Enterprise certification authorities (CAs) publish certificates, certificate revocation lists (CRLs), and other data to Active Directory containers. The Enterprise PKI snap-in can be used to browse and manage objects in those containers.
The Active Directory containers that can be managed with the Enterprise PKI snap-in are:
- NTAuthCertificates. Contains all of the CA certificates in the current forest. Certificates are added automatically when a new CA is installed by a member of the Enterprise Admins group. Certificates can also be added manually by using the Manage AD Containers dialog box.
- AIA. Contains CA certificates that can be retrieved by clients using the authority information access (AIA) certificate extension to build a valid certificate chain and to retrieve any cross-certificates issued by the CA.
- CDP. Contains all base CRLs and delta CRLs published in the forest.
- KRA. Contains the certificates for key recovery agents for the forest. Key recovery agents must be configured to support key archival and recovery. Key recovery agent certificates can be added to this container automatically by enrolling with an enterprise CA. The key recovery agent certificates cannot be added manually by using the Manage AD Containers dialog box.
- Certification Authorities. Contains the certificates for trusted root CAs in the forest. Root CA certificates are added automatically when a member of Enterprise Admins sets up an enterprise root CA or stand-alone root CA that is joined to the domain. Root CA certificates can also be added manually from the command prompt but not through the Manage AD Containers dialog box.
- Enrollment Services. Contains the certificates for enterprise CAs that are available to issue certificates to users, computers, or services in the forest. Enterprise CA certificates can only be added to this container by a member of Enterprise Admins who installs an enterprise CA. The certificates cannot be added manually by using the Manage AD Containers dialog box.