Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key infrastructure (PKI) certificates used in software security systems that employ public key technologies. The digital certificates that AD CS provides can be used to encrypt and digitally sign electronic documents and messages. Further, these digital certificates can be used for authentication of computer, user, or device accounts on a network. Digital certificates are used to provide:

• Confidentiality - through encryption
• Integrity - through digital signatures
• Authentication - by associating certificate keys with computer, user, or device accounts on a computer network.

These certificate services were available starting in Windows 2000 and continue to be available as a server role in Windows Server 2008 R2.

Important: By installing AD CS, you are either creating or extending a Public Key Infrastructure (PKI). A PKI structure that meets the requirements of most organizations is a multi-tier Certification Authority (CA) hierarchy that implements an Offline Root CA. For more information, see the PKI Design Brief Overview and the Windows PKI documentation and reference library.

The sections in this overview of AD CS are:

Features of AD CS in Different OS Versions

AD CS provides the following features:

• Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.
• Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs).
• Online Responder. The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.
• Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.

The following table describes features available to enterprise (not standalone) certification authorities:

Windows Server version and SKU	Role Services Available	Certificate Templates available	Auto-enrollment & Key Archival (comes with V2 Templates)	CA Features: SMTP Exit Module & Role Separation	Cross-forest Enrollment (over DCOM protocol)
Windows Web Server 2008 R2	None	NA	NA	NA	NA
Windows Server 2008 R2 Standard or Foundation	-Certification Authority (CA) -CA Web Enrollment -Certificate Enrollment Web Services* (policy service and enrollment service)	V1, V2*, and V3* templates	Yes*	No	No
Windows Server 2008 R2 Standard, Foundation, or Server Core ** installations	-Certification Authority (CA)*	V1, V2*, and V3* templates	Yes*	No	No
Windows Server 2008 R2 Enterprise or Datacenter	-Certification Authority (CA) -CA Web Enrollment -Certificate Enrollment Web Services* (policy service and enrollment service) -Online Responder (OCSP) -Network Device Enrollment Service (NDES)	V1, V2, and V3 templates	Yes	Yes	Yes
Windows Server 2008 R2 Enterprise, Datacenter, or Server Core ** installations	-Certification Authority (CA)*	V1, V2, and V3 templates	Yes	Yes	Yes
Windows Server 2008 Standard Edition	-Certification Authority (CA) -CA Web Enrollment	V1 only	No	No	No
Windows Server 2008 Enterprise or Datacenter Edition	-Certification Authority (CA) -CA Web Enrollment -Online Responder (OCSP) -Network Device Enrollment Service (NDES)	V1, V2, and V3 templates	Yes	Yes	No
Windows Server 2003 Standard Edition	-Certification Authority (CA) -CA Web Enrollment	V1 only	No	No	No
Windows Server 2003 Enterprise or Datacenter Edition	-Certification Authority (CA) -CA Web Enrollment (NDES available as “MSCEP” via resource kit)	V1 and V2 templates	Yes	Yes	No
Windows Server 2012 Datacenter and standard (including Server Core and Minimal Server Interface)	-Certification Authority (CA) -CA Web Enrollment - Certificate Enrollment Web Services (both policy and enrollment service) -Online Responder (OCSP) -Network Device Enrollment Service	V1, V2, V3, V4	Yes	Yes	Yes; also new for Windows Server 2012 and Windows 8 certificate clients is the ability to automatically renew certificates using Certificate Enrollment Web Services when not joined to the same domain using key-based renewal.

* new for Windows Server 2008 R2
** the SMTP Exit Module is not supported on Server Core installations

Benefits of AD CS

You can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives you a cost-effective, efficient, and secure way to manage the distribution and use of certificates.

Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

Active Directory Certificate Services Role

The AD CS server role in the Windows Server 2008 and Windows 2008 R2 operating systems provides customizable services for creating and managing public key certificates used in software security systems employing public key technologies. In addition to binding the identity of a person, device, or service to a corresponding private key, AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.

Plan Before Installing

Anyone considering installing AD CS, should be aware of PKI hierarchies first. For a quick introduction, see PKI Design Brief Overview and  basic PKI planning. You can learn more about planning a PKI Hierarchy or CA Hierarchy from various places on the Internet or in the Windows Server 2008 PKI and Certificate Security book by Brian Komar.
 

Cryptography Next Generation

Cryptography Next Generation (CNG) in the Windows Server® 2008 operating system provides a flexible cryptographic development platform that allows IT professionals to create, update, and use custom cryptography algorithms in cryptography-related applications such as Active Directory® Certificate Services (AD CS), Secure Sockets Layer (SSL), and Internet Protocol security (IPsec). CNG implements the U.S. government's Suite B cryptographic algorithms, which include algorithms for encryption, digital signatures, key exchange, and hashing.

CNG provides a set of APIs that are used to:

• Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data.
• Create, store, and retrieve cryptographic keys.
• Install and use additional cryptographic providers.

CNG has the following capabilities:

• CNG allows customers to use their own cryptographic algorithms or implementations of standard cryptographic algorithms. They can also add new algorithms.
• CNG supports cryptography in kernel mode. The same API is used in both kernel mode and user mode to fully support cryptography features. Secure Sockets Layer/Transport Layer Security (SSL/TLS) and IPsec, in addition to startup processes that use CNG, operate in kernel mode.
• The plan for CNG includes acquiring Federal Information Processing Standards (FIPS) 140-2 level 2 certification together with Common Criteria evaluations.
• CNG complies with Common Criteria requirements by using and storing long-lived keys in a secure process.
• CNG supports the current set of CryptoAPI 1.0 algorithms.
• CNG provides support for elliptic curve cryptography (ECC) algorithms. A number of ECC algorithms are required by the United States government's Suite B effort.

Online Certificate Status Protocol Support: Online Responder

Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows Server® 2008 operating system, public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information.

The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be.

In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs. For example:

• Clients connect to the network remotely and either do not need nor have the high-speed connections required to download large CRLs.
• A network needs to handle large peaks in revocation checking activity, such as when large numbers of users log on or send signed e-mail simultaneously.
• An organization needs an efficient means to distribute revocation data for certificates issued from a non-Microsoft CA.
• An organization wants to provide only the revocation checking data needed to verify individual certificate status requests, rather than make available information about all revoked or suspended certificates.

Network Device Enrollment Service

The Network Device Enrollment Service (NDES) is the Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that makes it possible for software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a certification authority (CA).

NDES operates as an Internet Server Application Programming Interface (ISAPI) filter on Internet Information Services (IIS) that performs the following functions:

• Generates and provides one-time enrollment passwords to administrators.
• Receives and processes SCEP enrollment requests on behalf of software running on network devices.
• Retrieves pending requests from the CA.

Web Enrollment

Certificate Web enrollment has been available since its inclusion in Windows® 2000 operating systems. It is designed to provide an enrollment mechanism for organizations that need to issue and renew certificates for users and computers that are not joined to the domain or not connected directly to the network, and for users of non-Microsoft operating systems. Instead of relying on the autoenrollment mechanism of a certification authority (CA) or using the Certificate Request Wizard, the Web enrollment support provided by a Windows-based CA allows these users to request and obtain new and renewed certificates over an Internet or intranet connection. For more information, see Web Enrollment and Setup Certification Authority Web Enrollment Support on TechNet.

Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service

The certificate enrollment Web services are available starting with Windows Server 2008 R2 AD CS role services. These enable policy-based certificate enrollment over HTTP by using existing methods such as autoenrollment. The Web services act as a proxy between a client computer and a CA, which makes direct communication between the client computer and CA unnecessary, and allows certificate enrollment over the Internet and across forests. For more information see Certificate Enrollment Web Services on the askds blog or Certificate Enrollment Web Services in Windows Server 2008 R2.

Policy Settings

Certificate settings in Group Policy enable administrators to manage the certificate settings on all the computers in the domain from a central location. Configuring the settings by using Group Policy can effect changes throughout the entire domain. The following are a few examples where administrators can use the new certificate-related settings to:

• Deploy intermediate certification authority (CA) certificates to client computers.
• Ensure that users never install applications that have been signed with an unapproved publisher certificate.
• Configure network timeouts to better control the chain-building timeouts for large certification revocation lists (CRLs).
• Extend CRL expiration times if a delay in publishing a new CRL is affecting applications.

Restricted Enrollment Agent

The restricted enrollment agent is a new functionality in the Windows Server 2008 Enterprise operating system that allows limiting the permissions that users designated as enrollment agents have for enrolling smart card certificates on behalf of other users. The following sections describe this change and its implications.

Enrollment agents are one or more authorized individuals within an organization. The enrollment agent needs to be issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalf of users. Enrollment agents are typically members of the corporate security, Information Technology (IT) security, or help desk teams because these individuals have already been trusted with safeguarding valuable resources. In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case, designating a branch manager or other trusted employee to act as an enrollment agent is required to enable smart card credentials to be issued from multiple locations.

On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of. You cannot constrain an enrollment agent based on a certain Active Directory® organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows Server® 2008 Standard-based CA.

Enterprise PKI (PKIView)

Monitoring and troubleshooting the health of all certification authorities (CAs) in a public key infrastructure (PKI) are essential administrative tasks facilitated by the Enterprise PKI snap-in. Originally part of the Microsoft® Windows Server® 2003 Resource Kit and called the PKI Health tool, Enterprise PKI is a Microsoft Management Console (MMC) snap-in for the Windows Server 2008 and Windows Server 2008 R2 operating systems. Because it is part of the core operating system, you can use Enterprise PKI after server installation by simply adding it to an MMC console. It then becomes available to analyze the health state of CAs installed on computers running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.

Enterprise PKI provides a view of the status of your network's PKI environment. Having a view of multiple CAs and their current health states enables administrators to manage CA hierarchies and troubleshoot possible CA errors easily and effectively. Specifically, Enterprise PKI indicates the validity or accessibility of authority information access (AIA) locations and certificate revocation list (CRL) distribution points.

For each CA selected, Enterprise PKI indicates one of the CA health states listed in the following table.

Indicator	CA state
Question mark	CA health state evaluation
Green indicator	CA has no problems
Yellow indicator	CA has a non-critical problem
Red indicator	CA has a critical problem
Red cross over CA icon	CA is offline

Once you add the Enterprise PKI snap-in to the MMC, three panes appear:

• Tree. This pane displays a tree representation of your enterprise PKI hierarchy. Each node under the Enterprise PKI node represents a CA with subordinate CAs as child nodes.
• Results. For the CA selected in the tree, this pane displays a list of subordinate CAs, CA certificates, CRL distribution points, and AIA locations. If the console root is selected in the tree, the results pane displays all root CAs. There are three columns in the results pane:
  • Name. If the Enterprise PKI node is selected, the names of the root CAs under the Enterprise PKI node are displayed. If a CA or child CA is selected in the tree, then the names of CA certificates, AIA locations, and CRL distribution points are displayed.
  • Status. A brief description of CA status (also indicated in the tree by the icon associated with the selected CA) or the status of CA certificates, AIA locations, or CRL distribution points (indicated by status text descriptions, examples of which are OK and Unable to Download) is displayed.
  • Location. AIA locations and CRL distribution points (protocol and path) for each certificate are displayed. Examples are file://, HTTP://, and LDAP://.
• Actions. This pane provides the same functionality found on the Actions, View, and Help menus.
  Depending on the item selected in either the tree or results pane, you can view more details about CAs and CA certificates including AIA and CRL information in the actions pane. You can also manage the enterprise PKI structure and make corrections or changes to CA certificates or CRLs.

Hardware and software considerations

AD CS requires Windows Server 2008 or Windows Server 2008 R2 and for enterprise roles Active Directory Domain Services (AD DS) is also required. While AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, which is recommended. Other servers could be configured as Online Responders, and still other servers acting as Web enrollment portals. CAs can be set up on servers running a variety of operating systems, including Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server (although Windows 2000 is no longer supported by Microsoft). Not all operating systems support all features or design requirements (as discussed previously), and creating an optimal design will require careful planning and testing before you deploy AD CS in a production environment.

Additional Resources

Active Directory Certificate Services (AD CS) Frequently Asked Questions (FAQ)
Windows PKI Documentation and Reference Library