Intermediate

AD Certificate Services Fundamentals

AD CS is Microsoft's built-in PKI that issues digital certificates for authentication, encryption, and signing — and it has become one of the most exploited attack surfaces in Active Directory.

Active Directory Certificate Services (AD CS) is a Windows Server role that creates and manages digital certificates. Think of a digital certificate as an electronic ID card that proves who you are on the network. AD CS has several key components: the Certificate Authority (CA) is the server that issues certificates, certificate templates define what types of certificates can be issued and who can request them, and enrollment is the process of requesting and receiving a certificate. Certificates can be used for many things: logging into AD (instead of a password), encrypting emails, signing documents, and securing websites. AD CS is installed in about 50-60 percent of enterprise AD environments, but it is often poorly configured because PKI is complex and was historically considered an infrastructure concern rather than a security one.

Active Directory Certificate Services is like an internal passport office for your organization. The Certificate Authority (CA) is the passport office itself — it verifies identities and issues passports (certificates). Certificate templates are the application forms — they define what information goes on the passport and who is allowed to apply. Just like a passport lets you enter countries without showing your birth certificate each time, an AD certificate lets you authenticate to services without typing your password. If the passport office has lax procedures (misconfigured templates), anyone could walk in and get a passport in the CEO's name.

Key Takeaways

  1. AD CS provides enterprise PKI: certificate issuance, enrollment, and authentication integration with AD.
  2. Certificate templates control who can request what — misconfigurations lead to ESC1-ESC16 attacks.
  3. PKINIT enables certificate-based Kerberos authentication — certificates can replace passwords.
  4. The NTAuthCertificates object determines which CAs are trusted for AD authentication.
  5. The CA private key is the ultimate target — stealing it enables forging certificates for any identity.
  6. AD CS is installed in most enterprise environments but rarely audited, making it a high-value attack surface.
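
One defensive check that follows directly from takeaways 2 and 3, as an added example (not code from the original page): a PowerShell audit that lists the templates published on an enrollment CA and flags those where the requester supplies the subject name, an authentication-capable EKU is present, and neither manager approval nor an authorized signature is required. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the flag bits and EKU OIDs are the documented schema values, while the function and variable names are mine.

```powershell
# Added audit example, not part of the original page. Assumes the RSAT ActiveDirectory
# module on a domain-joined host with read access to the Configuration partition.
Import-Module ActiveDirectory

$cfg = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag (CA manager approval)
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)

function Test-TemplateAllowsAuth {
    param([string[]]$Ekus)
    # A template with no EKU at all is usable for any purpose, which includes AD logon.
    if (-not $Ekus -or $Ekus.Count -eq 0) { return $true }
    return [bool]($Ekus | Where-Object { $AuthEkus -contains $_ })
}

# Only templates published on an enrollment CA can actually be requested.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature','pKIExtendedKeyUsage' |
    Where-Object { $published -contains $_.Name } |
    ForEach-Object {
        $supplies   = ($_.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $approval   = ($_.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $signatures = [int]$_.'msPKI-RA-Signature'   # null when unset, treated as 0
        $auth       = Test-TemplateAllowsAuth -Ekus $_.pKIExtendedKeyUsage
        [pscustomobject]@{
            Template        = $_.Name
            SubjectFromUser = $supplies
            AuthEku         = $auth
            ManagerApproval = $approval
            RASignatures    = $signatures
            # "Review" only means the template is structurally risky; the template ACL
            # (nTSecurityDescriptor, who holds Enroll) decides the real exposure.
            Review          = $supplies -and $auth -and -not $approval -and $signatures -eq 0
        }
    } | Sort-Object Review -Descending | Format-Table -AutoSize
```

Any template reported with Review set to True should have its enrollment permissions restricted, the "supply in the request" option removed, or manager approval enabled; the same query can be scheduled so that a template drifting into this state is detected rather than discovered.
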

Why Should I Care?

AD CS is one of the most powerful and least understood components of Active Directory. The "Certified Pre-Owned" research revealed that nearly every organization has exploitable AD CS misconfigurations. Understanding the fundamentals is essential before studying the attack techniques.

SourceSudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.