Active Directory Certificate Services Overview

  • Article

Applies To: Windows Server 2008

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.

In the following sections, learn more about AD CS, the required and optional features in AD CS, and hardware and software used for running AD CS. At the end of this topic, learn how to open the interface for AD CS and how to find more information about AD CS.

Features in AD CS

By using Server Manager, you can set up the following components of AD CS:

  • Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.

  • Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs).

  • Online Responder. The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.

  • Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.

Benefits of AD CS

Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates.

Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

Among the new features of AD CS in Windows Server® 2008 are:

  • Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis.

  • Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.

  • Scalable, high-speed revocation status response services combining both CRLs and integrated Online Responder services.

Hardware and software considerations

AD CS requires Windows Server 2008 and Active Directory Domain Services (AD DS). Although AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrollment portals. CAs can be set up on servers running a variety of operating systems, including Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design will require careful planning and testing before you deploy AD CS in a production environment.

Note

A limited set of server roles is available for a Server Core installation of Windows Server 2008 and for Windows Server 2008 for Itanium-based systems. AD CS cannot be installed on Server Core or Itanium-based installations of Windows Server 2008.

Installing AD CS

After you finish installing the operating system, you can set up a CA and other optional components by using Server Manager.

Additional configuration steps need to be completed by using the appropriate snap-ins before a CA or Online Responder is functional. For more information, refer to the related Help topics for the Certification Authority and Online Responder snap-ins.

Managing AD CS

AD CS role services are managed by using Microsoft Management Console (MMC) snap-ins.

  • To manage a CA, use the Certification Authority snap-in. To open Certification Authority, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certification Authority, click Add, click OK, and then double-click Certification Authority.

  • To manage certificates, use the Certificates snap-in. To open Certificates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificates, click Add, click OK, and then double-click Certificates.

  • To manage certificate templates, use the Certificate Templates snap-in. To open Certificate Templates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificate Templates, click Add, click OK, and then double-click Certificate Templates.

  • To manage an Online Responder, use the Online Responder snap-in. To open Online Responder, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Online Responder, click Add, click OK, and then double-click Online Responder.

If you are using Windows Server 2008 but have not yet installed any of the AD CS role services, then only the Certificates snap-in is installed by default. You can install the remaining snap-ins without installing AD CS roles services by using Server Manager and selecting the Active Directory Certificate Services tools under Remote Server Administration Tools. If the computer you want to perform remote administration tasks from is running Windows Vista, you can obtain the Remote Server Administration Tools Pack from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkID=89361).

For more information

  • To learn more about AD CS, you can view the Help on your server. To do this, open the Certification Authority snap-in and then press F1 to display Help.

  • For more information about AD CS, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?LinkId=48545).