This article builds on the earlier setup. Web servers, and later Exchange, OCS and other Microsoft products, need certificates in order to work together, so this article prepares the environment first; the next chapter covers the Web configuration and enabling certificates.
The AD CS updates in Windows Server 2008 R2 are as follows.
Windows Server 2008 R2 Active Directory Certificate Services (AD CS) introduces a number of features and services that allow more flexible public key infrastructure (PKI) deployments, reduce administrative costs, and provide better support for Network Access Protection (NAP) deployments.
The following AD CS features and services are new in Windows Server 2008 R2 (feature, then its advantage):
* Feature: Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service. Advantage: supports certificate enrollment over HTTP.
* Feature: Support for cross-forest certificate enrollment. Advantage: supports consolidation of certification authorities (CAs) in a multi-forest deployment.
* Feature: Improved support for high-volume CAs. Advantage: reduces the CA database size for some NAP deployments and other large-scale CAs.
Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service
The Certificate Enrollment Web Service is a new AD CS role service that supports policy-based certificate enrollment over HTTP using existing methods such as autoenrollment. The Web service acts as a proxy between the client computer and the CA, so the client computer does not have to communicate directly with the CA; this enables certificate enrollment over the Internet and cross-forest certificate enrollment.
The Certificate Enrollment Web Service submits requests on behalf of the client computer, so the service must be trusted for delegation. Deploying this Web service on an extranet increases its exposure to network attacks, and some organizations may choose not to trust the service for delegation. In those cases, you can configure the Certificate Enrollment Web Service and the issuing CA to accept only renewal requests that are signed with an existing certificate, for which no delegation is required.
The certificate Enrollment Web service also has the following requirements:
* Active Directory Forest with Windows Server 2008 R2 Schema
* An enterprise CA running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
* For cross-forest certificate enrollment, an enterprise CA running the Enterprise or Datacenter edition of Windows Server.
* Client computers running Windows 7.
The certificate enrollment Web services are available in all editions of Windows Server 2008 R2.
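Because the enrollment Web service relays requests on the client's behalf, the delegation setting on its computer account is the thing to audit: unconstrained delegation is the broadest grant, constrained delegation limited to the CA's HOST and rpcss services is the narrower form, and no delegation at all is acceptable only in the renewal-only configuration described above. The following PowerShell audit is an added example, not part of the original article or of Microsoft's tooling; it assumes the ActiveDirectory module is installed, and the computer name `CES01` and CA name `CA01.corp.example` are placeholders.

```powershell
# Added example (not from the original article): report how the computer account
# hosting the Certificate Enrollment Web Service is trusted for delegation.
# Assumes the ActiveDirectory PowerShell module; names below are placeholders.
Import-Module ActiveDirectory

function Test-CesDelegation {
    param(
        [Parameter(Mandatory)][string]$CesComputerName,   # e.g. 'CES01' (placeholder)
        [Parameter(Mandatory)][string]$CaHostFqdn         # e.g. 'CA01.corp.example' (placeholder)
    )

    # TrustedForDelegation = unconstrained; msDS-AllowedToDelegateTo = constrained list;
    # TrustedToAuthForDelegation = protocol transition ("use any authentication protocol").
    $acct = Get-ADComputer -Identity $CesComputerName -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    $allowedTo = @($acct.'msDS-AllowedToDelegateTo')
    # The CA is reached over DCOM/RPC, so the expected constrained targets are HOST and rpcss on the CA.
    $expected  = @("HOST/$CaHostFqdn", "rpcss/$CaHostFqdn")
    $unexpected = $allowedTo | Where-Object { $expected -notcontains $_ }

    $mode = if ($acct.TrustedForDelegation) { 'Unconstrained' }
            elseif ($allowedTo.Count -gt 0)  { 'Constrained' }
            else                              { 'None' }

    $findings = @()
    switch ($mode) {
        'Unconstrained' { $findings += 'Account can delegate to any service; prefer constrained delegation to the CA only.' }
        'Constrained'   {
            if ($unexpected) { $findings += "Constrained targets beyond the CA: $($unexpected -join ', ')" }
            if ($acct.TrustedToAuthForDelegation) { $findings += 'Protocol transition enabled; confirm it is required.' }
        }
        'None'          { $findings += 'No delegation; enrollment will only work if the service is in renewal-only mode.' }
    }

    [pscustomobject]@{
        Computer           = $acct.Name
        DelegationMode     = $mode
        AllowedToDelegateTo = $allowedTo
        Findings           = $findings
    }
}

# Usage (placeholder names):
Test-CesDelegation -CesComputerName 'CES01' -CaHostFqdn 'CA01.corp.example' | Format-List
```

Run it from a machine with the AD module against the domain that holds the CES computer account; a result of `Constrained` with no findings is the configuration to aim for when delegation is needed at all.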
Support for cross-forest certificate enrollment
Before cross-forest enrollment was introduced, a CA could only issue certificates to members of its own forest, so each forest needed its own PKI. With added support for LDAP referrals, a Windows Server 2008 R2 CA can issue certificates across forests that have two-way trust relationships.
By supporting cross-forest certificate enrollment, organizations with multiple Active Directory forests and a separate PKI deployment per forest can benefit from CA consolidation.
Attention:
* Active Directory forests require the Windows Server 2003 forest functional level and two-way transitive trusts.
* Client computers running Windows XP, Windows Server 2003, and Windows Vista do not need to be updated to support cross-forest certificate enrollment.
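The three prerequisites above (a Windows Server 2008 R2 schema, at least the Windows Server 2003 forest functional level, and two-way transitive forest trusts) can be verified from the forest root before consolidating CAs. The script below is an added example, not part of the original article; it assumes the ActiveDirectory module and reads the raw directory attributes, which also works on a 2008 R2 domain controller: schema `objectVersion` 47 is the 2008 R2 schema, `msDS-Behavior-Version` 2 on the Partitions container is the Windows Server 2003 forest level, and on `trustedDomain` objects `trustDirection` 3 means two-way while bit 0x8 of `trustAttributes` marks a forest-transitive trust.

```powershell
# Added example (not from the original article): check the cross-forest
# enrollment prerequisites from the forest root domain. Assumes the
# ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

function Test-CrossForestEnrollmentPrereqs {
    $rootDse = Get-ADRootDSE

    # Schema objectVersion 47 corresponds to the Windows Server 2008 R2 schema.
    $schema   = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $schemaOk = [int]$schema.objectVersion -ge 47

    # Forest functional level lives on CN=Partitions in the configuration partition:
    # 2 = Windows Server 2003, 3 = 2008, 4 = 2008 R2.
    $partitions    = Get-ADObject -Identity "CN=Partitions,$($rootDse.configurationNamingContext)" `
                         -Properties 'msDS-Behavior-Version'
    $forestLevel   = [int]$partitions.'msDS-Behavior-Version'
    $forestLevelOk = $forestLevel -ge 2

    # Trust objects are stored under CN=System of the domain partition.
    $trusts = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                  -SearchBase "CN=System,$($rootDse.defaultNamingContext)" `
                  -Properties trustPartner, trustDirection, trustAttributes

    $trustReport = foreach ($t in $trusts) {
        [pscustomobject]@{
            Partner          = $t.trustPartner
            TwoWay           = ([int]$t.trustDirection -eq 3)          # 1 inbound, 2 outbound, 3 both
            ForestTransitive = (([int]$t.trustAttributes -band 0x8) -ne 0)
        }
    }

    # Only partners reachable over a two-way, forest-transitive trust qualify.
    $eligible = @($trustReport | Where-Object { $_.TwoWay -and $_.ForestTransitive } | Select-Object -ExpandProperty Partner)

    [pscustomobject]@{
        SchemaVersion    = [int]$schema.objectVersion
        SchemaOk         = $schemaOk
        ForestLevel      = $forestLevel
        ForestLevelOk    = $forestLevelOk
        Trusts           = $trustReport
        EligiblePartners = $eligible
        ReadyForCrossForest = ($schemaOk -and $forestLevelOk -and $eligible.Count -gt 0)
    }
}

# Usage: run in the forest root domain of the forest that will host the consolidated CA.
Test-CrossForestEnrollmentPrereqs | Format-List
```

`ReadyForCrossForest` reports only the directory-side requirements; the CA edition requirement from the previous section and the client OS list still have to be checked separately.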