2.1 Overview

The following abstract components provide the main functionality for certificate services. The Certificate Services protocols enable communication among these components, as shown in the diagram at the end of this section.

Certificate authority (CA) server: The CA server can operate in one of two modes, as a stand-alone CA or as an enterprise certificate authority (enterprise CA).

The following are additional requirements when the CA operates in enterprise CA mode:

  • The CA server is a member of the domain.

  • The CA server uses Active Directory service to store the policy, authentication, and other related information that is required.

  • Optionally, the CA server depends on the Group Policy service as the configuration store for the policy server endpoints.

Certificate transparency: An enrollment client can initiate certificate transparency processing on a certificate authority (CA) server. Certificate transparency is a scheme in which digital certificates issued by a CA server are also published to one or more public certificate transparency logs so that issuance can be publicly monitored. Certificates can be added to a certificate transparency log either before or after they are issued to clients; logging before issuance requires the use of precertificates.
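The following Python model illustrates the certificate transparency scheme described above: a log that accepts either a precertificate (logged before issuance) or an already-issued certificate, returns a signed receipt for the submission, keeps an append-only Merkle tree so that inclusion can be proven, and a domain owner's monitor that reads the log and flags issuance by an unexpected CA. It is an added example, not AD CS code or any Microsoft implementation, and it simplifies real CT deliberately: HMAC stands in for the log's ECDSA signature, a "precert" flag stands in for the X.509 poison extension, and the inclusion proof carries explicit left/right direction flags instead of the index arithmetic used in RFC 6962. All certificates, names and keys are constructed.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes,
# so a leaf can never be passed off as a node (or vice versa) in a proof.
def _leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def _node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

@dataclass
class Cert:
    """Constructed stand-in for a certificate; tbs() plays the role of the DER bytes."""
    subject: str
    issuer: str
    serial: int
    precert: bool = False  # True: submitted before issuance (poison extension in real X.509)

    def tbs(self) -> bytes:
        kind = b"PRECERT" if self.precert else b"CERT"
        return b"|".join([kind, self.subject.encode(), self.issuer.encode(), str(self.serial).encode()])

@dataclass
class Log:
    key: bytes  # constructed log signing key; HMAC stands in for the log's ECDSA key
    entries: list = field(default_factory=list)

    def submit(self, cert: Cert) -> dict:
        """Append the (pre)certificate and return an SCT-like receipt the CA can embed or serve."""
        self.entries.append(cert.tbs())
        ts = int(time.time() * 1000)
        sig = hmac.new(self.key, cert.tbs() + ts.to_bytes(8, "big"), "sha256").hexdigest()
        return {"timestamp": ts, "signature": sig, "index": len(self.entries) - 1}

    def verify_sct(self, cert: Cert, sct: dict) -> bool:
        expected = hmac.new(self.key, cert.tbs() + sct["timestamp"].to_bytes(8, "big"), "sha256").hexdigest()
        return hmac.compare_digest(expected, sct["signature"])

    def _root(self, hashes: list) -> bytes:
        if not hashes:
            return hashlib.sha256(b"").digest()
        if len(hashes) == 1:
            return hashes[0]
        k = 1  # largest power of two strictly smaller than len(hashes), as in RFC 6962
        while k * 2 < len(hashes):
            k *= 2
        return _node_hash(self._root(hashes[:k]), self._root(hashes[k:]))

    def root(self) -> bytes:
        return self._root([_leaf_hash(e) for e in self.entries])

    def inclusion_proof(self, index: int) -> list:
        """Audit path from leaf to root as [(sibling_hash, sibling_is_left), ...]."""
        def path(m, hashes):
            if len(hashes) == 1:
                return []
            k = 1
            while k * 2 < len(hashes):
                k *= 2
            if m < k:
                return path(m, hashes[:k]) + [(self._root(hashes[k:]), False)]
            return path(m - k, hashes[k:]) + [(self._root(hashes[:k]), True)]
        return path(index, [_leaf_hash(e) for e in self.entries])

def verify_inclusion(entry: bytes, proof: list, root: bytes) -> bool:
    """Recompute the root from the entry and its audit path; True only if it matches."""
    h = _leaf_hash(entry)
    for sibling, sibling_is_left in proof:
        h = _node_hash(sibling, h) if sibling_is_left else _node_hash(h, sibling)
    return hmac.compare_digest(h, root)

def monitor(log: Log, domain: str, trusted_issuers: set) -> list:
    """Domain owner's monitor: list log entries naming the domain but issued by an unexpected CA."""
    alerts = []
    for i, e in enumerate(log.entries):
        kind, subject, issuer, serial = e.split(b"|")
        if subject.decode() == domain and issuer.decode() not in trusted_issuers:
            alerts.append((i, kind.decode(), issuer.decode(), int(serial)))
    return alerts

def demo() -> dict:
    log = Log(key=b"constructed-log-key")
    # Enterprise CA logs a precertificate before issuing the final certificate ...
    pre = Cert("app.corp.example", "Corp-Enterprise-CA", 1001, precert=True)
    sct = log.submit(pre)
    # ... and logs another certificate after it was already issued.
    log.submit(Cert("www.corp.example", "Corp-Enterprise-CA", 1002))
    # A certificate for the same domain from a CA the domain owner does not use.
    log.submit(Cert("app.corp.example", "Unknown-CA", 7))
    root = log.root()
    included = all(verify_inclusion(log.entries[i], log.inclusion_proof(i), root) for i in range(3))
    return {"sct_valid": log.verify_sct(pre, sct), "all_included": included,
            "alerts": monitor(log, "app.corp.example", {"Corp-Enterprise-CA"})}

if __name__ == "__main__":
    print(demo())
```

The monitor is the part that makes the scheme useful to a defender: because the log is append-only and every entry is provable against the published root, a domain owner who polls the log sees every certificate issued for their names, including ones issued by a CA they never authorized, whether it was logged as a precertificate or after issuance.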

Enrollment clients: Clients can enroll for certificates by using one of two methods: Direct enrollment and WSTEP enrollment. Enrollment clients can be of different types; see section 2.1.2.

Policy server: Enrollment clients contact the policy server to obtain the policy information, which consists of the types of certificates that they can enroll for, which enrollment servers to contact to enroll for them, and what type of authentication to use for each service. The policy server can be an XCEP server or a domain controller. Direct enrollment clients always use the domain controller as the policy server. WSTEP enrollment clients use the XCEP server as the policy server.

The clients must first be configured with information about which policy server(s) to contact and how to authenticate to them. This information can be configured through either Group Policy or local configuration.

XCEP server: Hosts the enrollment policy web services and allows the enrollment clients to retrieve the certificate enrollment policies (CEP) by using the XCEP protocol.

WSTEP server: Hosts the enrollment web services and allows the enrollment clients to enroll for certificates by using the WSTEP protocol.

CA admin clients: The clients from which administrators perform remote CA administration.

Domain controller: Enrollment clients and CA servers in enterprise mode primarily depend on Active Directory and optionally on the Group Policy service, as described earlier in this section.

The following diagram shows the functionality of the Certificate Services protocols in enterprise mode. The classification and purpose of the member protocols are described in section 2.2.

Figure 3: Certificate Services protocols functional architecture in enterprise mode