Components of Active Directory Certificate Services
Today we will be seeing the different components of the Active Directory Certificate Services. Each of the components have a specific task to be done and they will be used under various different scenarios.
If you have ever installed the Active Directory Certificate Services role, then you must know that there are six different components that are available which are:
- Certificate Authority (CA): This is the core component which creates certificates for use. These certificates are issued to users or devices or to a subordinate CA.
- Online Responder: This component provides a way for certificates to be checked that is uses a small amount of network traffic.
- Network Device Enrollment Service: This component allows non-domain devices like switches and routers to obtain certificates.
- Certificate Enrollment Web Service: This allows certificates to be obtained using the web.
- Certificate Enrollment Policy Web Service: This component works with Certificate Enrollment Policy Web Service to provide certificates. It provides the policy that is used with Certificate Enrollment Web Service.
- Certification Authority Web Enrollment: This component provides a web interface which end users can use to obtain certificates.
Now let us look at each individual component into more detail.
Certificate Authority (CA)
The Certificate Authority is the mail component of the Certificate Services. You should also note that Active Directory Certificate Services is Microsoft’s way of implementing certificate services.
Certificate Authority creates and manages the certificates. The certificates that it creates can be used by the subordinate CA’s or by clients. So this makes the Certificate Authority as the Root CA.
You need to be very careful with the settings that you configure while installing a Root CA as this will become the standard for all the certificates that the subordinates or clients will use and it is very difficult to change them.
The settings used on a CA effect all certificates created below it. This is because certificates form a chain. In order for a certificate to be validated, all certificates in the chain need to be checked.
This component checks if a certificate is valid. The user or device using the certificate can send a query to the online responder and the online responder will send back a response either yes or no if the certificate is valid.
The advantage of having an Online Responder is that the response size is always the same. It acts as an agent between the client and the CA.
The other way of doing this through Certificate Revocation List (CRL). This is quite cumbersome as this list will contain all the certificates and the response time also is increased.
So ideally we would deploy the Online Responder where we do not want to deploy the CA.
Network Device Enrollment Services
This component will help us issue certificates to network devices like routers and switches. The network devices contact the component using the Simple Certificate Enrollment Protocol (SCEP) which n turn contacts the CA to issue the certificate.
Network Device Enrollment Services using this method can allocate certificates to devices on the network that are not domain members.
There are three components that all relate to Web Enrollment, or obtaining certificates via HTTP.
Certificate Enrollment Web Services: This component provides certificates using HTTP, however it does not provide a web page to obtain the certificate. HTTP is only used as the communication protocol to obtain the certificate.
Certificate Enrollment Policy Web Service: This component provides policy information to clients for use with the Certificate Enrollment Web service.
Certification Authority Web Enrollment: This provides a web page that a user can use to request a certificate. This is often used when 3rd parties require certificates. The 3rd party can use this web site to request a certificate and the administrator will need to at some stage approve this certificate to be created.