Managing Certificates in Windows Server

Certificate Services is managed through the Certification Authority snap-in.


Click Start. Select Administrative Tools. Click Certification Authority. A green tick next to the server indicates that Certificate Services is running on this machine. Expand the server to view its contents.

The Revoked Certificates folder holds all certificates that have been revoked. This list is known as the Certificate Revocation List (CRL). Normally, once revoked, a certificate can’t be unrevoked.

The Issued Certificates folder lists all the certificates that this CA has issued. Double-clicking a certificate will reveal its properties.

The Pending Requests folder lists the requests that are queued on the CA waiting for approval or disapproval. Enterprise CAs will never use this feature; Stand-Alone CAs, however, store requests as pending.

The Failed Requests folder shows any certificate requests that have failed or have been rejected by this CA along with the reason.

The Certificate Templates folder shows the certificate templates that are available for use on this server.

New templates can be added by right-clicking the Certificate Templates folder and selecting New > Certificate. Double-click a template to view its properties. Information about the certificate template is shown, such as the purpose of the certificate. Click OK to continue. To view the server's general properties, right-click the server and select Properties.

The General tab displays general information about this CA, such as its name and description. You can view this CA's certificate by selecting View Certificate. The Policy Module tab displays which policy module is in place. This will normally be the default Microsoft policy. If you have any additional policies, they can be added by clicking the Select button. Select Properties to configure the installed policy module. The Request Handling tab gives you control over how incoming requests are processed. The default action for enterprise CAs is shown here.

The Exit Module tab is similar to the Policy Module tab; it shows you which exit modules are currently in use. Select Configure to view and configure options for this exit module. The properties page for this exit module specifies where certificates should be published. These options will vary depending on the type of CA installed.

The Extensions tab allows you to configure two lists of locations: one for where CRLs are published, known as CRL distribution points (CDPs), and one for where users can obtain the certificate for this CA, known as Authority Information Access points (AIAs).

The Storage tab shows the paths where the CA stores its configuration and certificate database files. These values can’t be changed. On stand-alone CAs, information can still be stored in Active Directory (if available) by selecting the Active Directory box.

The Certificate Managers Restrictions tab allows you to specify the users and/or groups who can issue and manage certificates.

The Auditing tab allows you to specify what events are to be logged. The Audit object access setting must be enabled in a Group Policy first.
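The settings shown on the Auditing and Request Handling tabs can also be read from the CA's registry configuration, which is useful when reviewing several CAs. The following PowerShell is an added example, not part of the original lesson. It assumes an elevated session on the CA server, the default Microsoft policy module, and a Windows Server version that includes `auditpol.exe`.

```powershell
# Added example: report the settings behind the Auditing and Request Handling tabs.
# Assumption: run in an elevated PowerShell session on the CA server itself.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active      # name of the active CA
$caKey   = Join-Path $cfgRoot $caName

# AuditFilter is a bit mask; each bit corresponds to one check box on the Auditing tab.
$auditBits = [ordered]@{
    1  = 'Start and stop Certificate Services'
    2  = 'Back up and restore the CA database'
    4  = 'Issue and manage certificate requests'
    8  = 'Revoke certificates and publish CRLs'
    16 = 'Change CA security settings'
    32 = 'Store and retrieve archived keys'
    64 = 'Change CA configuration'
}

# A missing AuditFilter value converts to 0, meaning no CA events are selected.
$filter = [int](Get-ItemProperty -Path $caKey).AuditFilter
"CA: $caName   AuditFilter: $filter"
foreach ($entry in $auditBits.GetEnumerator()) {
    $state = if ($filter -band $entry.Key) { 'logged    ' } else { 'NOT logged' }
    "  [$state] $($entry.Value)"
}

# The CA only writes these events when object access auditing is enabled.
# auditpol prints the effective setting for the Certification Services subcategory.
auditpol.exe /get /subcategory:"Certification Services"

# Request Handling tab: the default policy module stores its choice in
# RequestDisposition. The 0x100 flag means requests are set to pending first.
$policyKey = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'
$disposition = [int](Get-ItemProperty -Path $policyKey).RequestDisposition
if ($disposition -band 0x100) {
    'Request handling: requests wait in Pending Requests for an administrator'
} else {
    'Request handling: requests are processed automatically'
}
```

An AuditFilter of 127 means every event category is selected; any line marked NOT logged is a CA action that leaves no entry in the Security log.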

The Recovery Agents tab allows you to specify whether or not the private key of a certificate will be stored by the certificate authority.

The Security tab specifies which users can manage, issue or read certificates on this CA. Users will need the Request Certificate permission in order to apply for certificates.