The following abstract components provide the main functionality for certificate services. The Certificate Services protocols enable communication among these components, as shown in the diagram at the end of this section.
The following are additional requirements when the CA operates in enterprise CA mode:
The CA server is a member of the domain.
The CA server uses Active Directory service to store the policy, authentication, and other related information that is required.
Certificate transparency: An enrollment client can initiate certificate transparency processing on a certificate authority (CA) server. Certificate transparency is a scheme in which digital certificates issued by a CA server are also published to one or more public certificate transparency logs so that they are available for public monitoring. Certificates can be added to a certificate transparency log either before or after they are issued to clients; adding them before issuance requires the use of precertificates.
Policy server: Enrollment clients contact the policy server to obtain policy information, which consists of the types of certificates that the client can enroll for, which enrollment servers to contact to enroll for them, and what type of authentication to use for each service. The policy server can be an XCEP server or a domain controller. Direct enrollment clients always use the domain controller as the policy server; WSTEP enrollment clients use the XCEP server as the policy server.
Clients must first be configured with information about which policy server(s) to contact and how to authenticate to them. This information can be configured through either Group Policy or local configuration.
WSTEP server: Hosts the enrollment Web services and allows enrollment clients to enroll for certificates by using the WSTEP protocol.
CA admin clients: The clients from which administrators perform remote CA administration.
Domain controller: Enrollment clients and CA servers in enterprise mode depend primarily on Active Directory and optionally on a Group Policy server, as described earlier in this section.
The following diagram shows the functionality of the Certificate Services protocols in enterprise mode. The classification and purpose of the member protocols are described in section 2.2.
Figure 3: Certificate Services protocols functional architecture in enterprise mode