AD CS role services
Certification Authority: The Certification Authority role service is the primary role service in a PKI.Your root CAs and intermediate CAs run this role service and issue certificate to users and devices.
Certificate Enrollment Policy Web Service:Provides certificate enrollment policy information to users and computers.
Certificate Enrollment Web Service:Enables users and computers to obtain certificates through a web browser. This is useful when a computer is not part of the Active Directory domain. By combining this role service with the Certificate Enrollment Policy Web Service, you can enable automatic certificate enrollment for users and computers.
The Certification Authority Web Enrollment role service: Provides a web-based method for users to request certificates. Without it, users can use the Certificates MMC or command-line tools to request certificates.
The Network Device Enrollment Service (NDES): Enables routers, switches, and other network devices to obtain certificates, even without having an associated user account.
Online Responder: The Online Responder role service is responsible for providing certificate revocation information to requestors.