Exit modules define what the CA does after a certificate is issued.
The Windows default exit module is typically used, and it can be configured to publish
new certificates to Active Directory. You can also publish new certificates to the file system
by opening the Properties window of the Windows default exit module and checking
the Allow Certificates to Be Published to the File System checkbox (Figure 12-9). These
certificates are stored in %SYSTEMROOT%\system32\certsrv\certenroll.
The Enrollment Agents tab (Figure 12-10) contains options for configuring which accounts
can act as enrollment agents and which certificate templates can be applied. The
default is not to restrict enrollment agents, but if you need to limit who and what gets
access, this is the place to do it.
Figure 12-6. Certification Authority MMC snap-in
416 Microsoft Windows Server 2008 Administration
Figure 12-7. General tab
Figure 12-8. Windows default policy module request handling
417 Chapter 12: Enterprise Public Key Infrastructure
Figure 12-10. Enrollment Agents tab
Figure 12-9. Enabling certificates to be published to the file system
NOTE Restricting enrollment agents can be enforced only by servers running Windows Server
2008.
The Auditing tab lets you configure what CA events get logged to the security event
log (Figure 12-11).
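
The exit module publishing option and the Auditing tab selections described above can be reviewed without opening the snap-in. The following read-only PowerShell check is an added example, not taken from the book. The registry path, the value names (`Active`, `AuditFilter`, `PublishCertFlags`) and the bit values are not given on the page; they are assumptions about the standard AD CS registry layout.

```powershell
# Added example: read-only review of the CA settings discussed above.
# Assumption: standard AD CS registry layout under CertSvc\Configuration.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey   = Join-Path $cfgRoot $caName

# Assumption: AuditFilter is a bit mask with one bit per Auditing tab checkbox,
# listed here from the lowest bit (1) to the highest (64).
$auditNames = @(
    'Start and stop Active Directory Certificate Services',  # 1
    'Back up and restore the CA database',                   # 2
    'Issue and manage certificate requests',                 # 4
    'Revoke certificates and publish CRLs',                  # 8
    'Change CA security settings',                           # 16
    'Store and retrieve archived keys',                      # 32
    'Change CA configuration'                                # 64
)

# A missing value is treated as 0 (nothing audited).
$filter = [int](Get-ItemProperty -Path $caKey -Name AuditFilter `
                -ErrorAction SilentlyContinue).AuditFilter

# Collect every event category whose bit is not set.
$notAudited = @()
$bit = 1
foreach ($name in $auditNames) {
    if (($filter -band $bit) -eq 0) { $notAudited += $name }
    $bit *= 2
}

# Assumption: the default exit module stores its publishing choices in
# PublishCertFlags (1 = file system, 2 = Active Directory).
$exitKey = Join-Path $caKey 'ExitModules\CertificateAuthority_MicrosoftDefault.Exit'
$publish = [int](Get-ItemProperty -Path $exitKey -Name PublishCertFlags `
                 -ErrorAction SilentlyContinue).PublishCertFlags

New-Object PSObject -Property @{
    CA                  = $caName
    AuditFilter         = $filter
    NotAudited          = $notAudited -join '; '
    PublishToFileSystem = (($publish -band 1) -ne 0)
    PublishToAD         = (($publish -band 2) -ne 0)
}
```

An empty `NotAudited` field means every checkbox on the Auditing tab is selected. The events reach the security event log only if object access auditing is also enabled in the server's audit policy.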