Active Directory Certificate Services
Active Directory Certificate Services enables organizations to implement a public key infrastructure so they can deploy and manage public key cryptography, digital certificates, and digital signature capabilities for users and devices.
The first version of AD CS came with Windows Server 2008; the previous versions were simply known as Certificate Services.
AD CS is composed of several role services that perform different tasks for clients. One or more of these role services can be installed on a server as required. These services are as follows:
Certification Authority: Installs the core CA component, which allows a server to issue, revoke, and manage certificates for clients. This role can be installed on multiple servers within the same root CA chain.
Certification Authority Web Enrollment: Handles the web-based distribution of certificates to clients. Requires Internet Information Services to be installed on the server.
Online Responder: Responds to individual client requests regarding information about the validity of specific certificates. Used for complex or large networks.
Certificate Enrollment Web Service: Enables users and computers to enroll for certificates remotely or from nondomain systems via HTTP.
Certificate Enrollment Web Policy Service: Works with the related Certificate Enrollment Web Service, but only provides policy information rather than certificates.
Network Device Enrollment Service: Streamlines the way that network devices such as routers receive certificates.
New in Windows Server 2012
Integration with Server Manager
Deployment and management capabilities from Windows PowerShell
All AD CS role services run on any version
All AD CS role services can be run on Server Core
Support for key-based renewal
Certificate Template Compatibility
Support for certificate renewal with same key
Support for Internationalized Domain Names
Increased security enabled by default on the CA role service
AD DS Site Awareness for AD CS and PKI Clients
Group-protected PFX format
Certificate lifecycle notifications
CA private keys are included in the System State Backup image
New in Windows Server 2012 R2
New Windows PowerShell cmdlets are available for backup and restore. TPM key attestation lets the certification authority (CA) verify that the private key is protected by a hardware-based TPM. Using a policy module with the Network Device Enrollment Service provides enhanced security so that users and devices can request certificates from the Internet.