Active Directory Certificate Services Overview

Applies To: Windows Server 2008

Active Directory Certificate Services (AD CS) role services can be set up on servers running a variety of operating systems, including Windows Server® 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment. Although you can deploy AD CS with a single server for a single certification authority (CA), deployments can involve multiple servers configured as root, policy, and issuing CAs, and other servers configured as Online Responders.

Note

AD CS is not available on Server Core installations of Windows Server 2008 or Windows Server 2008 for Itanium-Based Systems. A limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows Server 2008 for Itanium-Based Systems.

The following table lists the AD CS components that can be configured on different editions of Windows Server 2008.

Components                                       Web Edition   Standard Edition   Enterprise Edition   Datacenter Edition
-----------------------------------------------  ------------  -----------------  -------------------  -------------------
CA                                               No            Yes                Yes                  Yes
Network Device Enrollment Service                No            No                 Yes                  Yes
Online Responder service                         No            No                 Yes                  Yes
Certification Authority Web Enrollment Support   No            Yes                Yes                  Yes

The following features are available on servers running Windows Server 2008 that have been configured as CAs.

AD CS Features                                              Web Edition   Standard Edition   Enterprise Edition   Datacenter Edition
----------------------------------------------------------  ------------  -----------------  -------------------  -------------------
Customizable version 2 and version 3 certificate templates  No            No                 Yes                  Yes
Key archival                                                No            No                 Yes                  Yes
Role separation                                             No            No                 Yes                  Yes
Certificate manager restrictions                            No            No                 Yes                  Yes
Delegated enrollment agent restrictions                     No            No                 Yes                  Yes

Customizing AD CS

AD CS includes programmable interfaces so that developers can create support for additional transports, policies, and certificate properties and formats. For information about customizing AD CS, see Certificate Services Architecture (https://go.microsoft.com/fwlink/?LinkId=91405).

Managing AD CS

The following Microsoft Management Console (MMC) snap-ins can be used to manage AD CS:

  • Certification Authority. The primary tool for managing a CA, certificate revocation, and certificate enrollment.

  • Certificate Templates. Used to duplicate and configure certificate templates for publication to Active Directory Domain Services (AD DS) and for use with enterprise CAs.

  • Online Responder. Used to configure and manage Online Certificate Status Protocol (OCSP) responders.

  • Enterprise PKI. Used to monitor multiple CAs, certificate revocation lists (CRLs), and authority information access locations, and to manage AD CS objects that are published to AD DS.

  • Certificates. Used to view and manage certificate stores for a computer, user, or service.
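The MMC snap-ins above are interactive; for a scripted check of one of the Enterprise/Datacenter-only hardening features in the feature table, role separation, the following PowerShell is an added example that is not part of the original page. It assumes it runs on the CA itself (or with the CA's configuration registry readable) and relies only on certutil, which ships with AD CS.

```powershell
# Added example: report whether role separation is enabled on this CA.
# Role separation (Enterprise and Datacenter editions only) prevents one
# account from holding both the CA administrator and certificate manager
# roles, so a single compromised account cannot both change CA policy and
# issue certificates. Assumes certutil.exe is on the PATH (it is on any CA).

function Get-RoleSeparationState {
    # certutil -getreg prints a line such as:
    #   RoleSeparationEnabled REG_DWORD = 1
    # If the value was never set, certutil reports an error instead; we
    # treat that as "not enabled", which is the CA's default.
    $output = & certutil.exe -getreg 'CA\RoleSeparationEnabled' 2>&1 | Out-String
    if ($output -match 'RoleSeparationEnabled\s+REG_DWORD\s*=\s*(\d+)') {
        return ([int]$Matches[1] -eq 1)
    }
    return $false
}

function Get-CAName {
    # certutil -getconfig prints 'Config String: "<host>\<CA name>"'.
    $output = & certutil.exe -getconfig 2>&1 | Out-String
    if ($output -match 'Config String:\s*"([^"]+)"') {
        return $Matches[1]
    }
    return '<unknown>'
}

$ca = Get-CAName
if (Get-RoleSeparationState) {
    Write-Output "$ca : role separation is ENABLED"
} else {
    # Either the CA runs an edition where the feature is unavailable
    # (Web/Standard) or nobody has turned it on; both are worth noting
    # when reviewing who can administer the CA versus who can issue.
    Write-Output "$ca : role separation is NOT enabled"
}
```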

Additional references