
Active Directory Certificate Services

Active Directory Certificate Services (AD CS) is the Windows Server role that lets an organization run a public key infrastructure (PKI) and so deploy and manage public key cryptography, digital certificates, and digital signature capabilities for users and devices. The role took its current name with Windows Server 2008; earlier versions were simply known as Certificate Services. AD CS is composed of several role services that perform different tasks for clients, and one or more of them can be installed on a server as required. These role services are as follows:

Certification Authority: Installs the core CA component, which lets a server issue, revoke, and manage certificates for clients. This role service can be installed on multiple servers that chain to the same root CA (a root CA plus one or more subordinate CAs).

Certification Authority Web Enrollment: Handles the web-based distribution of certificates to clients. Requires Internet Information Services (IIS) to be installed on the server.

Online Responder: Answers individual client requests about the revocation status of specific certificates using the Online Certificate Status Protocol (OCSP), so clients do not have to download full certificate revocation lists. Intended for complex or large networks.

Certificate Enrollment Web Service: Lets users and computers enroll for (and renew) certificates remotely, or from non-domain-joined systems, over HTTPS instead of the CA's DCOM/RPC interface.

Certificate Enrollment Policy Web Service: Works together with the Certificate Enrollment Web Service, but only supplies enrollment policy information (which templates a client may request) rather than issuing certificates.

Network Device Enrollment Service: Streamlines the way network devices such as routers and switches obtain certificates, using the Simple Certificate Enrollment Protocol (SCEP); the requesting device is not a domain member and is identified by a one-time challenge password rather than domain credentials.

New in Windows Server 2012

Integration with Server Manager

Deployment and management capabilities from Windows PowerShell

All AD CS role services are available on every edition of Windows Server 2012 (earlier releases restricted some role services to the Enterprise and Datacenter editions)

All AD CS role services can be run on Server Core

Support for key-based renewal

Certificate template compatibility settings (version 4 templates, whose features can be limited to the client and CA operating system versions you specify)

Support for certificate renewal with same key

Support for Internationalized Domain Names

Increased security enabled by default on the CA role service: the CA refuses certificate requests submitted over unencrypted RPC (the IF_ENFORCEENCRYPTICERTREQUEST interface flag is set by default), so requesting clients must use RPC packet privacy

AD DS Site Awareness for AD CS and PKI Clients

Group-protected PFX format: a PFX file can be protected to an Active Directory security principal (a user or group) instead of a shared password, so only members of that principal can import the private key

Certificate lifecycle notifications

CA private keys are included in the System State Backup image
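As an added example (not code from this page or from Microsoft), the following PowerShell script deploys the role services described in the list above using the Windows Server 2012 deployment cmdlets mentioned in this list, and then checks two of the security features that list names: enforcement of encrypted RPC certificate requests and group-protected PFX export. The CA common name CONTOSO-ROOT-CA, the host name ca01.contoso.com, the group CONTOSO\PKI Admins and the export path are assumptions chosen for illustration.

```powershell
# Added example, not taken from the page: deploys AD CS role services with the
# Windows Server 2012 ADCSDeployment cmdlets and checks two default security settings.
# Assumed names: CONTOSO-ROOT-CA, ca01.contoso.com, CONTOSO\PKI Admins, C:\Export.
# Run from an elevated PowerShell session on a domain-joined server.

$ErrorActionPreference = 'Stop'
Import-Module ServerManager
Import-Module ADCSDeployment   # ships with Windows Server 2012 and later

# 1. Install the binaries. Feature names map to the role services described above.
#    NDES (ADCS-Device-Enrollment) is left out because it also needs a service account.
$features = @(
    'ADCS-Cert-Authority',   # Certification Authority
    'ADCS-Web-Enrollment',   # CA Web Enrollment (pulls in IIS)
    'ADCS-Online-Cert',      # Online Responder (OCSP)
    'ADCS-Enroll-Web-Svc',   # Certificate Enrollment Web Service (CES)
    'ADCS-Enroll-Web-Pol'    # Certificate Enrollment Policy Web Service (CEP)
)
Install-WindowsFeature -Name $features -IncludeManagementTools

# 2. Configure an enterprise root CA: 4096-bit RSA, SHA-256, 10-year validity.
#    The in-box software KSP is used here; use an HSM provider name in production.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'CONTOSO-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 3. Configure the web-facing role services. CES and CEP require an HTTPS
#    binding, so a server certificate for the host must already be in the
#    machine store; it is looked up by subject (assumed name) here.
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=ca01.contoso.com*' } |
    Select-Object -First 1
if (-not $sslCert) { throw 'No TLS server certificate for ca01.contoso.com in LocalMachine\My' }

Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $sslCert.Thumbprint -Force
Install-AdcsEnrollmentWebService -CAConfig 'ca01.contoso.com\CONTOSO-ROOT-CA' `
    -AuthenticationType Kerberos -SSLCertThumbprint $sslCert.Thumbprint -Force

# 4. Verify the "increased security by default" setting: the CA should refuse
#    unencrypted RPC certificate requests. Someone may have cleared the flag to
#    accommodate legacy clients; put it back and restart the CA service if so.
$flags = certutil -getreg CA\InterfaceFlags
if (-not ($flags -match 'IF_ENFORCEENCRYPTICERTREQUEST')) {
    Write-Warning 'RPC encryption enforcement is off; re-enabling it.'
    certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
    Restart-Service CertSvc
}

# 5. Group-protected PFX: export the TLS certificate with its private key so that
#    only members of an AD group can import it, instead of sharing a password.
New-Item -ItemType Directory -Path 'C:\Export' -Force | Out-Null
Export-PfxCertificate -Cert $sslCert -FilePath 'C:\Export\ca01.pfx' `
    -ProtectTo 'CONTOSO\PKI Admins'
```

Step 4 is the check a reviewer of an inherited CA most wants: if the interface flag has been cleared, any client on the network can submit requests in clear text, and the CA's protection against tampering with those requests rests entirely on network security. Step 5 exercises the group-protected PFX format; a PFX exported with -ProtectTo can only be imported by a member of the named group on a Windows 8 / Windows Server 2012 or later machine.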

New in Windows Server 2012 R2

New Windows PowerShell cmdlets for backing up and restoring the CA (Backup-CARoleService and Restore-CARoleService)

TPM key attestation: the certification authority (CA) can verify that the requester's private key was generated in, and is protected by, a hardware-based Trusted Platform Module (TPM) before it issues the certificate

Policy module support for the Network Device Enrollment Service: a pluggable policy module validates each request before the CA issues a certificate, which provides the additional control needed to let users and devices request certificates from the Internet
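As an added example (not code from this page or from Microsoft) of the Windows Server 2012 R2 backup and restore cmdlets mentioned above, the following script takes a full backup of the CA private key and database, locks down the folder that will hold the exported key, and checks that the key file actually exists before the backup is trusted. The backup path and the group CONTOSO\PKI Admins are assumptions for illustration.

```powershell
# Added example, not taken from the page: CA backup and restore with the
# Windows Server 2012 R2 Backup-CARoleService / Restore-CARoleService cmdlets.
# Assumed names: D:\CABackup and the group CONTOSO\PKI Admins. Run elevated on the CA.

$ErrorActionPreference = 'Stop'
$backupRoot = 'D:\CABackup'
$dest = Join-Path $backupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# The backup contains the CA's private key as a password-protected PKCS#12 file,
# so restrict the folder to SYSTEM and the PKI admins before anything is written.
icacls $dest /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'CONTOSO\PKI Admins:(OI)(CI)F' | Out-Null

# Prompt for the PFX password instead of embedding it in the script.
$pfxPassword = Read-Host -Prompt 'Password to protect the exported CA key' -AsSecureString

# Full backup: CA certificate plus private key, and the certificate database.
Backup-CARoleService -Path $dest -Password $pfxPassword -Force

# Sanity check: the exported key file must be present and not empty, and the
# database directory must exist. A backup that passes silently without the key
# is the failure mode that bites on the day of a rebuild.
$keyFile = Get-ChildItem -Path $dest -Filter '*.p12' | Select-Object -First 1
if (-not $keyFile -or $keyFile.Length -lt 1KB) {
    throw "CA private key export is missing or empty in $dest"
}
if (-not (Test-Path (Join-Path $dest 'DataBase'))) {
    throw "CA database directory is missing in $dest"
}
Get-ChildItem -Path $dest -Recurse | Select-Object FullName, Length

# Restore procedure (run on the rebuilt server after the CA role service has
# been installed with the same CA name). CertSvc must be stopped; -Force
# overwrites the existing database. Left commented so the backup script is
# safe to run as-is.
# Stop-Service CertSvc
# Restore-CARoleService -Path $dest -Password $pfxPassword -Force
# Start-Service CertSvc
```

The ACL step matters more than it looks: the backup folder holds the same CA private key that the page notes is now also included in System State Backup, and anyone who can read either copy can issue certificates as the CA.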