Do I need to purchase any license other than the operating system if I need to use AD CS (machine certificate life cycle and CRL)?

Anonymous
2024-03-27T13:51:54+00:00

Dear Microsoft Team,

I am writing to inquire about AD CS related licensing information and limitations.

I just wanted to understand AD CS more and would like to know more about the licensing requirements and options available. Specifically, I am interested in learning about any limitations or restrictions associated with the implementation of AD CS.

Additionally, I would like to inquire if AD CS supports generating machine certificates for Linux machines. I also want to know if the Certificate Revocation List (CRL) management feature is included in AD CS, and if it supports multi-PEM files containing multiple CRL objects and multiple CA certificates compliant with the X.509v3 format using PEM format.

Could you please provide me with information regarding the licenses required for the implementation of AD CS in DMZ, any limitations or restrictions associated with it, support for Linux machine certificates, and the Certificate Revocation List (CRL) management feature?

Thank you in advance for your time and assistance. I look forward to hearing back from you soon.

Best regards,

RK

Windows Server Identity and access Certificates and public key infrastructure (PKI)

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2024-03-28T08:27:27+00:00

    Hello,

    Regarding AD CS limitations:

    1. AD CS is specially designed for the Windows Server series operating systems and can only be deployed and run on computers running Windows Server.
    2. AD CS can run in standalone mode without an Active Directory environment, but its functionality and efficiency are significantly improved when integrated with AD. For example, AD combined with group policy can implement advanced functions such as automatic distribution of certificate templates, automatic certificate registration, and automatic certificate renewal.
    3. Deploying AD CS requires holding a corresponding Windows Server license, which can be a significant cost investment, especially for large-scale deployments or where advanced features (such as Datacenter edition) are required.

    If you want to know more about AD CS, you can refer to the following link: What is Active Directory Certificate Services? | Microsoft Learn

    AD CS does not directly support Linux computers by default, but you can use a third-party tool to generate and submit a certificate request to AD CS to obtain a certificate. Reference links: windows - How do I request a certificate from CEP / CES on a Microsoft CA on OSX or Linux? - Server Fault

    AD CS includes Certificate Revocation List (CRL) management capabilities. You can use the AD CS management console to create and publish CRLs.

    AD CS itself does not directly generate or manage multiple PEM files containing multiple CRL objects. It usually publishes a CRL file as a single CRL object and can support multiple CRL distribution points at the same time (each corresponding to a separate CRL file), which is not a built-in feature of AD CS.

    As for multiple CA certificates in X.509v3 format, AD CS certainly supports that. In an AD CS deployment, there may be one or more root CAs and intermediate CAs. Each CA will have its own certificates (PEM format or other formats) that comply with the X.509v3 standard.

    Implementing AD CS in the DMZ requires some additional configuration to ensure security. You can use the Jamf AD CS Connector to add AD CS as a PKI provider to Jamf Pro for distributing certificates. Reference links: Overview - Integrating with Active Directory Certificate Services (AD CS) Using Jamf Pro | Jamf

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
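
The multi-PEM bundle the question asks about (several CRL objects and CA certificates in one file), as an added example that is not part of the original answer and not Microsoft's code: a Python helper that wraps DER objects as PEM, splits a bundle back into its objects, and rejects blocks whose DER framing or label is wrong. It assumes the CA's published CRL and CA certificate files are DER-encoded; the sample objects are constructed placeholders, not real certificates or CRLs, and signatures are not verified.

```python
import base64
import re

# RFC 7468 textual encoding: BEGIN line, base64 body, matching END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_total_len(der):
    """Total size declared by the outer DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:        # certificates and CRLs are SEQUENCEs
        return None
    if der[1] < 0x80:                         # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                         # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def to_pem(label, der):
    """Wrap one DER object (e.g. a published CRL) in PEM armor, 64 chars per line."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def split_bundle(text):
    """Split a multi-PEM bundle into CA certs, CRLs and rejected blocks (framing only)."""
    out = {"certs": [], "crls": [], "rejected": []}
    for m in PEM_RE.finditer(text):
        label = m.group(1)
        try:
            der = base64.b64decode("".join(m.group(2).split()), validate=True)
        except ValueError:
            out["rejected"].append((label, "bad base64"))
            continue
        if der_total_len(der) != len(der):    # truncated or padded object
            out["rejected"].append((label, "DER length mismatch"))
        elif label == "CERTIFICATE":
            out["certs"].append(der)
        elif label == "X509 CRL":
            out["crls"].append(der)
        else:                                 # e.g. a key has no place in a trust bundle
            out["rejected"].append((label, "unexpected label"))
    return out

# Constructed placeholders: minimal DER SEQUENCEs, not real certificates or CRLs.
FAKE_CA = b"\x30\x03\x02\x01\x01"
FAKE_CRL = b"\x30\x81\x80" + b"\x00" * 128
SAMPLE = (to_pem("CERTIFICATE", FAKE_CA) + to_pem("X509 CRL", FAKE_CRL)
          + to_pem("X509 CRL", FAKE_CRL[:-1])    # truncated CRL
          + to_pem("PRIVATE KEY", FAKE_CA))      # wrong object type
```
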
  2. Anonymous
    2024-04-01T04:41:52+00:00

    Hi Yanhong Liu,

    Thank you for your response. Based on your feedback, I understand that an additional license beyond the operating license is not required. I did not find any information regarding limitations of AD CS in the link you provided. Do we have any limitations?

    Thank you,

    Raja
  3. Anonymous
    2024-04-01T07:10:05+00:00

    Hello,

    Good day!

    Make sure you deploy AD CS on Windows Server, and if you want to manage certificates more conveniently, you can integrate AD CS with AD.

    Best Regards,

    Yanhong Liu