Certificate Service
Last updated
Active Directory Certificate Services (AD CS), Microsoft's Active Directory Public Key Infrastructure (PKI) implementation, provides services including:
encrypting file systems
digital signatures
user authentication
AD CS is not installed by default, but it is widely deployed.
The server role, introduced with Windows 2000, can be deployed in one of two configurations:
a standalone certification authority (CA)
an enterprise CA that integrates with AD
All AD CS-related containers are stored in the configuration naming context under the Public Key Services container, so every domain controller in the forest holds a replica of their content.
One container holds the trusted root certificates, which are propagated to the Trusted Root Certification Authorities certificate store on each Windows machine.
For a certificate to be considered trusted, its trust chain must eventually end with one of the root CAs defined in this container.
The Enrollment Services container stores the Enterprise CA objects. Clients use this container to locate Enterprise CAs in the forest.
Enterprise CA certificates are propagated to the Intermediate Certification Authorities certificate store on each Windows machine.
This container defines the CA certificates that enable authentication to AD.
This container holds the AD objects of intermediate and cross CAs.
This container contains enterprise certificate templates used by Enterprise CAs.
Users obtain certificates from a CA, based on the objects in the Enrollment Services container, through the certificate enrollment process.
AD CS Enterprise CAs issue certificates with settings defined by certificate templates.
AD CS specifies that a certificate template is enabled on an Enterprise CA by adding the template's name to the certificateTemplates field of the AD object with objectClass pKIEnrollmentService.
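As an added example (not code from the original page), the following PowerShell script reads the Enrollment Services and Certificate Templates containers through ADSI to show which templates each Enterprise CA has enabled, and flags published names that have no matching template object. The helper name Search-PksContainer is an assumption; the container DNs follow the standard AD CS layout under the configuration naming context, and the script assumes a domain-joined host and an authenticated user.

```powershell
# Added example, not from the original page. Lists every Enterprise CA registered
# in the Enrollment Services container and the templates it publishes, then marks
# published template names that have no matching pKICertificateTemplate object.
# Assumes a domain-joined host and an authenticated user; the container DNs below
# are the standard AD CS locations under the configuration naming context.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pksDn    = "CN=Public Key Services,CN=Services,$configNC"

# Hypothetical helper: search one child container of Public Key Services.
function Search-PksContainer {
    param([string]$Container, [string]$Filter, [string[]]$Props)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://CN=$Container,$pksDn"
    $s.Filter      = $Filter
    $s.SearchScope = "OneLevel"
    [void]$s.PropertiesToLoad.AddRange($Props)
    return $s.FindAll()
}

# All templates defined in the forest (Certificate Templates container).
$definedTemplates = @(Search-PksContainer "Certificate Templates" `
    "(objectClass=pKICertificateTemplate)" @("cn") |
    ForEach-Object { $_.Properties["cn"][0] })

# Every Enterprise CA object is a pKIEnrollmentService; its certificateTemplates
# attribute is the list of template names enabled on that CA.
$cas = Search-PksContainer "Enrollment Services" `
    "(objectClass=pKIEnrollmentService)" @("cn", "dNSHostName", "certificateTemplates")

foreach ($ca in $cas) {
    $caName    = $ca.Properties["cn"][0]
    $caHost    = $ca.Properties["dnshostname"][0]
    $published = @($ca.Properties["certificatetemplates"])

    Write-Output ("CA {0} on {1}: {2} enabled template(s)" -f $caName, $caHost, $published.Count)
    foreach ($t in ($published | Sort-Object)) {
        # A name in certificateTemplates with no template object is a stale or
        # dangling entry and cannot be reviewed through its template settings.
        $marker = if ($definedTemplates -contains $t) { "    " } else { " ?  " }
        Write-Output ("{0}{1}" -f $marker, $t)
    }
}
```

Run it periodically and diff the output: a template appearing in a CA's certificateTemplates list that was not there before is a change worth reviewing, since enabling a template is what makes it issuable.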