Standalone CA server, needs just server licensing or CALs?

TBone 20 Reputation points
2025-06-26T17:50:42.29+00:00

Company is wanting to go Entra only (no on-prem AD users). We need an internal standalone CA server setup for the certificate side, but want to confirm on the licensing side that just server licensing is needed and nothing like CALs are needed. Most of my colleagues believe certificate services in MS is just a feature that we can turn on so no extra licenses needed.


Accepted answer
  1. Chen Tran 1,190 Reputation points Independent Advisor
    2025-07-01T18:05:38.95+00:00

    Hello TBone,

    Thank you for posting your question on the Microsoft Windows Forum.

    The following are some plausible explanations to address your queries.
    

    1. Server Licensing:

    • You will need a valid Windows Server license for the server on which you install the standalone CA role. This license covers the operating system itself.

    2. No CALs for Active Directory Certificate Services (AD CS) Itself:

    • Unlike some other Windows Server roles (like Active Directory Domain Services, File Services, or Remote Desktop Services), Active Directory Certificate Services (AD CS) itself does not generally require Client Access Licenses (CALs) for users or devices to obtain certificates.

    Some considerations for your Entra-only environment:

    1. Standalone CA vs. Enterprise CA:

    • Standalone CAs do not require Active Directory Domain Services (AD DS) to function. They are independent and don't publish certificates or CRLs to AD DS. This aligns well with your goal of being "Entra-only" with no on-prem AD users.
    • Enterprise CAs are integrated with AD DS and rely on it for user accounts, security groups, and certificate templates. If you were setting up an Enterprise CA, you would inherently have AD DS, and thus likely require Windows Server CALs for users/devices accessing AD DS.

    2. Other Server Roles/Services:

    • Be mindful of any other server roles or services that might be running on the same server as your CA, or any other on-premises servers in your environment.
    1. If you have any other Windows Server roles (like a file server, print server, DHCP, DNS, etc.) that users or devices access, those would typically require Windows Server CALs.
    2. Your plan to be "Entra-only" suggests minimizing on-prem services, which helps reduce CAL requirements.

    3. Future Needs:

    • While a standalone CA doesn't require CALs, consider if your "Entra-only" environment might evolve to include other on-premises resources that users or devices need to access. If so, those interactions might necessitate CALs.

    You can refer to the below article for further information relating to Licensing.

    Hope the above information is helpful!

    1 person found this answer helpful.
