Using Policy to Manage Active Directory Certificate Services

Applies To: Windows Server 2008

Domain Group Policy can be used to manage the following types of certificate-related activities in an Active Directory Domain Services (AD DS) environment:

  • Credential roaming

  • Autoenrollment of certificates

  • Certificate path validation

  • Certificate distribution

Credential roaming

Credential roaming allows X.509 certificates, certificate requests, and private keys specific to a user in AD DS to be stored independently from the user profile and used on any computer on the network.

Until recently, user certificates and private keys on computers running Windows became part of the user profile after they were issued and placed in the user's certificate store. The only way to use these certificates and private keys on more than one computer was to copy the user profile from one computer to another, which could involve an extremely large amount of data that could be accessed by any person with the appropriate administrative rights.

Digital certificates and private keys involve comparatively small amounts of data that need to be stored in a secure manner. Credential roaming policy provides a means for managing the use of these credentials on multiple computers in a manner that addresses the secure storage and size requirements of digital certificates and private keys.

Credential roaming was first made available for domain controllers running Windows Server 2003 Service Pack 1 (SP1). The credential roaming implementation in Windows Vista and Windows Server 2008 is easier to configure and manage. In addition, credential roaming policy in Windows Server 2008 makes it possible to roam stored user names and passwords as well as certificates and keys.

For more information, see Enable Credential Roaming.

For more information about credential roaming and significant differences between its implementation in Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP, see Configuring and Troubleshooting Certificate Services Client–Credential Roaming (

Certificate autoenrollment

Many organizations use Group Policy to automatically enroll users, computers, or services for certificates.

For more information, see Configure Certificate Autoenrollment.

Certificate path validation

As certificate use for secure communication and data protection is increasing, administrators can use certificate trust policy to enhance their control of certificate use and public key infrastructure performance by using certificate path validation options.

Certificate path validation settings in Group Policy allow administrators to manage stores, trusted publishers, network retrieval, and revocation checking.

For more information, see Manage Certificate Path Validation.

Certificate distribution

The certificate distribution capabilities in Group Policy are a powerful method for managing certificate-related trust in an organization. It allows you to ensure that certain certificates are trusted and that certificate chain building occurs with little or no user intervention. You can also block the use of certificates that you cannot directly revoke because they were issued by an external certification authority (CA).

For more information, see Use Policy to Distribute Certificates.

Additional references