Certificate Service
Active Directory Certificate Services (AD CS), Microsoft’s Active Directory Public Key Infrastructure (PKI) implementation, provides everything including:
encrypting file systems
digital signatures
user authentication
AD CS is not installed by default but deployed widely.
Overview
A server role, introduced in Windows 2000, can be deployed in one of two configurations:
a standalone certification authority (CA)
an enterprise CA that integrates with AD
Trust Store
All ADCS-related containers are stored in the configuration naming context under Public Key Services container, hence all domain controllers within a forest hold a replication of the content.
Certification Authorities
A container contains trusted root certificates propagated to the Trusted Root Certification Authorities certificate store on each Windows machine.
To consider a certificate as trusted, the certificate’s trust chain must eventually end with one of the root CA’s defined in this container.
Enrollment Services
This container is used to store Enterprise CA objects. Clients use this container to locate Enterprise CAs in the forest.
Enterprise CA certificates are propagated to the Intermediate Certification Authorities certificate store on each Windows machine.
NTAuthCertificates
This container defines CA certificates that enable authentication to AD
AIA
This container holds the AD objects of intermediate and cross CAs
Certificate Templates
This container contains enterprise certificate templates used by Enterprise CAs.
Certificate Enrollment
Users obtain certificates from CA based on the objects in the Enrollment Services container through the certificate enrollment process.
Certificate Template
AD CS Enterprise CAs issue certificates with settings defined by certificate templates.
AD CS specifies that a certificate template is enabled on an Enterprise CA by adding the template’s name to the certificatetemplates field of the AD object with objectClass of pKIEnrollmentService.
Extended Key Usages (EKU)
Last updated
