What's New in Active Directory Certificate Services

Applies To: Windows Server 2008 R2

What are the major changes?

Active Directory® Certificate Services (AD CS) in Windows Server® 2008 R2 introduces features and services that allow more flexible public key infrastructure (PKI) deployments, reduce administration costs, and provide better support for Network Access Protection (NAP) deployments.

The AD CS features and services in the following table are new in Windows Server 2008 R2.

Feature Benefit

Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service

Enables certificate enrollment over HTTP.

Support for certificate enrollment across forests

Enables certification authority (CA) consolidation in multiple-forest deployments.

Improved support for high-volume CAs

Reduced CA database sizes for some NAP deployments and other high-volume CAs.

Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service

The certificate enrollment Web services are new AD CS role services that enable policy-based certificate enrollment over HTTP by using existing methods such as autoenrollment. The Web services act as a proxy between a client computer and a CA, which makes direct communication between the client computer and CA unnecessary, and allows certificate enrollment over the Internet and across forests.

Who will be interested in this feature?

Organizations with new and existing PKIs can benefit from the expanded accessibility of certificate enrollment provided by the certificate enrollment Web services in these deployment scenarios:

  • In multiple-forest deployments, client computers can enroll for certificates from CAs in a different forest.

  • In extranet deployments, mobile workers and business partners can enroll over the Internet.

Are there any special considerations?

The Certificate Enrollment Web Service submits requests on behalf of client computers and must be trusted for delegation. Extranet deployments of this Web service increase the threat of network attack, and some organizations might choose not to trust the service for delegation. In these cases, the Certificate Enrollment Web Service and issuing CA can be configured to accept only renewal requests signed with existing certificates, which does not require delegation.

The certificate enrollment Web services also have the following requirements:

  • Active Directory forest with Windows Server 2008 R2 schema.

  • Enterprise CA running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.

  • Certificate enrollment across forests requires an enterprise CA running the Enterprise or Datacenter edition of Windows Server.

  • Client computers running Windows® 7.

Which editions include this feature?

The certificate enrollment Web services are available in all editions of Windows Server 2008 R2.

Support for certificate enrollment across forests

Before the introduction of enrollment across forests, CAs could issue certificates only to members of the same forest, and each forest had its own PKI. With added support for LDAP referrals, Windows Server 2008 R2 CAs can issue certificates across forests that have two-way trust relationships.

Who will be interested in this feature?

Organizations with multiple Active Directory forests and per-forest PKI deployments can benefit from CA consolidation by enabling certificate enrollment across forests.

Are there any special considerations?

  • Active Directory forests require Windows Server 2003 forest functional level and two-way transitive trust.

  • Client computers running Windows XP, Windows Server 2003, and Windows Vista® do not require updates to support certificate enrollment across forests.

Which editions include this feature?

This feature is available on enterprise CAs running Windows Server 2008 R2 Enterprise or Windows Server 2008 R2 Datacenter.

Improved support for high-volume CAs

Who will be interested in this feature?

Organizations that have deployed NAP with IPsec enforcement or other high-volume CAs can choose to bypass certain CA database operations to reduce CA database size.

NAP health certificates typically expire within hours after being issued, and the CA might issue multiple certificates per computer each day. By default, a record of each request and issued certificate is stored in the CA database. A high volume of requests increases the CA database growth rate and administration cost.

Are there any special considerations?

Because issued certificates are not stored in the CA database, certificate revocation is not possible. However, maintenance of a certificate revocation list for a high volume of short-lived certificates is often not practical or beneficial. As a result, some organizations might choose to use this feature and accept the limitations on revocation.

Which editions include this feature?

This feature is available on enterprise CAs running any edition of Windows Server 2008 R2.