Windows AD CS Setup

Full DC Infrastructure Setup

For complete Domain Controller deployment including VM creation, AD DS promotion, SSH with YubiKey, and pfSense DNS configuration, see:

This page focuses on certificate template configuration for Linux workstation enrollment.

VM Specifications

Resource   Value
RAM        8 GB
vCPUs      2
Disk       60 GB
OS         Windows Server 2022 Standard
Hostname   home-dc01
IP         10.50.1.50
Domain     inside.domusdigitalis.dev

KVM Installation

sudo virt-install \
    --name home-dc01 \
    --ram 8192 \
    --vcpus 2 \
    --disk path=/var/lib/libvirt/images/home-dc01.qcow2,size=60 \
    --os-variant win2k22 \
    --network bridge=br0 \
    --graphics vnc \
    --cdrom /path/to/windows_server_2022.iso

Install AD CS

Install-WindowsFeature AD-Certificate -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName "HOME-ROOT-CA" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10

Create Linux Certificate Template

Step 1: Open Certificate Templates Console

# Open MMC Certificate Templates snap-in
certtmpl.msc

Or via GUI:

  1. Open Server Manager

  2. Navigate to: Tools → Certification Authority

  3. Expand your CA → right-click Certificate Templates → Manage

Step 2: Duplicate Workstation Template

  1. In Certificate Templates console, find Workstation Authentication

  2. Right-click → Duplicate Template

  3. Select Windows Server 2016 for compatibility (or 2012 R2 minimum)

Step 3: Configure General Tab

Field                  Value
Template display name  Linux-Workstation-Auth
Template name          Linux-Workstation-Auth
Validity period        2 years
Renewal period         6 weeks

Step 4: Configure Request Handling Tab

Field                              Value
Purpose                            Signature and encryption
Allow private key to be exported   Yes (needed for transfer to Linux)

Step 5: Configure Subject Name Tab

Field                                                                                   Value
Supply in the request                                                                   Selected (allows CSR from Linux)
Use subject information from existing certificates for auto-enrollment renewal requests  Unchecked

Do NOT select "Build from Active Directory information" - Linux machines are not AD-joined.

Step 6: Configure Extensions Tab

Application Policies (EKU)

  1. Select Application Policies → Edit

  2. Ensure these are present:

    Policy                            OID
    Client Authentication             1.3.6.1.5.5.7.3.2
    Server Authentication (optional)  1.3.6.1.5.5.7.3.1

Client Authentication EKU is REQUIRED for 802.1X. Without it, ISE silently rejects the certificate.

Step 7: Configure Security Tab

Add permissions for certificate enrollment:

Principal            Permissions               Purpose
Domain Admins        Full Control              Template management
Authenticated Users  Read, Enroll              Certificate requests
Domain Computers     Read, Enroll, Autoenroll  Optional: Windows auto-enrollment

Step 8: Publish Template

# Publish template to CA via PowerShell
# First confirm the template object exists in AD (created in Steps 1-7)
$ConfigContext = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$ADSI = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext"
$Template = $ADSI.Children | Where-Object { $_.displayName -eq "Linux-Workstation-Auth" }
if (-not $Template) { throw "Template Linux-Workstation-Auth not found in AD; complete Steps 1-7 first" }

# Add template to CA (ADCSAdministration module; -Name is the template CN, which here equals the display name)
Add-CATemplate -Name "Linux-Workstation-Auth" -Force

Or via GUI:

  1. Open Certification Authority (certsrv.msc)

  2. Expand CA → right-click Certificate Templates

  3. New → Certificate Template to Issue

  4. Select Linux-Workstation-Auth → OK

PowerShell: Complete Template Creation

# Import PSPKI module (Install-Module PSPKI if not present)
Import-Module PSPKI

# The PSPKI cmdlets used here manage template ACLs and listing; they do not
# duplicate templates. Create Linux-Workstation-Auth from Workstation Authentication
# in certtmpl.msc (Steps 1-7), then load it here. The built-in template's CN is "Workstation".
$NewTemplate = Get-CertificateTemplate -Name "Linux-Workstation-Auth"

# Grant Authenticated Users Read + Enroll (PSPKI ACL pipeline: get -> add -> set)
$NewTemplate | Get-CertificateTemplateAcl |
    Add-CertificateTemplateAcl -Identity "Authenticated Users" -AccessType Allow -AccessMask Read, Enroll |
    Set-CertificateTemplateAcl

# Alternative: read the template container directly with the ActiveDirectory module
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$TemplatePath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# List existing templates
Get-ADObject -SearchBase $TemplatePath -Filter * -Properties displayName |
    Select-Object Name, displayName | Sort-Object displayName

Verify Template

# List published templates on CA
certutil -CATemplates

# Verify specific template
certutil -v -template "Linux-Workstation-Auth"

# Check EKU
certutil -v -template "Linux-Workstation-Auth" | Select-String -Pattern "EKU|Client Auth"

The template must include the Client Authentication EKU (1.3.6.1.5.5.7.3.2) for 802.1X.
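The settings from Steps 5 through 8 can also be checked from the template's AD object instead of by eye. The script below is an added example, not code from the original page; it assumes the ActiveDirectory RSAT module, the template and CA names used on this page, the flag bits documented in MS-CRTD, and the well-known GUID of the Enroll extended right. Beyond confirming the EKU, subject mode, Enroll permission and publication, it flags the combination this template creates (requester-supplied subject, Enroll for Authenticated Users, no CA manager approval) so the operator can decide whether to require approval on the Issuance Requirements tab or narrow the Enroll group.

```powershell
# Added audit script (not from the original page): check the Linux-Workstation-Auth
# template object and the CA's published-template list against Steps 5-8.
# Assumes the ActiveDirectory module (RSAT) and the CA name HOME-ROOT-CA from this page.
Import-Module ActiveDirectory

$TemplateName = 'Linux-Workstation-Auth'
$CaName       = 'HOME-ROOT-CA'

$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$PkiBase  = "CN=Public Key Services,CN=Services,$ConfigNC"
$TplDN    = "CN=$TemplateName,CN=Certificate Templates,$PkiBase"
$CaDN     = "CN=$CaName,CN=Enrollment Services,$PkiBase"

# Flag bits (MS-CRTD) and the Enroll extended-right GUID
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: CA certificate manager approval
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$EnrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# pKIExpirationPeriod / pKIOverlapPeriod are 8-byte little-endian negative intervals in 100 ns ticks
function ConvertFrom-PkiPeriod {
    param([byte[]] $Bytes)
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

$Tpl = Get-ADObject -Identity $TplDN -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag',
    'msPKI-Enrollment-Flag', pKIExpirationPeriod, pKIOverlapPeriod
$Ca  = Get-ADObject -Identity $CaDN -Properties certificateTemplates

$nameFlag        = [int]$Tpl.'msPKI-Certificate-Name-Flag'
$enrollFlag      = [int]$Tpl.'msPKI-Enrollment-Flag'
$suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
$needsApproval   = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0

# Principals holding Enroll on the template (explicit extended right or full control)
$acl = Get-Acl -Path "AD:\$TplDN"
$enrollers = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ObjectType -eq $EnrollRight -or
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        )
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

$findings = @()
if ($Tpl.pKIExtendedKeyUsage -notcontains $ClientAuthOid) {
    $findings += "Client Authentication EKU ($ClientAuthOid) missing; ISE will reject these certificates"
}
if (-not $suppliesSubject) {
    $findings += "'Supply in the request' is not set; CSRs from Linux hosts will be rejected"
}
if ($enrollers -notcontains 'NT AUTHORITY\Authenticated Users') {
    $findings += "Authenticated Users do not hold Enroll; Linux hosts cannot request certificates"
}
# Requester-supplied subject + broad Enroll + no approval means issuance is ungated;
# approval or a narrower Enroll group puts a review step in front of it
if ($suppliesSubject -and $enrollers -contains 'NT AUTHORITY\Authenticated Users' -and -not $needsApproval) {
    $findings += "Subject is requester-supplied and Authenticated Users can enroll without CA manager approval; enable approval on the Issuance Requirements tab or restrict Enroll to a dedicated group"
}
if ($Ca.certificateTemplates -notcontains $TemplateName) {
    $findings += "Template is not published on $CaName (Step 8 not done)"
}

[pscustomobject]@{
    Template        = $TemplateName
    ValidityDays    = (ConvertFrom-PkiPeriod $Tpl.pKIExpirationPeriod).TotalDays
    RenewalDays     = (ConvertFrom-PkiPeriod $Tpl.pKIOverlapPeriod).TotalDays
    EKU             = ($Tpl.pKIExtendedKeyUsage -join ', ')
    SuppliesSubject = $suppliesSubject
    ManagerApproval = $needsApproval
    Enrollers       = ($enrollers -join '; ')
    PublishedOnCA   = ($Ca.certificateTemplates -contains $TemplateName)
    Findings        = if ($findings) { $findings -join "`n" } else { 'OK' }
} | Format-List
```

Run it as a Domain Admin on the DC (or any host with RSAT and the AD: drive). A healthy template from the steps above shows ValidityDays of 730, RenewalDays of 42, the client-auth OID in EKU, and either an approval flag or a deliberate decision recorded under Findings.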

SSH Access for YubiKey

Windows Server 2022 ships with OpenSSH 8.1. Upgrade to 9.5+ for FIDO2:

Invoke-WebRequest -Uri "https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.5.0.0p1-Beta/OpenSSH-Win64-v9.5.0.0.msi" -OutFile "$env:TEMP\OpenSSH.msi"
Stop-Service sshd -Force
# Wait for the installer to finish before restarting the service; a bare msiexec call returns immediately
Start-Process msiexec.exe -ArgumentList "/i `"$env:TEMP\OpenSSH.msi`" /qn" -Wait
Start-Service sshd
# Confirm the upgrade took
ssh -V