Historical Content Alert

This is historical content for the Windows 2000 product and is presented for informative purposes only. All content on this page is copyrighted and owned by Microsoft.

Policy and exit modules

One powerful administrative feature of Certificate Services is the ability to control and customize the behavior of the certification authority (CA) through the use of policy and exit modules.

Policy modules can determine whether a certificate request should be automatically approved, denied, or marked as pending. Exit modules provide an opportunity to perform post-processing after a certificate is issued, such as the publication of an issued certificate to Active Directory.

Certificate Services comes with one exit module (Certxds.dll) and one policy module (Certpdef.dll). The policy module includes two separate policies: enterprise and stand-alone. For information about the operational characteristics of a CA using enterprise policy versus a CA using stand-alone policy, see Enterprise certification authorities and Stand-alone certification authorities.

As a CA administrator, you can replace these default modules with your own custom policy and exit modules or third-party policy and exit modules. In addition, if you have upgraded to Windows 2000 Certificate Services from Certificate Server 1.0, you will have the option of using the policy module you have been using with Certificate Server 1.0. It will be listed as a legacy policy module when you look at the properties of the CA.

The policy module provided with Windows 2000 performs the following functions:

  • Adds certificate revocation list distribution points (CDP) to a certificate being issued. The certificate revocation list (CRL) distribution point is an optional extension in an X.509v3 certificate that is a directory entry or other distribution source for certificate revocation lists. A verifier of a certificate, such as a secure Web site, can use the CRL distribution point address, contained in a certificate, to retrieve a current copy of the issuing CA's CRL in order to ensure that the certificate being presented has not been revoked by the CA.
  • Adds authority information access points to a certificate being issued. The authority information access point is an optional extension in an X.509v3 certificate. It serves as a directory entry or other distribution source for the certificate of the certification authority.
  • Determines the default action of a certification authority upon receiving a certificate request. Upon receiving a certificate request, a certification authority can either automatically issue a certificate or hold it as pending until an administrator reviews the request.

    In Windows 2000, an enterprise CA will always immediately either issue a certificate or deny a request. This policy setting cannot be changed for enterprise CAs. Because enterprise certification authorities use Active Directory to determine the identity of the requester and to determine whether the requester has the security permissions to request a certificate of the type that they specify, the CA automatically determines whether a requester is authorized to receive the certificate requested.

    In Windows 2000, a stand-alone certification authority can either issue a certificate automatically upon receiving a request or hold the request as pending. In the majority of instances, the administrator of a stand-alone CA will want to have all incoming certificate requests set to pending. Otherwise, because the stand-alone CA does not verify the identity of requesters via Active Directory, there is no way to verify the identity and validity of the certificate requester.

Please note that this is not an exhaustive list of the functions of the policy module.
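The CDP and authority information access extensions described above are what a relying party reads to find the CRL and the issuing CA's certificate. The following Python is an added example, not code from the Windows 2000 documentation: a minimal DER walker that extracts those URLs from an X.509v3 Extensions sequence. The extension bytes are constructed inline and every URL is a placeholder.

```python
# Added example, not code from the Windows 2000 documentation: a minimal DER walker that pulls the
# CDP and AIA caIssuers URLs out of the X.509v3 extensions the default policy module adds.
OID_CDP, OID_AIA, OID_CA_ISSUERS = "2.5.29.31", "1.3.6.1.5.5.7.1.1", "1.3.6.1.5.5.7.48.2"

def iter_tlvs(buf):                              # yield (tag, value) for each DER element in buf
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long form: low 7 bits count the length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(content):                         # OID content octets -> dotted string
    arcs, acc = [content[0] // 40, content[0] % 40], 0   # first octet packs two arcs
    for b in content[1:]:                        # base-128; high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def uris_in(body):                               # yield every GeneralName URI ([6] IA5String), any depth
    for tag, value in iter_tlvs(body):
        if tag == 0x86:                          # context tag [6], primitive
            yield value.decode("ascii")
        elif tag & 0x20:                         # constructed ([0] fullName, SEQUENCE): descend
            yield from uris_in(value)

def revocation_pointers(extensions_der):         # Extensions SEQUENCE -> CRL URLs and CA-cert URLs
    out = {"cdp": [], "ca_issuers": []}
    for _, ext in iter_tlvs(next(iter_tlvs(extensions_der))[1]):   # children of the outer SEQUENCE
        oid_octets, *_, body = (v for _, v in iter_tlvs(ext))       # extnID, [critical], extnValue
        if decode_oid(oid_octets) == OID_CDP:
            out["cdp"] += uris_in(body)
        elif decode_oid(oid_octets) == OID_AIA:  # SEQUENCE OF { accessMethod OID, accessLocation }
            for _, desc in iter_tlvs(next(iter_tlvs(body))[1]):
                (_, method), (loc_tag, loc) = iter_tlvs(desc)
                if decode_oid(method) == OID_CA_ISSUERS and loc_tag == 0x86:
                    out["ca_issuers"].append(loc.decode("ascii"))
    return out

def tlv(tag, content):                           # DER encoder (lengths < 256), for the sample only
    n = len(content)
    return bytes([tag, n] if n < 128 else [tag, 0x81, n]) + content
def ext(oid_hex, body):                          # Extension { extnID, extnValue OCTET STRING }
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x04, body))
# Constructed sample: one DistributionPoint with HTTP and LDAP names, plus one AIA caIssuers entry.
SAMPLE_EXTENSIONS = tlv(0x30, ext("551d1f", tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0,
    tlv(0x86, b"http://ca.example.com/RootCA.crl") + tlv(0x86, b"ldap://dc1.example.com/cn=RootCA"))))))
    + ext("2b06010505070101", tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505073002"))
    + tlv(0x86, b"http://ca.example.com/RootCA.crt")))))
```

Calling `revocation_pointers(SAMPLE_EXTENSIONS)` returns the two CRL locations under `cdp` and the CA certificate location under `ca_issuers`; the same function works on the extensions sequence of a real DER certificate, since the outer sequence of a real certificate uses the long-form length the walker also handles.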

The exit module provided with Windows 2000 performs the following functions:

  • Allows certificate publication to Active Directory. If the certificate request specifies a location to publish the certificate in Active Directory, the exit module will do so.
  • Allows certificate publication to the file system. If the certificate request specifies a location to publish the certificate in the file system, the exit module will do so.
  • Publishes certificate revocation lists to specified URLs. The exit module determines where the CA publishes the certificate revocation list.

Please note that this is not an exhaustive list of the functions of the exit module.

To configure the settings of the default policy and exit modules, see Configuring the policy and exit modules.

Customizing Certificate Services policy and exit modules

Programmable interfaces are included in Certificate Services for developers to create customized policy modules. For more information, refer to the Microsoft Platform Software Development Kit.

If you have created a customized policy module using the guidelines in the Microsoft Platform Software Development Kit, see Select a different policy module to change the policy module.

If you have created a customized exit module using the guidelines in the Microsoft Platform Software Development Kit, see Select a different exit module to change the exit module.
