Managing Policy and Exit Modules

Applies To: Windows Server 2008 R2

Policy modules determine whether a certificate request should be automatically approved, denied, or marked as pending. Exit modules provide an opportunity to perform certain tasks after a certificate is issued.

Active Directory Certificate Services (AD CS) includes one policy module (Certpdef.dll) and one exit module (Certxds.dll). The policy module includes two separate policies: enterprise and stand-alone. To compare a certification authority (CA) that uses an enterprise policy and a CA that uses a stand-alone policy, see Enterprise Certification Authorities and Stand-Alone Certification Authorities.

As a CA administrator, you can replace these default modules with your own custom policy and exit modules or another vendor's policy and exit modules. In addition, if you have upgraded to AD CS in Windows Server 2008 R2 or Windows Server 2008 from Certificate Services in an earlier version of Windows, you can use the same policy module you used prior to upgrading. When you view the properties of the CA, the policy module will be listed either as a legacy policy module or with its original name, depending on how it was created.

Policy module

The policy module provided with a Windows Server 2008 R2–based CA determines the default action of a CA upon receiving a certificate request: approve, deny, or mark as pending.

In most cases, the administrator of a stand-alone CA should set all incoming certificate requests to pending. A stand-alone CA does not verify the identity of requesters through Active Directory Domain Services (AD DS), so if requests were approved automatically there would be no way to verify the identity and validity of the requester before a certificate is issued.

The CA can have only one policy module loaded at a time.

Exit module

The exit module that is provided with a Windows Server 2008 R2–based CA can be configured to perform the following functions:

  • Send e-mail when a certification event occurs.

  • Publish certificates to the file system.

This is not an exhaustive list of the functions of the exit module. Unlike the policy module, multiple exit modules can be used by a CA simultaneously.
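The following PowerShell script is an added example; it is not part of this article and is not code shipped with AD CS. It reads the CertSvc configuration keys that the Certification Authority snap-in writes, to show in practice what the two sections above describe: the single active policy module and its request disposition, the check that a stand-alone CA is holding requests as pending, and the list of exit modules (which may be several) with what the default one publishes. It assumes it is run on the CA itself with local administrator rights; the registry paths, the RequestDisposition and CAType values, and the PublishCertFlags bits are the AD CS definitions from the SDK headers (certca.h, certexit.h) and are noted as such in the code.

```powershell
# Added example, not from the original article or from AD CS.
# Audits the local CA's policy and exit module configuration from the
# CertSvc registry keys. Assumes: run on the CA as a local administrator.

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName

# CAType values from the AD CS ENUM_CATYPES enumeration
$caTypeNames = @{ 0 = 'Enterprise root'; 1 = 'Enterprise subordinate';
                  3 = 'Stand-alone root'; 4 = 'Stand-alone subordinate' }
$caType   = (Get-ItemProperty -Path $caKey -Name CAType).CAType
$typeName = $caTypeNames[[int]$caType]
if (-not $typeName) { $typeName = "unknown ($caType)" }
$isStandAlone = @(3, 4) -contains $caType
Write-Output ("CA '{0}' type: {1}" -f $caName, $typeName)

# ---- Policy module: the CA loads exactly one (REG_SZ 'Active') ----
$policyKey    = Join-Path $caKey 'PolicyModules'
$activePolicy = (Get-ItemProperty -Path $policyKey -Name Active).Active
Write-Output "Active policy module: $activePolicy"

# RequestDisposition flags for the default policy module (certca.h).
# The snap-in writes 0x101 (PENDINGFIRST | ISSUE) for "set to pending"
# and 0x1 (ISSUE) for "issue automatically".
$REQDISP_ISSUE        = 0x001
$REQDISP_DENY         = 0x002
$REQDISP_MASK         = 0x0FF
$REQDISP_PENDINGFIRST = 0x100

$dispValue = (Get-ItemProperty -Path (Join-Path $policyKey $activePolicy) `
              -Name RequestDisposition -ErrorAction SilentlyContinue).RequestDisposition
if ($dispValue -ne $null) {
    $pendingFirst = ($dispValue -band $REQDISP_PENDINGFIRST) -ne 0
    $lowByte      = $dispValue -band $REQDISP_MASK
    if ($pendingFirst)                      { $effective = 'mark as pending (administrator approves)' }
    elseif ($lowByte -eq $REQDISP_ISSUE)    { $effective = 'issue automatically' }
    elseif ($lowByte -eq $REQDISP_DENY)     { $effective = 'deny' }
    else                                    { $effective = 'pending (REQDISP_PENDING)' }
    Write-Output ("RequestDisposition: 0x{0:X} -> {1}" -f $dispValue, $effective)

    # The check this article recommends: a stand-alone CA cannot verify
    # requester identity through AD DS, so it should hold requests as pending.
    if ($isStandAlone -and -not $pendingFirst) {
        Write-Warning ('Stand-alone CA approves requests without review. ' +
                       'To hold them: certutil -setreg policy\RequestDisposition 257, ' +
                       'then restart the Active Directory Certificate Services service.')
    }
} else {
    Write-Output "RequestDisposition not found under $activePolicy (custom or vendor policy module?)"
}

# ---- Exit modules: several can be loaded at once (REG_MULTI_SZ 'Active') ----
$exitKey     = Join-Path $caKey 'ExitModules'
$activeExits = @((Get-ItemProperty -Path $exitKey -Name Active).Active)
Write-Output ("Active exit modules ({0}):" -f $activeExits.Count)
foreach ($exit in $activeExits) {
    $line = "  $exit"
    # PublishCertFlags of the default exit module (certexit.h):
    # 0x1 = EXITPUB_FILE, 0x2 = EXITPUB_ACTIVEDIRECTORY
    $flags = (Get-ItemProperty -Path (Join-Path $exitKey $exit) `
              -Name PublishCertFlags -ErrorAction SilentlyContinue).PublishCertFlags
    if ($flags -ne $null) {
        $targets = @()
        if ($flags -band 0x1) { $targets += 'file system' }
        if ($flags -band 0x2) { $targets += 'Active Directory' }
        $where = if ($targets.Count -gt 0) { $targets -join ', ' } else { 'nothing' }
        $line += " (publishes issued certificates to: $where)"
    }
    Write-Output $line
}
```

Run it in an elevated PowerShell session on the CA. The RequestDisposition value is read with certutil as `certutil -getreg policy\RequestDisposition`, the active exit module list as `certutil -getreg exit\Active`, and any change made with `certutil -setreg` takes effect only after the Active Directory Certificate Services service is restarted.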

Customizing AD CS policy and exit modules

To configure the settings of the default policy and exit modules, see Configuring the Policy and Exit Modules.

To configure options for sending e-mail, see Send E-mail When a Certification Event Occurs.

Programmable interfaces are included in AD CS for developers to create customized policy modules. For more information, see Certificate Services Architecture (https://go.microsoft.com/fwlink/?LinkId=91405).

If you have created a customized policy module and you want to change the policy module, see Select a Different Policy Module.

If you have created a customized exit module and you want to change or add an exit module, see Select a Different Exit Module.