Certificate Server Development Architecture

Microsoft® Certificate Server is a development platform for building Certificate Authorities for enterprises or secure Internet applications. A configured and operational Certificate Authority will allow a site to issue, track, manage, and revoke certificates with minimal administration overhead and maximal security.

The Certificate Server consists of the Server Engine, the Server Database, and a set of modules and tools that work together to function as a Certificate Authority. External applications, modules, and administration tools use Component Object Model (COM) interfaces to interact with the Server Engine. The following diagram shows the interfaces used by the Server Engine:

An operational certification system will typically have four major subsystems.

Client The client is the software that is used by the end user to generate a certificate request, send the request, and receive the finished certificate. An example of a client is Microsoft® Internet Explorer version 3.0. The client will typically interact with a custom interface maintained by the intermediary application.
Intermediary The intermediary is a sub-system that consists of the intermediary application and the Certificate Server Client Interface (Certificate Server Web Client in the setup program). The intermediary application interacts directly with the client, receiving certificate requests and returning finished certificates. It communicates with the Server Engine through the Certificate Server Client Interface, which contains the ICertConfig and ICertReqest COM interfaces. An example of an intermediary application is Microsoft Internet Information Server. The intermediary application can be implemented entirely through Active Server Pages.
Server The server is the system that builds the certificate. In addition to the Server Engine, two configurable components are included; the policy module and the exit module. The policy module interacts with the Server Engine through the ICertPolicy and ICertServerPolicy interfaces. Exit modules (there can be more than one) interact with the Server Engine through the ICertExit and ICertServerExit interfaces.
Administrative Client The administrative client is the system that monitors and manages certificates and requests. The administrative client uses the ICertAdmin interface to communicate with the Server Engine.

For further information about the Certificate Server architecture, see Certificate Server Interfaces and Building a Certificate.