Windows Server Summit | AD certificate authority
Certificate authorities: once established, it's best never to touch them again.
Certification authorities (CAs) are indeed quite static constructs and require careful planning in advance. If subsequent adjustments are necessary, this often means a complete reinstallation. And maintaining a CA is usually not an IT department's favorite task.
However, CAs can make a valuable contribution to corporate security, for example by enabling passwordless authentication. This article therefore focuses on the improvements introduced with Windows Server 2025.
CRL partitioning
In large environments, the Certificate Revocation List (CRL) can become quite large over time. Clients use the CRL to check the validity of a certificate, but they have to download it in its entirety to do so.
With Windows Server 2025, it is now possible to automatically split the CRL into smaller packages so that clients only need to download the part that is relevant to them.
Increase in the maximum size for extensions
By default, certificates can contain extensions of up to 4 KB. However, this may not be sufficient in some situations (e.g., many SAN extensions), resulting in corresponding error messages. This limit has now been increased to 16 KB.
More detailed information in event logs
Previously, events such as certificate requests and rejections were insufficiently traceable in the event log. Accordingly, four events (4886-4889) have been expanded to include additional information such as SANs, the certificate template, the authentication level, etc.
Recommendations for hardening a CA
Since a CA is a critical component of corporate security, it should also be secured accordingly. Microsoft provides the following recommendations for this purpose:
- Classification in Tier 0 (when using the tiering model)
- Use HSMs to secure the private key of the CA certificate
- Remove unnecessary permissions (Enroll, AutoEnroll) (e.g., for groups such as “Authenticated Users” and “Domain Users”)
- Only publish required certificate templates; remove unnecessary ones
- Do not allow the “Supply in request” option globally, but only for selected templates/users
- Implement the hardening steps against NTLM relay attacks on web enrollment (these protections are enabled by default in Windows Server 2025)
- Implement strong certificate mappings (mandatory since September 2025)
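The permission and "Supply in request" items above can be checked with a read-only audit script like the following. It is an added example, not part of the article or of Microsoft's guidance, and assumes the ActiveDirectory PowerShell module, read access to the Configuration partition, and the well-known Certificate-Enrollment and Certificate-AutoEnrollment extended-right GUIDs.

```powershell
# Added audit example (not from the article): lists published certificate templates
# that grant Enroll/AutoEnroll to broad groups and/or allow "Supply in request".
# Assumption: ActiveDirectory module is installed and the caller can read the Configuration NC.
Import-Module ActiveDirectory

$pkiRoot = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right
$broadGroups    = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1                           # bit in msPKI-Certificate-Name-Flag

# Only templates published on at least one CA can actually be enrolled.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiRoot" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiRoot" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties 'msPKI-Certificate-Name-Flag'

$report = foreach ($tpl in $templates) {
    if ($published -notcontains $tpl.Name) { continue }
    $acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"

    # ACEs that let a broad group enrol: Enroll/AutoEnroll extended right (or all extended rights) or GenericAll
    $broadEnroll = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broadGroups -contains ($_.IdentityReference.Value -replace '^.*\\', '')) -and
        (
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            (
                $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq $autoEnrollGuid -or $_.ObjectType -eq [guid]::Empty)
            )
        )
    })

    $suppliesSubject = ($tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0

    [pscustomobject]@{
        Template        = $tpl.Name
        BroadEnroll     = ($broadEnroll.IdentityReference.Value -join ', ')
        SupplyInRequest = $suppliesSubject
        ReviewNeeded    = ($broadEnroll.Count -gt 0) -or $suppliesSubject   # either item alone is worth a look
    }
}

$report | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
```

Templates that show both a broad enroll group and SupplyInRequest = True are the ones to restrict first, either by removing the Enroll/AutoEnroll ACE or by clearing "Supply in request".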
Additional information
Official video: AD CS enhancements, innovations, and security - Windows Server Summit
Overview of all articles: Windows Server Summit in a nutshell