Active Directory Certificate Services (AD CS) extends the concept of trust so that a user, computer, organization, or service can prove its identity inside or outside the boundary of your Active Directory forest.

Certificates are issued by a certificate authority (CA). When a user, computer, or service uses a certificate to prove its identity, the client in the transaction must trust the issuing CA. A list of trusted root CAs, which includes, for example, VeriSign and Thawte, is maintained by Windows and updated as part of Windows Update. If you think about the last time you made a purchase on an Internet site, you will recall that it was probably performed on a site using Secure Sockets Layer (SSL), with an https:// address. The server proves its identity to the client, your browser, by presenting a certificate issued by a CA that your browser trusts, such as VeriSign or Thawte.

A public key infrastructure (PKI) is based on a chain of trust. A certificate authority can create a certificate for another certificate authority. The second CA can then issue certificates to users, computers, organizations, or services, and those certificates will be trusted by any client that trusts the upstream root CA.

The certificates can be used for numerous purposes in an enterprise network, including the creation of secure channels, such as the SSL example mentioned earlier, virtual private networks (VPNs), and wireless security, as well as for authentication, such as smart card logon.
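The chain of trust described above, as an added example that is not part of the original text: PowerShell 7 uses .NET to create a throwaway root CA, issuing CA and server certificate in memory, then validates the server certificate for a client that trusts the root and for a client that trusts only an unrelated root. The function names, subject names and validity periods are constructed for illustration, and no AD CS server is contacted.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: issue a throwaway RSA certificate in memory.
# Without -Issuer the certificate is self-signed, which is what makes it a root.
function New-DemoCert {
    param([string]$Subject, [X509Certificate2]$Issuer, [bool]$IsCA, [int]$Days)
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    # Basic Constraints tells relying parties whether this subject may issue certificates.
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($IsCA, $false, 0, $true))
    $from = [DateTimeOffset]::UtcNow.AddMinutes(-5)
    $to   = $from.AddDays($Days)
    if (-not $Issuer) { return $req.CreateSelfSigned($from, $to) }
    $serial = [guid]::NewGuid().ToByteArray()          # constructed serial number
    $cert   = $req.Create($Issuer, $from, $to, $serial) # signed with the issuer's private key
    return [RSACertificateExtensions]::CopyWithPrivateKey($cert, $key)
}

# Hypothetical helper: validate $Leaf the way a client would whose trusted root
# list contains only $TrustedRoot. $Extra supplies certificates the client may
# use to build the path but does not trust on their own.
function Test-DemoChain {
    param([X509Certificate2]$Leaf, [X509Certificate2]$TrustedRoot, [X509Certificate2[]]$Extra)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.TrustMode      = [X509ChainTrustMode]::CustomRootTrust
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # demo CAs publish no CRL
    [void]$chain.ChainPolicy.CustomTrustStore.Add($TrustedRoot)
    foreach ($c in $Extra) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    [pscustomobject]@{
        Trusted = $chain.Build($Leaf)
        Path    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Constructed hierarchy: root CA -> issuing CA -> server certificate.
$root    = New-DemoCert -Subject 'CN=Demo Root CA' -IsCA $true -Days 30
$issuing = New-DemoCert -Subject 'CN=Demo Issuing CA' -Issuer $root -IsCA $true -Days 20
$leaf    = New-DemoCert -Subject 'CN=web01.demo.example' -Issuer $issuing -IsCA $false -Days 10
$other   = New-DemoCert -Subject 'CN=Unrelated Root CA' -IsCA $true -Days 30

# Client that trusts the demo root: the leaf chains up through the issuing CA.
Test-DemoChain -Leaf $leaf -TrustedRoot $root -Extra $issuing
# Client that trusts only an unrelated root: same leaf, same signatures, no trust.
Test-DemoChain -Leaf $leaf -TrustedRoot $other -Extra $issuing, $root
```

The client in the first call never lists the issuing CA as trusted; the server certificate is accepted only because its path ends at a root in the client's trust store.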