Certificate Services

Certificate Services provides customizable services for issuing and managing certificates for applications that use public-key cryptography. The Certificate Server can play a central role in managing such a system, providing secure communications across the Internet, corporate intranets, and other nonsecure networks. Certificate Services can be customized to support the application requirements of different organizations.

The Certificate Server receives requests for new certificates over transports such as RPC, HTTP, or electronic mail. It checks each request against custom or site-specific policies, sets optional properties of the certificate to be issued, and issues the certificate. It also allows administrators to add entries to a certificate revocation list (CRL) and to publish a signed CRL on a regular basis. Programmable interfaces are included so that developers can add support for additional transports, policies, certificate properties, and formats.

The policy module for Certificate Services uses network authentication of certificate requests to issue certificates to users with Windows NT domain accounts. The policy module can be customized to meet the needs of the issuing organization. The Certificate Server generates certificates in the standard X.509 format. X.509 certificates are commonly used to authenticate the servers and clients involved in secure communications using either the PCT or SSL protocol. The following sections describe the uses and some key features of client authentication for secure communications using certificates generated by the Certificate Server. The Certificate Server can also generate the server certificates used by IIS and other Web servers to provide server authentication, which assures clients (browsers) that they are communicating with the intended entity.
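As an added example (not the Certificate Server's own code or API), the request, policy check, issuance and CRL steps described above are implemented here with the Python `cryptography` library, which is assumed to be installed. The issuing CA name, the `corp.example` subject rule standing in for the policy module, and the 2048-bit key-size threshold are constructed assumptions.

```python
# Added example (not Certificate Server code): a minimal issuing CA on the cryptography library.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

ALLOWED_DOMAIN = "corp.example"  # constructed site-specific rule standing in for the policy module

def _now(): return datetime.datetime.now(datetime.timezone.utc)
def _build(subject, issuer, pubkey, signer, days, ca):
    # Shared X.509 v3 builder for the CA's self-signed certificate and for issued certificates.
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=0 if ca else None), critical=True)
            .sign(signer, hashes.SHA256()))
def make_ca():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    return key, _build(name, name, key.public_key(), key, 3650, ca=True)
def make_request(common_name):
    # A PKCS#10 request as a client would submit it; the client's private key is not retained.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())
def policy_check(csr):
    # Policy module stand-in: proof of possession, RSA >= 2048 bits, CN inside the allowed domain.
    pub = csr.public_key()
    if not csr.is_signature_valid or not isinstance(pub, rsa.RSAPublicKey) or pub.key_size < 2048:
        return False
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return cn.endswith("." + ALLOWED_DOMAIN)
def issue(ca_key, ca_cert, csr, days=365):
    # Issue an end-entity certificate, or return None when policy rejects the request.
    if not policy_check(csr):
        return None
    return _build(csr.subject, ca_cert.subject, csr.public_key(), ca_key, days, ca=False)
def publish_crl(ca_key, ca_cert, revoked_serials):
    # Sign a CRL listing the given serial numbers; next_update tells relying parties when to refresh.
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(_now()).next_update(_now() + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(_now()).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())
def is_revoked(ca_cert, crl, cert):
    # Relying-party check: honour the CRL only if the issuing CA signed it, then look up the serial.
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuing CA")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

A request whose subject falls outside the allowed domain is rejected before any certificate is built, and a relying party refuses a CRL whose signature does not verify rather than treating the certificate as unrevoked.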