Components of Certificate Services
This video looks at the different components that make up Active Directory Certificate Services and which servers each of these components should be installed on.
Which components to install where?
When deciding which Certificate Services components to install where, a few points need to be considered. First, where is the user or device that will use the certificate located? If it sits on the far side of a WAN link, additional components may need to be installed closer to it. If the user or device is a member of the domain, the process is simpler: domain members locate the CA through Active Directory and enroll with their domain credentials. If it is not, additional components may be required to give the user or device access to the certificate infrastructure, for example the web enrollment services or the Network Device Enrollment Service.
Components Available
There are 6 components (role services) in Active Directory Certificate Services.
Certificate Authority (CA): This is the core component that creates certificates. Certificates are issued to users, to devices, or to a subordinate CA.
Online Responder: This component provides a way for the revocation status of a certificate to be checked using a small amount of network traffic (the OCSP protocol).
Network Device Enrollment Service (NDES): This component allows non-domain devices such as switches and routers to obtain certificates.
Certificate Enrollment Web Service: This allows certificates to be requested and renewed over HTTPS, which is useful for clients that are not domain members or cannot reach the CA directly.
Certificate Enrollment Policy Web Service: This component works with the Certificate Enrollment Web Service. It provides the enrollment policy (which templates are available and where to enroll) that clients then use with the Certificate Enrollment Web Service.
Certification Authority Web Enrollment: This component provides a web interface which end users can use to request certificates from the CA.
Certificate Authority (CA)
The Certificate Authority or CA is the main component of Certificate Services. It should be remembered that Active Directory Certificate Services is Microsoft's implementation of a CA; there are other third-party implementations. A Microsoft CA can be a subordinate of a third-party root CA, and third-party CAs can be subordinates of a Microsoft root, because both follow the same X.509 chain rules. A CA's job is to create and manage certificates. The certificates it creates can be used by subordinate CAs or by clients. At the top of the certificate hierarchy is the root CA. If you decide to create your own root CA, be careful which settings you use: the key length, hash algorithm and validity period chosen for the root constrain every certificate issued below it (a subordinate cannot outlive its issuer, and a weak root key weakens the whole chain). This is because certificates form a chain. For a certificate to be validated, every certificate in the chain, from the issued certificate up to the root, must be checked for a valid signature, validity period and revocation status.
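As an added example (not from the original video or its references), the following PowerShell maps the six components above to servers in a two-tier hierarchy: an offline standalone root, an enterprise issuing CA inside the domain, an edge server for the Online Responder and the two enrollment web services, and a separate NDES host. All host names, the CA names and the domain corp.example.com are assumptions; the feature names are the AD CS role-service names reported by Get-WindowsFeature, and the cmdlets come from the ADCSDeployment module.

```powershell
# Added example, not code from the original page. Host names, CA names and
# corp.example.com are assumed; run the same script on each server.
#Requires -RunAsAdministrator

# Which role services belong on which server. Feature names are those
# returned by Get-WindowsFeature -Name ADCS-*.
$Placement = @{
    # Offline root: CA only, standalone, not domain-joined, kept off the network.
    'ROOT-CA01'  = @('ADCS-Cert-Authority')
    # Enterprise issuing CA inside the domain, plus the classic /certsrv pages.
    'ISSUE-CA01' = @('ADCS-Cert-Authority', 'ADCS-Web-Enrollment')
    # Edge server reachable over the WAN/internet: revocation answers and HTTPS
    # enrollment for clients that cannot reach the CA over RPC/DCOM.
    'PKI-EDGE01' = @('ADCS-Online-Cert', 'ADCS-Enroll-Web-Pol', 'ADCS-Enroll-Web-Svc')
    # SCEP enrollment for switches and routers that are not domain members.
    'NDES01'     = @('ADCS-Device-Enrollment')
}

$features = $Placement[$env:COMPUTERNAME]
if (-not $features) { throw "No AD CS placement defined for $env:COMPUTERNAME" }
Install-WindowsFeature -Name $features -IncludeManagementTools | Out-Null

$issuingCAConfig = 'ISSUE-CA01.corp.example.com\Corp Issuing CA 1'   # assumed CA config string
$ksp = 'RSA#Microsoft Software Key Storage Provider'

switch ($env:COMPUTERNAME) {
    'ROOT-CA01' {
        # Root settings propagate down the chain: choose key size, hash and
        # lifetime once, carefully. 20 years lets it sign several subordinate generations.
        Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
            -CACommonName 'Corp Root CA' -CryptoProviderName $ksp `
            -KeyLength 4096 -HashAlgorithmName SHA256 `
            -ValidityPeriod Years -ValidityPeriodUnits 20 -Force
    }
    'ISSUE-CA01' {
        # Subordinate: only a request is produced here. The offline root signs it,
        # and the signed certificate is then installed with certutil -installcert.
        Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
            -CACommonName 'Corp Issuing CA 1' -CryptoProviderName $ksp `
            -KeyLength 4096 -HashAlgorithmName SHA256 `
            -OutputCertRequestFile 'C:\ISSUE-CA01.req' -Force
        Install-AdcsWebEnrollment -Force
    }
    'PKI-EDGE01' {
        # The web services need an HTTPS binding; reuse the edge server's TLS certificate.
        $tls = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object Subject -like 'CN=pki-edge01.corp.example.com*' |
            Select-Object -First 1
        Install-AdcsOnlineResponder -Force
        Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
            -SSLCertThumbprint $tls.Thumbprint -Force
        Install-AdcsEnrollmentWebService -CAConfig $issuingCAConfig `
            -AuthenticationType Kerberos -SSLCertThumbprint $tls.Thumbprint -Force
    }
    'NDES01' {
        # NDES requests device certificates from the issuing CA; RAName is the
        # name placed in the registration authority certificates it obtains.
        Install-AdcsNetworkDeviceEnrollmentService -ApplicationPoolIdentity `
            -CAConfig $issuingCAConfig -RAName 'Corp NDES RA' -Force
    }
}
```

Kerberos authentication on the enrollment web services suits branch-office domain members coming in over the WAN; for non-domain clients on the internet the same cmdlets accept -AuthenticationType Username or Certificate instead. The root CA is the only server here that should never be domain-joined or left online: its private key is what every certificate in the hierarchy ultimately chains to.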
Online Responder
This component checks whether a certificate has been revoked. The user or device using the certificate sends a query to the Online Responder, and the Online Responder sends back a signed response stating whether the certificate is good or revoked (the protocol is OCSP, the Online Certificate Status Protocol). The advantage of this is that the response message is always roughly the same size, regardless of how many certificates have been revoked. The other way of doing this is the Certificate Revocation List or CRL. The CRL lists every certificate that has been revoked and has not yet expired, so it can become quite large, and every client has to download the whole list. To obtain the CRL the client also requires access to the CRL distribution point, which is normally hosted on the CA itself or on a web server or Active Directory path that the CA publishes to. The second advantage of an Online Responder is that it retrieves the CRL from the CA on behalf of the client and answers from that copy. This means an Online Responder can be deployed in locations where you would not normally deploy a CA, for example a network segment accessible from the internet, without exposing the CA itself.
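As an added example (not from the original video), the following PowerShell ties the CA and Online Responder sections together. Part 1 runs on the issuing CA: it stamps CRL distribution point and OCSP URLs into every certificate issued from then on and publishes a CRL. Part 2 checks an issued certificate the way a client does: it reads the URLs the client will have to reach, then builds the chain with revocation checking for every certificate in it. The host names pki.corp.example.com and ocsp.corp.example.com, the CA name and the certificate selection are assumptions.

```powershell
# Added example, not code from the original page. Host names, the CA name and
# the certificate being checked are assumptions. Part 1 runs on the issuing CA.
#Requires -RunAsAdministrator

# Part 1: where the CA publishes, and which URLs go into issued certificates.
# Flag bits: 1 = publish to this location, 2 = put in the CDP/AIA extension,
# 32 = put in the AIA extension as the OCSP URL, 64 = publish delta CRL here.
# %1_%3%4 and %3%8%9 are certutil replacement tokens; the literal "\n"
# separates entries of the REG_MULTI_SZ value.
$crlUrls = '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl' +
           '\n2:http://pki.corp.example.com/CertEnroll/%3%8%9.crl'
$aiaUrls = '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt' +
           '\n2:http://pki.corp.example.com/CertEnroll/%1_%3%4.crt' +
           '\n32:http://ocsp.corp.example.com/ocsp'
certutil -setreg CA\CRLPublicationURLs $crlUrls | Out-Null
certutil -setreg CA\CACertPublicationURLs $aiaUrls | Out-Null
# One-week base CRL with a daily delta: revocations are noticed within a day
# without every client downloading the whole base list each day.
certutil -setreg CA\CRLPeriodUnits 1      | Out-Null
certutil -setreg CA\CRLPeriod Weeks       | Out-Null
certutil -setreg CA\CRLDeltaPeriodUnits 1 | Out-Null
certutil -setreg CA\CRLDeltaPeriod Days   | Out-Null
Restart-Service CertSvc
certutil -CRL | Out-Null   # publish a fresh base and delta CRL now

# Part 2: what a client has to reach, and a full-chain check with revocation.
function Get-RevocationEndpoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 = CRL Distribution Points; 1.3.6.1.5.5.7.1.1 = Authority
    # Information Access (CA Issuers and OCSP URLs). Format() renders URL= lines.
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if (-not $ext) { continue }
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{ Extension = $ext.Oid.FriendlyName; Url = $m.Groups[1].Value }
        }
    }
}

function Test-ChainWithRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # fetch CRL/OCSP, not just the cache
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # every certificate in the chain
    $valid = $chain.Build($Cert)
    foreach ($el in $chain.ChainElements) {
        $status = if ($el.ChainElementStatus.Count) {
            ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        } else { 'OK' }
        Write-Host ('{0,-50} {1}' -f $el.Certificate.Subject, $status)
    }
    return $valid
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Issuer -like 'CN=Corp Issuing CA 1*' | Select-Object -First 1
Get-RevocationEndpoints $cert | Format-Table -AutoSize
if (-not (Test-ChainWithRevocation $cert)) {
    Write-Warning "Chain build or revocation check failed for $($cert.Subject)"
}
# certutil lists every CDP/OCSP URL it tried and whether the answer was cached:
Export-Certificate -Cert $cert -FilePath "$env:TEMP\leaf.cer" | Out-Null
certutil -verify -urlfetch "$env:TEMP\leaf.cer"
```

The order matters: the OCSP URL is written into the AIA extension at issue time, so certificates issued before Part 1 ran keep pointing only at the CRL and gain nothing from the Online Responder. The responder itself still needs a revocation configuration (created in the Online Responder Management console) naming the issuing CA certificate and an OCSP Response Signing certificate; once that is in place, the certutil -verify -urlfetch output shows for each certificate in the chain whether status came from OCSP or from the CRL.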
References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory", Second Edition, pp. 779-780
"Windows Server 2008 PKI and Certificate Security", pp. 33-37