Active Directory Certificate Service is a CA (Certificate Authority) used to issue certificates that meet internal certificate needs for secure communication.

Users can request a certificate for the Web browser, e-mail client, Remote Desktop Connections, and any applications or services from ADCS. You can request a certificate for pretty much anything. ADCS supports all standard and custom templates to issue certificates.

To Request A Certificate From Windows ADCS:

There are four major tasks that a user has to perform on their end to get the certificate.

  1. Generate a CSR.
  2. Request a new certificate.
  3. Check the status of the pending certificate request.
  4. Download the certificate, certificate chain or CRL.

1. Generate A CSR:

Follow the procedure written in the article to create a custom CSR: Step by step procedure to create a custom CSR on a Windows Server!

2. Request A New Certificate From ADCS:

  1. Browse the CA page in the browser: https://yourcaserver/certsrv
  2. You will see the CA welcome page.
  3. Select “Request a Certificate”.

4. You can request a certificate in either of the two ways mentioned below:

Create and submit a new certificate request with the available templates
The Certificate Authority has some predefined templates with which certificates can be requested. Use this option only if the requirement can be met with an available template, for instance when you are not sure of the certificate request process on the application end. Otherwise, go for the next option:

Submit a request by using a base-64-encoded CMC/PKCS#10 file
This option is best suited for a more detailed and accurate certificate request that carries all the details belonging to the application or the system. The user generates the certificate request from the application or the system with the necessary details and submits the base-64-encoded data using this option.

We suggest using this option for all application-related certificates, as the request contains all the required fields that need to appear in the issued certificate.

5. Select the option “Submit a certificate request by using a base64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base64-encoded PKCS#7 file”.

Paste the base-64 encoded certificate request (CSR) in the space provided. Select ‘Webserver Compatibility Certificate’ as the Certificate Template. Leave the Attribute field blank. Click on ‘Submit’.

After successful submission of certificate request, note down the “Request ID”. Ask the CA administrator to issue the certificate.
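The same submission can be made from a PowerShell prompt with the built-in `certutil` and `certreq` tools, which also lets you inspect the CSR before it is sent. This is an added example, not part of the original article; the CA config string, template name and file paths are assumptions to replace with your own values.

```powershell
# Added example. All values below are assumptions for illustration.
$CsrPath  = 'C:\certs\request.csr'           # base-64 PKCS#10 file created in step 1
$CertOut  = 'C:\certs\issued.cer'            # where the issued certificate is written
$ChainOut = 'C:\certs\chain.p7b'             # certificate plus intermediate/root CAs
$CaConfig = 'yourcaserver\Your-Issuing-CA'   # "CAHost\CAName" (placeholder)
$Template = 'WebServer'                      # template name, not its display name (assumed)

# 1. Inspect the CSR before it leaves the machine: confirm the subject, the
#    subject alternative names, the key length and the signature algorithm.
certutil -dump $CsrPath
if ($LASTEXITCODE -ne 0) { throw "CSR could not be parsed: $CsrPath" }

# 2. Submit the request. The template is passed as a request attribute, which
#    corresponds to the template drop-down on the web enrollment page.
$out = certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $CertOut
$out

# 3. Record the Request ID that the CA prints; it is needed to collect the
#    certificate once the CA administrator has issued it.
$match = $out | Select-String -Pattern 'RequestId:\s*"?(\d+)' | Select-Object -First 1
if (-not $match) { throw 'The CA did not return a Request ID; check the output above.' }
$requestId = $match.Matches[0].Groups[1].Value
"Request ID: $requestId"

# 4. Later, after the request has been issued, retrieve the certificate and its
#    chain. Skipped if the CA issued the certificate immediately in step 2.
if (-not (Test-Path $CertOut)) {
    certreq -retrieve -config $CaConfig $requestId $CertOut $ChainOut
}
```

If `-config` is omitted, `certreq` prompts with a list of the CAs it can find in Active Directory.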

3. Check The Status Of the Pending Certificate Request:

  1. Browse the CA page in the browser: https://yourcaserver/certsrv
  2. You will see the CA welcome page.

3. Select ‘View the status of a pending certificate request’. You will see the status of your requests. Select the certificate request you want to check the status of.

4. If the certificate has been issued, the page will show it as issued.

5. Select ‘Base 64 encoded’ and click on ‘Download Certificate’ to download the requested certificate.

6. Select ‘Base 64 encoded’ and click on ‘Download certificate chain’ to download the certificate along with intermediary and root certificates.
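Before installing the downloaded file, it is worth confirming that it chains to a trusted root, is not revoked, and carries the name the application is reached by. The check below is an added example, not part of the original article; the file path and host name are constructed values.

```powershell
# Added example. The path and expected host name are assumptions (constructed values).
$CertPath     = 'C:\certs\issued.cer'       # the 'Base 64 encoded' download
$ExpectedName = 'app01.example.internal'    # DNS name clients will connect to

$ns   = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object -TypeName "$ns.X509Certificate2" -ArgumentList $CertPath
$problems = @()

# Build the chain against this machine's trust store with online revocation
# checking, so an untrusted root, an expired certificate or an unreachable CRL
# is reported here and not later by a client.
$chain = New-Object -TypeName "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
if (-not $chain.Build($cert)) {
    $problems += $chain.ChainStatus |
        ForEach-Object { "chain: $($_.Status) $($_.StatusInformation.Trim())" }
}

# The Subject Alternative Name extension (OID 2.5.29.17) must list the expected
# name. Format() returns text such as "DNS Name=host1, DNS Name=host2" on
# English-language Windows; the label differs on localized systems.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($sanText -notmatch ('DNS Name=' + [regex]::Escape($ExpectedName) + '(,|$)')) {
    $problems += "name: '$ExpectedName' is not in the SAN list ($sanText)"
}

# Flag legacy signature hashes that modern clients reject.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -match 'sha1|md5') { $problems += "signature: weak algorithm $sigAlg" }

# Summary: subject, issuer, validity window and any findings.
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
if ($problems.Count -gt 0) {
    $problems
    throw 'Certificate failed validation; do not install it.'
}
'Certificate passed chain, revocation, name and signature checks.'
```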

4. Download A CA Certificate, Certificate Chain Or CRL:

The certificate or CRL for your application-related requirement can be downloaded from the option on the home page as well.

  1. Browse the CA page in the browser: https://yourcaserver/certsrv
  2. Select the “Download a CA certificate, Certificate Chain or CRL” option and select the required certificate to download.

This completes the process of requesting a certificate from Windows ADCS and downloading the certificate along with chain certificates.

Thanks for reading the article.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.

Leave a Reply


  1. Hi Arun,

    Thanks for these articles. This article is probably not entirely correct. We recently had an ADCS stuff set up / migrated to Win 2019 architecture and we were told that the Web page procedure no longer works.

    Is that correct? If so, please be kind enough to make the necessary changes so that the article remains useful and relevant as it has been for the previous versions of Win ADCS architectures.

  2. Arun sir, I encountered the Remote Desktop Certificate Expired Error and thus am trying to follow your procedure. However, I cannot find the CA server in my Win 11 Pro and also cannot execute the command certutil.exe to locate the CA server. Would you mind advising for that?
