AD CS: Enterprise PKI (PKIView)

Applies To: Windows Server 2008

Monitoring and troubleshooting the health of all certification authorities (CAs) in a public key infrastructure (PKI) are essential administrative tasks facilitated by the Enterprise PKI snap-in. Originally part of the Microsoft® Windows Server® 2003 Resource Kit and called the PKI Health tool, Enterprise PKI is a Microsoft Management Console (MMC) snap-in for the Windows Server® 2008 operating system. Because it is part of the core operating system of Windows Server 2008, you can use Enterprise PKI after server installation by simply adding it to an MMC console. It then becomes available to analyze the health state of CAs installed on computers running Windows Server 2008 or Windows Server 2003.

What does Enterprise PKI do?

Enterprise PKI provides a view of the status of your network's PKI environment. Having a view of multiple CAs and their current health states enables administrators to manage CA hierarchies and troubleshoot possible CA errors easily and effectively. Specifically, Enterprise PKI indicates the validity or accessibility of authority information access (AIA) locations and certificate revocation list (CRL) distribution points.

For each CA selected, Enterprise PKI indicates one of the CA health states listed in the following table.

  Indicator                 CA state
  Question mark             CA health state evaluation
  Green indicator           CA has no problems
  Yellow indicator          CA has a non-critical problem
  Red indicator             CA has a critical problem
  Red cross over CA icon    CA is offline

Once you add the Enterprise PKI snap-in to the MMC, three panes appear:

  • Tree. This pane displays a tree representation of your enterprise PKI hierarchy. Each node under the Enterprise PKI node represents a CA with subordinate CAs as child nodes.

  • Results. For the CA selected in the tree, this pane displays a list of subordinate CAs, CA certificates, CRL distribution points, and AIA locations. If the console root is selected in the tree, the results pane displays all root CAs. There are three columns in the results pane:

    • Name. If the Enterprise PKI node is selected, the names of the root CAs under the Enterprise PKI node are displayed. If a CA or child CA is selected in the tree, then the names of CA certificates, AIA locations, and CRL distribution points are displayed.

    • Status. A brief description of the status of the CA (also shown in the tree by the icon next to the selected CA), or of its CA certificates, AIA locations, and CRL distribution points (shown as status text such as OK or Unable to Download).

    • Location. AIA locations and CRL distribution points (protocol and path) for each certificate are displayed. Examples are file://, HTTP://, and LDAP://.

  • Actions. This pane provides the same functionality found on the Actions, View, and Help menus.

    Depending on the item selected in either the tree or results pane, you can view more details about CAs and CA certificates including AIA and CRL information in the actions pane. You can also manage the enterprise PKI structure and make corrections or changes to CA certificates or CRLs.
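As an added example (not code from the page or from the Enterprise PKI snap-in), the following Python models the check behind the Status column and the health-state table: download each CRL distribution point, read the CRL's nextUpdate field, classify the location, and roll the results up into the CA indicator. It assumes the status names "Expiring" and "Expired" for the states the page does not name, a one-day warning window, and that ldap:// and file:// locations are out of scope; the CA name, URLs and CRL bytes are constructed for offline use and are not a real CA's.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.error import URLError
from urllib.request import urlopen

# Status column values. "OK" and "Unable to Download" are quoted on the page;
# "Expiring" and "Expired" are assumed names for the remaining states.
OK, EXPIRING, EXPIRED, UNABLE = "OK", "Expiring", "Expired", "Unable to Download"
# Indicators from the CA health-state table.
GREEN = "Green indicator (CA has no problems)"
YELLOW = "Yellow indicator (CA has a non-critical problem)"
RED = "Red indicator (CA has a critical problem)"

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def crl_next_update(der):
    """Return the nextUpdate time of a DER-encoded CRL (RFC 5280, section 5.1)."""
    _, cert_list, _ = _tlv(der, 0)                     # CertificateList ::= SEQUENCE
    _, tbs, _ = _tlv(cert_list, 0)                     # tbsCertList ::= SEQUENCE
    tag, _, after = _tlv(tbs, 0)
    pos = after if tag == 0x02 else 0                  # optional version INTEGER
    for _ in range(3):                                 # skip signature, issuer, thisUpdate
        _, _, pos = _tlv(tbs, pos)
    tag, value, _ = _tlv(tbs, pos)                     # nextUpdate (optional in the ASN.1)
    text = value.decode("ascii")
    if tag == 0x17:                                    # UTCTime YYMMDDHHMMSSZ
        return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:                                    # GeneralizedTime YYYYMMDDHHMMSSZ
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("CRL carries no nextUpdate field")

def fetch_url(url, timeout=10):
    """Download an http(s):// location; None means 'Unable to Download'.
    PKIView also checks ldap:// and file:// locations; this example skips them."""
    if not re.match(r"(?i)https?://", url):
        return None
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (URLError, OSError, ValueError):
        return None

def location_status(crl_der, now, warn_window=timedelta(days=1)):
    """Status of one CRL distribution point; the one-day warning window is assumed."""
    if crl_der is None:
        return UNABLE
    next_update = crl_next_update(crl_der)
    if next_update <= now:
        return EXPIRED
    return EXPIRING if next_update - now <= warn_window else OK

def ca_health(statuses):
    """Roll per-location statuses up into the CA indicator from the table."""
    statuses = list(statuses)
    if any(s in (EXPIRED, UNABLE) for s in statuses):
        return RED
    return YELLOW if EXPIRING in statuses else GREEN

def evaluate_ca(downloads, now):
    """downloads maps each CDP URL to its CRL bytes (None if the download failed)."""
    statuses = {url: location_status(blob, now) for url, blob in downloads.items()}
    return statuses, ca_health(statuses.values())

# --- constructed test data: an unsigned CRL skeleton (signature bytes are dummy) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_crl(this_update, next_update):
    def utc(dt):
        return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Contoso Root CA"))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + _der(0x30, _der(0x31, cn))
               + utc(this_update) + utc(next_update))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 9))

def demo(now=datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)):
    """Offline walk-through: a healthy CDP, a CRL near expiry, and an LDAP CDP this code cannot fetch."""
    ldap_cdp = ("ldap:///CN=Contoso%20Root%20CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
                "CN=Configuration,DC=contoso,DC=example?certificateRevocationList")
    downloads = {
        "http://pki.contoso.example/ContosoRootCA.crl": sample_crl(now - timedelta(days=6), now + timedelta(days=6)),
        "http://pki2.contoso.example/ContosoRootCA.crl": sample_crl(now - timedelta(days=6), now + timedelta(hours=6)),
        ldap_cdp: fetch_url(ldap_cdp),
    }
    return evaluate_ca(downloads, now)

if __name__ == "__main__":
    statuses, indicator = demo()
    for url, status in statuses.items():
        print(f"{status:20} {url}")
    print("CA:", indicator)
```

Running the script prints one status line per location and the resulting indicator; with the constructed data the LDAP location cannot be downloaded, so the CA shows red even though one HTTP location is fine and the other is merely close to expiry. Against a live CA you would replace the constructed dictionary with the URLs from the certificate's CRL Distribution Points extension and `fetch_url` results.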

Who will be interested in this feature?

You can use Enterprise PKI in an enterprise network that uses Active Directory Certificate Services (AD CS) and contains one or more CAs, including environments with more than one PKI hierarchy.

Potential users of Enterprise PKI include administrators and IT professionals who are familiar with CA health monitoring and troubleshooting in an AD CS network environment.

Are there any special considerations?

You can use Enterprise PKI only in an AD CS environment.

What new functionality does this feature provide?

Enterprise PKI now supports Unicode character encoding.

Support for Unicode characters

Enterprise PKI provides full support for Unicode characters along with PrintableString encoding. Using Unicode character encoding allows you to present text and symbols from all languages. Unicode encoding uses a Unicode Transformation Format (UTF-8) scheme that assigns two bytes to each character, so a total of 65,536 character combinations are possible. In contrast, PrintableString encoding allows only a small subset of ASCII characters: A-Z, a-z, 0-9, space, and the symbols ' ( ) + , . / : = ?.
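To make the difference concrete, here is an added Python example (not code from the page or from AD CS) that encodes a name component as a DER PrintableString when every character fits that alphabet and as a UTF8String otherwise, which is the choice RFC 5280 permits for a DirectoryString. The alphabet is taken from X.680 and, in addition to the characters listed above, includes the hyphen; the sample names are constructed.

```python
# PrintableString alphabet from X.680: the characters listed on the page plus the hyphen.
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C   # ASN.1 universal tags

def _der(tag, content):
    """Encode one DER tag-length-value; short-form length is enough for name components."""
    if len(content) >= 0x80:
        raise ValueError("content too long for this example's short-form encoder")
    return bytes([tag, len(content)]) + content

def encode_name_value(text):
    """PrintableString when the text fits that alphabet, UTF8String otherwise."""
    if all(ch in PRINTABLE for ch in text):
        return _der(PRINTABLE_STRING, text.encode("ascii"))
    return _der(UTF8_STRING, text.encode("utf-8"))

def decode_name_value(der):
    """Return (tag name, text) from a DER-encoded PrintableString or UTF8String."""
    tag, length = der[0], der[1]
    body = der[2:2 + length]
    if tag == PRINTABLE_STRING:
        return "PrintableString", body.decode("ascii")
    if tag == UTF8_STRING:
        return "UTF8String", body.decode("utf-8")
    raise ValueError(f"unsupported string tag 0x{tag:02x}")

def string_tag_name(text):
    """Which encoding a given name component ends up with after a round trip."""
    return decode_name_value(encode_name_value(text))[0]

if __name__ == "__main__":
    # Constructed sample names: one plain ASCII, one with a character outside
    # the PrintableString alphabet ('@'), one with a non-ASCII letter.
    for name in ("Contoso Root CA", "ca@contoso.example", "Zürich Issuing CA"):
        print(f"{name!r:28} -> {string_tag_name(name)}")
```

The `@` in the second sample is enough to force UTF8String even though the text is pure ASCII, which is why a tool that understands only PrintableString can fail on names that look ordinary.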

Additional references

For information about other features in Active Directory Certificate Services, see Active Directory Certificate Services Role.