Deploying Server Certificates Overview

Updated: June 17, 2009

Applies To: Windows Server 2008 R2

You can use this guide to install Active Directory® Certificate Services (AD CS) as an Enterprise root certification authority (CA) and to enroll a server certificate to servers running Network Policy Server (NPS), Routing and Remote Access service (RRAS), or both NPS and RRAS.

If you deploy certificate-based authentication, servers running NPS and RRA are required to use a server certificate to prove their identities to client computers that are attempting to connect to the network.

The process of configuring NPS and RRAS server certificate enrollment occurs in these stages:

  • Install the AD CS server role. This step is required only if you have not already deployed a certification authority (CA) on your network.

  • Configure a server certificate template. The CA issues certificates based on a certificate template, so you must configure the template for the server certificate before the CA can issue a certificate.

  • Configure server certificate autoenrollment in Group Policy. When you configure autoenrollment, all servers running NPS, RRAS, or both on your network will automatically receive a server certificate when Group Policy on the server is refreshed. If you add more servers later, they will automatically receive a server certificate, too.

  • Refresh Group Policy on servers running NPS and RRAS. When Group Policy is refreshed, the servers receive two certificates. One certificate is the server certificate, which is based on the template that you configured in the previous step. This certificate is used by the server to prove its identity to client computers that attempt to connect to your network. The other certificate is the CA's certificate, which is automatically installed in the Trusted Root Certification Authorities certificate store. The server uses this certificate to determine whether to trust certificates it receives from other computers. For example, if you deploy EAP-TLS, client computers use a certificate to prove their identities to the server running NPS. When the server receives a certificate from a client computer, trust for the certificate is established because NPS has the issuing CA certificate in its own Trusted Root Certification Authorities certificate store.