Tuesday 23 June 2015

Active Directory Certificate Services

Introduction

Active Directory Certificate Services (AD CS) provides a Public Key Infrastructure (PKI) that can be used to distribute certificates from a trusted source to enable the following:
  • Secure data transmission to a known recipient through encryption
  • Signing of code and documents that confirms who the sender is and that the data has not been tampered with in any way

PKI uses

  • Control access to the network with 802.1x authentication
  • Approve and authorize applications with Code Signing
  • Protect user data with EFS
  • Secure network traffic using IPSec
  • Remote access via Virtual Private Network (VPN)
  • Protect LDAP-based directory queries with Secure LDAP (LDAPS)
  • Implement two-factor authentication with Smart Cards
  • Secure web traffic (HTTPS)
  • Implement Secure Email (S/MIME)
  • Mobile devices connecting to Exchange Server infrastructures
  • Mutual authentication of Exchange Server components

Applications that may use certificates

  • Active Directory
  • Exchange
  • IIS
  • Internet Security & Acceleration Server
  • Office Communications Server
  • Outlook
  • System Center Configuration Manager
  • Windows Server Update Services

Hardware Security Module

A hardware security module (HSM) is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. Hardware security modules act as trust anchors that protect the cryptographic infrastructure of organizations by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.

Terminology

  • AD CS - Active Directory Certificate Services
  • AIA - Authority Information Access
  • CA - Certification Authority
  • CDP - CRL Distribution Point
  • CEP - Certificate Enrollment Policy
  • CES - Certificate Enrollment Service
  • CP - Certificate Policy
  • CPS - Certificate Practice Statement
  • CRL - Certificate Revocation List
  • CSP - Cryptographic Service Provider
  • DRA - Data Recovery Agent
  • HSM - Hardware Security Module
  • KRA - Key Recovery Agent
  • KSP - Key Storage Provider
  • OCSP - Online Certificate Status Protocol
  • OID - Object Identifier
  • PEN - Private Enterprise Number
  • PKI - Public Key Infrastructure
  • SCEP - Simple Certificate Enrollment Protocol
