1.3 Overview

The Certificate Services Remote Administration Protocol consists of a set of DCOM interfaces, as specified in [MS-DCOM], that allow administrative tools to configure the state and policy of a CA on a server. The administrative tools can perform such functions as getting or setting properties on a CA, retrieving data, revoking certificates, or retrieving escrowed private keys from a CA.

The following figure reflects only CA administration, not the normal operation of the CA. The protocol for the normal operation of the Microsoft CA is specified in [MS-WCCE].

Figure 1: Machines involved in remote administration

In the preceding figure, the principal components are:

  • CA: The certification authority (CA) that receives configuration and administration tasks. The remote administration protocol that is defined in this document covers the interactions that are shown as a solid line in this figure.

  • Administrator's computer: A client to the CA that performs remote configuration or administration tasks.

  • DC: An Active Directory domain controller (DC) includes a Key Distribution Center (KDC) as specified in [MS-KILE]. In most cases, a Kerberos KDC is used to authenticate the parties for authenticated DCOM messages. The protocol that is documented here is built on top of authenticated DCOM messages. Interactions with the DC are shown in the figure as dashed lines. DCOM is specified in [MS-DCOM], which in turn references interactions with the DC.

The protocol uses two DCOM interfaces: ICertAdminD (section 3.1.4.1) and ICertAdminD2 (section 3.1.4.2), which offers additional methods. The two interfaces define a total of 46 methods.

The methods of the Certificate Services Remote Administration Protocol fall into the following categories:

  • Managing pending certificate requests: A certificate request can be fulfilled immediately or can be held for human administrator approval or other action. When a request is pending human approval, ICertAdminD methods allow the administrator's console to interact with the CA to query and modify pending requests. For additional information on pending requests, see section 3.1.1.1.1 and also [MS-WCCE].

  • Configuring or retrieving data from CA databases: For purposes of this protocol, a CA is built around a logical database, as specified in section 1.3.1.3. A number of methods in this protocol deal with configuration or data retrieval of particular rows or columns of tables in the logical database.

  • Managing revocation: This protocol includes methods to tell the CA to revoke a certificate, to query the validity of a certificate, and to deal with the mechanics of publication of CRLs.

  • Managing audit: This protocol includes methods that allow the administrator to learn and specify which classes of events generate audit trail entries.

  • Archived key retrieval: This protocol defines one method for retrieving a private key that was archived as part of a certificate request.

  • Miscellaneous administrative actions: This protocol includes a number of methods for miscellaneous administrative actions such as determining if the CA is responsive, determining what kinds of rights the caller has, telling the CA to go offline, or querying and editing various CA state variables. For details, see the descriptions in sections 3.1.4.1 and 3.1.4.2.