Enterprise certification authorities
You can install Certificate Services to create an enterprise certification authority (CA). Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and logging on to a Windows 2000 domain using a smart card.
An enterprise CA has the following features:
- An enterprise CA requires Active Directory.
- When you install an enterprise root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA.
- All certificate requests sent to the enterprise CA will be fulfilled or denied based on the policy and security permission set for the certificate type requested. Enterprise CAs never set a certificate request to pending; they immediately either issue the certificate or deny the request.
- Certificates can be issued for logging on to a Windows 2000 domain using smart cards.
- The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the CA will need to be delegated the proper security permissions to publish certificates in other domains. For more information about the exit module, see Policy and exit modules.
An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible due to the use of certificate templates:
- Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested.
- The certificate subject name is automatically generated.
- The policy module adds a predefined list of certificate extensions to the issued certificate from the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.
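One way to review the per-template security permission sets described above, as an added example that is not part of the original documentation: it assumes a domain-joined Windows host with read access to the Configuration partition, and uses the standard Certificate-Enrollment and Certificate-AutoEnrollment extended-right GUIDs that the CA evaluates against the template's ACL.

```powershell
# Added example (not from the original documentation): list which principals
# hold Enroll, AutoEnroll or Full Control on each certificate template in AD.
# Assumes a domain-joined host with read access to the Configuration partition.

# Well-known extended-right GUIDs checked by the CA against the template ACL.
$EnrollRight     = [guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$AllRights       = [guid]'00000000-0000-0000-0000-000000000000'   # ACE covers every extended right

function Get-TemplateEnrollmentAccess {
    # The templates live in the forest-wide Configuration naming context.
    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($template in $container.Children) {
        try {
            $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Orphaned SIDs cannot be translated to names; fall back to raw SIDs.
            $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        }
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $rights = [int]$rule.ActiveDirectoryRights
            $full   = ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0
            $ext    = ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            $enroll = $ext -and ($rule.ObjectType -eq $EnrollRight -or $rule.ObjectType -eq $AllRights)
            $auto   = $ext -and ($rule.ObjectType -eq $AutoEnrollRight -or $rule.ObjectType -eq $AllRights)
            if (-not ($full -or $enroll -or $auto)) { continue }
            [pscustomobject]@{
                Template    = [string]$template.Properties['cn'].Value
                Principal   = $rule.IdentityReference.Value
                Enroll      = $full -or $enroll
                AutoEnroll  = $full -or $auto
                FullControl = $full
                Inherited   = $rule.IsInherited
                # Extensions the policy module will copy into issued certificates.
                EKU         = (@($template.Properties['pKIExtendedKeyUsage'].Value) -join ';')
            }
        }
    }
}

Get-TemplateEnrollmentAccess | Sort-Object Template, Principal | Format-Table -AutoSize
```

Rows whose Principal is a broad group (for example Authenticated Users or Domain Users) with Enroll on a template carrying a sensitive EKU are the ones to review first, since the CA issues immediately to any authorized requester.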
To compare enterprise CAs with stand-alone CAs, see Stand-alone certification authorities. For more information about certificate templates, see Certificate templates. For general information about CAs, see Certification authorities.