Enterprise CA

  • Integrates with Active Directory. Certificates and Certificate Revocation Lists (CRLs) are published in AD. Certificates can only be issued to objects in the Active Directory forest. Use a Standalone CA for objects outside the forest.
  • An Enterprise Root CA must be installed before all other CAs since they rely on the Root CA to certify them. The server that is to run the Enterprise Root CA needs to have its computer account put in the Cert Publishers group. This must be done by a member of the Enterprise Admins group.
  • Automatically approves certificates, based on user account and group account information and certificate template information
  • Works with smart cards
  • Should have some fault tolerance built in, such as regularly scheduled backups
  • The associated server name becomes part of the certificates it manages, so the server name can't be changed after installing Certificate Services
  • Doesn't require the person requesting a certificate to supply all identifying information since this information is based on the user's logon account. The certificate type is based on the certificate template.

