AD CS Certification Authority (CA)

Applies To: Windows Server 2008

Certification authorities (CAs) accept certificate requests, verify the requester's identifying information according to the policy of the CA, and then use their private keys to digitally sign the certificates that they issue. CAs are also used to revoke certificates that are no longer valid before their scheduled expiration date and to publish certificate revocation lists (CRLs) that are used to verify the validity of published certificates.


The following is a list of all aspects that are part of this managed entity:

Name Description

AD CS Access Control

Certification authority (CA) access control permissions ensure that authorized components and users can complete required tasks. Access control errors can identify potential problems associated with insufficient or inappropriate use of permissions.

AD CS Active Directory Domain Services Connection

Active Directory Certificate Services (AD CS) requires at least Read access, and in some instances Write access, to certain objects in Active Directory Domain Services (AD DS). Failure to access these Active Directory objects can prevent AD CS from starting.

AD CS Certificate Request (Enrollment) Processing

One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.

AD CS Certificate Revocation List (CRL) Publishing

Providing clients with the information that they need to determine whether to trust a certificate is one of the most important security functions of a certification authority (CA) and public key infrastructure (PKI). For the administrator, this means promptly revoking untrusted certificates that have not reached their scheduled expiration dates and publishing this information in certificate revocation lists (CRLs). Monitoring and addressing problems with CRL publication and availability is a critical aspect of PKI security.

AD CS Certification Authority Certificate and Chain Validation

Chain or path validation is the process by which end-entity (user or computer) certificates and all certification authority (CA) certificates are processed hierarchically until the certificate chain terminates at a trusted, self-signed certificate. Typically, this is a root CA certificate. Active Directory Certificate Services (AD CS) startup can fail if there are problems with availability, validity, and chain validation for the CA certificate.

AD CS Certification Authority Upgrade

Upgrading a certification authority (CA) that was installed on an earlier version of Windows to a computer running Windows Server 2008 can affect configuration options or components that need to be reconfigured after the upgrade. In some cases, you may also have to fix configuration problems before the upgrade can be completed.

AD CS Cross-Certification

When a root certification authority (CA) certificate is renewed, both the original root certificate and the renewed root certificate continue to be important in the public key hierarchy. The original root CA certificate remains the ultimate foundation of trust for the hierarchy and helps to validate the certificate chains for all certificates that have been issued under the original hierarchy. The renewed root CA certificate provides the foundation of trust for all certificates that are issued in the hierarchy from the renewal date forward.

To support these scenarios, a pair of cross-CA certificates are also created to establish the trust relationship between the original and renewed root certificate:

  • The first cross-certificate verifies that the original root CA certificate trusts the renewed CA certificate.
  • The second cross-certificate verifies that the renewed CA certificate trusts the original root certificate.

Stand-alone CAs generate self-signed cross-certificates when CA keys are changed. A cross-certificate is generated for each key transition, for the period where the lifetime of each root certificate overlap.

AD CS Database Availability

The certfication authority (CA) database records all certificate transactions, including requests, the requester, and whether the request was granted or denied; information for the issued certificate, such as the private key, serial number, and expiration date; and information about revoked certificates. Problems accessing a CA database can prevent a CA from starting and functioning properly. 

AD CS Exit Module Processing

The Active Directory Certificate Services (AD CS) exit module performs several functions after a certificate has been issued, such as publishing the certificate to the file system or sending an e-mail notification.

AD CS Key Archival and Recovery

Active Directory Certificate Services (AD CS) requires key recovery agent certificates, exchange (XCHG) certificates, and keys in order to support key archival. The functioning of key recovery agent certificates, XCHG certificates, and the cryptographic service providers (CSPs) needed to create them is critical to a public key infrastructure.

AD CS Performance Counters Availability

Performance counters make it possible to monitor the use of a certification authority (CA). If performance counters cannot be started, this data will not be available.

AD CS Policy Module Processing

The policy module contains the set of rules governing issuance, renewal, and revocation of certificates. This policy is created from hard-coded values, registry settings, and, if you are using an enterprise certification authority (CA), certificate templates. The policy module determines whether a certificate request is approved, denied, or marked as pending for an administrator to approve or deny. Problems detected with a policy module can cause a CA to fail to start or to cease functioning.

AD CS Program Resource Availability

Certification authorities (CAs) need adequate system resources and operating system components to function. If a server has insufficient memory or hard disk space, or if operating system components become unavailable, attempts to start Active Directory Certificate Services (AD CS) can fail.

AD CS Registry Settings

Active Directory Certificate Services (AD CS) records critical configuration settings in the registry and may not start or function properly if this information becomes corrupted or is deleted.

Active Directory Certificate Services