Active Directory Certificate Services Overview
Applies To: Windows Server 2008
Active Directory Certificate Services (AD CS) role services can be set up on servers running a variety of operating systems, including Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment. Although you can deploy AD CS with a single server acting as a single certification authority (CA), deployments can involve multiple servers configured as root, policy, and issuing CAs, and other servers configured as Online Responders.
Note
AD CS is not available on Server Core installations of Windows Server 2008 or on Windows Server 2008 for Itanium-Based Systems. Only a limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows Server 2008 for Itanium-Based Systems.
The following table lists the AD CS components that can be configured on different editions of Windows Server 2008.
Components | Web Edition | Standard Edition | Enterprise Edition | Datacenter Edition |
---|---|---|---|---|
CA | No | Yes | Yes | Yes |
Network Device Enrollment Service | No | No | Yes | Yes |
Online Responder service | No | No | Yes | Yes |
Certification Authority Web Enrollment Support | No | Yes | Yes | Yes |
The following features are available on servers running Windows Server 2008 that have been configured as CAs. Note that the controls that enforce separation of duties on a CA (role separation, certificate manager restrictions, and delegated enrollment agent restrictions) are available only on Enterprise and Datacenter editions; a Standard Edition CA cannot enforce them.
AD CS Features | Web Edition | Standard Edition | Enterprise Edition | Datacenter Edition |
---|---|---|---|---|
Customizable version 2 and version 3 certificate templates | No | No | Yes | Yes |
Key archival | No | No | Yes | Yes |
Role separation | No | No | Yes | Yes |
Certificate manager restrictions | No | No | Yes | Yes |
Delegated enrollment agent restrictions | No | No | Yes | Yes |
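The two tables above are the kind of thing a practitioner verifies against a real server before relying on a feature. The following PowerShell script is an added example, not code from this TechNet page or from Microsoft. It assumes PowerShell 2.0 on Windows Server 2008 with certutil.exe available and local administrator rights (my assumptions, not stated by the page). It reads the edition from WMI, detects the CA role service through the CertSvc service, and reads the role-separation setting with `certutil -getreg ca\RoleSeparationEnabled`, then reports where the configuration disagrees with what the edition supports.

```powershell
# Added example (not from the original page): report the Windows Server edition,
# whether the Certification Authority role service is present, and whether the
# Enterprise/Datacenter-only role separation feature is configured on this CA.
# Assumptions: PowerShell 2.0 on Windows Server 2008, certutil.exe on the path,
# and the script run with local administrator rights.

function Get-ServerEdition {
    # Win32_OperatingSystem.Caption reads e.g. "Microsoft Windows Server 2008 Enterprise".
    $caption = (Get-WmiObject -Class Win32_OperatingSystem).Caption
    switch -Regex ($caption) {
        'Datacenter' { return 'Datacenter' }
        'Enterprise' { return 'Enterprise' }
        'Standard'   { return 'Standard' }
        'Web'        { return 'Web' }
        default      { return 'Unknown' }
    }
}

function Test-CaInstalled {
    # The CA role service registers the CertSvc service; if it is absent, no CA is installed here.
    $svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
    return ($svc -ne $null)
}

function Get-CaRegDword([string]$ValueName) {
    # "certutil -getreg ca\<name>" prints a line such as
    #   RoleSeparationEnabled REG_DWORD = 1
    # and exits non-zero when the value does not exist.
    $out = & certutil.exe -getreg "ca\$ValueName" 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }
    $m = [regex]::Match(($out -join "`n"), 'REG_DWORD\s*=\s*(0x[0-9A-Fa-f]+|\d+)')
    if (-not $m.Success) { return $null }
    $token = $m.Groups[1].Value
    if ($token -like '0x*') { return [Convert]::ToInt32($token.Substring(2), 16) }
    return [int]$token
}

function Get-AdcsEditionReport {
    $edition = Get-ServerEdition
    $enterpriseFeatures = ($edition -eq 'Enterprise' -or $edition -eq 'Datacenter')
    $report = New-Object PSObject -Property @{
        Edition               = $edition
        CaInstalled           = (Test-CaInstalled)
        RoleSeparationEnabled = $null
        Findings              = @()
    }
    if ($report.CaInstalled) {
        $rs = Get-CaRegDword 'RoleSeparationEnabled'
        $report.RoleSeparationEnabled = ($rs -eq 1)
        if ($report.RoleSeparationEnabled -and -not $enterpriseFeatures) {
            $report.Findings += "RoleSeparationEnabled is set, but the $edition edition does not support role separation; do not assume CA administrator and certificate manager duties are enforced separately."
        }
        if (-not $report.RoleSeparationEnabled -and $enterpriseFeatures) {
            # Caveat: once enabled, an account holding both the CA administrator and
            # certificate manager roles is locked out of both until one role is removed.
            $report.Findings += "Role separation is supported on $edition but not enabled (certutil -setreg ca\RoleSeparationEnabled 1, then restart CertSvc)."
        }
    } elseif ($edition -eq 'Web') {
        $report.Findings += 'Web Edition cannot host a CA.'
    }
    return $report
}

Get-AdcsEditionReport | Format-List Edition, CaInstalled, RoleSeparationEnabled, Findings
```

Run it on each CA in the hierarchy rather than on a single server: the root, policy, and issuing CAs may sit on different editions, and the feature gap that matters (no enforced separation of duties) is per CA.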
Customizing AD CS
AD CS includes programmable interfaces so that developers can create support for additional transports, policies, and certificate properties and formats. For information about customizing AD CS, see Certificate Services Architecture (https://go.microsoft.com/fwlink/?LinkId=91405).
Managing AD CS
The following Microsoft Management Console (MMC) snap-ins can be used to manage AD CS:
Certification Authority. The primary tool for managing a CA, certificate revocation, and certificate enrollment.
Certificate Templates. Used to duplicate and configure certificate templates for publication to Active Directory Domain Services (AD DS) and for use with enterprise CAs.
Online Responder. Used to configure and manage Online Certificate Status Protocol (OCSP) responders.
Enterprise PKI. Used to monitor multiple CAs, certificate revocation lists (CRLs), and authority information access (AIA) locations, and to manage AD CS objects that are published to AD DS.
Certificates. Used to view and manage certificate stores for a computer, user, or service.