Term | Definition |
--- | --- |
certificate practice statement (CPS) | A document describing how a CA issues certificates containing the CA identity, security practices used to maintain CA integrity, types of certificates issued, the renewal policy, and so forth. |
certificate revocation list (CRL) | A list of certificates that the CA administrator has invalidated before their expiration dates. |
certificate templates | |
CRL distribution point (CDP) | An attribute of a certificate that identifies where the CRL for a CA can be retrieved; can include URLs for HTTP, FILE, FTP, and LDAP locations. See also certificate revocation list (CRL). |
enterprise CA | A server running Windows Server 2012/R2 with the AD CS role installed; integrates with Active Directory. |
hash algorithm | A mathematical function that takes a string of data as input and produces a fixed-size value as output. Hash values are used to verify that the original data hasn’t been changed and to sign CA certificates and certificates issued by the CA. |
intermediate CAs | A CA in a multilevel CA hierarchy that issues certificates to issuing CAs, which in turn respond to user and device certificate requests; sometimes called a “policy CA.” |
issuing CAs | A CA that interacts directly with clients to field certificate requests and maintains the CRL. See also certificate revocation list (CRL). |
key archival | A method of backing up private keys and restoring them if users’ private keys are lost. |
Network Device Enrollment Service (NDES) | A service that allows network devices, such as routers and switches, to get certificates by using Simple Certificate Enrollment Protocol (SCEP), a Cisco proprietary protocol. |
online responder (OR) | A role service that enables clients to check a certificate’s revocation status without having to download the CRL. See also certificate revocation list (CRL). |
public key infrastructure (PKI) | A security system that binds a user’s or device’s identity to a cryptographic key that secures data transfers with encryption and ensures data authenticity with digital certificates. |
registration authority | A server configured with the Web Enrollment role service; also called a “CA Web proxy.” |
restricted enrollment agent | An enrollment agent that’s limited to enrolling only specific users or security groups; available only with an enterprise CA. |
root CA | The first CA installed in a network. Clients are configured to trust the root CA’s certificate, and then implicitly trust the certificate of any CA that’s subordinate to the root. |
stand-alone CA | A server running Windows Server 2012/R2 with the AD CS role installed; not integrated with Active Directory. |