Active Directory Certificate Services Overview

Applies To: Windows Server 2008 R2

Active Directory Certificate Services (AD CS) role services can be set up on servers running operating systems including Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment. Although you can deploy AD CS with a single server for a single certification authority (CA), deployments can involve multiple servers configured as root CAs, policy CAs, and issuing CAs, and other servers configured as Online Responders.

The following table lists the AD CS components that can be configured on different editions of Windows Server 2008 R2.

Components                                  Web edition   Standard edition   Enterprise edition   Datacenter edition
CA                                          No            Yes                Yes                  Yes
Network Device Enrollment Service           No            No                 Yes                  Yes
Online Responder service                    No            No                 Yes                  Yes
CA Web Enrollment                           No            Yes                Yes                  Yes
Certificate Enrollment Web Service          No            Yes                Yes                  Yes
Certificate Enrollment Policy Web Service   No            Yes                Yes                  Yes

The following features are available on servers running Windows Server 2008 R2 that have been configured as CAs.

AD CS features                                          Web edition   Standard edition   Enterprise edition   Datacenter edition
Customizable version 2 and version 3 certificate templates   No       Yes                Yes                  Yes
Key archival                                            No            Yes                Yes                  Yes
Role separation                                         No            No                 Yes                  Yes
Certificate manager restrictions                        No            No                 Yes                  Yes
Delegated enrollment agent restrictions                 No            No                 Yes                  Yes
Certificate enrollment across forest boundaries         No            No                 Yes                  Yes

Customizing AD CS

AD CS includes programmable interfaces so that developers can create support for additional transports, policies, and certificate properties and formats. For information about customizing AD CS, see Certificate Services Architecture (https://go.microsoft.com/fwlink/?LinkId=91405).

Managing AD CS

The following Microsoft Management Console (MMC) snap-ins can be used to manage AD CS:

  • Certification Authority. The primary tool for managing a CA, certificate revocation, and certificate enrollment.

  • Certificate Templates. Used to duplicate and configure certificate templates for publication to Active Directory Domain Services (AD DS) and for use with enterprise CAs.

  • Online Responder. Used to configure and manage Online Certificate Status Protocol (OCSP) responders.

  • Enterprise PKI. Used to monitor multiple CAs, certificate revocation lists (CRLs), and authority information access locations, and to manage AD CS objects that are published to AD DS.

  • Certificates. Used to view and manage certificate stores for a computer, user, or service.
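The snap-ins above have command-line counterparts that are easier to script and to compare against a baseline. The following PowerShell script is an added example and is not part of the original page or of Microsoft's own documentation; it assumes the CA is reachable as ca01.contoso.com\CONTOSO-ROOT-CA (both names are placeholders), that the caller is allowed to read the CA configuration remotely, and that the machine is domain-joined so the LDAP lookup of the template container works.

```powershell
# Added example, not from the original page or from Microsoft: command-line
# counterparts of what the Certification Authority, Certificate Templates and
# Enterprise PKI snap-ins display. Assumptions: the CA is reachable as
# ca01.contoso.com\CONTOSO-ROOT-CA, the caller can read the CA configuration
# remotely, and the machine is domain-joined (needed for the LDAP lookup).
$CaConfig = 'ca01.contoso.com\CONTOSO-ROOT-CA'   # <host>\<CA common name> (assumed)

# 1. Role separation (Enterprise/Datacenter only). When set to 1, a principal
#    holding more than one CA role (CA administrator, certificate manager,
#    auditor, backup operator) is locked out of all of them. If the value is
#    missing, certutil fails with 0x80070002, which means it is disabled.
certutil -config $CaConfig -getreg CA\RoleSeparationEnabled

# 2. Certificate manager restrictions (Enterprise/Datacenter only). Stored as a
#    binary security descriptor that maps each certificate manager to the
#    templates and requesters it is allowed to approve or revoke.
certutil -config $CaConfig -getreg CA\OfficerRights

# 3. CRL distribution point and authority information access publication URLs.
#    These are the locations the Enterprise PKI snap-in probes when it reports
#    CRL and AIA status; a stale or unreachable URL shows up here first.
certutil -config $CaConfig -getreg CA\CRLPublicationURLs
certutil -config $CaConfig -getreg CA\CACertPublicationURLs

# 4. Templates this CA is configured to issue (the "Certificate Templates"
#    folder of the Certification Authority snap-in).
certutil -config $CaConfig -CATemplates

# 5. Every template published in AD DS, with its schema version. Version 1
#    templates are fixed; version 2 and 3 templates are the ones the
#    Certificate Templates snap-in lets you duplicate and customize.
#    Written for PowerShell 2.0 (the version shipped with Windows Server 2008 R2).
$rootDse   = [ADSI]'LDAP://RootDSE'
$cfgNc     = $rootDse.configurationNamingContext
$templates = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$templates.Children |
    ForEach-Object {
        New-Object PSObject -Property @{
            Name          = [string]$_.cn
            SchemaVersion = [int]$_.'msPKI-Template-Schema-Version'.Value
            EKU           = (@($_.pKIExtendedKeyUsage) -join ', ')
        }
    } |
    Sort-Object SchemaVersion, Name |
    Format-Table Name, SchemaVersion, EKU -AutoSize
```

Steps 1 and 2 only return meaningful values on Enterprise and Datacenter editions, matching the feature table above; on Standard edition the registry values are absent. Step 5 reads the Configuration partition, so it lists every template in the forest, not only those the CA in step 4 is willing to issue; comparing the two lists is the quickest way to spot a template that was published to AD DS but never enabled on the CA, or the reverse.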

Additional references