Enterprise certification authorities (CAs) can issue certificates for purposes such as digital signatures, secure e-mail by using S/MIME (Secure/Multipurpose Internet Mail Extensions), authentication to a secure Web server by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and logging on to a domain by using a smart card. Because every domain member is configured to trust an enterprise CA, its signing key and its enrollment policy act as a domain-wide trust anchor and should be protected accordingly.
An enterprise CA has the following characteristics:
- Requires access to Active Directory Domain Services (AD DS).
- Uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. Any certificate the CA issues is therefore trusted by every domain member without further configuration.
- Publishes user certificates and certificate revocation lists (CRLs) to AD DS. In order to publish certificates to AD DS, the server that the CA is installed on must be a member of the Certificate Publishers (Cert Publishers) group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains.
Note: You must be a member of the Domain Admins group or be an administrator with Write access to AD DS to install an enterprise root CA.
An enterprise CA issues certificates based on a certificate template. The following functionality is possible when you use certificate templates:
- Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in AD DS that determines whether the certificate requester is authorized to receive the type of certificate they have requested. Because the CA issues to anyone who passes this check, the Enroll permission on a template should be granted only to the principals that actually need that certificate type.
- The certificate subject name can be generated automatically from the information in AD DS or supplied explicitly by the requester. When the template lets the requester supply the subject, the CA does not verify that the name matches the requesting account, so the template's enrollment permissions (and, where configured, CA manager approval) are the only controls on what name ends up in the certificate.
- The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.
- Autoenrollment can be used to issue certificates. A principal must hold both the Enroll and the Autoenroll permissions on the template for certificates to be issued to it automatically.
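The template permission checks described above are the control that decides who can obtain each certificate type, so they are worth auditing rather than assuming. The following PowerShell script is an added example, not code from the original article or from Microsoft: it reads every certificate template published in the AD DS Configuration partition and reports which principals hold the Enroll or Autoenroll extended rights, whether the requester may supply the subject name, and whether issuance is held for CA manager approval. The extended-right GUIDs and flag bits are the ones defined in the AD schema; the list of "broad" principals and the name of the reporting function are assumptions for this example, and the script assumes a domain-joined host with the ActiveDirectory module (RSAT) installed.

```powershell
# Added example (not from the original article): audit the certificate templates an
# enterprise CA can issue from, as published in AD DS. For each template, report who
# holds Enroll / Autoenroll, whether the requester supplies the subject name, and
# whether issuance waits for CA manager approval.
# Assumptions: domain-joined host with the ActiveDirectory PowerShell module (RSAT);
# the caller can read the Configuration partition (authenticated users can by default).
Import-Module ActiveDirectory

# Extended-right GUIDs defined in the AD schema
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# Template flag bits
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester supplies subject
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: hold for CA manager approval

# Principals that effectively mean "everyone in the domain". This list is an assumption
# for the example; extend it to match the groups used in your environment.
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

$GenericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-TemplateEnrollmentReport {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'nTSecurityDescriptor' |
    ForEach-Object {
        $t           = $_
        $nameFlags   = [int]$t.'msPKI-Certificate-Name-Flag'
        $enrollFlags = [int]$t.'msPKI-Enrollment-Flag'

        # Allow ACEs that confer Enroll or Autoenroll: the specific extended right,
        # "all extended rights" (empty ObjectType GUID), or GenericAll on the template.
        $enrollers = foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.ActiveDirectoryRights
            $isAll  = ($rights -band $GenericAll) -eq $GenericAll
            $isExt  = ($rights -band $ExtendedRight) -ne 0
            $match  = $ace.ObjectType -in @($EnrollGuid, $AutoEnrollGuid, [guid]::Empty)
            if ($isAll -or ($isExt -and $match)) { $ace.IdentityReference.Value }
        }
        $enrollers = $enrollers | Sort-Object -Unique
        # Strip the "DOMAIN\" prefix and match against the broad-principal list
        $broad = $enrollers | Where-Object { $BroadPrincipals -contains $_.Split('\')[-1] }

        $suppliesSubject = [bool]($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        $managerApproval = [bool]($enrollFlags -band $CT_FLAG_PEND_ALL_REQUESTS)

        [pscustomobject]@{
            Template                 = $t.Name
            EnrollPrincipals         = ($enrollers -join '; ')
            RequesterSuppliesSubject = $suppliesSubject
            ManagerApproval          = $managerApproval
            # Requester-supplied subject + broad enroll rights + no approval step means
            # the template ACL alone decides who can get a certificate for any name.
            ReviewNeeded             = [bool]($suppliesSubject -and $broad -and -not $managerApproval)
        }
    }
}

Get-TemplateEnrollmentReport | Sort-Object ReviewNeeded -Descending |
    Format-Table Template, RequesterSuppliesSubject, ManagerApproval, ReviewNeeded, EnrollPrincipals -AutoSize
```

Templates flagged ReviewNeeded are the ones where the three properties discussed above combine: the requester chooses the subject, a broad group can enroll, and nothing pauses issuance for a human check. The fix is on the template itself: narrow the Enroll (and Autoenroll) permissions to the intended principals, have the CA build the subject from AD DS instead of the request, or require CA manager approval.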