Enterprise PKI Concepts

Applies To: Windows Server 2008 R2

The Enterprise PKI snap-in is used to ensure that all of the following elements in a public key infrastructure (PKI) are functioning properly, available, and valid:

  • Certification authorities (CAs). A CA accepts a certificate request, verifies the requester's information according to the policy of the CA, and then uses its private key to sign the certificate. The CA then issues the certificate to the subject of the certificate for use as a security credential within a PKI. A CA is also responsible for revoking certificates and publishing a certificate revocation list (CRL).

  • CA certificates. A CA certificate is a certificate issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs. A certificate that is issued by a CA to itself is referred to as a trusted root certificate. CA certificates are critical to defining the certificate path and usage restrictions for all end-entity certificates issued for use in the PKI.

  • Authority information access locations. Authority information access locations are URLs that are added to a certificate in its authority information access extension. These URLs can be used by an application or service to retrieve the issuing CA certificate. These CA certificates are then used to validate the certificate signature and to build a path to a trusted certificate.

  • CRLs. CRLs are complete, digitally signed lists of unexpired certificates that have been revoked. A CRL is retrieved by clients, which can then cache it (for the configured lifetime of the CRL) and use it to verify certificates presented for use.

  • CRL distribution points. CRL distribution points are locations, typically URLs, that are added to a certificate in its CRL distribution point extension. CRL distribution points can be used by an application or service to retrieve a CRL. CRL distribution points are contacted when an application or service must determine whether a certificate has been revoked before its validity period has expired.

The Certification Authority snap-in allows an administrator to monitor and manage these PKI elements for a single CA. However, a separate instance of that snap-in is needed for each CA if more than one CA is involved. In addition, the Certification Authority snap-in cannot be used to integrate non-Microsoft CAs into the infrastructure, and it offers no convenient way to manage the authority information access locations and CRL distribution point stores. The Enterprise PKI snap-in therefore addresses these limitations from a single snap-in.
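To make the relationships between these elements concrete, the following is an added example (not from this page or from Microsoft) that builds them in memory with Go's standard library (Go 1.19 or later): a self-signed root CA, an end-entity certificate whose authority information access and CRL distribution point extensions carry hypothetical URLs under pki.example.test, and a CA-signed CRL that revokes it; it then runs the checks a validator performs on that certificate. All names, URLs, and serial numbers are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// BuildPKI returns constructed test data: a self-signed root CA, an end-entity certificate that carries
// hypothetical AIA and CDP URLs, and a CRL signed by the CA that revokes that end-entity certificate.
func BuildPKI() (ca, leaf *x509.Certificate, crlDER []byte) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // a CA signs both certificates and CRLs
	// Issued to itself: the trusted root. Parsing it back fills in the generated SubjectKeyId the CRL needs.
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "server.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IssuingCertificateURL: []string{"http://pki.example.test/aia/root.crt"}, // authority information access
		CRLDistributionPoints: []string{"http://pki.example.test/cdp/root.crl"}} // CRL distribution point
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour), // CRL lifetime
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, ca, caKey))
	return ca, leaf, crlDER
}

// CheckCertificate performs offline what a validator (and the snap-in) checks for one certificate: the path
// to a trusted root builds, and the issuer's CRL is signed by that issuer, still current, and then consulted.
func CheckCertificate(root, leaf *x509.Certificate, crlDER []byte) (revoked bool, err error) {
	roots := x509.NewCertPool(); roots.AddCert(root)
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil { return false, fmt.Errorf("path: %w", err) }
	crl, err := x509.ParseRevocationList(crlDER); if err != nil { return false, err }
	if err = crl.CheckSignatureFrom(root); err != nil { return false, fmt.Errorf("CRL signature: %w", err) }
	if time.Now().After(crl.NextUpdate) { return false, fmt.Errorf("CRL stale since %s", crl.NextUpdate) }
	for _, rc := range crl.RevokedCertificates { // an entry with the leaf's serial number means revoked
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 { return true, nil }
	}
	return false, nil
}
```

Fed a root fetched from a real certificate's AIA location and a CRL fetched from its CDP, CheckCertificate reproduces by hand the path and revocation checks the snap-in reports.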

For more information about how CAs, CA certificates, authority information access locations, CRL distribution points, and CRLs work together to create a public key trust hierarchy, see How Certificate Services Works (https://go.microsoft.com/fwlink/?LinkID=88045).

Additional references