Server Certificate Deployment Overview

Applies To: Windows Server 2008

The following illustration shows the components that are required to deploy server certificates.

Server certificate deployment components

The following components are required to deploy server certificates:

Active Directory Certificate Services

This deployment guide provides instructions for deploying an enterprise root certification authority (CA) that is also an issuing CA. The CA issues certificates to computers on the network that have the correct security permissions to enroll a certificate. Active Directory Certificate Services (AD CS) is installed on CA-01.

Copy of the RAS and IAS Servers certificate template

When you deploy server certificates, you make a copy of the RAS and IAS Servers certificate template and then configure the template according to your requirements. The CA uses the copy of the certificate template to create server certificates that it issues to RRAS servers and servers running Network Policy Server (NPS).


NPS replaces Internet Authentication Service (IAS) in Windows Server 2008.

Group Policy

After you configure the certificate template on the CA, you can configure the default domain policy in Group Policy so that server certificates are autoenrolled to all members of the RAS and IAS servers group in Active Directory Domain Services (AD DS). Group Policy is configured in AD DS on the server AD-DNS-01.

Server certificate deployment process

The process of configuring NPS and RRAS server certificate enrollment occurs in these stages:

  • Install the AD CS server role as an enterprise root CA. This step is required only if you have not already deployed a CA on your network.

  • On CA-01, configure a server certificate template. The CA issues certificates based on a certificate template, so you must configure the template for the server certificate before the CA can issue a certificate.

  • On AD-DNS-01, configure server certificate autoenrollment in Group Policy. When you configure autoenrollment, all servers running NPS, RRAS, or both on your network will automatically receive a server certificate when Group Policy on the server is refreshed. If you add more servers later, they will automatically receive a server certificate.

  • Refresh Group Policy on servers running NPS and RRAS. When Group Policy is refreshed, the servers receive two certificates. One certificate is the server certificate, which is based on the template that you configured in the previous step. This certificate is used by the server to prove its identity to client computers that attempt to connect to your network. The other certificate is the CA's certificate, which is automatically installed in the Trusted Root Certification Authorities certificate store.

    The server uses this certificate to determine whether to trust the certificates it receives from other computers. For example, if you deploy EAP-TLS, client computers use a certificate to prove their identities to the server running NPS. When the server receives a certificate from a client computer, trust for the certificate is established because NPS has the issuing CA certificate in its own Trusted Root Certification Authorities certificate store.


If you restart the NPS or RRAS server, Group Policy is automatically refreshed.