
Configuring Directory Services for Certificate Publication

On completion of this topic you should be able to configure the Active Directory service for certificate publication.

Active Directory uses Discretionary Access Control Lists (DACLs) to either approve or deny a certificate request. For example, if a user requests a certificate for EFS, Active Directory will determine whether that user has the Enroll permission for that type of certificate. If the user does, the request is approved without an administrator having to check whether the user has the appropriate permission to enroll.

Group Policy can be configured to automatically enroll User and Computer certificates in Windows Server 2003. Previously, in Windows 2000 Server, only Computer certificates could be auto-enrolled.
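
The DACL check described above can be inspected directly. The following is an added example, not part of the original course material: it lists which principals are granted or denied the Enroll or Autoenroll right on each certificate template. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the Configuration partition; the output column names are chosen for this example.

```powershell
# Added example: audit Enroll / Autoenroll ACEs on certificate templates.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for certificate enrollment
$rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}
$allRights = [guid]::Empty.ToString()   # an all-zero ObjectType covers every extended right

# Certificate templates are stored in the forest's Configuration partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$query = @{
    SearchBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    SearchScope = 'OneLevel'
    LDAPFilter  = '(objectClass=pKICertificateTemplate)'
    Properties  = 'nTSecurityDescriptor', 'displayName'
}

$report = foreach ($tpl in Get-ADObject @query) {
    foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
        # 0x100 = ExtendedRight; GenericAll also contains this bit
        if (([int]$ace.ActiveDirectoryRights -band 0x100) -eq 0) { continue }

        $guid = $ace.ObjectType.ToString()
        $name = if ($guid -eq $allRights) { 'All extended rights' } else { $rights[$guid] }
        if (-not $name) { continue }    # some other extended right, not enrollment

        [pscustomobject]@{
            Template  = $tpl.displayName
            Principal = $ace.IdentityReference
            Access    = $ace.AccessControlType   # Allow or Deny
            Right     = $name
            Inherited = $ace.IsInherited
        }
    }
}

$report | Sort-Object Template, Right, Principal | Format-Table -AutoSize
```

Rows where a broad group such as Authenticated Users or Domain Users holds Enroll are the ones to review first, since any member's request for that template is approved without administrator intervention.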

Your logbook for this section should include documentary evidence that you can configure a directory service for certificate publication.
