# AD CS Architecture

## Core Components

Below are a few core components of AD CS. There are more, but I'll cover the ones I see most often.

### Certification Authority

The Certification Authority (CA) is the core AD CS role that issues and signs certificates. Its role includes:

* Processing certificate requests
* Issuing and signing certificates
* Maintaining a database of issued and revoked certificates

{% hint style="info" %}
Commonly called the Certificate Authority.
{% endhint %}

### Certificate Templates

Certificate Templates define the rules for certificates that can be issued by the CA. Templates control things like:

* Who can request the certificate
* Certificate usage (authentication, encryption, etc.)
* Enrollment permissions
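
To review these settings across an environment, the following added example (not part of the original page) reads each template from Active Directory and lists its usage EKUs and the principals allowed to enroll. It assumes the RSAT `ActiveDirectory` module and read access to the forest's Configuration partition.

```powershell
# Added example: read-only inventory of certificate templates.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Templates are stored in the forest's Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Extended-right GUIDs that allow enrollment on a template.
# The all-zero GUID means "all extended rights" (also matches GenericAll ACEs).
$enrollRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'AutoEnroll'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

Get-ADObject -SearchBase $base -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, pKIExtendedKeyUsage, nTSecurityDescriptor |
ForEach-Object {
    $tpl = $_

    # Who can request: allow ACEs that carry an enrollment extended right.
    $enrollers = $tpl.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extRight) -and
        $enrollRights.ContainsKey($_.ObjectType.ToString())
    } | ForEach-Object {
        '{0} ({1})' -f $_.IdentityReference, $enrollRights[$_.ObjectType.ToString()]
    }

    [pscustomobject]@{
        Template  = $tpl.displayName
        # Usage: EKU OIDs, e.g. 1.3.6.1.5.5.7.3.2 = Client Authentication.
        EKUs      = ($tpl.pKIExtendedKeyUsage -join ', ')
        Enrollers = ($enrollers | Sort-Object -Unique) -join '; '
    }
} | Sort-Object Template | Format-Table -AutoSize -Wrap
```

Broad groups such as `Domain Users` or `Authenticated Users` in the `Enrollers` column on a template with an authentication EKU are the entries worth reviewing first.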

### Certification Authority Web Enrollment

CA Web Enrollment is an optional (but commonly enabled) AD CS role that provides a web interface for requesting certificates. Its role includes:

* Allowing manual certificate requests through a browser
* Allowing administrators to retrieve issued certificates
* Supporting certificate enrollment for non-domain systems

{% hint style="info" %}
The typical CA Web Enrollment endpoint is `http://[CA Server]/certsrv`
{% endhint %}

### Certificate Revocation List (CRL)

The Certificate Revocation List isn't necessarily an AD CS component or role - it is data published by the CA that lists revoked certificates.
