Active Directory Certificate Services Overview

Applies To: Windows Server 2008, Windows Server 2008 R2

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.

In the following sections, learn more about AD CS, the required and optional features, and hardware and software used for running AD CS. At the end of this topic, learn how to open the management interface for AD CS and how to find more information.

Features in AD CS

By using Server Manager, you can install the following components of AD CS:

  • Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.

  • CA Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs).

  • Online Responder. The Online Responder service accepts revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.

  • Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.

  • Certificate Enrollment Web Service. The Certificate Enrollment Web Service enables users and computers to perform certificate enrollment that uses the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.

  • Certificate Enrollment Policy Web Service. The Certificate Enrollment Policy Web Service enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.

Benefits of AD CS

Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates.

Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

The new features of AD CS in Windows Server 2008 R2 include:

  • Certificate enrollment that uses the HTTPS protocol.

  • Certificate enrollment across Active Directory Domain Services (AD DS) forest boundaries.

  • Improved support for high-volume certificate issuance.

  • Support for CAs on a Server Core installation of Windows Server 2008 R2.

Hardware and software considerations

Although AD CS can be deployed on a single server, many deployments will include multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrollment portals. CAs can be installed on servers running a variety of operating systems, including Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design will require careful planning and testing before you deploy AD CS in a production environment.

Installing AD CS

After you finish installing the operating system, you can use Server Manager to set up a CA and other optional components.

Additional configuration steps need to be completed by using the appropriate snap-ins before a CA or Online Responder is functional. For more information, refer to the related Help topics for the Certification Authority snap-in and the Online Responder snap-in.
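A quick way to check which of the role services listed above are installed on a server, and whether the CA and Online Responder services are running, as an added PowerShell example that is not part of this topic (it assumes Windows Server 2008 R2 with the ServerManager module available and an elevated session, and uses the Server Manager feature names and the CertSvc/OcspSvc service names for these components):

```powershell
# Added example (not from the original topic): inventory the AD CS role
# services described above and the state of the CA and Online Responder
# services. Assumes Windows Server 2008 R2, run from an elevated session.
Import-Module ServerManager

# Server Manager feature names mapped to the AD CS components they provide.
$roleServices = @{
    'ADCS-Cert-Authority'    = 'Certification Authority'
    'ADCS-Web-Enrollment'    = 'CA Web Enrollment'
    'ADCS-Online-Cert'       = 'Online Responder'
    'ADCS-Device-Enrollment' = 'Network Device Enrollment Service'
    'ADCS-Enroll-Web-Svc'    = 'Certificate Enrollment Web Service'
    'ADCS-Enroll-Web-Pol'    = 'Certificate Enrollment Policy Web Service'
}

# Report each role service as Installed / Not installed.
$features = Get-WindowsFeature -Name ([string[]]$roleServices.Keys)
foreach ($f in $features) {
    $state = if ($f.Installed) { 'Installed' } else { 'Not installed' }
    '{0,-45} {1}' -f $roleServices[$f.Name], $state
}

# Only the CA (CertSvc) and the Online Responder (OcspSvc) run as Windows
# services; Web enrollment, NDES and CES/CEP run as IIS applications, so
# their health is checked through IIS rather than Get-Service.
foreach ($svc in 'CertSvc', 'OcspSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { '{0,-45} {1}' -f $s.DisplayName, $s.Status }
}
```

A role service that shows as installed but whose service is not running is the usual sign that the post-installation configuration described above has not yet been completed.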

Managing AD CS

You can use either Server Manager or Microsoft Management Console (MMC) snap-ins to manage AD CS role services. Use the following steps to open the snap-ins:

  • To manage a CA, use the Certification Authority snap-in. To open the Certification Authority snap-in, click Start, click Run, type certsrv.msc, and click OK.

  • To manage certificates, use the Certificates snap-in. To open the Certificates snap-in, click Start, click Run, type certmgr.msc, and click OK.

  • To manage certificate templates, use the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type certtmpl.msc, and click OK.

  • To manage an Online Responder, use the Online Responder snap-in. To open the Online Responder snap-in, click Start, click Run, type ocsp.msc, and click OK.

Note

Remote Server Administration Tools (RSAT) are available for Windows Vista and Windows 7.

For more information

  • To learn more about AD CS, you can view the Help on your server. To do this, open the Certification Authority snap-in, and then press F1 to display Help.

  • For more information about AD CS, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?LinkId=48545).