
Active Directory Certificate Services Overview


Updated: June 24, 2013

Applies To: Windows Server 2012 R2, Windows Server 2012

This document provides an overview of Active Directory Certificate Services (AD CS) in Windows Server® 2012. AD CS is the Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.


AD CS provides customizable services for issuing and managing digital certificates used in software security systems that employ public key technologies.

The digital certificates that AD CS provides can be used to encrypt and digitally sign electronic documents and messages. These digital certificates can be used for authentication of computer, user, or device accounts on a network. Digital certificates are used to provide:

  1. Confidentiality through encryption

  2. Integrity through digital signatures

  3. Authentication by associating certificate keys with computer, user, or device accounts on a computer network

You can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives you a cost-effective, efficient, and secure way to manage the distribution and use of certificates.

Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

AD CS changed in several ways in Windows Server 2012; the What’s New in AD CS article (http://go.microsoft.com/fwlink/?LinkID=224385) describes these changes.

AD CS role services can be installed through Server Manager. The following role services can be installed:

| Role service | Description |
| --- | --- |
| Certification Authority (CA) | Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity. |
| Web Enrollment | CA Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs). |
| Online Responder | The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information. |
| Network Device Enrollment Service | The Network Device Enrollment Service (NDES) allows routers and other network devices that do not have domain accounts to obtain certificates. |
| Certificate Enrollment Policy Web Service | The Certificate Enrollment Policy Web Service enables users and computers to obtain certificate enrollment policy information. |
| Certificate Enrollment Web Service | The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. When used together, the Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service enable policy-based certificate enrollment for domain member computers not connected to the domain and for computers that are not domain members. |

The following table provides additional resources for evaluating AD CS.

Content type


Product evaluation

Community resources

Related technologies

  • Active Directory Domain Services

  • Active Directory Rights Management Services

  • Active Directory Federation Services

  • Active Directory Lightweight Directory Services

