AD CS Facts
You can use Active Directory Certificate Services (AD CS) to create your own PKI. Servers running AD CS issue certificates to users and computers. When you install AD CS on a server, you choose one of the following CA types:
- An enterprise root CA is the first CA in the PKI hierarchy. An enterprise CA is integrated with Active Directory: it can use information in Active Directory when issuing certificates, and it can publish certificates to Active Directory.
- An enterprise subordinate CA gets its authority to issue certificates from a root CA. A subordinate enterprise CA can use information in Active Directory for responding to certificate requests.
- A standalone root CA is the first CA in the PKI hierarchy. It is not integrated with Active Directory.
- A standalone subordinate CA gets its authority from a root CA. It is not integrated with Active Directory.
When you install AD CS on a server, you choose one (or more) of the following role services:
| Role service | Description |
|---|---|
| Certification Authority | Add the Certification Authority role service to configure the server as a CA that can issue certificates to other CAs or to users and computers. When you add this role service, you configure the server as an enterprise or standalone CA and as a root or subordinate CA. |
| Certification Authority Web Enrollment | Add the Certification Authority Web Enrollment role service to allow users to connect to a CA through a Web browser and perform common tasks, such as: |
| Online Responder | The Microsoft Online Responder service makes it possible to configure and manage Online Certificate Status Protocol (OCSP) validation and revocation checking in Windows-based networks. OCSP allows a relying party (i.e., a client) to submit a certificate status request to an online responder (also called an OCSP responder). The OCSP responder returns to the client a definitive, digitally signed response indicating the certificate status. Use the Online Responder service to: |
| Network Device Enrollment Service (NDES) | The Network Device Enrollment Service makes it possible for software running on network devices such as routers and switches (which cannot otherwise be authenticated on the network) to enroll for certificates from a CA. The following process is used to obtain certificates for non-Microsoft devices: The registration authority must be running the Windows Server 2008 Enterprise or Datacenter edition. |
| Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service | The Certificate Enrollment Web services are new AD CS role services in Windows Server 2008 R2. The services enable policy-based certificate enrollment over HTTP by using existing methods. The Web services: The Certificate Enrollment Web services have the following requirements: |
Note: The Certification Authority role service is automatically selected when the AD CS role is added, but it cannot be installed at the same time as the Certificate Enrollment Web Service or Certificate Enrollment Policy Web Service. If you intend to install both the CA and the Certificate Enrollment Web Service or Certificate Enrollment Policy Web Service, complete the CA installation first.
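The following PowerShell sequence is an added example, not part of the original notes or of any Microsoft documentation, showing the role services above being configured in the order the note requires (CA first, enrollment web services afterwards). It assumes the ADCSDeployment cmdlets of Windows Server 2012 and later; the host name, CA name and TLS certificate thumbprint are placeholders.

```powershell
# Added example (not from the original page). Run elevated on the future CA server as a
# domain account with Enterprise Admins rights (required for an enterprise CA).
$caName   = "CORP-Issuing-CA"                                  # assumed CA common name
$caCfg    = "ca01.corp.example\$caName"                        # assumed "<host>\<CA name>"
$tlsThumb = "<thumbprint of the web server's TLS certificate>" # placeholder, replace

Import-Module ServerManager
Import-Module ADCSDeployment

# 1. Install the binaries for every role service you intend to enable. IIS and other
#    dependencies are pulled in automatically.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Online-Cert, ADCS-Web-Enrollment,
    ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol -IncludeManagementTools

# 2. Configure the Certification Authority first. -CAType maps directly to the four
#    CA types listed earlier (EnterpriseRootCA, EnterpriseSubordinateCA,
#    StandaloneRootCA, StandaloneSubordinateCA); a subordinate would add -ParentCA.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# 3. Only after the CA exists, configure the role services that depend on it.
#    Kerberos authentication keeps enrollment tied to domain identities; the web
#    services must be reached over HTTPS, hence the TLS certificate thumbprint.
Install-AdcsOnlineResponder -Force
Install-AdcsWebEnrollment -Force
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $tlsThumb -Force
Install-AdcsEnrollmentWebService -CAConfig $caCfg `
    -AuthenticationType Kerberos -SSLCertThumbprint $tlsThumb -Force

# 4. Confirm the CA answers and list which AD CS role services are now installed.
certutil -config $caCfg -ping
Get-WindowsFeature ADCS-* | Where-Object Installed | Select-Object Name, DisplayName
```

Running Install-AdcsEnrollmentWebService before the CA is configured fails because there is no CA configuration string to point -CAConfig at, which is the practical form of the ordering rule in the note.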
The following table lists additional features available through Active Directory Certificate Services.
| Feature | Description |
|---|---|
| Certificate templates | A certificate template identifies a certificate type and describes the rules the CA follows when issuing a certificate based on the template. Templates also give instructions to the user on how to create and submit a certificate request. |
| Autoenrollment | With autoenrollment, certificates can be requested, issued, or renewed without user intervention. Autoenrollment automatically downloads and manages certificates from Active Directory into the local machine registry for all users who log on to domain-joined machines. Autoenrollment also manages certificates for user objects in Active Directory by deleting revoked and expired certificates. |
| Web enrollment | Web enrollment allows users to connect to a CA via a Web browser and perform common tasks, such as the following: |
| Credential roaming | Credential roaming allows a user to store a single set of certificates and private keys in Active Directory. This makes the certificates and keys available on multiple computers in a manner that is extremely secure, easy to implement and manage, and transparent to the user. |
| Certificate enrollment across forests | Windows Server 2008 R2 CAs can issue certificates across forests that have two-way trust relationships (with the use of LDAP referrals). Before the introduction of enrollment across forests, CAs could issue certificates only to members of the same forest, and each forest had its own PKI. Preparing for multiple-forest deployments of Active Directory Certificate Services requires that you identify the account forest (the forest that contains the user accounts that will be requesting certificates) and the resource forest (the forest that will be providing certificates to the account forest). You then need to take the following steps: |
| High-volume CA support | A CA supporting an environment that requires Network Access Protection (NAP) with IPSec enforcement can expect a high volume of certificate requests. There may be hundreds or even thousands of certificates issued every day depending on the environment, all of which have short validity periods. By default, CAs store a record of each certificate request and issued certificate in the CA database. High-volume CAs may experience rapid database growth, which can consume all available disk space. Enabling non-persistent certificate processing causes the CA to process certificate requests and issue certificates without storing those requests and certificates in the CA database. |
Note: Many of these features require an enterprise CA.
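The high-volume CA feature in the table is switched on with a CA registry flag. The commands below are an added example, not from the original notes, showing how to enable non-persistent certificate processing on a CA and what to check afterwards; the CA configuration string is a placeholder, and the per-template step is assumed from Microsoft's description of the feature rather than shown here.

```powershell
# Added example (not from the original page). Run on the CA server as a CA administrator.
$caCfg = "ca01.corp.example\CORP-Issuing-CA"   # assumed "<host>\<CA name>"

# Current database flags. By default every request and issued certificate is persisted.
certutil -config $caCfg -getreg DBFlags

# Opt the CA in to volatile (non-persistent) requests. On its own this changes nothing:
# per Microsoft's documentation, a certificate is only left out of the database when
# the template it was issued from also has "Do not store certificates and requests in
# the CA database" selected, so ordinary templates keep their full audit trail.
certutil -config $caCfg -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
Restart-Service certsvc            # DBFlags is read when the CA service starts

# Verify the flag took effect.
certutil -config $caCfg -getreg DBFlags

# Caveat for defenders: a certificate that was never written to the CA database cannot
# be revoked through the CA and leaves no issuance record there. Keep CA auditing on
# (AuditFilter 127 = all CA audit categories) so issuance still lands in the Security
# event log, and scope the non-persistent template to the short-lived NAP use case only.
certutil -config $caCfg -getreg CA\AuditFilter
```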