Share via


Relationship of the Configuration Container and Certificate Store

Applies To: Windows Server 2003 with SP1

The table in this section describes the relationship between the information that is stored in the configuration container of Active Directory and the certificate store. Typically, parts of the configuration information are replicated to the client's certificate store.

The default view of the Certificates MMC does not display the physical structure of the certificate store. To view the physical structure of the certificate store, follow this procedure:

  1. Open Certificates.

    To do this, click Start, click Run, in the Open box, type certmgr.msc, and then press ENTER.

  2. Verify that the local computer's certificates and the current user's certificate are displayed in the console tree.

  3. In the console tree, click Certificate (Local Computer).

  4. On the View menu, click Options, and select the Physical certificates store check box.

Note

Any information that is stored in a registry container has an impact on only the local client. Registry containers never receive information from the Active Directory configuration context. The Intermediate Certificate Authorities – Group Policy container is not used in the client certificate store.

Certificates that are stored in the Active Directory Configuration container (Sites and Services) are deployed to all clients across the forest. Certificates that are deployed through domain security are deployed only in the domain. If a certificate is registered in the Configuration container and the Domain Security Group Policy object (GPO), a certificate may occur twice on the client. To prevent confusion with expired or invalid certificates, you must ensure that certificates are correctly published.

You can view the Active Directory configuration context through the Active Directory Sites and Services MMC.

Table 22 Certificate Containers and Certificate Stores

Active Directory Configuration container Client certificates store

Active Directory Sites and Services MMC

In the console tree, navigate to Certification Authorities:

DomainName\Configuration Services\Public Key Services\Certification Authorities

Enterprise CAs are installed and automatically published to this location. CA certificates may also be added manually through the certutil –dspublish command.

Local Computer

In the console tree, navigate to Certificates:

Trusted Root Certificate Authorities\Enterprise\Certificates

Sites and Services MMC

In the console tree, navigate to AIA:

DomainName\Configuration\Services\Public Key Services\AIA

This container also contains qualified subordination certificates (cross-certificates) that are controlled by the template that is used to generate CA certificates.

Local Computer

In the console tree, navigate to Certificates:

Intermediate Certificate Authorities\Enterprise\Certificates

Windows 2000, Windows XP, or Windows Server 2003 clients automatically download the content from the configuration container; Windows 2000 clients do not support cross-certificates

Domain Security Settings MMC

In the console tree, navigate to Trusted Root Certification Authorities:

Computer Configuration\Windows settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

Local Computer

In the console tree, navigate to Certificates:

Trusted Root Certificate Authorities\Group Policy\Certificates

Domain Security Settings MMC

In the console tree, navigate to Enterprise Trust:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Enterprise Trust

Local Computer

In the console tree, navigate to Group Policy:

Enterprise Trust\Group Policy