Using Policy to Manage Active Directory Certificate Services

Applies To: Windows Server 2008 R2

Domain Group Policy can be used to manage the following types of certificate-related activities in an Active Directory Domain Services (AD DS) environment:

  • Credential roaming

  • Autoenrollment of certificates

  • Certificate path validation

  • Certificate distribution

Credential roaming

Credential roaming allows X.509 certificates, certificate requests, and private keys specific to a user in AD DS to be stored independently from the user profile and used on any computer on the network.

Digital certificates and private keys involve comparatively small amounts of data that need to be stored in a secure manner. Credential roaming policy provides a means for managing the use of these credentials on multiple computers in a manner that addresses the secure storage and size requirements of digital certificates and private keys. In Windows Server 2008 R2 and Windows Server 2008, credential roaming policy includes stored user names and passwords as well as certificates and keys.

For more information, see Enable Credential Roaming.

For more information about credential roaming and significant differences between its implementation in Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP, see Configuring and Troubleshooting Certificate Services Client–Credential Roaming (https://go.microsoft.com/fwlink/?LinkID=85332).

Certificate autoenrollment

Many organizations use Group Policy to automatically enroll users, computers, or services for certificates.

For more information, see Configure Certificate Autoenrollment.

Certificate path validation

As certificate use for secure communication and data protection increases, administrators can use certificate trust policy, through its certificate path validation options, to tighten their control over how certificates are used and to improve public key infrastructure performance.

Certificate path validation settings in Group Policy allow administrators to manage stores, trusted publishers, network retrieval, and revocation checking.

For more information, see Manage Certificate Path Validation.

Certificate distribution

The certificate distribution capabilities in Group Policy are useful for managing certificate-related trust in an organization. They allow you to ensure that certain certificates are trusted and that certificate chain building occurs with little or no user intervention. You can also block the use of certificates that you cannot directly revoke because they were issued by an external certification authority (CA).

For more information, see Use Policy to Distribute Certificates.

Additional references