Active Directory Certificate Services (AD CS) role services can be set up on servers running operating systems including Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment. Although you can deploy AD CS with a single server for a single certification authority (CA), deployments can involve multiple servers configured as root CAs, policy CAs, and issuing CAs, and other servers configured as Online Responders.
The following table lists the AD CS components that can be configured on different editions of Windows Server 2008 R2.
Components | Web edition | Standard edition | Enterprise edition | Datacenter edition |
---|---|---|---|---|
CA | No | Yes | Yes | Yes |
Network Device Enrollment Service | No | No | Yes | Yes |
Online Responder service | No | No | Yes | Yes |
CA Web Enrollment | No | Yes | Yes | Yes |
Certificate Enrollment Web Service | No | Yes | Yes | Yes |
Certificate Enrollment Policy Web Service | No | Yes | Yes | Yes |
The following features are available on servers running Windows Server 2008 R2 that have been configured as CAs.
AD CS features | Web edition | Standard edition | Enterprise edition | Datacenter edition |
---|---|---|---|---|
Customizable version 2 and version 3 certificate templates | No | Yes | Yes | Yes |
Key archival | No | No | Yes | Yes |
Role separation | No | No | Yes | Yes |
Certificate manager restrictions | No | No | Yes | Yes |
Delegated enrollment agent restrictions | No | No | Yes | Yes |
Certificate enrollment across forest boundaries | No | No | Yes | Yes |
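The two tables above determine which role services a given edition can host and which CA hardening features (role separation, key archival, certificate manager and enrollment agent restrictions) it can actually enforce. The following PowerShell script is an added example, not part of the original article or of Microsoft's documentation: run in an elevated session on the CA itself, it reports which AD CS role services are installed and reads the CA's registry configuration through `certutil -getreg` to show whether the edition-dependent features are switched on. The role-service feature names (`ADCS-Cert-Authority` and so on) and the registry value names (`RoleSeparationEnabled`, `KRACertCount`, `AuditFilter`, `OfficerRights`, `EnrollmentAgentRights`) are assumptions about the CertSvc configuration key and should be confirmed on your own server with `Get-WindowsFeature` and `certutil -getreg CA` before relying on the output.

```powershell
# Added example (not from the original article). Assumes Windows Server 2008 R2 with the
# AD CS role installed, run as a local administrator on the CA so that certutil.exe can
# read HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>.
# Written for PowerShell 2.0, which is what ships with Windows Server 2008 R2.

Import-Module ServerManager

function Get-AdcsInstalledRoleServices {
    # Feature names used by Add-WindowsFeature for the six AD CS role services in the
    # component table (assumed names; verify with Get-WindowsFeature ADCS-*).
    $features = 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc',
                'ADCS-Enroll-Web-Pol', 'ADCS-Online-Cert', 'ADCS-Device-Enrollment'
    Get-WindowsFeature $features | Select-Object Name, DisplayName, Installed
}

function Get-CaRegValue {
    param([Parameter(Mandatory = $true)][string]$Name)
    # certutil -getreg prints "<Name> REG_DWORD = <hex>" (optionally followed by the
    # decimal value in parentheses) and exits non-zero with 0x80070002 when the value
    # has never been set. A missing value is reported as $null, which for the settings
    # below means "feature not configured".
    $out = & certutil.exe -getreg "CA\$Name" 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { return $null }
    $m = [regex]::Match($out, "$Name\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)")
    if ($m.Success) { return [Convert]::ToInt32($m.Groups[1].Value, 16) }
    # Non-DWORD values (REG_BINARY ACLs, REG_SZ) are returned as raw text so the
    # caller can at least test for presence.
    return $out.Trim()
}

function Get-AdcsSecuritySettings {
    $roleSep   = Get-CaRegValue 'RoleSeparationEnabled'   # 1 = CA admin and cert manager roles enforced separately
    $kraCount  = Get-CaRegValue 'KRACertCount'            # number of KRA certs used for key archival (0/missing = off)
    $audit     = Get-CaRegValue 'AuditFilter'             # bitmask of CA audit categories; 0x7f (127) = all
    $officers  = Get-CaRegValue 'OfficerRights'           # present only when certificate manager restrictions are set
    $agents    = Get-CaRegValue 'EnrollmentAgentRights'   # present only when enrollment agent restrictions are set

    if ($kraCount -eq $null) { $kraCount = 0 }
    if ($audit -eq $null)    { $audit = 0 }

    New-Object PSObject -Property @{
        Edition                        = (Get-WmiObject Win32_OperatingSystem).Caption
        RoleSeparationEnabled          = ($roleSep -eq 1)
        KeyArchivalKraCertCount        = $kraCount
        AuditFilter                    = $audit
        AuditsAllCaEvents              = ($audit -eq 127)
        CertificateManagerRestrictions = ($officers -ne $null)
        EnrollmentAgentRestrictions    = ($agents -ne $null)
    }
}

# Usage: list installed role services, then the hardening settings.
Get-AdcsInstalledRoleServices | Format-Table -AutoSize
Get-AdcsSecuritySettings | Format-List
```

On Standard edition the four Enterprise-only features will always come back as not configured, because the CA cannot enforce them regardless of what is written to the registry; the `Edition` field is there so the report is read against the right row of the table. Two caveats worth noting when interpreting the output: role separation is off by default and, until it is enabled, a single account can hold both CA administrator and certificate manager rights; and an `AuditFilter` of 127 only produces CA events in the Security log if the server's "Audit object access" policy is also enabled.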
Customizing AD CS
AD CS includes programmable interfaces so that developers can add support for additional transports, policies, and certificate properties and formats. For information about customizing AD CS, see Certificate Services Architecture.
Managing AD CS
The following Microsoft Management Console (MMC) snap-ins can be used to manage AD CS:
- Certification Authority. The primary tool for managing a CA, certificate revocation, and certificate enrollment.
- Certificate Templates. Used to duplicate and configure certificate templates for publication to Active Directory Domain Services (AD DS) and for use with enterprise CAs.
- Online Responder. Used to configure and manage Online Certificate Status Protocol (OCSP) responders.
- Enterprise PKI. Used to monitor multiple CAs, certificate revocation lists (CRLs), and authority information access locations, and to manage AD CS objects that are published to AD DS.
- Certificates. Used to view and manage certificate stores for a computer, user, or service.
Additional references
- Public Key Infrastructures
- Types of Certification Authorities
- Certificate Enrollment Web Service Overview
- Certificate Enrollment Policy Web Service Overview
- Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries