Active Directory Certificate Services

AD CS allows you to set up your own public key infrastructure (PKI), which lets you issue trusted certificates for users and internal systems. Some reasons for using PKI could be to:

Protect Internal Websites with HTTPS

Provide Secure Communication to your Active Directory Domain Controllers.

Issue Certificates to Users: Users can use certificates to encrypt email, protect data with Encrypting File System (EFS), or use them as a second authentication factor for multifactor authentication.

AD CS role services

Certification Authority: The Certification Authority role service is the primary role service in a PKI. Your root CAs and intermediate CAs run this role service and issue certificates to users and devices.

Certificate Enrollment Policy Web Service: Provides certificate enrollment policy information to users and computers.

Certificate Enrollment Web Service: Enables users and computers to obtain certificates through a web browser. This is useful when a computer is not part of the Active Directory domain. By combining this role service with the Certificate Enrollment Policy Web Service, you can enable automatic certificate enrollment for users and computers.

The Certification Authority Web Enrollment role service: Provides a web-based method for users to request certificates. Without it, users can use the Certificates MMC or command-line tools to request certificates.

The Network Device Enrollment Service (NDES): Enables routers, switches, and other network devices to obtain certificates, even without having an associated user account.

Online Responder: The Online Responder role service is responsible for providing certificate revocation information to requestors.