Enterprise certification authorities (CAs) publish certificates, certificate revocation lists (CRLs), and other data to Active Directory containers. The Enterprise PKI snap-in can be used to browse and manage objects in those containers.
The Active Directory containers that can be managed with the Enterprise PKI snap-in are:
- NTAuthCertificates. Contains all of the CA certificates in the current forest. Certificates are added automatically when a new CA is installed by a member of the Enterprise Admins group. Certificates can also be added manually by using the Manage AD Containers dialog box.
- AIA. Contains CA certificates that can be retrieved by clients using the authority information access (AIA) certificate extension to build a valid certificate chain and to retrieve any cross-certificates issued by the CA.
- CDP. Contains all base CRLs and delta CRLs published in the forest.
- KRA. Contains the certificates for key recovery agents for the forest. Key recovery agents must be configured to support key archival and recovery. Key recovery agent certificates can be added to this container automatically by enrolling with an enterprise CA. The key recovery agent certificates cannot be added manually by using the Manage AD Containers dialog box.
- Certification Authorities. Contains the certificates for trusted root CAs in the forest. Root CA certificates are added automatically when a member of Enterprise Admins sets up an enterprise root CA or stand-alone root CA that is joined to the domain. Root CA certificates can also be added manually from the command prompt but not through the Manage AD Containers dialog box.
- Enrollment Services. Contains the certificates for enterprise CAs that are available to issue certificates to users, computers, or services in the forest. Enterprise CA certificates can only be added to this container by a member of Enterprise Admins who installs an enterprise CA. The certificates cannot be added manually by using the Manage AD Containers dialog box.
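Because these containers define which CAs the forest trusts, it is worth auditing their contents outside the snap-in. The following PowerShell script is an added example, not part of the original page or a Microsoft tool: it reads the containers under CN=Public Key Services in the Configuration naming context through ADSI (no RSAT module needed), decodes every published certificate, and flags expired entries and NTAuthCertificates entries that do not correspond to a CA listed in Enrollment Services. The container names are the ones listed above; the attribute names cACertificate and userCertificate and the Public Key Services path are assumed from the AD schema.

```powershell
# Added example (not from the original page): inventory the CA certificates
# published in the forest's Public Key Services containers via plain ADSI.
$rootDse = [ADSI]"LDAP://RootDSE"
$pkiBase = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"

function Get-PublishedCaCerts {
    # Returns one record per DER certificate found in $Container. The certificate
    # attribute is cACertificate for CA objects and userCertificate for KRA objects.
    param([string]$Container, [string]$Attribute = 'cACertificate')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $searcher.Filter      = "($Attribute=*)"
    $searcher.SearchScope = 'Subtree'   # the container object itself plus its children
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', $Attribute))
    foreach ($result in $searcher.FindAll()) {
        # DirectorySearcher returns property names in lower case
        foreach ($der in $result.Properties[$Attribute.ToLower()]) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
            [pscustomobject]@{
                Container  = $Container
                Object     = $result.Properties['cn'][0]
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Expired    = $cert.NotAfter -lt (Get-Date)
            }
        }
    }
}

# Collect everything the snap-in would show, container by container.
$audit = @(foreach ($c in 'NTAuthCertificates', 'Certification Authorities', 'AIA', 'Enrollment Services') {
    Get-PublishedCaCerts -Container $c
})
$audit += Get-PublishedCaCerts -Container 'KRA' -Attribute 'userCertificate'
$audit | Sort-Object Container, Subject | Format-Table -AutoSize

# Check 1: expired certificates still published (stale entries that should be cleaned up).
$audit | Where-Object Expired | Format-Table Container, Subject, NotAfter -AutoSize

# Check 2: NTAuthCertificates entries with no matching enterprise CA in Enrollment Services.
# NTAuth entries are trusted for logon-type certificates, so an unexplained one needs review.
$enrollment = $audit | Where-Object Container -eq 'Enrollment Services' | Select-Object -ExpandProperty Thumbprint
$audit | Where-Object { $_.Container -eq 'NTAuthCertificates' -and $_.Thumbprint -notin $enrollment } |
    Format-Table Subject, Thumbprint -AutoSize
```

Run it as a domain user with read access to the Configuration partition; compare the thumbprints against your change records, since the page notes that NTAuthCertificates and Certification Authorities can also be populated manually.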