The Enterprise PKI snap-in is used to ensure that all of the following elements in a public key infrastructure (PKI) are functioning properly, available, and valid:
- Certification authorities (CAs). A CA accepts a certificate request, verifies the requester's information according to the policy of the CA, and then uses its private key to sign the certificate. The CA then issues the certificate to the subject of the certificate for use as a security credential within a PKI. A CA is also responsible for revoking certificates and publishing a certificate revocation list (CRL).
- CA certificates. A CA certificate is a certificate issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs. A certificate that is issued by a CA to itself is referred to as a trusted root certificate. CA certificates are critical to defining the certificate path and usage restrictions for all end-entity certificates issued for use in the PKI.
- Authority information access locations. Authority information access locations are URLs that are added to a certificate in its authority information access extension. These URLs can be used by an application or service to retrieve the issuing CA certificate. These CA certificates are then used to validate the certificate signature and to build a path to a trusted certificate.
- CRLs. CRLs are complete, digitally signed lists of unexpired certificates that have been revoked. A CRL is retrieved by clients, which can then cache it (based on the configured lifetime of the CRL) and use it to verify certificates presented for use.
- CRL distribution points. CRL distribution points are locations, typically URLs, that are added to a certificate in its CRL distribution point extension. CRL distribution points can be used by an application or service to retrieve a CRL. CRL distribution points are contacted when an application or service must determine whether a certificate has been revoked before its validity period has expired.
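The checks the Enterprise PKI snap-in performs on these elements can also be scripted. The following PowerShell script is an added example, not code from the original page or from Microsoft: it reads the authority information access and CRL distribution point URLs out of a certificate file, fetches each HTTP location, and, for a CRL, reports its NextUpdate so a stale or unreachable CRL stands out. It assumes Windows PowerShell 5.1 or later, a certificate path supplied as `-CertificatePath`, and certutil's English "NextUpdate:" output line; the function names `Get-ExtensionUrls` and `Test-PkiUrl` are this example's own.

```powershell
# Added example: check AIA and CDP locations of a certificate the way the
# Enterprise PKI snap-in does (reachability plus CRL freshness).
param(
    [Parameter(Mandatory = $true)]
    [string]$CertificatePath   # assumption: path to a DER or Base64 .cer file
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)

# Extension OIDs from RFC 5280: AIA = 1.3.6.1.5.5.7.1.1, CRL Distribution Points = 2.5.29.31
$extensionOids = [ordered]@{ '1.3.6.1.5.5.7.1.1' = 'AIA'; '2.5.29.31' = 'CDP' }

function Get-ExtensionUrls {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Oid
    )
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text containing "URL=http://..." entries
    $text = $ext.Format($true)
    [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
}

function Test-PkiUrl {
    param([string]$Kind, [string]$Url)
    $result = [ordered]@{ Kind = $Kind; Url = $Url; Status = 'Unknown'; NextUpdate = $null }

    if ($Url -notmatch '^https?://') {
        # LDAP and file locations need a domain-joined client; not checked here
        $result.Status = 'Skipped (non-HTTP location)'
        return [pscustomobject]$result
    }

    $tmp = Join-Path $env:TEMP ("pkicheck-" + [guid]::NewGuid() + ".bin")
    try {
        $response = Invoke-WebRequest -Uri $Url -OutFile $tmp -PassThru -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $size = (Get-Item $tmp).Length
        $result.Status = "OK (HTTP $($response.StatusCode), $size bytes)"

        if ($Kind -eq 'CDP') {
            # certutil -dump prints the CRL's NextUpdate; a past date means clients
            # will reject the CRL and revocation checking will fail
            $dump = certutil -dump $tmp 2>$null
            $line = $dump | Where-Object { $_ -match 'NextUpdate:\s*(.+)$' } | Select-Object -First 1
            if ($line -and $line -match 'NextUpdate:\s*(.+)$') {
                $result.NextUpdate = $Matches[1].Trim()
                $parsed = [datetime]::MinValue
                if ([datetime]::TryParse($result.NextUpdate, [ref]$parsed) -and $parsed -lt (Get-Date)) {
                    $result.Status = "STALE CRL (NextUpdate $($result.NextUpdate) is in the past)"
                }
            }
        }
    } catch {
        $result.Status = "FAILED: $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}

$checks = foreach ($oid in $extensionOids.Keys) {
    foreach ($url in (Get-ExtensionUrls -Certificate $cert -Oid $oid)) {
        Test-PkiUrl -Kind $extensionOids[$oid] -Url $url
    }
}
$checks | Format-Table -AutoSize
```

Run it against a CA certificate (`.\Check-PkiUrls.ps1 -CertificatePath .\issuing-ca.cer`) from the network position of the clients that will validate certificates; a location that is reachable from the CA host but not from clients is exactly the failure the snap-in is meant to surface.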
The Certification Authority snap-in allows an administrator to monitor and manage these PKI elements for a single CA. However, a separate instance of the snap-in is needed for each CA when more than one CA is involved. In addition, the Certification Authority snap-in cannot be used to integrate non-Microsoft CAs into the infrastructure and cannot be used to conveniently manage the authority information access locations and CRL distribution point stores. The Enterprise PKI snap-in addresses these limitations from a single snap-in.
For more information about how CAs, CA certificates, authority information access locations, CRL distribution points, and CRLs work together to create a public key trust hierarchy, see How Certificate Services Works (http://go.microsoft.com/fwlink/?LinkID=88045).
Additional references
- Enterprise PKI Overview
- Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkID=48545)