Active Directory Certificate Authority

epulone:
I am studying for the 70-640 certificate. Unfortunately, I have difficulty fully understanding the Active Directory Certificate Authority (AD CA / AD CS) and how it works.
Can someone help me?
Many thanks


rsutton:
You asked a very open-ended question; you should ask about what you are specifically having trouble with. That being said, the best thing to do is to set up your own CA and go through the labs in whatever books you are using.
epulone:
I am studying with Microsoft Learning [6425B]... I couldn't find a lot regarding CA... just the following:
Active Directory Certificate Services (AD CS) extend the concept of trust so that a user, computer, organization, or service can prove its identity outside or inside the border of your Active Directory forest. Certificates are issued from a certificate authority (CA). When a user, computer, or service uses a certificate to prove its identity, the client in the transaction must trust the issuing CA. A list of trusted root CAs, which includes, for example, VeriSign and Thawte, is maintained by Windows and updated as part of Windows Update.
If you think about the last time you made a purchase on an Intranet site, you will recall that it was probably performed on a site using Secure Sockets Layer (SSL), with an HTTPS:// address. The server proves its identity to the client, your browser, by presenting a certificate issued by a CA that your browser trusts, such as VeriSign or Thawte.
A public key infrastructure (PKI) is based on a chain of trust. A certificate authority can create a certificate for another certificate authority. The second CA can then issue certificates to users, computers, organizations, or services that will be trusted by any client that trusts the upstream root CA.
The certificates can be used for numerous purposes in an enterprise network, including the creation of secure channels such as the SSL example mentioned earlier and for virtual private networks (VPNs) and wireless security, as well as for authentication, such as smart card logon.

I know it is not easy to reply, but it would be great for me to get at least an idea of how it is used in real life and how it works in general... so I can go deeper :)
I was looking at a practice exam... I have realised there are a lot of questions on CA / CS...

Many thanks
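The chain of trust the 6425B text describes can be walked by hand with the same .NET class Windows uses for its own trust decisions. The following is an added example, not part of the thread or the course material: it assumes a Windows machine with PowerShell 2.0 or later, takes a certificate from the local computer's Personal store by thumbprint (the usage line at the bottom simply picks the first one present), and skips revocation checking so that an offline lab root does not produce a spurious CRL error.

```powershell
# Added example: walk a certificate's chain of trust with X509Chain and report
# whether the chain terminates in a root that the local machine trusts.
# Assumptions: Windows, PowerShell 2.0+, the certificate lives in Cert:\LocalMachine\My.

function Show-CertChain {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    $cert = Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Lab setting: do not fetch CRLs/OCSP, so an offline root CA does not fail the check.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    # Build() resolves issuers upward until it reaches a self-signed root (or gives up).
    $valid = $chain.Build($cert)

    # Element 0 is the end-entity certificate; the last element is the root. Windows
    # accepts the chain only if that root is in a trusted root store.
    $i = 0
    foreach ($element in $chain.ChainElements) {
        "[{0}] Subject: {1}" -f $i, $element.Certificate.Subject
        "     Issuer : {0}" -f $element.Certificate.Issuer
        $i++
    }

    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $trustedRoot = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    "Root '{0}' present in Trusted Root store: {1}" -f $root.Subject, [bool]$trustedRoot

    if (-not $valid) {
        # Each ChainStatus entry names one reason the chain was rejected
        # (UntrustedRoot, NotTimeValid, PartialChain, ...).
        foreach ($status in $chain.ChainStatus) {
            "Chain error: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim()
        }
    }
    return $valid
}

# Usage: check whatever certificate happens to be first in the Personal store.
$first = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
Show-CertChain -Thumbprint $first.Thumbprint
```

Run it against a certificate issued by your own lab CA before and after you import the root into Trusted Root Certification Authorities: the first run ends in an UntrustedRoot status, the second returns True with the same intermediate elements listed, which is exactly the "client must trust the issuing CA" rule the course text states.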
hennrizzler:
Lab, lab, lab. Set up a lab and mess around with certificates. If you want real-world examples, just take a look at the certificate templates. There are many reasons why you would need CS; web server security and authenticating users/machines are a few.

Build a lab. Create an offline root Certificate Authority (CA) (more complex, but you'll learn more) with an enterprise subordinate CA. Attempt to issue user certificates for EFS for your domain users (this will require a Data Recovery Agent; again, you will learn more) and, if you really want to get good with it, do a web server certificate and set IIS to require SSL.

For theory and lessons on it, TechNet or the MS Press training kit already do a great job. The rest is real experience with a CA.
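The lab hennrizzler describes, written out as PowerShell and certutil commands; this is an added example and not part of his post. It assumes Windows Server 2012 or later (the AD CS cmdlets do not exist on 2008 R2, where the same steps are done through the wizard and certutil), a domain named lab.local, a workgroup machine named ROOTCA for the offline root, a domain-joined server named SUBCA for the enterprise subordinate, a web server whose name is web.lab.local, and a folder C:\Transfer carried between machines on removable media. All of those names are assumptions for the example.

```powershell
# Added example: two-tier AD CS lab (offline standalone root + enterprise subordinate),
# then a web server certificate with IIS set to require SSL, then the EFS recovery agent.
# Assumptions: Server 2012+, domain lab.local, hosts ROOTCA (workgroup) and SUBCA (domain),
# files exchanged through C:\Transfer. Run each section on the machine it names.

# --- 1. On ROOTCA (workgroup; power it off when done): standalone root CA ---
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'Lab Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
# Export the root certificate and publish a CRL; both travel to SUBCA with the media.
certutil -ca.cert C:\Transfer\LabRootCA.crt
certutil -crl
Copy-Item C:\Windows\System32\CertSrv\CertEnroll\*.crl C:\Transfer\

# --- 2. On SUBCA (domain-joined, logged on as Enterprise Admin) ---
# Publish the root into AD so every domain member trusts it via autoenrollment of roots,
# and publish its CRL into the CDP container (assumed to be named after host ROOTCA).
certutil -dspublish -f C:\Transfer\LabRootCA.crt RootCA
certutil -dspublish -f C:\Transfer\LabRootCA.crl ROOTCA
certutil -addstore -f Root C:\Transfer\LabRootCA.crt   # trust it locally right now
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# An enterprise subordinate with no online parent writes a request file and stops there.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Lab Issuing CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile C:\Transfer\LabIssuingCA.req -Force
# Carry LabIssuingCA.req back to ROOTCA and issue it there (a standalone root
# holds submissions as pending until an administrator resubmits them):
#   certreq -submit C:\Transfer\LabIssuingCA.req         (prints the RequestId)
#   certutil -resubmit <RequestId>
#   certreq -retrieve <RequestId> C:\Transfer\LabIssuingCA.crt
# Then, back on SUBCA, install the issued CA certificate and start the service.
certutil -installcert C:\Transfer\LabIssuingCA.crt
Start-Service certsvc

# --- 3. On the IIS server (domain-joined): web server certificate, require SSL ---
# The computer account must have Enroll permission on the WebServer template
# (Certificate Templates console on SUBCA) before this enrollment succeeds.
$enrolled = Get-Certificate -Template WebServer -DnsName 'web.lab.local' `
    -CertStoreLocation Cert:\LocalMachine\My
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
New-Item IIS:\SslBindings\0.0.0.0!443 -Value $enrolled.Certificate
# "Require SSL": plain HTTP requests to the site are now refused with 403.4.
Set-WebConfigurationProperty -Filter 'system.webServer/security/access' `
    -PSPath 'IIS:\Sites\Default Web Site' -Name sslFlags -Value 'Ssl'

# --- 4. EFS Data Recovery Agent key pair ---
# cipher /r writes EfsRecovery.cer (import into Default Domain Policy under
# Public Key Policies > Encrypting File System) and EfsRecovery.pfx (private key;
# keep it offline, it decrypts every EFS file in the domain).
cipher /r:C:\Transfer\EfsRecovery
```

Two points the wizard hides that this layout makes visible: the root never joins the domain and never comes online again except to sign a new subordinate certificate or a fresh CRL, and the subordinate is an enterprise CA precisely so that templates and autoenrollment (user EFS certificates, the WebServer template) are available to domain members while the root's key stays off the network.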
jmritenour:
For a domain-based CA, the most common use is going to be for smart cards or some other form of two-factor authentication, IPsec, and two-way client/server verification (i.e. this server is in fact the server I believe it is, and I am the user I claim to be, connecting from the domain-joined computer I claim to be connecting from).

In 2008/R2, another use would be for certificates of health in Network Access Protection, but I honestly have no idea how much that is used in the real world.
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi