Certificates in AD RMS, from a Programmatic Perspective

Active Directory Rights Management Services (AD RMS) uses the following certificates. Each identifies a specific entity, such as a computer or user, by signing it into the AD RMS certificate hierarchy.

Machine certificate - Issued by an AD RMS certification service to identify a computer in the AD RMS certificate hierarchy.
Rights account certificate - Issued by an AD RMS certification service to identify an Active Directory user account in the AD RMS certificate hierarchy.
Client licensor certificate - Issued by the AD RMS licensing service to enable offline signing of an issuance license. For more information, see Creating and Using Issuance Licenses.
Server licensor certificate - Identifies an AD RMS server in the AD RMS certificate hierarchy. Beginning with Windows Server 2008, the certificate is created automatically when you install the AD RMS role.
Application manifest - Identifies an AD RMS application by signing it with the Pre-production or Production certificate provided by Microsoft.
Pre-Production certificate - Provided by Microsoft to sign a custom application into the Pre-production AD RMS certificate hierarchy. This certificate is used during application development.
Production certificate - Provided by Microsoft to sign a custom application into the Production AD RMS certificate hierarchy. This certificate is used by released applications that have been licensed by Microsoft.

AD RMS certificates and licenses are structurally similar. Both are XrML documents and both consist of a certificate chain that ends with a Microsoft root of trust. The purpose of the two documents, however, differs. Certificates are used to identify entities and sign them into an AD RMS certificate hierarchy. Licenses typically specify rights and conditions that govern content use.

The following example shows the basic XrML structure of an AD RMS machine certificate:

<XrML version="1.2">
  <BODY>
    <ISSUEDTIME> ... </ISSUEDTIME>
    <DESCRIPTOR> ... </DESCRIPTOR>
    <ISSUER> ... </ISSUER>
    <DISTRIBUTIONPOINT> ... </DISTRIBUTIONPOINT>
    <ISSUEDPRINCIPALS> ... </ISSUEDPRINCIPALS>
  </BODY>
  <SIGNATURE>
    <DIGEST> ... </DIGEST>
    <ALGORITHM />
    <VALUE />
  </SIGNATURE>
</XrML>

The remainder of the chain consists of the following XrML documents, each signing the one before it and ending with the Microsoft root of trust:

  • <XrML version="1.2">  <!-- server licensor certificate -->
  • <XrML version="1.2">  <!-- DRM-CA-Certificate -->
  • <XrML version="1.2">  <!-- DRM-CA-Certificate -->
  • <XrML version="1.2">  <!-- DRM-CA-Certificate -->
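As an added example (not code from the AD RMS SDK or this documentation), the following Python builds a constructed chain in the order shown above and walks it: each document must have the BODY and SIGNATURE layout of the skeleton, and each certificate's ISSUER must name the next certificate, ending at a self-issued root. The OBJECT/ID children inside DESCRIPTOR and ISSUER, the ids and the root id are assumptions, and only the structure is checked, not the signatures.

```python
import xml.etree.ElementTree as ET

REQUIRED_BODY = ("ISSUEDTIME", "DESCRIPTOR", "ISSUER", "DISTRIBUTIONPOINT", "ISSUEDPRINCIPALS")
ROOT_ID = "{CA-0001}"  # constructed id standing in for the Microsoft root of trust

def make_cert(kind, own_id, issuer_id, issued="2024-01-15T10:00"):
    """Constructed XrML 1.2 skeleton; the OBJECT/ID layout under DESCRIPTOR/ISSUER is assumed."""
    return f"""<XrML version="1.2">
  <BODY type="{kind}">
    <ISSUEDTIME>{issued}</ISSUEDTIME>
    <DESCRIPTOR><OBJECT type="{kind}"><ID type="MS-GUID">{own_id}</ID></OBJECT></DESCRIPTOR>
    <ISSUER><OBJECT><ID type="MS-GUID">{issuer_id}</ID></OBJECT></ISSUER>
    <DISTRIBUTIONPOINT/>
    <ISSUEDPRINCIPALS/>
  </BODY>
  <SIGNATURE><DIGEST><ALGORITHM>SHA1</ALGORITHM><VALUE/></DIGEST><ALGORITHM/><VALUE/></SIGNATURE>
</XrML>"""

def parse_cert(xml_text):
    """Check the element layout shown on the page and extract the fields that link the chain."""
    root = ET.fromstring(xml_text)
    if root.tag != "XrML" or root.get("version") != "1.2":
        raise ValueError("not an XrML 1.2 document")
    body = root.find("BODY")
    missing = [t for t in REQUIRED_BODY if body is None or body.find(t) is None]
    if missing or root.find("SIGNATURE/DIGEST/ALGORITHM") is None:
        raise ValueError(f"malformed certificate, missing {missing or ['SIGNATURE/DIGEST/ALGORITHM']}")
    return {"type": body.get("type"),
            "id": body.findtext("DESCRIPTOR/OBJECT/ID"),
            "issuer": body.findtext("ISSUER/OBJECT/ID")}

def check_chain(chain_xml, root_id=ROOT_ID):
    """Return the certificate types in order if every ISSUER names the next certificate and
    the last certificate is the self-issued root; raise ValueError otherwise. Structural only."""
    certs = [parse_cert(x) for x in chain_xml]
    for child, parent in zip(certs, certs[1:]):
        if child["issuer"] != parent["id"]:
            raise ValueError(f"{child['type']} issuer {child['issuer']} is not {parent['type']} {parent['id']}")
    if certs[-1]["id"] != root_id or certs[-1]["issuer"] != root_id:
        raise ValueError("chain does not end at the trusted root")
    return [c["type"] for c in certs]

def chain_ok(chain_xml, root_id=ROOT_ID):
    try:
        return bool(check_chain(chain_xml, root_id))
    except ValueError:
        return False

# Constructed chain in the order the page lists it: machine certificate, SLC, three CA certificates.
CHAIN = [make_cert("Machine-Certificate", "{MC-0001}", "{SLC-0001}"),
         make_cert("Server-Licensor-Certificate", "{SLC-0001}", "{CA-0003}"),
         make_cert("DRM-CA-Certificate", "{CA-0003}", "{CA-0002}"),
         make_cert("DRM-CA-Certificate", "{CA-0002}", ROOT_ID),
         make_cert("DRM-CA-Certificate", ROOT_ID, ROOT_ID)]
```

Dropping the server licensor certificate from CHAIN breaks the ISSUER linkage, so chain_ok returns False even though every remaining document is individually well formed.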
