Implementing Computer Certificate Authentication with AD CS

Last updated: Jan 10, 2025

I've shown how to set up a WPA Enterprise architecture with EAP-TLS using a user certificate. You can find the tutorial here. This works quite well, but in some situations it may not be appropriate, as the network connection will only be established once the user session has been opened.

This causes the following problems:
- GPO scripts that are run at startup won't work
- We won't be able to connect remotely to these computers if the session is closed

To remedy this, we need to use computer authentication. With this method, the computer will establish a connection at system start-up, i.e. from the Lock Screen.

In this guide, I'll describe the steps involved in deploying computer certificates in an AD CS architecture, so that you can authenticate with them.

This guide assumes that the AD CS architecture is already installed and operational. For a detailed explanation of how to set up an ADCS architecture, follow this link: Implementing WPA Enterprise (802.1X and RADIUS) with EAP-TLS on UniFi WiFi Access Points.

Adding the Authentication Template for Workstations

From the AD CS server, we'll create a certificate template for our workstations, which will enable us to generate the certificates used for computer authentication.

Open the Certification Authority management console:

Screenshot of the Windows Run dialog box with 'certsrv.msc' entered to open the Certification Authority management console.

Open the Certificate Templates Console by right-clicking on the Certificate Templates folder and selecting Manage:

Screenshot of the Certification Authority console, showing the option to manage certificate templates in the AD CS 'Certificate Templates' section.

Right-click on the User template and select Duplicate Template:

Screenshot of the Certificate Templates Console, showing the option to duplicate a workstation certificate template in AD CS.

Optional, but if you have a recent architecture, set the Compatibility Settings to the most recent systems:

Screenshot of the Properties of New Template window in AD CS, showing compatibility settings for certification authority and certificate recipient.

Give the Template a name:

Screenshot of the Properties of New Template window in AD CS, showing the template name and display name set to EAP-TLS with validity and renewal periods.

Increase key size for greater security:

Screenshot of the Properties of New Template window in AD CS, showing cryptographic settings with a minimum key size of 4096 and selected cryptographic providers.

To enable automatic deployment of certificates via GPO, check the Autoenroll box for Domain Computers:

Screenshot of the Properties of New Template window in AD CS, showing security settings where Domain Computers are granted Enroll and Autoenroll permissions.

Finally, click OK to create the template.

From the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:

Screenshot of the Certification Authority console in AD CS, showing the option to issue a new certificate template under 'Certificate Templates'.

Select the Workstation_Auth_EAP-TLS template created earlier:

Screenshot of the Enable Certificate Templates window in AD CS, showing the selection of the EAP-TLS certificate template for enabling.

The Workstation_Auth_EAP-TLS template should appear in the Certificate Templates folder:

Screenshot of the Certification Authority console in AD CS, showing the EAP-TLS certificate template enabled under 'Certificate Templates'.

Deploying Certificates

Once the AD CS has been properly configured, we can request a Workstation certificate from any Domain Computer.

Manually from the Certificate Management Console

From a user computer, open the Certificate Management Console for the current computer:

Screenshot of the Windows Run dialog with certlm.msc entered, ready to open the Local Machine Certificate Management Console.

Right-click on the Personal folder and select Request New Certificate…:

Screenshot of the Certificates snap-in in the Local Computer Personal store, highlighting the option to request a new certificate.

Click Next to start the certificate enrollment process:

Certificate Enrollment Wizard displaying the 'Before You Begin' screen with instructions for requesting certificates.

Select the Active Directory Enrollment Policy and click Next to continue:

Certificate Enrollment Wizard showing the 'Select Certificate Enrollment Policy' screen with 'Active Directory Enrollment Policy' selected.

Select the previously defined Workstation policy and click Enroll:

Certificate Enrollment Wizard showing the 'Request Certificates' screen with 'Workstation_Auth_EAP-TLS' selected and the 'Enroll' button highlighted.

Simply click on Finish when the enrollment process is complete:

Certificate Enrollment Wizard showing 'Certificate Installation Results' screen with the status 'Succeeded' for the NPS certificate, and the 'Finish' button highlighted.

After clicking on Refresh, you should see your computer's certificate appear:

Certificate Manager showing a successfully installed certificate in the 'Personal > Certificates' section. The certificate 'W11.std.local' issued by 'std-ADCS-CA' with expiration date '5/1/2025' is highlighted.

Automatically with a Group Policy (GPO)

To automate the certificate renewal process, we can create a GPO and apply it to the domain computers.

Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:

Group Policy Management Editor with the selected 'Certificate Services Client - Auto-Enrollment' option in the Public Key Policies section. The context menu highlights 'Properties'.

Enable the Configuration Model and check the boxes to enable automatic certificate renewal:

Certificate Services Client - Auto-Enrollment Properties window showing configuration for automatic certificate renewal and updates.

Run gpupdate to obtain a certificate:

C:\> gpupdate

Computing

Music

Misc

Implementing Computer Certificate Authentication with AD CS

Adding the Authentication Template for Workstations

Deploying Certificates

Manually from the Certificate Management Console

Automatically with a Group Policy (GPO)