

Enterprise Certification Authorities

Applies To: Windows Server 2008

Enterprise certification authorities (CAs) can issue certificates for purposes such as digital signatures, secure e-mail by using S/MIME (Secure/Multipurpose Internet Mail Extensions), authentication to a secure Web server by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and logging on to a ___domain by using a smart card.

An enterprise CA has the following characteristics:

  • Requires access to Active Directory Domain Services (AD DS).

  • Uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the ___domain.

  • Publishes user certificates and certificate revocation lists (CRLs) to AD DS. In order to publish certificates to AD DS, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the ___domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains.

Note

You must be a member of the Domain Admins group or be an administrator with Write access to AD DS to install an enterprise root CA.

An enterprise CA issues certificates based on a certificate template. The following functionality is possible when you use certificate templates:

  • Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in AD DS that determines whether the certificate requester is authorized to receive the type of certificate they have requested.

  • The certificate subject name can be generated automatically from the information in AD DS or supplied explicitly by the requester.

  • The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.

  • Autoenrollment can be used to issue certificates.
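As an added example that is not part of the original page, the following PowerShell script audits the template permissions described above: for every certificate template published in AD DS it lists each principal that holds the Enroll or AutoEnroll extended right, reports whether the template itself has autoenrollment enabled, and flags broad groups. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the Configuration partition; the list of "broad" groups is my own choice.

```powershell
# Added audit example (not from the original page). Assumes the ActiveDirectory
# module is installed and the caller can read the Configuration naming context.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Well-known extended-right GUIDs for the two enrollment permissions.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Bit in msPKI-Enrollment-Flag that marks a template as autoenrollable.
$CT_FLAG_AUTO_ENROLLMENT = 0x20

# Groups whose presence on an Enroll/AutoEnroll ACE deserves a second look (my choice).
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')
$ExtendedRight   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

Get-ADObject -SearchBase $templateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
             -Properties 'msPKI-Enrollment-Flag' |
ForEach-Object {
    $tpl   = $_
    $acl   = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"   # template's AD DS security descriptor
    $flags = [int]$tpl.'msPKI-Enrollment-Flag'

    # Keep Allow ACEs that grant Enroll, AutoEnroll, or all extended rights (empty GUID).
    $enrollAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq $AutoEnrollRight -or $_.ObjectType -eq [Guid]::Empty)
    }

    foreach ($ace in $enrollAces) {
        $who   = $ace.IdentityReference.Value                # e.g. "DOMAIN\Domain Users"
        $broad = $BroadPrincipals | Where-Object { $who -like "*\$_" -or $who -eq $_ }
        [pscustomobject]@{
            Template     = $tpl.Name
            Principal    = $who
            Right        = if ($ace.ObjectType -eq $AutoEnrollRight) { 'AutoEnroll' }
                           elseif ($ace.ObjectType -eq $EnrollRight) { 'Enroll' }
                           else { 'AllExtendedRights' }
            AutoEnrollOn = [bool]($flags -band $CT_FLAG_AUTO_ENROLLMENT)
            BroadAccess  = [bool]$broad
        }
    }
} | Sort-Object Template, Principal | Format-Table -AutoSize
```

Rows with BroadAccess and AutoEnrollOn both true are the templates whose certificates every ___domain member will receive automatically, which is the set worth reviewing against the template's intended purpose.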

Additional references