One powerful administrative feature of Certificate Services is the ability to control and customize the behavior of the certification authority (CA) through the use of policy and exit modules.
Policy modules can determine whether a certificate request should be automatically approved, denied, or marked as pending. Exit modules provide an opportunity to perform post-processing after a certificate is issued, such as the publication of an issued certificate to Active Directory.
Certificate Services comes with one exit module (Certxds.dll) and one policy module (Certpdef.dll). The policy module includes two separate policies: enterprise and stand-alone. For information about the operational characteristics of a CA using enterprise policy versus a CA using stand-alone policy, see Enterprise certification authorities and Stand-alone certification authorities.
As a CA administrator, you can replace these default modules with your own custom policy and exit modules or third-party policy and exit modules. In addition, if you have upgraded to Windows 2000 Certificate Services from Certificate Server 1.0, you will have the option of using the policy module you have been using with Certificate Server 1.0. It will be listed as a legacy policy module when you look at the properties of the CA.
The policy module provided with Windows 2000 performs the following functions:
In Windows 2000, an enterprise CA always either issues a certificate or denies the request immediately; it never holds a request as pending. This policy setting cannot be changed for enterprise CAs. Because an enterprise CA uses Active Directory to establish the identity of the requester and to check whether the requester has the security permissions to enroll for the certificate type specified in the request, the CA itself decides whether the requester is authorized to receive the requested certificate.
In Windows 2000, a stand-alone CA can either issue a certificate automatically upon receiving a request or hold the request as pending. Because a stand-alone CA does not use Active Directory to verify the identity of requesters, a CA that issues automatically has no way to confirm who submitted a request before the certificate is issued. In most deployments, therefore, the administrator of a stand-alone CA should configure the CA to mark all incoming requests as pending, so that an administrator can verify the identity and validity of each requester before issuing.
Please note that this is not an exhaustive list of the functions of the policy module.
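The following PowerShell script is an added example and is not part of this help page or of Certificate Services itself. It audits a CA for the behavior described above: it reads which policy and exit modules are active and decodes the default policy module's request-disposition setting, then flags the risky case of a stand-alone CA that issues certificates automatically. The registry paths (HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules and \ExitModules, their Active values, and the RequestDisposition value under the active policy module's key), the RequestDisposition bit layout (low byte 0 = pending, 1 = issue, 2 = deny; 0x100 = always pend first) and the CAType codes (0 and 1 enterprise, 3 and 4 stand-alone) are assumptions taken from later Windows Server documentation and certsrv.h, not from this page; verify them against your CA before relying on the report.

```powershell
# Added example (not from the original help page): audit a CA's active
# policy/exit modules and the default policy module's request disposition.
# All registry paths, value names and numeric codes below are assumptions
# drawn from later Windows Server documentation and certsrv.h.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaRequestDispositionReport {
    param([Parameter(Mandatory = $true)][string]$CaName)

    $caKey = Join-Path -Path $cfgKey -ChildPath $CaName
    $ca    = Get-ItemProperty -Path $caKey

    # Assumed: PolicyModules\Active is a REG_SZ ProgID of the active policy
    # module; ExitModules\Active is a REG_MULTI_SZ list of exit module ProgIDs.
    $policyProgId = (Get-ItemProperty -Path "$caKey\PolicyModules").Active
    $exitProgIds  = (Get-ItemProperty -Path "$caKey\ExitModules").Active

    # Assumed: RequestDisposition is stored under the active policy module's key.
    $disp = (Get-ItemProperty -Path "$caKey\PolicyModules\$policyProgId").RequestDisposition

    # Assumed constants from certsrv.h: low byte 0 = pending, 1 = issue,
    # 2 = deny; bit 0x100 (REQDISP_PENDINGFIRST) forces every request to pending.
    $base         = $disp -band 0xFF
    $pendingFirst = ($disp -band 0x100) -ne 0
    $effective    = if ($pendingFirst -or $base -eq 0) { 'Pending' }
                    elseif ($base -eq 1)               { 'Issue' }
                    elseif ($base -eq 2)               { 'Deny' }
                    else                               { "Unknown (0x{0:X})" -f $disp }

    # Assumed CAType codes: 0/1 = enterprise root/subordinate,
    # 3/4 = stand-alone root/subordinate.
    $isStandalone = @(3, 4) -contains $ca.CAType

    # The check a practitioner wants: a stand-alone CA that auto-issues cannot
    # verify requester identity, since it does not consult Active Directory.
    $warning = $null
    if ($isStandalone -and $effective -eq 'Issue') {
        $warning = 'Stand-alone CA issues automatically; requester identity is not verified before issuance.'
    }

    [pscustomobject]@{
        CA                 = $CaName
        CAType             = $ca.CAType
        PolicyModule       = $policyProgId
        ExitModules        = ($exitProgIds -join ', ')
        RequestDisposition = ('0x{0:X}' -f $disp)
        EffectiveBehavior  = $effective
        Warning            = $warning
    }
}

# Usage: report on the active CA on this machine (assumed: Configuration\Active
# holds the active CA name). Run in an elevated session on the CA server.
$activeCa = (Get-ItemProperty -Path $cfgKey).Active
Get-CaRequestDispositionReport -CaName $activeCa | Format-List
```

If the report shows EffectiveBehavior of Issue on a stand-alone CA, change the disposition so requests are held for review (for example with certutil -setreg policy\RequestDisposition +0x100, an assumed command form) and restart the Certificate Services service; the new setting is read only when the policy module is loaded.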
The exit module provided with Windows 2000 performs the following functions:
Please note that this is not an exhaustive list of the functions of the exit module.
To configure the settings of the default policy and exit modules, see Configuring the policy and exit modules.

Customizing Certificate Services policy and exit modules
Programmable interfaces are included in Certificate Services for developers to create customized policy modules. For more information, refer to the Microsoft Platform Software Development Kit.
If you have created a customized policy module using the guidelines in the Microsoft Platform Software Development Kit, see Select a different policy module to change the policy module.
If you have created a customized exit module using the guidelines in the Microsoft Platform Software Development Kit, see Select a different exit module to change the exit module.