MZ@PEL!@0d_@.rsrc@@.its @@0	HX||4VS_VERSION_INFOStringFileInfo040904b0b!FileVersion1.00.00                         l"FileDescriptionCompiled Microsoft Help 2.0 TitleBFileStamp842106CC01CA041F4JCompilerVersion2.5.71210.08579VCompileDate2009-07-14T01:07:54      >TopicCount177000000000000ALegalCopyright 2005 Microsoft Corporation. All rights reserved.CCCCCCCCCCCCCDVarFileInfo$Translation	ti!)	ITOLITLS(X쌡^
V`   x CAOLPHHC ITSF #h#	^-Y쌡^
VY쌡^
VIFCMAOLLIFCM AOLL//$FXFtiAttribute//$FXFtiAttribute/BTREE/$FXFtiAttribute/DATA/$FXFtiAttribute/PROPERTY&N/$FXFtiMain//$FXFtiMain/BTREE+/$FXFtiMain/DATAC}/$FXFtiMain/PROPERTY@N/$Index/$ATTRNAMEdp/$Index/$PROPBAG</$Index/$STRINGS|~/$Index/$SYSTEMjR
/$Index/$TOC//$Index/$TOC/$certsvr /$Index/$TOPICATTRtp/$Index/$TOPICSJ /$Index/$URLSTRzH/$Index/$URLTBLB/$Index/$VTAIDXT/$Index/AssetId//$Index/AssetId/$BL0h/$Index/AssetId/$LEAF_COUNTSh/$Index/AssetId/$LEAVES|	/$OBJINST /assets/0/assets/026bba14-e615-409f-a480-01ef71375fbf.xmlt
0/assets/0588b149-8413-421d-844c-9a53857eac65.xml0/assets/05c491e0-99e3-4a33-aab8-8b00c32c5bdf.xml%0/assets/07a53b9e-c593-4264-8126-508e743dc155.xml)0/assets/0e22c650-0bdd-4807-8a90-68dbf4f39dc2.xmlHG0/assets/0f428311-c433-460c-96be-ced456f7e016.xml]0/assets/11b65839-a8fb-47cf-aaec-687e5428e8cc.xmll`0/assets/1227bc23-4eea-478e-921b-9c805f3925b9.xmlLH0/assets/12afc6dc-7e94-471f-953b-9ed9271a1b85.xml{0/assets/18656667-17b6-4e81-af4c-4ff1b767c8b8.xml0/assets/1b396c19-25ca-4855-bc60-fb06af1ea3d4.xml!v0/assets/1b4c0f44-d488-41e8-afb3-80408014c64f.xml0/assets/1e4b6432-977c-4e21-a245-5ce30ae80cc4.xml(Q0/assets/1eb5a9e3-de04-44a0-8972-bc744ca43320.xmlyw0/assets/24bce8a3-bf9b-48b9-adfa-b523d393038c.xmlp$0/assets/25fbd545-9aa8-4e2a-a9bc-eac92cf8bd40.xmle0/assets/26af007f-65e7-4f2b-a154-2bdcc7af2657.xmlyP0/assets/281af9f9-b1cb-4efa-99d0-ba44e9b7ee21.xmlIF0/assets/2979e21a-28f0-4e84-b978-e52514a86f90.xmlI0/assets/2c78c461-1d3f-40f4-b435-1d87f03c299a.xmlX'0/assets/336d3a6a-33c6-4083-8606-c0a4fdca9a25.xmlQ0/assets/3435d75d-3bec-41c9-8ba2-dc16511d4e12.xmlP,0/assets/3d31dd67-df01-4e8e-809e-22e5bd0a4a32.xml|R0/assets/419159e1-a432-4169-a4cd-45612fbf3266.xmlN0/assets/47cd6246-68d0-4579-8b76-5b5b0998d11d.xmlU}0/assets/49e21964-dc6f-444b-a97f-e7fb70dfbcde.xmlR0/assets/4aaea26c-e132-4c04-9849-e5106f93d042.xmlc&0/assets/51842149-feee-43d7-8813-38a64d1f4caa.xml	
0/assets/5531ecb5-3073-490f-80f9-5d263e60b07a.xml(0/assets/5ddd6c36-0fb3-457d-94fa-3b1e3fc9c5b2.xml?j0/assets/637ff3b3-6881-4ffb-b4f9-ea56171527e0.xml)0/assets/6517f2bf-bf39-4275-86f6-d579a26e3654.xml4W0/assets/698175c2-9ca5-4124-a851-937e659232e7.xmlb0/assets/6a1aa4e4-a0b2-4ec0-9555-5fc32e8c30c0.xmlm20/assets/70e5d64c-91ce-4355-a9c9-115fe0866911.xml0/assets/74abcd5f-c2c7-474b-b154-8cfe285a1754.xml0z0/assets/78f85b75-f12b-4408-913e-8add44aeb750.xml*L0/assets/7b561f6e-d9a8-43ed-b790-f612482c99f7.xmlv0/assets/7b886752-8d1f-4594-90ee-14686f79fb22.xmlJ0/assets/7f6f2678-440f-4d5f-bada-7953d9ffa6b7.xmlU0/assets/82ad05ce-4f9f-4cb0-889b-b0e21bb4766c.xmlq]0/assets/855f7a2f-429f-40c2-b297-09a55047cc4c.xmlN0/assets/86a959c3-88f5-48ab-8457-21bc8755d205.xmlOe0/assets/89610b23-0af5-4bc7-8eb9-2e2584d3f0a2.xml40/assets/8cb0540b-a5c2-47e5-913c-4d995a4adc2d.xmlJr0/assets/8d3dcbf1-d83e-4be6-866a-a1e9449b3adc.xml<>0/assets/910c18a2-6b51-4bc5-8f02-9ff32ffc3087.xmlz0/assets/928ede4c-c06d-4e5b-8d6e-fda1334627ed.xml~0/assets/964edfbd-d935-4352-b054-5e3dfe6c547e.xml40/assets/98cde842-f281-4892-9da4-1e467199ea14.xml:?0/assets/99dc782e-81fa-4f86-909b-87489465a650.xmlyT0/assets/9ab7283a-533f-4eef-a243-9acbf85cbfbd.xmlM0/assets/9b2626dc-5d07-4619-a0cc-be44f9682fb2.xml\k0/assets/a24a23a7-b723-42fc-8295-2641e6fc5de3.xmlGk0/assets/a6445362-7927-492f-9e82-0d7058e599f5.xml270/assets/a793d37c-717c-4b41-ab67-87bf559f4d80.xmli0/assets/aab315d6-7dad-4d5c-bf0f-a766e8ad0d21.xmlw0/assets/afc1d704-3d8f-43de-b4b3-51a062878d14.xml	
b0/assets/b19a07e1-9984-444d-b968-a330c7a8a60c.xmlki0/assets/b3cbf5d7-d1f6-4454-8194-48a3afc87b59.xmlTe0/assets/b3d53f51-56f6-4031-8aad-ebdc4c71cb56.xml9q0/assets/b5af94a1-4caf-4c05-b344-d996fdb9e2eb.xml*)0/assets/b71c1373-6f1a-4c93-9eb4-875cc4a58bec.xmlS$0/assets/b8d01da1-12ac-404b-8239-ff5b59679f02.xmlw20/assets/b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1.xml).0/assets/bac506b2-57be-45c2-bdf6-1f976eeeb475.xmlWv0/assets/bb63e84f-9313-4b54-b3f2-5a3c8490f250.xmlM"0/assets/c3b0e476-4bec-411c-b6cc-6bed8a1c378d.xmloO0/assets/c651f8cf-5c84-42c0-9a61-37e0000e6989.xml>50/assets/c6fde0cd-3964-42ef-b3af-de1ef683f534.xmls0/assets/c8955f83-fed9-4a18-80ea-31e865435f73.xml:0/assets/cba53c53-a842-42b1-8de4-7235e0b3c5fc.xml9e0/assets/cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30.xmly0/assets/cf5622e1-daa9-42cc-8b43-14953e34f8b6.xmlL0/assets/d6267265-af06-47c2-a2aa-f61695eb4084.xmlcB0/assets/d6d69e62-0640-4055-bee9-8b4a993c6ac8.xml%H0/assets/d6e60022-fcad-4192-b038-be51c15b8f6a.xmlml0/assets/d762c3f4-f7ac-4af2-8e2d-331d33dc0583.xmlYy0/assets/e22f74dc-82e6-4b3e-8429-5f1faf393f33.xmlR0/assets/e2d10a64-83c5-4a2b-bcca-e6984de16fdf.xmleY0/assets/e3990c59-f588-45ad-b3fd-3052e0b4f659.xml>\0/assets/e8c88a49-84e8-48a8-a303-9aab2e68a1db.xml0/assets/e9bd1194-e088-4671-840f-0847cf5ee2a0.xml+J0/assets/ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2.xmluz0/assets/ef9ce3f2-30f8-4cac-b1a5-930e3ef8c0cd.xmlo0/assets/f07ac4f6-269b-41d7-9d09-06ca4930bff4.xml
>0/assets/f0bb5698-e30a-46fc-92d2-10d1f949e970.xmlH20/assets/f3911350-ab45-494d-a07e-d0b9696a651e.xmlze0/assets/f4d0ff2c-e17f-4cf6-997b-413d844d71d0.xml_<0/assets/f5ae6b2c-a94f-4e74-a3b9-59cdcf195575.xml\0/assets/f9e48956-7408-4ec8-8907-b2b5b075ad77.xmlwE0/assets/fbe9a9e0-ae87-4134-9dec-48bfda4266df.xml<o0/assets/fddd4b0c-c6c1-4800-8f5d-1f77d77d2a2c.xml+c/certsvr.h1c/certsvr.H1F/certsvr.H1Ta/certsvr.H1V01/certsvr_AssetId.H1Kwk/certsvr_BestBet.H1Kbk/certsvr_LinkTerm.H1KMl/certsvr_SubjectTerm.H1K9o::DataSpace/NameList<(::DataSpace/Storage/MSCompressed/Content(f,::DataSpace/Storage/MSCompressed/ControlDataT )::DataSpace/Storage/MSCompressed/SpanInfoL/::DataSpace/Storage/MSCompressed/Transform/List<_::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/i::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/ResetTablex3::Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/z[lYF3 

	taN;(ESqUncompressedMSCompressedFX쌡^
VLZXCHH<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Install and Use the Certification Authority Snap-In</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The Certification Authority snap-in can be used to administer a certification authority (CA) on this computer or on another computer. The snap-in is installed automatically on a computer that has a CA installed. Otherwise, you must first install the Active Directory Certificate Services (AD CS) Remote Server Administration Tools.</maml:para>

<maml:para>You must be a CA administrator to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To administer a CA on this computer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If this is the first time you are using the Certification Authority snap-in on this computer, click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:userInput>mmc</maml:userInput>, and then press ENTER. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File</maml:ui> menu, click <maml:ui>Add/Remove Snap-in</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Add the <maml:ui>Certification Authority</maml:ui> snap-in to the list on the right. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the computer hosting the CA that you want to administer, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>You can also use an existing instance of the Certification Authority snap-in to switch from administering one CA to administering another CA. </maml:para>

<maml:para>You must be a CA administrator on the remote CA to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To administer a CA on another computer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Retarget Certification Authority</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Another computer</maml:ui>, and type the name of the computer.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>You can also customize the Certification Authority snap-in by using display filters. With filters, you can restrict the items displayed in the details pane of the Certification Authority snap-in to items that meet a set of criteria you establish. For example, you can create a filter that will display in the <maml:ui>Issued Certificates</maml:ui> folder only those certificates that were effective after a specific date.</maml:para>

<maml:para>You do not need to be a CA administrator, but you must have permissions to perform administration tasks on the CA to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To set display filters for the Certification Authority snap-in</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click any of the displayed folders except <maml:ui>Certificate templates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>View</maml:ui> menu, click <maml:ui>Filter</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>For each of the selection criteria:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Field</maml:ui>, click the field on which to filter.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Operation</maml:ui>, click the operation to qualify the filter value for this field.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Value</maml:ui>, type the qualification value.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To remove a filter, select it in the <maml:ui>Filter</maml:ui> dialog box, and then click <maml:ui>Remove</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To remove all existing filters, in the <maml:ui>Filter</maml:ui> dialog box, click <maml:ui>Reset</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>The Remote Server Administration Tools can be installed on a computer running Windows Server 2008 R2 or Windows Server 2008 by using the Add Features Wizard. </maml:para>

<maml:para>You must be an administrator on the server to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To install the AD CS Remote Server Administration Tools</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open Server Manager. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Features Summary</maml:ui>, click <maml:ui>Add Features</maml:ui> to start the Add Features Wizard. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Select Features</maml:ui> page, click the plus sign to the left of the <maml:ui>Remote Server Administration Tools</maml:ui> check box, and then click the plus sign to the left of the <maml:ui>Role Administration Tools</maml:ui> check box. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Active Directory Certificate Services</maml:ui> check box, click <maml:ui>Next</maml:ui>, and then click <maml:ui>Install</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When installation is complete, click <maml:ui>Close</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>To perform remote administration tasks from a computer running Windows Vista, you can obtain the Remote Server Administration Tools Pack from the Microsoft Download Center (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=89361</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=89361"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e3990c59-f588-45ad-b3fd-3052e0b4f659"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certification Authority Naming</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Before you configure certification authorities (CAs) in your organization, you should establish a CA naming convention. </maml:para>

<maml:para>Names for CAs cannot be more than 64 characters in length. You can create a name by using any Unicode character, but you might want to use the ANSI character set if interoperability is a concern. For example, certain types of routers will not be able to use the Network Device Enrollment Service to enroll for certificates if the CA name contains special characters such as an underscore.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>If you use non-Latin characters (such as Cyrillic, Arabic, or Chinese characters), your CA name must contain fewer than 64 characters. If you use only non-Latin characters, your CA name can be no more than 37 characters in length. </maml:para>
</maml:alertSet>

<maml:para>In Active Directory Domain Services (AD DS), the name that you specify when you configure a server as a CA becomes the common name of the CA, and this name is reflected in every certificate that the CA issues. For this reason, it is important that you do not use the fully qualified domain name of the server as the common name of the CA. That way, a malicious user who obtains a copy of a certificate cannot read the fully qualified domain name of the CA from the certificate and use that name to create a potential security vulnerability.</maml:para>

<maml:para>The CA name does not have to be identical to the name of the computer. However, you cannot change the name of a server after Active Directory Certificate Services (AD CS) has been installed without invalidating all the certificates issued by the CA.</maml:para>

<maml:para>To change the server name after AD CS has been installed, you must uninstall the CA, change the name of the server, reinstall the CA, and reissue all the certificates issued by the CA. </maml:para>

<maml:para>You do not have to reinstall a CA if you rename a domain; however, you will have to reconfigure the CA to support the name change. </maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Install a Root Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=928ede4c-c06d-4e5b-8d6e-fda1334627ed"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para>Administering Active Directory Domain Rename in Windows Server 2008 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=143938</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=143938"></maml:uri></maml:navigationLink>)</maml:para></maml:listItem>
<maml:listItem><maml:para>Windows Server 2003 Active Directory Domain Rename Tools (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=91448</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91448"></maml:uri></maml:navigationLink>)</maml:para></maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Authenticate Web Servers with Certificates Issued by a Windows-Based CA</maml:title><maml:introduction>
<maml:para>Certificates can be used to authenticate queries sent by clients to Web servers. By using certificates issued by a Microsoft certification authority (CA), clients can verify that the query results have not been tampered with and that the results were returned by the correct domain controller or Web server. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Task</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Set up additional subordinate CAs. (Optional)</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Install a Subordinate Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e9bd1194-e088-4671-840f-0847cf5ee2a0"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Install and configure a Web Server certificate template.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Managing Certificate Templates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142230</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142230"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure certificate enrollment.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Enrollment</maml:linkText><maml:uri href="mshelp://windows/?id=3435d75d-3bec-41c9-8ba2-dc16511d4e12"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Enable Key Archival for a CA</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled for the key recovery certificate and be registered as the recovery agent for the certification authority (CA).</maml:para>

<maml:para>You must be a CA administrator to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To enable key archival for a CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Recovery Agents</maml:ui> tab, and then click <maml:ui>Archive the key</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Number of recovery agents to use</maml:ui>, type the number of key recovery agents that will be used to encrypt the archived key.</maml:para>

<maml:para>The <maml:ui>Number of recovery agents to use</maml:ui> must be between one and the number of key recovery agent certificates that have been configured. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Add</maml:ui>. Then, in <maml:ui>Key Recovery Agent Selection</maml:ui>, click the key recovery certificates that are displayed, and click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>The certificates should appear in the <maml:ui>Key recovery agent certificates</maml:ui> list, but their status is listed as <maml:ui>Not loaded</maml:ui> until the CA is restarted. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui> or <maml:ui>Apply</maml:ui>. When prompted to restart the CA, click <maml:ui>Yes</maml:ui>. When the CA has restarted, the status of the certificates should be listed as <maml:ui>Valid</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>The list of <maml:ui>Key recovery agent certificates</maml:ui> can include the status values and causes in the following table.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Status</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Cause</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Expired</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The certificate's expiration date has passed, so the certificate cannot be used.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Invalid</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The certificate may be malformed, or it may cause an error when it is loaded.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Not found</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The certificate was configured but cannot be located by the CA.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Not loaded</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The certificate was configured but has not yet been loaded by the CA.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Revoked</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The certificate has been revoked and cannot be used.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Untrusted</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The root CA for this certificate is not trusted by the CA.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Valid</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The certificate has been loaded by the CA and is operating normally.</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>If the <maml:ui>Number of recovery agents to use</maml:ui> value exceeds the number of recovery agent certificates with the status of <maml:ui>Valid</maml:ui>, enrollment requests that require key archival will fail.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Key Archival and Recovery</maml:linkText><maml:uri href="mshelp://windows/?id=51842149-feee-43d7-8813-38a64d1f4caa"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configuring Server Certificates for Certificate Enrollment Web Services</maml:title><maml:introduction>
<maml:para>The certificate enrollment Web services require HTTPS connections. Follow this procedure to select a Server Authentication certificate and configure the HTTPS binding.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:procedure><maml:title>To configure the HTTPS binding</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Open Server Manager.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, expand <maml:ui>Roles</maml:ui>, and then expand <maml:ui>Web Server (IIS)</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Internet Information Services (IIS) Manager</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree under <maml:ui>Connections</maml:ui>, expand the Web server, expand <maml:ui>Sites</maml:ui>, and then click the Web site that hosts the Web service.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Actions</maml:ui> pane, click <maml:ui>Bindings</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Type</maml:ui> list, click <maml:ui>https</maml:ui>, and then click <maml:ui>Edit</maml:ui>.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If <maml:ui>https</maml:ui> is not in the list, click <maml:ui>Add</maml:ui>, click <maml:ui>https</maml:ui>, and then select the IP address and port of the site that hosts the Web service.</maml:para>
</maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>SSL Certificate</maml:ui> list, select a certificate.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The specified certificate must include the Server Authentication purpose and have a subject name that matches the host name that client computers will use to access the Web service. To request a Server Authentication certificate, see Request Certificates by Using the Certificate Request Wizard (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=143456</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=143456"></maml:uri></maml:navigationLink>).</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to save the binding.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Checklist: Authenticate Web Servers with Certificates Issued by a Windows-Based CA</maml:linkText><maml:uri href="mshelp://windows/?id=05c491e0-99e3-4a33-aab8-8b00c32c5bdf"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Setting Up Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Installing the Certificate Enrollment Web Service</maml:linkText><maml:uri href="mshelp://windows/?id=cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Installing the Certificate Enrollment Policy Web Service</maml:linkText><maml:uri href="mshelp://windows/?id=99dc782e-81fa-4f86-909b-87489465a650"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list></maml:introduction>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificates Database</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>When you install a certification authority (CA), you also need to create a CA database to record: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Every certificate issued by the CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Every private key archived by the CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Every certificate revoked by the CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Every certificate request received by the CA, regardless of whether the request is approved, denied, or set to pending.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>This database should be located on an NTFS file system partition on the server's disk drives to provide the best security possible for the database file, because NTFS permissions can then be used to restrict access to it. You specify the locations for the database during the setup of a CA. By default, the database is located in <maml:replaceable>systemroot</maml:replaceable>\system32\certlog.</maml:para>

<maml:para>You also specify the location of the CA database log during Active Directory Certificate Services (AD CS) setup. The CA database log keeps a record of every transaction involving the CA database. CA database logs are used when restoring the CA from a backup. If a CA is restored from a backup that is one month old, then the CA database can be updated with more recent activity recorded in the log to restore the database to its most current state. When you back up a CA, the existing certificate database logs will be truncated in size because they will no longer be needed to restore the certificate database to its most current state. </maml:para>

<maml:para>The name of the database file is based on the name of the CA, with an .edb extension. </maml:para>

<maml:para>The Certification Authority snap-in allows you to view and administer the CA database.</maml:para>

<maml:para>For more information about CA backup and restore, see <maml:navigationLink><maml:linkText>Protecting a CA from Data Loss</maml:linkText><maml:uri href="mshelp://windows/?id=11b65839-a8fb-47cf-aaec-687e5428e8cc"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Install a Root Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=928ede4c-c06d-4e5b-8d6e-fda1334627ed"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Protecting a CA from Data Loss</maml:title><maml:introduction>
<maml:para>A certification authority (CA) is an important resource for any organization. Therefore, it is important to plan for potential problems, such as hard disk failure or database corruption, by backing up and restoring a CA regularly. A complete backup of a server will also provide backup for the CA installed on the server. However, you can also back up and restore just the CA. Also, for hardware that is several years old, some organizations might decide to move a CA to new hardware both to improve performance and to remove older hardware from service before a critical component failure occurs.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Back Up a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=25fbd545-9aa8-4e2a-a9bc-eac92cf8bd40"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Restore a CA from a Backup Copy</maml:linkText><maml:uri href="mshelp://windows/?id=1b4c0f44-d488-41e8-afb3-80408014c64f"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Infrequent Management Tasks</maml:title><maml:introduction>
<maml:para>The following management tasks need to be performed when a certification authority (CA) is initially deployed or when significant changes are needed.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Securing Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=afc1d704-3d8f-43de-b4b3-51a062878d14"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring Certificate Revocation</maml:linkText><maml:uri href="mshelp://windows/?id=336d3a6a-33c6-4083-8606-c0a4fdca9a25"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Deploying Certificate Templates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142228</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142228"></maml:uri></maml:navigationLink>)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Key Archival and Recovery</maml:linkText><maml:uri href="mshelp://windows/?id=51842149-feee-43d7-8813-38a64d1f4caa"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Policy and Exit Modules</maml:linkText><maml:uri href="mshelp://windows/?id=7f6f2678-440f-4d5f-bada-7953d9ffa6b7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Protecting a CA from Data Loss</maml:linkText><maml:uri href="mshelp://windows/?id=11b65839-a8fb-47cf-aaec-687e5428e8cc"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Identify a Key Recovery Agent</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>A key recovery agent is a person who is authorized to recover a certificate on behalf of an end user. Because the role of key recovery agents can involve sensitive data, only highly trusted individuals should be assigned to this role. </maml:para>

<maml:para>To identify a key recovery agent, you must configure the Key Recovery Agent certificate template to allow the person assigned to this role to enroll for a key recovery agent certificate.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure the Key Recovery Agent certificate template</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, right-click the <maml:ui>Key Recovery Agent</maml:ui> certificate template. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Duplicate Template</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Duplicate Template</maml:ui> dialog box, click <maml:ui>Windows Server 2003 Enterprise</maml:ui> unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Template</maml:ui>, type a new template display name, and then modify any other optional properties as needed.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Security</maml:ui> tab, click <maml:ui>Add</maml:ui>, type the names of the users you want to issue the key recovery agent certificates to, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Group or user names</maml:ui>, select the user names that you just added. Under <maml:ui>Permissions</maml:ui>, select the <maml:ui>Read </maml:ui>and <maml:ui>Enroll </maml:ui>check boxes, and then click <maml:ui>OK</maml:ui>.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>To enhance security and control of the key recovery process, you should not use autoenrollment for key recovery agent certificates. </maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>Before the new key recovery agent can enroll for a certificate based on the new certificate template that you created, the template must first be added to the CA. For information about how to complete this procedure, see Add a Certificate Template to a Certification Authority (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=147110</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=147110"></maml:uri></maml:navigationLink>). </maml:para>

<maml:para>If the certificate template was configured with Read and Enroll permissions, the new key recovery agent must use the Certificates snap-in and the Certificate Import Wizard to obtain a key recovery certificate. If the certificate template was configured with Autoenroll permissions, the certificate will be issued automatically the next time the user logs on to the network. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>By default, the <maml:ui>CA certificate manager approval</maml:ui> check box is selected on the <maml:ui>Issuance Requirements</maml:ui> tab. Unless you clear this check box, a CA manager must approve the certificate request before a key recovery agent certificate is issued.</maml:para>
</maml:alertSet>

<maml:para>The next procedure, <maml:navigationLink><maml:linkText>Enable Key Archival for a CA</maml:linkText><maml:uri href="mshelp://windows/?id=07a53b9e-c593-4264-8126-508e743dc155"></maml:uri></maml:navigationLink>, cannot be completed until the key recovery agent has obtained this certificate. </maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Key Archival and Recovery</maml:linkText><maml:uri href="mshelp://windows/?id=51842149-feee-43d7-8813-38a64d1f4caa"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Specify CRL Distribution Points</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>You can add, remove, or modify certificate revocation list (CRL) distribution points in issued certificates by using the following procedure. However, modifying the URL for a CRL distribution point only affects newly issued certificates. Previously issued certificates will continue to reference the original location. </maml:para>

<maml:para>You must be a certification authority (CA) administrator to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To specify CRL distribution points in issued certificates</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>, and then click the <maml:ui>Extensions </maml:ui>tab. Confirm that <maml:ui>Select extension</maml:ui> is set to <maml:ui>CRL Distribution Point (CDP)</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Do one or more of the following. (The list of CRL distribution points is in the <maml:ui>Specify locations from which users can obtain a certificate revocation list (CRL)</maml:ui> box.)</maml:para>

<maml:table>
<maml:row>
<maml:entry>
<maml:para>To add a new CRL distribution point</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Click <maml:ui>Add</maml:ui>, type the name of the new CRL distribution point, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>To remove a CRL distribution point from the list</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Click the CRL distribution point, click <maml:ui>Remove</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>To indicate that you want to use a URL as a CRL distribution point</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Click the CRL distribution point, select the <maml:ui>Include in the CDP extension of issued certificates </maml:ui>check box, and then click<maml:ui> OK</maml:ui>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>To indicate that you do not want to use a URL as a CRL distribution point</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Click the CRL distribution point, clear the <maml:ui>Include in the CDP extension of issued certificates </maml:ui>check box, and then click<maml:ui> OK</maml:ui>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>To indicate that you want to use a URL as a delta CRL distribution point</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Click the CRL distribution point, select the <maml:ui>Publish Delta CRLs to this location </maml:ui>check box, and then click<maml:ui> OK</maml:ui>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>To indicate that you do not want to use a URL as a delta CRL distribution point</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Click the CRL distribution point, clear the <maml:ui>Publish Delta CRLs to this location </maml:ui>check box, and then click<maml:ui> OK</maml:ui>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>To indicate that you want to publish this location in CRLs to point clients to a delta CRL</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Click the CRL distribution point, select the <maml:ui>Include in CRLs. Clients use this to find Delta CRL locations </maml:ui>check box, and then click<maml:ui> OK</maml:ui>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>To indicate that you do not want to publish this location in CRLs to point clients to a delta CRL</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Click the CRL distribution point, clear the <maml:ui>Include in CRLs. Clients use this to find Delta CRL locations </maml:ui>check box, and then click<maml:ui> OK</maml:ui>.</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Yes</maml:ui> to stop and restart Active Directory Certificate Services (AD CS).</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>CRL URLs can be HTTP, FTP, LDAP, or FILE addresses. You can use the following variables when specifying the address of the CRL. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Variable</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Value</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>CAName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The name of the CA</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>CAObjectClass</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The object class identifier for a CA, used when publishing to an LDAP URL</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>CATruncatedName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The "sanitized" name of the CA, truncated to 32 characters with a hash at the end </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>CDPObjectClass</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The object class identifier for CRL distribution points, used when publishing to an LDAP URL</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>CertificateName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The renewal extension of the CA</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ConfigurationContainer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The location of the Configuration container in Active Directory Domain Services (AD DS)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>CRLNameSuffix</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Inserts a name suffix at the end of the file name when publishing a CRL to a file or URL location</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>DeltaCRLAllowed</maml:para>
</maml:entry>
<maml:entry>
<maml:para>When a delta CRL is published, this replaces the CRLNameSuffix variable with a separate suffix to distinguish the delta CRL from the CRL</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ServerDNSName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The DNS name of the CA server</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ServerShortName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The NetBIOS name of the CA server</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring Certificate Revocation</maml:linkText><maml:uri href="mshelp://windows/?id=336d3a6a-33c6-4083-8606-c0a4fdca9a25"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Manage Certificate Revocation</maml:linkText><maml:uri href="mshelp://windows/?id=5531ecb5-3073-490f-80f9-5d263e60b07a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Restrict Certificate Managers</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the <maml:ui>Issue and Manage Certificates</maml:ui> permission.</maml:para>

<maml:para>When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.</maml:para>

<maml:para>This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.</maml:para>

<maml:para>You must be a CA administrator or a member of <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure certificate manager restrictions for a CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in, and right-click the name of the CA. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Properties</maml:ui>, and then click the <maml:ui>Security </maml:ui>tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify that the user or group that you have selected has <maml:ui>Issue and Manage Certificates</maml:ui> permission. If they do not yet have this permission, select the <maml:ui>Allow</maml:ui> check box, and then click <maml:ui>Apply</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Certificate Managers </maml:ui>tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Restrict certificate managers</maml:ui>, and verify that the name of the group or user is displayed.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Certificate Templates</maml:ui>, click <maml:ui>Add</maml:ui>, select the template for the certificates that you want this user or group to manage, and then click <maml:ui>OK</maml:ui>. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Permissions</maml:ui>, click <maml:ui>Add</maml:ui>, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under <maml:ui>Permissions</maml:ui>, select this user, computer, or group, and click <maml:ui>Deny</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When you are finished configuring certificate manager restrictions, click <maml:ui>OK</maml:ui> or <maml:ui>Apply</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Securing Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=afc1d704-3d8f-43de-b4b3-51a062878d14"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Restore a CA from a Backup Copy</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>In general, you should use the Backup snap-in to back up and restore both a certification authority (CA) and the server at the same time. However, there may be times when you want to restore just a CA without restoring the entire server on which the CA is installed.</maml:para>

<maml:para>You must be a CA administrator or a member of the <maml:phrase>Backup Operators</maml:phrase> group, or equivalent, to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To restore a CA from a backup copy by using the Certification Authority snap-in</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and click <maml:ui>Restore CA</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Follow the instructions in the Certification Authority Restore Wizard.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>You can also complete this procedure by using the Certutil command-line tool.</maml:para>

<maml:para>You must be a CA administrator or a member of the <maml:phrase>Backup Operators</maml:phrase> group, or equivalent, to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To restore a CA from a backup copy by using Certutil</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>At a command prompt, type:</maml:para>

<dev:code>certutil -restore &lt;<maml:replaceable>BackupDirectory</maml:replaceable>&gt;</dev:code>

<maml:para><maml:replaceable>BackupDirectory</maml:replaceable><maml:foreignPhrase> </maml:foreignPhrase>specifies the path where the backup data is located.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To open a command prompt, click <maml:ui>Start</maml:ui>, point to <maml:ui>All Programs</maml:ui>, click <maml:ui>Accessories</maml:ui>, and then click <maml:ui>Command Prompt</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Protecting a CA from Data Loss</maml:linkText><maml:uri href="mshelp://windows/?id=11b65839-a8fb-47cf-aaec-687e5428e8cc"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add the Online Responder Snap-in to a Console</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>You can use the Online Responder snap-in to monitor and manage the Online Responder service and revocation configurations on this computer or another computer. </maml:para>

<maml:para>You must have <maml:ui>Manage Online Responder</maml:ui> permissions on the server hosting the Online Responder to complete this procedure. For more information about administering a public key infrastructure (PKI), see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To add the Online Responder snap-in to a console </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, type <maml:computerOutputInline>mmc</maml:computerOutputInline>, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File</maml:ui> menu, click <maml:ui>Add/Remove Snap-in</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Online Responder</maml:ui>, select the computer on which the Online Responder is installed, and then click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you have no more snap-ins to add to the console, click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To save this console, on the <maml:ui>File</maml:ui> menu, click <maml:ui>Save</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Administer an Online Responder from Another Computer</maml:linkText><maml:uri href="mshelp://windows/?id=8d3dcbf1-d83e-4be6-866a-a1e9449b3adc"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Setting Up Online Responder Services in a Network</maml:title><maml:introduction>
<maml:para>Setting up Online Responder services involves several interrelated steps. Several of these steps must be performed on the certification authority (CA) that will be used to issue the Online Certificate Status Protocol (OCSP) signing certificates necessary for an Online Responder to function. These steps include configuring the appropriate certificate template, enabling the certificate template, and configuring and completing certificate autoenrollment so that the computer hosting the Online Responder has the certificates needed for the Online Responder to function. </maml:para>

<maml:para>Installation and configuration of an Online Responder involves using Server Manager to install the Online Responder service, the Certificate Templates snap-in to configure and publish OCSP Response Signing certificate templates, the Certification Authority snap-in to include OCSP extensions in the certificates that it will issue and to issue OCSP Response Signing certificates, and the Online Responder snap-in to create a revocation configuration.</maml:para>

<maml:para>The following topics describe how to complete these installation and configuration steps and how to verify that the installation was successful.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configure a CA to Support OCSP Responders</maml:linkText><maml:uri href="mshelp://windows/?id=c6fde0cd-3964-42ef-b3af-de1ef683f534"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Set Up an Online Responder</maml:linkText><maml:uri href="mshelp://windows/?id=3d31dd67-df01-4e8e-809e-22e5bd0a4a32"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Creating a Revocation Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=910c18a2-6b51-4bc5-8f02-9ff32ffc3087"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Verify an Online Responder Installation</maml:linkText><maml:uri href="mshelp://windows/?id=e8c88a49-84e8-48a8-a303-9aab2e68a1db"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Setting Up a Certification Authority</maml:title><maml:introduction>
<maml:para>Many organizations will set up multiple certification authorities (CAs), including a root and subordinate CA. The following topics describe how to set up different types of CAs and other installation-related procedures.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Install a Root Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=928ede4c-c06d-4e5b-8d6e-fda1334627ed"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Install a Subordinate Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e9bd1194-e088-4671-840f-0847cf5ee2a0"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Set Up a Certification Authority by Using a Hardware Security Module</maml:linkText><maml:uri href="mshelp://windows/?id=b19a07e1-9984-444d-b968-a330c7a8a60c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>


<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Uninstall a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=7b561f6e-d9a8-43ed-b790-f612482c99f7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Back Up a Certification Authority</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>You can back up a certification authority (CA) without having to back up the entire server on which the CA is installed. However, in most situations you should use the Backup snap-in to back up and restore both the CA and the server at the same time.</maml:para>

<maml:para>You must be a CA administrator or a member of the <maml:phrase>Backup Operators</maml:phrase> group, or equivalent, to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To back up a CA by using the Certification Authority snap-in</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and click <maml:ui>Back Up CA</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Follow the instructions in the CA Backup Wizard.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>You can also back up a CA by using the Certutil command-line tool. </maml:para>

<maml:para>You must be a CA administrator or a member of the <maml:phrase>Backup Operators</maml:phrase> group, or equivalent, to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To back up a CA by using Certutil</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>At a command prompt, type:</maml:para>

<dev:code>certutil -backup &lt;BackupDirectory&gt;</dev:code>

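<maml:para><maml:replaceable>BackupDirectory</maml:replaceable> is the path used to store the backup data. Because a CA backup can contain the CA's private key as well as the certificate database, choose a directory whose access is restricted to CA administrators and protect any copies of the backup in the same way.</maml:para>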
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To open a command prompt, click <maml:ui>Start</maml:ui>, point to <maml:ui>All Programs</maml:ui>, click <maml:ui>Accessories</maml:ui>, and then click <maml:ui>Command Prompt</maml:ui>. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Protecting a CA from Data Loss</maml:linkText><maml:uri href="mshelp://windows/?id=11b65839-a8fb-47cf-aaec-687e5428e8cc"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Public Key Infrastructures</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>A public key infrastructure (PKI) is a system of digital certificates, certification authorities (CAs), and registration authorities that verify and authenticate the validity of each entity that is involved in an electronic transaction through the use of public key cryptography. Standards for PKIs are still evolving, even as they are being widely implemented as a necessary element of electronic commerce. For more information about planning a PKI and using public key cryptography, see <maml:navigationLink><maml:linkText>Active Directory Certificate Services Resources</maml:linkText><maml:uri href="mshelp://windows/?id=e2d10a64-83c5-4a2b-bcca-e6984de16fdf"></maml:uri></maml:navigationLink>. </maml:para>

<maml:para>The Microsoft PKI supports a hierarchical CA model that is scalable and provides consistency with a growing number of commercial and other CA products.</maml:para>

<maml:para>In its simplest form, a certification hierarchy consists of a single CA. However, a hierarchy frequently contains multiple CAs with clearly defined parent/child relationships. In this model, each child (subordinate) CA is certified by a certificate issued by its parent CA, which binds the child CA's public key to its identity. The CA at the top of a hierarchy is referred to as the root CA. The child CA of a root CA is called a subordinate CA. For more information, see <maml:navigationLink><maml:linkText>Types of Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=bac506b2-57be-45c2-bdf6-1f976eeeb475"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>In Windows, if you trust a root CA (by having its certificate in your Trusted Root Certification Authorities certificate store), you trust every subordinate CA that has a valid CA certificate in the hierarchy. Thus, a root CA is a very important point of trust in an organization and should be secured accordingly. For more information, see <maml:navigationLink><maml:linkText>CA Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=d6d69e62-0640-4055-bee9-8b4a993c6ac8"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>There are several practical reasons for setting up multiple subordinate CAs, including:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Usage</maml:phrase>. Certificates may be issued for a number of purposes, such as secure e-mail and network authentication. The issuing policy for these uses may be distinct, and separation provides a basis for administering these policies.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Organizational divisions</maml:phrase>. There may be different policies for issuing certificates, depending upon an entity's role in the organization. Again, you can create subordinate CAs to separate and administer these policies.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Geographic divisions</maml:phrase>. Organizations may have entities at multiple physical sites. Network connectivity between these sites may require individual subordinate CAs for many or all sites.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Load balancing</maml:phrase>. If your PKI will be used to issue and manage a large number of certificates, having only one CA can result in considerable network load for that single CA. Using multiple subordinate CAs to issue the same kind of certificates divides the network load between CAs.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Backup and fault tolerance</maml:phrase>. Multiple CAs increase the likelihood that your network will always have operational CAs available to respond to user requests.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>A CA hierarchy can also provide administrative benefits, including:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Flexible configuration of the CA security environment to tailor the balance between security and usability. For example, you may choose to employ special-purpose cryptographic hardware on a root CA, operate it in a physically secure area, or operate it offline. These may be unacceptable for subordinate CAs, due to cost or usability considerations.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The ability to "turn off" a specific portion of the CA hierarchy without affecting established trust relationships. For example, you can easily shut down and revoke an issuing CA certificate that is associated with a specific business unit without affecting other parts of the organization.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Active Directory Certificate Services Overview</maml:linkText><maml:uri href="mshelp://windows/?id=ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure the Network Device Enrollment Service</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Setting up the Network Device Enrollment Service involves the following tasks:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Add the account that will be the registration authority to the Internet Information Services (IIS) user group.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Set up and configure the Network Device Enrollment Service.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Membership in the <maml:phrase>Administrators</maml:phrase> group is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To add a designated registration authority to the IIS_IUSRS group </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Local Users and Groups snap-in, and double-click the <maml:ui>Groups</maml:ui> folder.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>IIS_IUSRS</maml:ui> built-in group.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Add to Group</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Add</maml:ui>, type the domain name of the account that will be the registration authority, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>Membership in <maml:phrase>Enterprise Admins</maml:phrase> or <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To set up and configure the Network Device Enrollment Service</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the server where you want to install the Network Device Enrollment Service, open Server Manager, and click <maml:ui>Add Roles</maml:ui> to start the Add Roles Wizard. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Select Server Roles</maml:ui> page, select the <maml:ui>Active Directory Certificate Services </maml:ui>check box, and then click <maml:ui>Next</maml:ui> two times.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Select Role Services </maml:ui>page, clear the <maml:ui>Certification Authority </maml:ui>check box, and then select the <maml:ui>Network Device Enrollment Service </maml:ui>check box. </maml:para>

<maml:para>You are prompted to install IIS and Windows Activation Service. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Add Required Role Services</maml:ui>, and then click <maml:ui>Next </maml:ui>three times. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Specify User Account </maml:ui>page, click <maml:ui>Select User</maml:ui>, and type the user name and password for the account that the Network Device Enrollment Service will use to authorize certificate requests. Click <maml:ui>OK</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Specify CA </maml:ui>page, if this computer does not host a CA, select either the <maml:ui>CA name </maml:ui>or <maml:ui>Computer name </maml:ui>check box, click <maml:ui>Browse</maml:ui> to locate the CA that will issue the Network Device Enrollment Service certificates, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Specify Registry Authority Information </maml:ui>page, type the name of the registration authority in the <maml:ui>RA name </maml:ui>box. Under <maml:ui>Country/region</maml:ui>, select the country/region you are in, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Configure Cryptography </maml:ui>page, accept the default values for the signature and encryption keys or configure your own values, and then click <maml:ui>Next</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Review the summary of configuration options, and then click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>For more information about the Simple Certificate Enrollment Protocol (SCEP), see the Internet Engineering Task Force Web site (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=71055</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=71055"></maml:uri></maml:navigationLink>).</maml:para>

<maml:para>For more information about the Network Device Enrollment Service, see AD CS: Network Device Enrollment Service (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=85475</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=85475"></maml:uri></maml:navigationLink>) and Microsoft SCEP Implementation Whitepaper (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93875</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93875"></maml:uri></maml:navigationLink>). </maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=8cb0540b-a5c2-47e5-913c-4d995a4adc2d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Use the Network Device Enrollment Service</maml:linkText><maml:uri href="mshelp://windows/?id=f3911350-ab45-494d-a07e-d0b9696a651e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Revocation Provider Signing</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The <maml:ui>Signing</maml:ui> tab on the <maml:ui>Online Responder Properties</maml:ui> page shows the hash algorithm that is used to help verify signing operations for Online Responder responses to clients.</maml:para>

<maml:para>The following signing options can be configured:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Do not prompt for credentials for cryptographic operations</maml:ui>. If the signing key is strongly protected by an additional password, selecting this option means the Online Responder will not prompt the user for the password, and the signing operation will fail silently instead. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Do not select this option if a hardware security module (HSM) is used to protect private keys.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Automatically use renewed signing certificates</maml:ui>. Instructs the Online Responder to automatically use renewed signing certificates without asking the Online Responder administrator to manually assign them.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Enable NONCE extensions support</maml:ui>. Instructs the Online Responder to inspect and process an Online Certificate Status Protocol (OCSP) request that includes a nonce extension. If a nonce extension is included in the OCSP request and this option is selected, the Online Responder will ignore any cached OCSP response and will create a new response that includes the nonce provided in the request. Because the nonce ties the response to that specific request, the client can tell a fresh response from a replayed earlier one. If this option is disabled and a request that includes a nonce extension is received, the Online Responder will reject the request with an "unauthorized" error.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The Microsoft OCSP client does not support the nonce extension.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Use any valid OCSP signing certificate</maml:ui>. By default, the Online Responder will only use signing certificates that are issued by the same certification authority (CA) that issued the certificate being validated. This option changes the default behavior and instructs the Online Responder to use any valid existing certificate that includes the OCSP Signing enhanced key usage (EKU) extension.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Clients running versions of Windows earlier than Windows Vista with Service Pack 1 (SP1) do not support this option, and certificate status requests from these clients will fail if this option is selected.</maml:para>
</maml:alertSet>
</maml:listItem>
</maml:list>

<maml:para>The following Online Responder identifier options can be used to select whether to include the key hash or the subject of the signing certificate in the response:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Key hash of the signing certificate</maml:ui>.  Some cryptographic service providers (CSPs) require the key hash of the signing certificate in order to access private keys.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Subject of the signing certificate</maml:ui>.  Some CSPs require the subject of the signing certificate in order to access private keys.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Creating a Revocation Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=910c18a2-6b51-4bc5-8f02-9ff32ffc3087"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Managing Online Responders</maml:title><maml:introduction>
<maml:para>Procedures are available to complete the following basic Online Responder management tasks:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add the Online Responder Snap-in to a Console</maml:linkText><maml:uri href="mshelp://windows/?id=1e4b6432-977c-4e21-a245-5ce30ae80cc4"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Audit Online Responder Operations</maml:linkText><maml:uri href="mshelp://windows/?id=a793d37c-717c-4b41-ab67-87bf559f4d80"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Administer an Online Responder from Another Computer</maml:linkText><maml:uri href="mshelp://windows/?id=8d3dcbf1-d83e-4be6-866a-a1e9449b3adc"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Modify the Online Responder Web Proxy</maml:linkText><maml:uri href="mshelp://windows/?id=74abcd5f-c2c7-474b-b154-8cfe285a1754"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add OCSP Locations to Issued Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=b3d53f51-56f6-4031-8aad-ebdc4c71cb56"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Renew OCSP Response Signing Certificates with an Existing Key</maml:linkText><maml:uri href="mshelp://windows/?id=82ad05ce-4f9f-4cb0-889b-b0e21bb4766c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configuring Certificate Revocation</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Every certificate is issued with a specific validity period. Revoking a certificate invalidates it as a trusted security credential before its original validity period expires. There are a number of reasons why a certificate can become untrustworthy as a security credential before its scheduled expiration. Examples include:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Compromise, or suspected compromise, of the certificate subject's private key.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Compromise, or suspected compromise, of a certification authority's (CA) private key.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Discovery that a certificate was obtained fraudulently.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Change in the status of the certificate subject as a trusted entity.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Change in the name of the certificate subject.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>It is not always possible to contact a CA or other trusted server for information about the validity of a certificate. To effectively support certificate status checking, a client must be able to access revocation data to determine whether the certificate is valid or has been revoked. To support a variety of scenarios, Active Directory Certificate Services (AD CS) supports industry-standard methods of certificate revocation. These include publication of certificate revocation lists (CRLs) and delta CRLs, which can be made available to clients from a variety of locations, including Active Directory Domain Services (AD DS), Web servers, and network file shares. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>In Windows Server 2008 R2 and Windows Server 2008, an Online Responder can be used to make CRL data more readily accessible in complex network environments. An Online Responder uses the certificate revocation data from CRLs and processes certificate status requests from clients individually.</maml:para>
</maml:alertSet>

<maml:para>CRLs are complete, digitally signed lists of certificates that have been revoked. These lists are published periodically and can be retrieved and cached by clients (based on the configured lifetime of the CRL) and used to verify a certificate's revocation status.</maml:para>

<maml:para>Because CRLs can become large, depending on the number of certificates issued and revoked by a CA, you can also publish smaller, interim CRLs called delta CRLs. Delta CRLs contain only the certificates revoked since the last regular CRL was published. This allows clients to retrieve the smaller delta CRL and more quickly build a complete list of revoked certificates. The use of delta CRLs also allows revocation data to be published more frequently, because a delta CRL is usually smaller than a full CRL and takes less time to transfer.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Specify CRL Distribution Points</maml:linkText><maml:uri href="mshelp://windows/?id=18656667-17b6-4e81-af4c-4ff1b767c8b8"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configure CRL and Delta CRL Overlap Periods</maml:linkText><maml:uri href="mshelp://windows/?id=9b2626dc-5d07-4619-a0cc-be44f9682fb2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Schedule Publication of Certificate Revocation Lists</maml:linkText><maml:uri href="mshelp://windows/?id=b3cbf5d7-d1f6-4454-8194-48a3afc87b59"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Manage Certificate Revocation</maml:linkText><maml:uri href="mshelp://windows/?id=5531ecb5-3073-490f-80f9-5d263e60b07a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up Online Responder Services in a Network</maml:linkText><maml:uri href="mshelp://windows/?id=1eb5a9e3-de04-44a0-8972-bc744ca43320"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Managing Certificate Enrollment</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The administrator of a certification authority (CA) can manage certificate enrollment by:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Configuring certificate enrollment and autoenrollment options on certificate templates. For more information, see Issuing Certificates Based on Certificate Templates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142333</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142333"></maml:uri></maml:navigationLink>). </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enabling certificate autoenrollment options in Group Policy. For more information, see <maml:navigationLink><maml:linkText>Configure Certificate Autoenrollment</maml:linkText><maml:uri href="mshelp://windows/?id=a24a23a7-b723-42fc-8295-2641e6fc5de3"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configuring the default request handling options for the CA. For more information, see <maml:navigationLink><maml:linkText>Set the Default Action Upon Receipt of a Certificate Request</maml:linkText><maml:uri href="mshelp://windows/?id=9ab7283a-533f-4eef-a243-9acbf85cbfbd"></maml:uri></maml:navigationLink>.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You can specify whether a stand-alone CA will hold incoming certificate requests as pending or automatically issue the certificate. In most cases, for security reasons, all incoming certificate requests to a stand-alone CA should be marked as pending.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para>Selecting whether to allow certificates to be published to the file system. Actual publication will only occur if the certificate request specifies a file system location where the certificate is to be published. For more information, see <maml:navigationLink><maml:linkText>Publish Certificates to the File System</maml:linkText><maml:uri href="mshelp://windows/?id=ef9ce3f2-30f8-4cac-b1a5-930e3ef8c0cd"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Evaluating and acting on pending certificate requests. For more information, see <maml:navigationLink><maml:linkText>Review Pending Certificate Requests</maml:linkText><maml:uri href="mshelp://windows/?id=fddd4b0c-c6c1-4800-8f5d-1f77d77d2a2c"></maml:uri></maml:navigationLink>. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Recurring Management Tasks</maml:linkText><maml:uri href="mshelp://windows/?id=f5ae6b2c-a94f-4e74-a3b9-59cdcf195575"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Set Up an Online Responder</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>An Online Responder can be installed on any computer running Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 Enterprise, or Windows Server 2008 Datacenter. The certificate revocation data can come from a certification authority (CA) on a computer running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or from a non-Microsoft CA.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Internet Information Services (IIS) must also be installed on this computer before the Online Responder can be installed.</maml:para>
</maml:alertSet>

<maml:para>The following procedure can be used if none of the Active Directory Certificate Services (AD CS) role services (such as a CA) have been installed on this computer. </maml:para>

<maml:para>Membership in the local <maml:phrase>Administrators</maml:phrase> group, or equivalent, is the minimum required to complete this procedure. For more information about administering a public key infrastructure (PKI), see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To install the Online Responder service</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Server Manager</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Manage Roles</maml:ui>. Under <maml:ui>Active Directory Certificate Services, </maml:ui>click <maml:ui>Add role services</maml:ui>. If a different AD CS role service has already been installed on this computer, select the <maml:ui>Active Directory Certificate Services</maml:ui> check box in the <maml:ui>Role Summary</maml:ui> pane, and then click <maml:ui>Add role services</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Select Role Services</maml:ui> page, select the <maml:ui>Online Certificate Status Protocol </maml:ui>check box.</maml:para>

<maml:para>A message appears explaining that IIS and Windows Activation Service (WAS) must also be installed to support OCSP. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Add required role services</maml:ui>, and then click <maml:ui>Next</maml:ui> three times.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Confirm Installation Options </maml:ui>page, click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When the installation is complete, review the status page to verify that the installation was successful.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>Before an Online Responder can be used, you must also create a revocation configuration. See <maml:navigationLink><maml:linkText>Creating a Revocation Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=910c18a2-6b51-4bc5-8f02-9ff32ffc3087"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
<maml:listItem><maml:para>By default, IIS 7.0 request filtering blocks the plus sign (+), which is used in the URL of delta CRLs. To allow delta CRL retrieval, modify the IIS configuration by setting <maml:computerOutputInline>allowDoubleEscaping=true</maml:computerOutputInline> on the <maml:computerOutputInline>requestFiltering</maml:computerOutputInline> element in the <maml:computerOutputInline>system.webServer/security</maml:computerOutputInline> section of IIS configuration. For more information about IIS 7.0 request filter configuration, see IIS 7.0: Configure Request Filters in IIS 7.0
(<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=136512</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=136512"></maml:uri></maml:navigationLink>).</maml:para><maml:alertSet class="security"><maml:title>Security Note </maml:title><maml:para>Allowing certain characters to pass through the request filter can result in a reduced security level, which might be unacceptable in some environments. To limit the exposure, apply the setting only to the site or virtual directory that serves the CRLs rather than to the whole server. For an explanation of this type of threat, see chapter 12 of <maml:foreignPhrase>Writing Secure Code</maml:foreignPhrase> (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=136514</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=136514"></maml:uri></maml:navigationLink>).</maml:para></maml:alertSet></maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up Online Responder Services in a Network</maml:linkText><maml:uri href="mshelp://windows/?id=1eb5a9e3-de04-44a0-8972-bc744ca43320"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Advanced Configuration Options for the Certificate Enrollment Web Services</maml:title><maml:introduction>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction><maml:para>Advanced configuration options for certificate enrollment Web services include:</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>Deploy multiple instances of the Certificate Enrollment Web Service on one computer.</maml:para></maml:listItem>
<maml:listItem><maml:para>View and configure settings for certificate enrollment Web services.</maml:para></maml:listItem>
<maml:listItem><maml:para>Enable logging and tracing for troubleshooting.</maml:para></maml:listItem></maml:list>
<maml:para>For more information about these and other advanced configuration and deployment options, see <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=143458</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=143458"></maml:uri></maml:navigationLink>.</maml:para>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Setting Up Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure a Certificate Template for Key Archival</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template. </maml:para>

<maml:para>Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss, but it can also be useful when applied to other types of certificates.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure a certificate template for key archival and recovery</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Duplicate Template</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Duplicate Template</maml:ui> dialog box, click <maml:ui>Windows Server 2003 Enterprise</maml:ui> unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Template</maml:ui>, type a new template display name, and then modify any other optional properties as needed.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Security </maml:ui>tab, click <maml:ui>Add</maml:ui>, type the name of the users or groups you want to issue the certificates to, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Group or user names</maml:ui>, select the user or group names that you just added. Under <maml:ui>Permissions</maml:ui>, select the <maml:ui>Read</maml:ui> and <maml:ui>Enroll</maml:ui> check boxes, and if you want to automatically issue the certificate, also select the <maml:ui>Autoenroll </maml:ui>check box.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>To implement autoenrollment, all three check boxes must be selected.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Request Handling</maml:ui> tab, select the <maml:ui>Archive subject's encryption private key</maml:ui> check box. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If users already have EFS certificates that are not configured for key archival and recovery, click the <maml:ui>Superseded Templates </maml:ui>tab, click <maml:ui>Add</maml:ui>, and then click the name of the template that you want to replace. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>Users are not protected by key archival until they have enrolled for a certificate that has key recovery enabled. If they have identical certificates that were issued before key recovery was enabled, they are not covered by key archival. Clients must be re-enrolled to receive a certificate that is based on the changed template if they already have a valid certificate that is based on the old template. For more information about re-enrolling clients, see Re-Enroll All Certificate Holders (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=147103</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=147103"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Key Archival and Recovery</maml:linkText><maml:uri href="mshelp://windows/?id=51842149-feee-43d7-8813-38a64d1f4caa"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certification Authorities</maml:title><maml:introduction>
<maml:para>The Certification Authority snap-in allows you to perform a variety of administrative tasks, including:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Start and stop the certification authority (CA).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Back up and restore the CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Change exit and policy modules.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>View the CA certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Install or reinstall a CA certificate for the CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Set security permissions and delegate administrative control for the CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Revoke certificates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>View or modify certificate revocation list (CRL) distribution points.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Publish CRLs and schedule CRL publication.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure the types of certificates that are to be issued by the CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>View information about certificates that have been issued or revoked.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>View, approve, or deny pending certificate requests.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>View failed certificate requests.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Renew the CA's certificate.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>For more information about installing, configuring, and using the Certification Authority snap-in, see <maml:navigationLink><maml:linkText>Managing a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e3990c59-f588-45ad-b3fd-3052e0b4f659"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Revocation Configuration CA Certificates</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Use the following criteria to select the revocation configuration certificate:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the certification authority (CA) certificate has been published to Active Directory Domain Services (AD DS) and the computer you are configuring has access to this information in AD DS, click<maml:ui> Select a certificate for an existing enterprise CA</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If AD DS cannot be accessed and you know the name of the CA certificate and that it exists in the local root certificate store, click<maml:ui> Select a certificate from the local certificate store</maml:ui>.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>This option is not available if the Online Responder is not on the same computer as the Online Responder snap-in.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para>If AD DS cannot be accessed and the CA certificate (with a .cer extension) is available on removable media, click<maml:ui> Import certificate from a file</maml:ui>. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Creating a Revocation Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=910c18a2-6b51-4bc5-8f02-9ff32ffc3087"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Managing Key Archival and Recovery</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>When users lose their private keys, any information that was persistently encrypted with the corresponding public key is no longer accessible. Using key archival and recovery helps protect encrypted data from permanent loss if, for example, an operating system needs to be reinstalled, the user account to which the encryption key was originally issued is no longer available, or the key is otherwise no longer accessible. To help protect private keys, a Microsoft enterprise certification authority (CA) can archive a user's keys in its database when certificates are issued. These keys are encrypted and stored by the CA.</maml:para>

<maml:para>This private key archive makes it possible for the key to be recovered at a later time. The key recovery process requires an administrator to retrieve the encrypted certificate and private key and then a key recovery agent to decrypt them. When a correctly signed key recovery request is received, the user's certificate and private key are provided to the requester. The requester would then use the key as appropriate or securely transfer the key to the user for continued use. As long as the private key is not compromised, the certificate does not have to be replaced or renewed with a different key.</maml:para>

<maml:para>Key archival and recovery are not enabled by default. This is because many organizations would consider the storage of the private key in multiple locations to be a security vulnerability. Requiring organizations to make explicit decisions about which certificates are covered by key archival and recovery and who can recover archived keys helps ensure that key archival and recovery are used to enhance security rather than detract from security.</maml:para>

<maml:para>You must be a CA administrator to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure your environment for key archival of Encrypting File System (EFS) certificates</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Create a key recovery agent account or designate an existing user to serve as the key recovery agent. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Configure the key recovery agent certificate template and enroll the key recovery agent for a key recovery agent certificate. For information, see <maml:navigationLink><maml:linkText>Identify a Key Recovery Agent</maml:linkText><maml:uri href="mshelp://windows/?id=12afc6dc-7e94-471f-953b-9ed9271a1b85"></maml:uri></maml:navigationLink>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Register the new key recovery agent with the CA. For information, see <maml:navigationLink><maml:linkText>Enable Key Archival for a CA</maml:linkText><maml:uri href="mshelp://windows/?id=07a53b9e-c593-4264-8126-508e743dc155"></maml:uri></maml:navigationLink>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Configure a certificate template, such as Basic EFS, for key archival, and enroll users for the new certificate. If users already have EFS certificates, ensure that the new certificate will supersede the certificate that does not include key archival. For information, see <maml:navigationLink><maml:linkText>Configure a Certificate Template for Key Archival</maml:linkText><maml:uri href="mshelp://windows/?id=47cd6246-68d0-4579-8b76-5b5b0998d11d"></maml:uri></maml:navigationLink>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Enroll users for encryption certificates based on the new certificate template.</maml:para>

<maml:para>Users are not protected by key archival until they have enrolled for a certificate that has key recovery enabled. If they have identical certificates that were issued before key recovery was enabled, data encrypted with these certificates is not covered by key archival.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>For more information about key archival and recovery, see Key Archival and Recovery in Windows Server 2008 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=92523</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=92523"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Recover a Lost Key</maml:linkText><maml:uri href="mshelp://windows/?id=d6267265-af06-47c2-a2aa-f61695eb4084"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Manage Certificate Revocation</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Certificates can be revoked for a variety of reasons, including:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The key has been compromised.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The certification authority (CA) that issued the certificate has been compromised.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The certificate is no longer valid for the intended purpose or has been superseded by another certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The client no longer qualifies for the certificate.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>You must be a CA administrator or certificate manager to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To revoke a certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Issued Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, click the certificate you want to revoke.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and click <maml:ui>Revoke Certificate</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the reason for revoking the certificate, adjust the time of the revocation, if necessary, and then click <maml:ui>Yes</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>The following reason codes are available: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Unspecified</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Key Compromise</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>CA Compromise</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Change of Affiliation</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Superseded</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Cease of Operation</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certificate Hold</maml:para>
</maml:listItem>
</maml:list>

<maml:para>If you specify "Certificate Hold" as the reason for revoking the certificate, it typically means that you may want to unrevoke the certificate at a future time. Only certificates that have been revoked with the reason of "Certificate Hold" can be unrevoked.</maml:para>

<maml:para>You must be a CA administrator or certificate manager to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To unrevoke a certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Revoked Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, click the certificate you want to unrevoke.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and click <maml:ui>Unrevoke Certificate</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the reason for unrevoking the certificate, adjust the time of the revocation, if necessary, and then click <maml:ui>Yes</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

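<maml:para>To be meaningful, certificate revocation must be combined with the publication and distribution of certificate revocation data. Clients that check a certificate's status continue to treat a revoked certificate as valid until they obtain revocation data that lists it.</maml:para>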
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring Certificate Revocation</maml:linkText><maml:uri href="mshelp://windows/?id=336d3a6a-33c6-4083-8606-c0a4fdca9a25"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Establish Restricted Enrollment Agents</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>An enrollment agent is a user who can enroll for a certificate on behalf of another client. Unlike a certificate manager, an enrollment agent can only process the enrollment request and cannot approve pending requests or revoke issued certificates.</maml:para>

<maml:para>Windows Server 2008 R2 includes three certificate templates that enable different types of enrollment agents:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Enrollment Agent</maml:ui>. Used to request certificates on behalf of another subject.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Enrollment Agent (Computer)</maml:ui>. Used to request certificates on behalf of another computer subject.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Exchange Enrollment Agent (Offline Request)</maml:ui>. Used to request certificates on behalf of another subject and supply the subject name in the request. This template is used by the Network Device Enrollment Service for its enrollment agent certificate.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>When you create an enrollment agent, you can further refine the agent's ability to enroll for certificates on behalf of others by group and by certificate template. For example, you might want to implement a restriction that the enrollment agent can only enroll for smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.</maml:para>

<maml:para>This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>You can only apply enrollment agent restrictions on Windows Server 2008–based CAs. Enrollment agent policy must also be configured properly.</maml:para>
</maml:alertSet>

<maml:para>You must be a CA administrator or a member of <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure enrollment agent restrictions for a CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in, right-click the name of the CA, and then click <maml:ui>Properties</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Enrollment Agents </maml:ui>tab, click <maml:ui>Restrict enrollment agents</maml:ui>, and click <maml:ui>OK</maml:ui> on the message that appears.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Enrollment agents</maml:ui>, click <maml:ui>Add</maml:ui>, type the names of the users or groups that you want to configure, and then click <maml:ui>OK</maml:ui>. Click <maml:ui>Everyone</maml:ui>, and then click <maml:ui>Remove</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Certificate Templates</maml:ui>, click <maml:ui>Add</maml:ui>, select the template for the certificates that you want this user or group to be able to enroll from, and then click <maml:ui>OK</maml:ui>. Repeat this step until you have selected all certificate templates that you want to enable for this enrollment agent. When you have finished adding the names of certificate templates, click <maml:ui>&lt;All&gt;</maml:ui>, and then click <maml:ui>Remove</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Permissions</maml:ui>, click <maml:ui>Add</maml:ui>, type the names of the users or groups for whom you want the enrollment agent to manage the defined certificate types, and then click <maml:ui>OK</maml:ui>. Click <maml:ui>Everyone</maml:ui>, and then click <maml:ui>Remove</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you want to block the enrollment agent from managing certificates for a user, computer, or group, under <maml:ui>Permissions</maml:ui>, select this user, computer, or group, and then click <maml:ui>Deny</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When you are finished configuring enrollment agent restrictions, click <maml:ui>OK</maml:ui> or <maml:ui>Apply</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The user or group to which you applied enrollment agent restrictions must have a valid enrollment agent certificate for the CA before they can act as an enrollment agent, regardless of whether restricted enrollment agent permissions have been configured.</maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Securing Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=afc1d704-3d8f-43de-b4b3-51a062878d14"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Common Scenarios for Using Active Directory Certificate Services</maml:title><maml:introduction>
<maml:para>One or more certification authorities (CAs) can be configured to support a number of scenarios that require the added security that certificates can provide. The following checklists identify the general steps and procedures needed to configure one or more CAs to enable these scenarios.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Configure CAs to Issue and Manage Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=7b886752-8d1f-4594-90ee-14686f79fb22"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Protect Encrypted Data from Loss by Enabling Key Archival and Recovery</maml:linkText><maml:uri href="mshelp://windows/?id=86a959c3-88f5-48ab-8457-21bc8755d205"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Enhance Certificate Revocation Checking in Diverse Environments by Setting Up an Online Responder Array</maml:linkText><maml:uri href="mshelp://windows/?id=f07ac4f6-269b-41d7-9d09-06ca4930bff4"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Authenticate Web Servers with Certificates Issued by a Windows-Based CA</maml:linkText><maml:uri href="mshelp://windows/?id=05c491e0-99e3-4a33-aab8-8b00c32c5bdf"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Enhance Wireless Network Security by Requiring Certificates for Authentication and Encryption</maml:linkText><maml:uri href="mshelp://windows/?id=6a1aa4e4-a0b2-4ec0-9555-5fc32e8c30c0"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Strengthen Identity Management by Issuing Certificates for Smart Cards</maml:linkText><maml:uri href="mshelp://windows/?id=89610b23-0af5-4bc7-8eb9-2e2584d3f0a2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Select a Different Policy Module</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>You must be a certification authority (CA) administrator to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To select a different policy module</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Policy Module </maml:ui>tab, click <maml:ui>Select</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the new policy module, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If the policy module has its own configuration interface, you can configure it by clicking <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Stop and restart the CA.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To register a new policy module so that it is available in the list of policy modules, see Certificate Services Architecture (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=91405</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91405"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Only one policy module can be active at a time.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To stop and restart the CA, at the command prompt, type:</maml:para>

<dev:code>net stop certsvc
net start certsvc</dev:code>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Policy and Exit Modules</maml:linkText><maml:uri href="mshelp://windows/?id=7f6f2678-440f-4d5f-bada-7953d9ffa6b7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configuring the Policy and Exit Modules</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The administrator of a certification authority (CA) can configure settings in the default policy and exit modules provided with Active Directory Certificate Services (AD CS) by using the Certification Authority snap-in.</maml:para>

<maml:para>You can configure the following policy module settings:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The default action of the CA upon receiving a valid certificate request. You can specify whether a stand-alone CA will hold incoming certificate requests as pending or automatically issue the certificate. In most cases, for security reasons, it is recommended that all incoming certificate requests to a stand-alone CA be marked as pending. Holding requests as pending gives a certificate manager the opportunity to review each request before a certificate is issued.</maml:para>

<maml:para>To change the default action of a CA upon receipt of a certificate request, see <maml:navigationLink><maml:linkText>Set the Default Action Upon Receipt of a Certificate Request</maml:linkText><maml:uri href="mshelp://windows/?id=9ab7283a-533f-4eef-a243-9acbf85cbfbd"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>You can configure the following exit module settings:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Allow certificate publication to the file system. You can select whether to allow the publishing of certificates to the file system. Actual publication will only occur if the certificate request specifies a file system location where the certificate is to be published.</maml:para>

<maml:para>To allow or disallow the publishing of certificates to the file system, see <maml:navigationLink><maml:linkText>Publish Certificates to the File System</maml:linkText><maml:uri href="mshelp://windows/?id=ef9ce3f2-30f8-4cac-b1a5-930e3ef8c0cd"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Send e-mail when a certification event occurs. You can configure the CA to send e-mail when a certification event occurs, such as the issuance of a certificate or when a certificate request is set to pending.</maml:para>

<maml:para>To configure options for sending e-mail, see <maml:navigationLink><maml:linkText>Send E-mail When a Certification Event Occurs</maml:linkText><maml:uri href="mshelp://windows/?id=b8d01da1-12ac-404b-8239-ff5b59679f02"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Policy and Exit Modules</maml:linkText><maml:uri href="mshelp://windows/?id=7f6f2678-440f-4d5f-bada-7953d9ffa6b7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Enhance Wireless Network Security by Requiring Certificates for Authentication and Encryption</maml:title><maml:introduction>
<maml:para>Wireless networks make it possible for network users to access data and resources from multiple locations without relying on a physical connection to the network. The large number and variety of wireless clients and the potential security risks that they pose make it important for administrators to enhance data protection and to prevent unwanted clients from accessing the network. Certificates issued and supported by a Microsoft certification authority (CA) can enhance the security of a wireless network with strong certificate-based authentication and encrypted communication between clients and network servers.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Task</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Set up additional subordinate CAs. (Optional)</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Install a Subordinate Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e9bd1194-e088-4671-840f-0847cf5ee2a0"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Install and configure certificate templates, including the RAS and IAS Server, Workstation Authentication, and User certificate templates.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Managing Certificate Templates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142230</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142230"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure certificate enrollment.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Set Up Automatic Certificate Enrollment (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142235</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142235"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Deploy RAS and IAS Server certificates.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Deploy a CA and NPS Server Certificate (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=141788</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=141788"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure 802.1X wireless clients by using Group Policy.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure 802.1X Wireless Clients Running Windows Vista with Group Policy (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=141790</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=141790"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure 802.1X wireless access points as Remote Authentication Dial-In User Service (RADIUS) clients in Network Policy Server (NPS).</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Add a New RADIUS Client (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=141791</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=141791"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>If you want to perform authorization by group, create a user group in Active Directory Domain Services (AD DS) that contains the users who are allowed to access the network through the wireless access points.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Create a Group for a Network Policy (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=141794</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=141794"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>In NPS, configure one or more network policies for 802.1X wireless access.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Add a Network Policy (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=141792</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=141792"></maml:uri></maml:navigationLink>)</maml:para>

<maml:para>Create Policies for 802.1X Wired or Wireless with a Wizard (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=141793</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=141793"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Enterprise Certification Authorities</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Enterprise certification authorities (CAs) can issue certificates for purposes such as digital signatures, secure e-mail by using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and logging on to a domain by using a smart card. </maml:para>

<maml:para>An enterprise CA has the following characteristics:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Requires access to Active Directory Domain Services (AD DS).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Publishes user certificates and certificate revocation lists (CRLs) to AD DS. In order to publish certificates to AD DS, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. </maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You must be a member of the <maml:phrase>Domain Admins</maml:phrase> group or be an administrator with Write access to AD DS to install an enterprise root CA.</maml:para>
</maml:alertSet>

<maml:para>An enterprise CA issues certificates based on a certificate template. The following functionality is possible when you use certificate templates:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in AD DS that determines whether the certificate requester is authorized to receive the type of certificate they have requested.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The certificate subject name can be generated automatically from the information in AD DS or supplied explicitly by the requester.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Autoenrollment can be used to issue certificates. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Types of Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=bac506b2-57be-45c2-bdf6-1f976eeeb475"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Modify the Online Responder Web Proxy</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The Online Responder Web proxy cache represents the service interface for the Online Responder. It is implemented as an Internet Server Application Programming Interface (ISAPI) extension hosted by Internet Information Services (IIS), and it performs the following operations:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Request decoding</maml:phrase>. After a request is received by the Online Responder Web proxy, the decoder component will try to decode the request and extract the certificate serial number to be validated.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Response caching</maml:phrase>. After a request is received and a certificate serial number is extracted, the Online Responder Web proxy will check the local cache for a valid response. By default, the validity period of a cache item is set to the validity period of the certificate revocation list (CRL) from which the response was generated.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>You can modify the following Web proxy–related settings for an Online Responder:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Web proxy threads</maml:phrase>. This setting refers to the number of threads that will be allocated by the Online Responder ISAPI extension for handling requests. Increasing the number of threads will use more of the server's memory and reducing the number of threads will reduce the number of clients that can be served concurrently. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Cache entries allowed</maml:phrase>. The cache is implemented as part of the Online Responder's ISAPI extension and is an in-memory cache only. The recommended cache size is between 1,000 and 10,000 entries. The minimum number of cache entries allowed is five. A small cache size will cause more cache faults and will result in a higher load on the Online Responder service for lookup and signing operations; a large cache size will increase the Online Responder's memory usage. </maml:para>
</maml:listItem>
</maml:list>

<maml:para>You must have <maml:ui>Manage Online Responder</maml:ui> permissions on the server hosting the Online Responder to complete this procedure. For more information about administering a public key infrastructure (PKI), see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To modify the Online Responder Web proxy</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Online Responder snap-in, and select the Online Responder.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Responder Properties</maml:ui> on the <maml:ui>Action</maml:ui> menu, or click <maml:ui>Responder Properties</maml:ui> in the <maml:ui>Action</maml:ui> pane.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Web Proxy</maml:ui> tab, modify the Web proxy options that you want to change, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Online Responders</maml:linkText><maml:uri href="mshelp://windows/?id=2c78c461-1d3f-40f4-b435-1d87f03c299a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Enable Credential Roaming</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>To use credential roaming, all of your organization's domain controllers should be running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 Service Pack 1 (SP1). In addition, clients used for credential roaming must also be running Windows 7, Windows Vista, Windows XP Service Pack 2 (SP2), Windows Server 2003 SP1, or Windows Server 2008.</maml:para>

<maml:para>If you have at least one domain controller running Windows Server 2008 R2 or Windows Server 2008 in your Active Directory environment, you can use Group Policy to configure credential roaming.</maml:para>

<maml:para>If you do not have a domain controller running Windows Server 2008 R2 or Windows Server 2008, you must complete the following steps before configuring credential roaming through Group Policy:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para><maml:phrase>Prepare Active Directory Domain Services (AD</maml:phrase> <maml:phrase>DS)</maml:phrase>. AD DS needs to be prepared to store users' certificates, keys, and Data Protection application programming interface (DPAPI) master keys.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Exclude directories in roaming profiles</maml:phrase>. If roaming profiles are used, certain directories have to be excluded from roaming to avoid conflicts with credential roaming.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Install the Group Policy ADM template</maml:phrase>. Credential roaming will be enabled through a Group Policy ADM template that sets the appropriate registry values on a client computer.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>For assistance with these preparatory steps in networks with domain controllers that are still running Windows Server 2003, see Configuring and Troubleshooting Certificate Services Client–Credential Roaming (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=85332</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=85332"></maml:uri></maml:navigationLink>).</maml:para>

<maml:para>Membership in <maml:phrase>Enterprise Admins</maml:phrase> or <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure credential roaming for a domain by using Group Policy</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Group Policy Objects</maml:ui> in the forest and domain containing the <maml:ui>Default Domain Policy</maml:ui> Group Policy object (GPO) that you want to edit.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Default Domain Policy</maml:ui> GPO, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Group Policy Management Console (GPMC), go to <maml:ui>User Configuration</maml:ui>, <maml:ui>Windows Settings</maml:ui>, <maml:ui>Security Settings</maml:ui>, and then click <maml:ui>Public Key Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Services Client - Credential Roaming</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Enabled</maml:ui> to configure credential roaming or <maml:ui>Disabled</maml:ui> to block its use.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you clicked <maml:ui>Enabled</maml:ui>, you can also customize the following options:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Maximum tombstone credentials lifetime in days</maml:ui>. Allows you to define how long a roaming credential will remain in AD DS for a certificate or key that has been deleted locally.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Maximum number of roaming credentials per user</maml:ui>. Allows you to define a maximum number of certificates and keys that can be used with credential roaming.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Maximum size (in bytes) of a roaming credential</maml:ui>. Allows you to restrict roaming for credentials that exceed a defined size.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Roam stored user names and passwords</maml:ui>.  Allows you to include or exclude stored user names and passwords from the credential roaming policy.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui> to accept your changes.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>The default options for credential roaming in step 7 will be acceptable to many organizations. However, credential roaming can affect the size of the Active Directory database if an organization has a large number of users and credentials. For information that can help you estimate the potential impact of credential roaming on your Active Directory database, see Configuring and Troubleshooting Certificate Services Client–Credential Roaming (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=85332</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=85332"></maml:uri></maml:navigationLink>). </maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using Policy to Manage Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=e22f74dc-82e6-4b3e-8429-5f1faf393f33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Uninstall a Certification Authority</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>There may be times when you need to uninstall a certification authority (CA). However, clients will not be able to send requests to this CA and some applications that depend on your public key infrastructure (PKI) may not function properly after a CA that is needed to verify the validity and revocation status of a certificate has been uninstalled.</maml:para>

<maml:para>If you are permanently decommissioning the CA before its expected expiration date, then the CA certificate should be revoked from its parent CA and you should list "Cease of operation" as the reason for the revocation. If the CA is a self-signed root CA, then all of the certificates issued by the CA that have not expired should be revoked and a certificate revocation list (CRL) should be generated that lists the same reason. This will indicate that the certificates are no longer valid because the CA has been decommissioned.</maml:para>

<maml:para>Uninstalling an enterprise CA should be done properly to ensure that its CA enrollment object is removed from Active Directory Domain Services (AD DS). Failure to do so may cause Active Directory clients to continue attempts to enroll for certificates from that CA. If an enterprise CA cannot be uninstalled normally, use the Enterprise PKI snap-in to manually remove the CA objects from AD DS.</maml:para>

<maml:para>If you are uninstalling an enterprise CA, membership in <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To uninstall a CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and click <maml:ui>Server Manager</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Roles Summary</maml:ui>, click <maml:ui>Remove Roles </maml:ui>to start the Remove Roles Wizard. Click <maml:ui>Next</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Clear the <maml:ui>Active Directory Certificate Services </maml:ui>check box, and click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Confirm Removal Options </maml:ui>page, review the information, and then click <maml:ui>Remove</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If Internet Information Services (IIS) is running and you are prompted to stop the service before proceeding with the uninstall process, click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>The procedure is slightly different if you have multiple Active Directory Certificate Services (AD CS) role services installed on a single server. You can use the following procedure to uninstall a CA but retain other AD CS role services.</maml:para>

<maml:para>You must log on with the same permissions as the user who installed the CA to complete this procedure. If you are uninstalling an enterprise CA, membership in <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To uninstall a CA role service</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and click <maml:ui>Server Manager</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Roles Summary</maml:ui>, click <maml:ui>Active Directory Certificate Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Role Services</maml:ui>, click <maml:ui>Remove Role Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Clear the <maml:ui>Certification Authority </maml:ui>check box, and click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Confirm Removal Options </maml:ui>page, review the information, and then click <maml:ui>Remove</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If IIS is running and you are prompted to stop the service before proceeding with the uninstall process, click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the Remove Roles Wizard is finished, you must restart the server to complete the uninstall process.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>If the remaining role services, such as the Online Responder service, were configured to use data from the uninstalled CA, you must reconfigure these services to support a different CA.</maml:para>

<maml:para>After a CA has been uninstalled, the following information is left on the server: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The CA database</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The CA public and private keys</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The CA's certificates in the Personal store</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The CA's certificates in the shared folder, if a shared folder was specified during AD CS setup</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The CA chain's root certificate in the Trusted Root Certification Authorities store</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The CA chain's intermediate certificates in the Intermediate Certification Authorities store</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The CA's CRL</maml:para>
</maml:listItem>
</maml:list>

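<maml:para>This information is kept on the server by default, in case you are uninstalling and then reinstalling the CA. For example, you might uninstall and reinstall the CA if you want to change a stand-alone CA to an enterprise CA. Because the CA private keys and database remain on the server, continue to protect the server as you would a running CA; if the CA is being permanently decommissioned rather than reinstalled, remove or securely archive this material according to your organization's policy.</maml:para>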
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=24bce8a3-bf9b-48b9-adfa-b523d393038c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Configure CAs to Issue and Manage Certificates</maml:title><maml:introduction>
<maml:para>Most organizations deploy an offline root certification authority (CA) and one or more subordinate CAs as a public key infrastructure (PKI). After these CAs have been installed on servers, additional steps must be completed before the PKI can be used to issue, support, and manage certificates. These steps include setting up certificate revocation options, configuring certificates or certificate templates, and configuring enrollment and issuance options. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Task</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Plan the PKI.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Public Key Infrastructures</maml:linkText><maml:uri href="mshelp://windows/?id=26af007f-65e7-4f2b-a154-2bdcc7af2657"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Set up a stand-alone or enterprise root CA.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Install a Root Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=928ede4c-c06d-4e5b-8d6e-fda1334627ed"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Set up additional subordinate CAs. (Optional)</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Install a Subordinate Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e9bd1194-e088-4671-840f-0847cf5ee2a0"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Complete additional CA configuration tasks.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Managing a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e3990c59-f588-45ad-b3fd-3052e0b4f659"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Install and configure certificate templates.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Managing Certificate Templates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142230</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142230"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure certificate enrollment.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Enrollment</maml:linkText><maml:uri href="mshelp://windows/?id=3435d75d-3bec-41c9-8ba2-dc16511d4e12"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Managing Policy and Exit Modules</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>Policy modules determine whether a certificate request should be automatically approved, denied, or marked as pending. Exit modules provide an opportunity to perform certain tasks after a certificate is issued.</maml:para>

<maml:para>Active Directory Certificate Services (AD CS) includes one policy module (Certpdef.dll) and one exit module (Certxds.dll). The policy module includes two separate policies: enterprise and stand-alone. To compare a certification authority (CA) that uses an enterprise policy and a CA that uses a stand-alone policy, see <maml:navigationLink><maml:linkText>Enterprise Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=70e5d64c-91ce-4355-a9c9-115fe0866911"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Stand-Alone Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=f4d0ff2c-e17f-4cf6-997b-413d844d71d0"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>As a CA administrator, you can replace these default modules with your own custom policy and exit modules or another vendor's policy and exit modules. In addition, if you have upgraded to AD CS in Windows Server 2008 R2 or Windows Server 2008 from Certificate Services in an earlier version of Windows, you can use the same policy module you used prior to upgrading. When you view the properties of the CA, the policy module will be listed either as a legacy policy module or with its original name, depending on how it was created.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Policy module</maml:title><maml:introduction>
<maml:para>The policy module provided with a Windows Server 2008 R2–based CA determines the default action of a CA upon receiving a certificate request: approve, deny, or mark as pending. </maml:para>

<maml:para>In the majority of instances, the administrator of a stand-alone CA should set all incoming certificate requests to pending, so that a CA administrator can review each request before the certificate is issued. Otherwise, because the stand-alone CA does not verify the identity of requesters via Active Directory Domain Services (AD DS), certificates would be issued without any verification of the identity and validity of the certificate requester.</maml:para>

<maml:para>The CA can have only one policy module loaded at a time. </maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Exit module</maml:title><maml:introduction>
<maml:para>The exit module that is provided with a Windows Server 2008 R2–based CA can be configured to perform the following functions:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Send e-mail when a certification event occurs.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Publish certificates to the file system. </maml:para>
</maml:listItem>
</maml:list>

<maml:para>This is not an exhaustive list of the functions of the exit module. Unlike the policy module, multiple exit modules can be used by a CA simultaneously.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Customizing AD CS policy and exit modules</maml:title><maml:introduction>
<maml:para>To configure the settings of the default policy and exit modules, see <maml:navigationLink><maml:linkText>Configuring the Policy and Exit Modules</maml:linkText><maml:uri href="mshelp://windows/?id=698175c2-9ca5-4124-a851-937e659232e7"></maml:uri></maml:navigationLink>. </maml:para>

<maml:para>To configure options for sending e-mail, see <maml:navigationLink><maml:linkText>Send E-mail When a Certification Event Occurs</maml:linkText><maml:uri href="mshelp://windows/?id=b8d01da1-12ac-404b-8239-ff5b59679f02"></maml:uri></maml:navigationLink>.  </maml:para>

<maml:para>Programmable interfaces are included in AD CS for developers to create customized policy modules. For more information, see Certificate Services Architecture (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=91405</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91405"></maml:uri></maml:navigationLink>).</maml:para>

<maml:para>If you have created a customized policy module and you want to change the policy module, see <maml:navigationLink><maml:linkText>Select a Different Policy Module</maml:linkText><maml:uri href="mshelp://windows/?id=6517f2bf-bf39-4275-86f6-d579a26e3654"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>If you have created a customized exit module and you want to change or add an exit module, see <maml:navigationLink><maml:linkText>Select a Different Exit Module</maml:linkText><maml:uri href="mshelp://windows/?id=f0bb5698-e30a-46fc-92d2-10d1f949e970"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Renew OCSP Response Signing Certificates with an Existing Key</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Online Certificate Status Protocol (OCSP) Response Signing certificates need to be signed by the same certification authority (CA) key that was used to sign the end-entity certificates that they provide status for. </maml:para>

<maml:para>After a CA key is renewed, the CA uses the new key to sign newly issued certificates. As a result, in the period between the renewal of the CA certificate and the expiration date of the original CA certificate, the CA cannot by default issue or renew OCSP Response Signing certificates that are signed with the original key, which may prevent an Online Responder from signing OCSP responses for certificates that were issued under that key.</maml:para>

<maml:para>To overcome this issue, Windows Server 2008 R2–based CAs and Windows Server 2008–based CAs can be configured to modify the default behavior and allow OCSP Response Signing certificates to be issued by using a renewed CA key.</maml:para>

<maml:para>You must be an administrator on the server hosting the CA to complete this procedure. For more information about administering a public key infrastructure (PKI), see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To allow OCSP Response Signing certificates to be renewed by using existing CA keys</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the CA computer, open a command prompt, and type: </maml:para>

<maml:para><maml:codeInline>certutil -setreg ca\UseDefinedCACertInRequest 1 </maml:codeInline></maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Restart the CA service.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Online Responders</maml:linkText><maml:uri href="mshelp://windows/?id=2c78c461-1d3f-40f4-b435-1d87f03c299a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configuring Delegation Settings for the Certificate Enrollment Web Service Account</maml:title><maml:introduction>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction><maml:para>Depending on the installation options you selected for the Certificate Enrollment Web Service, you may also need to configure delegation for the Web service to submit certificate requests on behalf of domain users and computers.</maml:para>

<maml:para>If all of the following conditions are true, then you must configure delegation for the Web service account:</maml:para>

<maml:list class="unordered"><maml:listItem><maml:para>The certification authority (CA) and the Certificate Enrollment Web Service are installed on separate computers.</maml:para></maml:listItem>
<maml:listItem><maml:para>The Web service authentication type is Windows integrated authentication or client certificate authentication.</maml:para></maml:listItem>
<maml:listItem><maml:para>The Web service is not configured for renewal-only mode.</maml:para></maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para><maml:phrase>Domain Admins</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:para>The Certificate Enrollment Web Service application pool can be configured to use a domain user account or a built-in account such as ApplicationPoolIdentity or Network Service. If a domain user account is specified, then complete the first step to add a service principal name (SPN) to the account object before configuring delegation.</maml:para>
<maml:procedure><maml:title>To configure delegation</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>(Domain user accounts only) To add an SPN for a domain user account, at a command prompt, type <maml:computerOutputInline>setspn -s http/</maml:computerOutputInline><maml:replaceable>Host Domain\Account</maml:replaceable>, where <maml:replaceable>Host</maml:replaceable> is the computer name of the Web server hosting the Certificate Enrollment Web Service and <maml:replaceable>Domain\Account</maml:replaceable> is the domain account used by the Web service application pool.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Open Active Directory Users and Computers.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, expand the domain that contains the account used by the application pool.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If the application pool identity is Network Service, click <maml:ui>Computers</maml:ui>. Otherwise, click <maml:ui>Users</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the details pane, double-click the account, and then click the <maml:ui>Delegation</maml:ui> tab.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Trust this user for delegation to specified services only</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If the Web service authentication type is Windows integrated authentication, select the <maml:ui>Use Kerberos only</maml:ui> check box. 
If the Web service authentication type is client certificate authentication, select the <maml:ui>Use any authentication protocol</maml:ui> check box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add</maml:ui>, and then click <maml:ui>Users or Computers</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Enter the name of the computer that hosts the CA, and then click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Available Services</maml:ui> list, hold down the CTRL key and click both <maml:ui>HOST</maml:ui> and <maml:ui>rpcss</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to save the changes.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Setspn command reference (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=143939</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=143939"></maml:uri></maml:navigationLink>)</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Installing the Certificate Enrollment Web Service</maml:linkText><maml:uri href="mshelp://windows/?id=cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Setting Up Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Protect Encrypted Data from Loss by Enabling Key Archival and Recovery</maml:title><maml:introduction>
<maml:para>If a certificate that is used to encrypt data with Encrypting File System (EFS) is lost, the data cannot be recovered unless a key recovery agent has been configured. Establishing a key archival and recovery plan based on Microsoft certification authority (CA) certificates can help you protect your organization's data resources from becoming irretrievable if the original EFS key is no longer accessible.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Task</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Set up additional subordinate CAs. (Optional)</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Install a Subordinate Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e9bd1194-e088-4671-840f-0847cf5ee2a0"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Install and configure certificate templates.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Managing Certificate Templates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142230</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142230"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure key archival and recovery.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Managing Key Archival and Recovery</maml:linkText><maml:uri href="mshelp://windows/?id=51842149-feee-43d7-8813-38a64d1f4caa"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure certificate enrollment.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Enrollment</maml:linkText><maml:uri href="mshelp://windows/?id=3435d75d-3bec-41c9-8ba2-dc16511d4e12"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Strengthen Identity Management by Issuing Certificates for Smart Cards</maml:title><maml:introduction>
<maml:para>Smart cards and other physical authentication tokens improve upon basic password-based authentication by requiring users to supplement something they know—a password or personal identification number (PIN)—with something they have—the smart card or token. An obstacle to smart card deployments has been the cost and difficulty in managing smart card certificates. However, issuing and managing certificates with a Windows-based certification authority (CA) can be an efficient and cost-effective solution for deploying smart cards.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Task</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Set up additional subordinate CAs. (Optional)</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Install a Subordinate Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e9bd1194-e088-4671-840f-0847cf5ee2a0"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Install and configure certificate templates.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Managing Certificate Templates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142230</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142230"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure and implement a smart card enrollment station.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Set Up and Use a Smart Card Enrollment Station</maml:linkText><maml:uri href="mshelp://windows/?id=c3b0e476-4bec-411c-b6cc-6bed8a1c378d"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure smart card clients.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure Smart Card Clients (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=94261</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=94261"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Issue smart cards to users.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Issue Smart Cards (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=94262</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=94262"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Setting Up Active Directory Certificate Services</maml:title><maml:introduction>
<maml:para>Active Directory Certificate Services (AD CS) role services can be set up individually, with multiple role services on a single server, or with each role service installed on a separate server. For more information, see <maml:navigationLink><maml:linkText>Active Directory Certificate Services Overview</maml:linkText><maml:uri href="mshelp://windows/?id=ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>The following topics explain installation options for various AD CS role services:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=24bce8a3-bf9b-48b9-adfa-b523d393038c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Set Up Certification Authority Web Enrollment Support</maml:linkText><maml:uri href="mshelp://windows/?id=d6e60022-fcad-4192-b038-be51c15b8f6a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configure the Network Device Enrollment Service</maml:linkText><maml:uri href="mshelp://windows/?id=281af9f9-b1cb-4efa-99d0-ba44e9b7ee21"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up Online Responder Services in a Network</maml:linkText><maml:uri href="mshelp://windows/?id=1eb5a9e3-de04-44a0-8972-bc744ca43320"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Setting Up Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Administer an Online Responder from Another Computer</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>One advantage of Online Responders is that they can be deployed to provide revocation checking services at a remote location or even outside of the local intranet. However, this would frequently require the ability to manage the Online Responder from another computer. </maml:para>

<maml:para>By default, the Online Responder snap-in is installed automatically when an Online Responder is installed on a server. The snap-in can also be installed on a different server by using Server Manager to install Active Directory Certificate Services (AD CS) tools. </maml:para>

<maml:para>Before you can enable remote administration, you must configure Online Responder–related firewall settings on the computer hosting the Online Responder.</maml:para>

<maml:para>You must be a local administrator to configure firewall settings. For more information about administering a public key infrastructure (PKI), see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure firewall settings to enable remote administration of an Online Responder</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open Server Manager.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Configuration</maml:ui>, expand <maml:ui>Windows Firewall with Advanced Security</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Expand <maml:ui>Inbound Rules</maml:ui>, and click <maml:ui>Online Responder Service (DCOM-In)</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Actions</maml:ui> pane, click <maml:ui>Enable Rule</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Online Responder Service (RPC-In)</maml:ui>, and in the <maml:ui>Actions</maml:ui> pane, click <maml:ui>Enable Rule</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To identify authorized users or computers that can access the Online Responder through each inbound Online Responder firewall rule, in the <maml:ui>Actions</maml:ui> pane, click <maml:ui>Properties</maml:ui> for each of these rules, and then click the <maml:ui>Users and Computers</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>You must be a local administrator on the remote computer to install the Remote Server Administration Tools. You must have <maml:ui>Manage Online Responder</maml:ui> permissions on the server hosting the Online Responder to complete this procedure. For more information about administering a PKI, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To administer a remote Online Responder</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the remote computer, open Server Manager.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Features Summary</maml:ui>, click <maml:ui>Add Features</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Expand <maml:ui>Remote Server Administration Tools</maml:ui> and <maml:ui>Role Administration Tools</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Active Directory Certificate Services</maml:ui> check box, click <maml:ui>Next</maml:ui>, and then click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When the installation process is finished, click <maml:ui>Close</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, type <maml:userInput>mmc</maml:userInput>, and press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File</maml:ui> menu, click <maml:ui>Add/Remove Snap-in</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Online Responder</maml:ui> snap-in, click <maml:ui>Add</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the Online Responder.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Retarget Responder</maml:ui> to identify the Online Responder that you want to manage.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>If the computer you want to perform remote administration tasks from is running Windows Vista, you can obtain the Remote Server Administration Tools Pack from the Microsoft Download Center (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=89361</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=89361"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If there is a firewall between the Online Responder and the remote computer, the firewall must be configured to allow data to pass through port 80 between Internet Information Services (IIS) and the Online Responder. Similar results can be achieved by using the reverse-proxy capability of Microsoft Internet Security and Acceleration (ISA) Server. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>It may also be necessary to configure DCOM permissions to enable the Online Responders in an Array to authenticate to each other.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Online Responders</maml:linkText><maml:uri href="mshelp://windows/?id=2c78c461-1d3f-40f4-b435-1d87f03c299a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Creating a Revocation Configuration</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>An Online Responder can make revocation information available from multiple certification authorities (CAs) and multiple CA certificates. However, each CA and CA certificate served by an Online Responder requires a separate revocation configuration.</maml:para>

<maml:para>A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key. These configuration settings include the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>CA certificate</maml:phrase>. This certificate can be located in Active Directory Domain Services (AD DS), in the local certificate store, or imported from a file. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Signing certificate for the Online Responder</maml:phrase>. This signing certificate can be selected automatically for you, selected manually (which involves a separate import step after you add the revocation configuration), or you can use the selected CA certificate to also serve as the signing certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Revocation provider</maml:phrase>. The revocation provider will provide the revocation data used by this configuration. For a Windows Server 2008 R2 or Windows Server 2008 provider, this information is entered as one or more URLs where valid base CRLs and delta CRLs can be obtained. </maml:para>
</maml:listItem>
</maml:list>

<maml:para>Before you begin to add a new revocation configuration, make sure you have the information in the preceding list available.</maml:para>

<maml:para>You must have <maml:ui>Manage Online Responder</maml:ui> permissions on all of the Online Responders in the Array to complete this procedure. For more information about administering a public key infrastructure, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>. </maml:para>

<maml:procedure><maml:title>To add a revocation configuration to an Online Responder</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Online Responder snap-in. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Revocation Configuration</maml:ui>. </maml:para>

<maml:para>A list of existing revocation configurations appears in the details pane.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Actions</maml:ui> pane, click <maml:ui>Add Revocation Configuration </maml:ui>to start the Add Revocation Configuration Wizard.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Provide the information requested in the wizard. </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>For information about the <maml:ui>Select CA Certificate Location</maml:ui> page, see <maml:navigationLink><maml:linkText>Revocation Configuration CA Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=4aaea26c-e132-4c04-9849-e5106f93d042"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>For information about the <maml:ui>Select Signing Certificate</maml:ui> page, see <maml:navigationLink><maml:linkText>Revocation Configuration Signing Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=bb63e84f-9313-4b54-b3f2-5a3c8490f250"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When all the information has been entered, click <maml:ui>Finish</maml:ui>, and then click <maml:ui>Yes</maml:ui> to complete the setup process. </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>You can modify the properties of an existing revocation configuration, view its CA certificate, or delete the revocation configuration, by selecting the revocation configuration and clicking <maml:ui>Edit Properties</maml:ui> in the <maml:ui>Actions</maml:ui> pane.</maml:para>

<maml:para>The following properties of a revocation configuration can be modified:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Local CRL.</maml:phrase> For more information, see <maml:navigationLink><maml:linkText>Manage Revocation Data Using Local CRLs</maml:linkText><maml:uri href="mshelp://windows/?id=16d5bc20-c781-481a-9dc4-36b7a706f651"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Revocation provider.</maml:phrase> For more information, see <maml:navigationLink><maml:linkText>Revocation Provider Properties</maml:linkText><maml:uri href="mshelp://windows/?id=cba53c53-a842-42b1-8de4-7235e0b3c5fc"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Signing.</maml:phrase> For more information, see <maml:navigationLink><maml:linkText>Revocation Provider Signing</maml:linkText><maml:uri href="mshelp://windows/?id=2979e21a-28f0-4e84-b978-e52514a86f90"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up Online Responder Services in a Network</maml:linkText><maml:uri href="mshelp://windows/?id=1eb5a9e3-de04-44a0-8972-bc744ca43320"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Install a Root Certification Authority</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>For most organizations, a root certification authority (CA) is the first Active Directory Certificate Services (AD CS) role service that they install. In a basic public key infrastructure (PKI), a root CA may be the only CA that an organization deploys. </maml:para>

<maml:para>Whether you install just one CA or multiple CAs, the root CA certificate establishes the foundation and basic rules that govern certificate issuance and use for your entire PKI. Where the root certificate defines standards for what is acceptable and unacceptable in the PKI hierarchy, AD CS applies those standards to any other CAs and AD CS role services.</maml:para>

<maml:para>A root CA can be a stand-alone or enterprise CA. If there is more than one CA in the organization, many organizations minimize the exposure of their root CA by keeping it offline except when it is needed to process a request for a subordinate CA certificate.</maml:para>

<maml:para>Membership in local <maml:phrase>Administrators</maml:phrase>, or equivalent, is the minimum required to complete this procedure. If this will be an enterprise CA, membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To install a root CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open Server Manager, click <maml:ui>Add Roles</maml:ui>, click <maml:ui>Next</maml:ui>, and click <maml:ui>Active Directory Certificate Services</maml:ui>. Click <maml:ui>Next</maml:ui> two times. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Select Role Services </maml:ui>page, click <maml:ui>Certification Authority</maml:ui>. Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Specify Setup Type </maml:ui>page, click <maml:ui>Standalone </maml:ui>or <maml:ui>Enterprise</maml:ui>. Click <maml:ui>Next</maml:ui>.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You must have a network connection to a domain controller in order to install an enterprise CA. </maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Specify CA Type</maml:ui> page, click <maml:ui>Root CA</maml:ui>. Click <maml:ui>Next</maml:ui>.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Types of Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=bac506b2-57be-45c2-bdf6-1f976eeeb475"></maml:uri></maml:navigationLink>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Set Up Private Key </maml:ui>page, click <maml:ui>Create a new private key</maml:ui>. Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Configure Cryptography </maml:ui>page, select a cryptographic service provider, key length, and hash algorithm. Click <maml:ui>Next</maml:ui>.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Cryptographic Options for CAs</maml:linkText><maml:uri href="mshelp://windows/?id=b71c1373-6f1a-4c93-9eb4-875cc4a58bec"></maml:uri></maml:navigationLink>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Configure CA Name </maml:ui>page, create a unique name to identify the CA. Click <maml:ui>Next</maml:ui>.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Certification Authority Naming</maml:linkText><maml:uri href="mshelp://windows/?id=0588b149-8413-421d-844c-9a53857eac65"></maml:uri></maml:navigationLink>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Set Validity Period </maml:ui>page, specify the number of years or months that the root CA certificate will be valid. Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Configure Certificate Database </maml:ui>page, accept the default locations unless you want to specify a custom location for the certificate database and certificate database log. Click <maml:ui>Next</maml:ui>.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Certificates Database</maml:linkText><maml:uri href="mshelp://windows/?id=0f428311-c433-460c-96be-ced456f7e016"></maml:uri></maml:navigationLink>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Confirm Installation Options </maml:ui>page, review all of the configuration settings that you have selected. If you want to accept all of these options, click <maml:ui>Install</maml:ui> and wait until the setup process has finished. </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=24bce8a3-bf9b-48b9-adfa-b523d393038c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certification Authority Naming</maml:linkText><maml:uri href="mshelp://windows/?id=0588b149-8413-421d-844c-9a53857eac65"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Cryptographic Options for CAs</maml:linkText><maml:uri href="mshelp://windows/?id=b71c1373-6f1a-4c93-9eb4-875cc4a58bec"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificates Database</maml:linkText><maml:uri href="mshelp://windows/?id=0f428311-c433-460c-96be-ced456f7e016"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Install a Subordinate Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e9bd1194-e088-4671-840f-0847cf5ee2a0"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Enrollment Web Service Overview</maml:title><maml:introduction><maml:para>The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.</maml:para>
<maml:para>The Certificate Enrollment Web Service uses the HTTPS protocol to accept certificate requests from and return issued certificates to network client computers. The Certificate Enrollment Web Service uses the DCOM protocol to connect to the certification authority (CA) and complete certificate enrollment on behalf of the requester. In previous versions of AD CS, policy-based certificate enrollment could be completed only by domain member client computers that were using the DCOM protocol. This limited certificate issuance to the trust boundaries established by Active Directory domains and forests.</maml:para>
<maml:para>Certificate enrollment over HTTPS enables the following new deployment scenarios:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Certificate enrollment across forest boundaries to reduce the number of CAs in an enterprise.</maml:para></maml:listItem>
<maml:listItem><maml:para>Extranet deployment to issue certificates to mobile workers and business partners.</maml:para></maml:listItem>
</maml:list>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Policy Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configuring Group Policy to Support the Certificate Enrollment Policy Web Service</maml:title><maml:introduction>
<maml:para>Before client computers can use the Certificate Enrollment Policy Web Service, a Group Policy setting must be configured to provide the location of the Web service to domain members.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction><maml:procedure><maml:title>To configure certificate enrollment policy</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the Web server that hosts the Certificate Enrollment Policy Web Service, open Server Manager.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, expand <maml:ui>Roles</maml:ui>, and then expand <maml:ui>Web Server (IIS)</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Internet Information Services (IIS) Manager</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, expand <maml:ui>Sites</maml:ui>, and click the Web service application that begins with <maml:ui>ADPolicyProvider_CEP</maml:ui>.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The name of the application is ADPolicyProvider_CEP_<maml:replaceable>AuthenticationType</maml:replaceable> where <maml:replaceable>AuthenticationType</maml:replaceable> is the authentication type of the Web service.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Under <maml:ui>ASP.NET</maml:ui>, double-click <maml:ui>Application Settings</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Double-click <maml:ui>URI</maml:ui>, and copy the URI value.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Start</maml:ui>, type <maml:userInput>gpmc.msc</maml:userInput> in the <maml:ui>Search programs and files</maml:ui> box, and press 
ENTER.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, expand the forest and domain that contain the policy that you want to edit, and click <maml:ui>Group Policy Objects</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the policy that you want to edit, and then click <maml:ui>Edit</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree under <maml:ui>Computer Configuration\Policies\Windows Settings\Security Settings</maml:ui>, click <maml:ui>Public Key Policies</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Double-click <maml:ui>Certificate Services Client – Certificate Enrollment Policy</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add</maml:ui> to open the <maml:ui>Certificate Enrollment Policy Server</maml:ui> dialog box. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Enter enrollment policy server URI</maml:ui> box, type or paste the certificate enrollment policy server URI obtained earlier.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Authentication type</maml:ui> list, select the authentication type required by the enrollment policy server.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Validate</maml:ui>, and review the messages in the <maml:ui>Certificate enrollment policy server properties</maml:ui> area. The <maml:ui>Add</maml:ui> button is available only when the enrollment policy server URI and authentication type are valid.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Setting Up Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Installing the Certificate Enrollment Policy Web Service</maml:title><maml:introduction>
<maml:para>This topic provides step-by-step procedures to install the Certificate Enrollment Policy Web Service.</maml:para>
<maml:alertSet class="important"><maml:title>Important </maml:title><maml:para>Before beginning installation, review the requirements and configuration options for this role service in <maml:navigationLink><maml:linkText>Setting Up Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6"></maml:uri></maml:navigationLink>.</maml:para></maml:alertSet>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction><maml:para><maml:phrase>Enterprise Admins</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:procedure><maml:title>To install the Certificate Enrollment Policy Web Service</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Open Server Manager.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, click <maml:ui>Roles</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If <maml:ui>Active Directory Certificate Services</maml:ui> is displayed on the <maml:ui>Roles Summary</maml:ui> page, click <maml:ui>Add Role Services</maml:ui>, and continue to the next step. If it is not displayed, complete the following steps before continuing:</maml:para>
<maml:list class="ordered"><maml:listItem><maml:para>On the <maml:ui>Roles Summary</maml:ui> page, click <maml:ui>Add Roles</maml:ui>.</maml:para></maml:listItem>
<maml:listItem><maml:para>On the <maml:ui>Before You Begin</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para></maml:listItem>
<maml:listItem><maml:para>On the <maml:ui>Select Server Roles</maml:ui> page, click <maml:ui>Active Directory Certificate Services</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:listItem>
<maml:listItem><maml:para>Review the information on the <maml:ui>Introduction to Active Directory Certificate Services</maml:ui> page, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:listItem></maml:list></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Select Role Services</maml:ui> page, select the <maml:ui>Certificate Enrollment Policy Web Service</maml:ui> check box.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The Certification Authority (CA) role service is automatically selected when the AD CS role is added, but it is not required. Clear the <maml:ui>Certification Authority</maml:ui> check box unless you intend to install both the CA and the Certificate Enrollment Policy Web Service. See <maml:navigationLink><maml:linkText>Setting Up Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=8cb0540b-a5c2-47e5-913c-4d995a4adc2d"></maml:uri></maml:navigationLink>.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add Required Role Services</maml:ui> when prompted to install required role services and features, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select the authentication type that the Certificate Enrollment Policy Web Service will use to authenticate client requests, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Specify Account Credentials</maml:ui> page, select either <maml:ui>Specify service account</maml:ui> or <maml:ui>Use built-in application pool identity</maml:ui>. 
To specify a service account, click <maml:ui>Select</maml:ui>, type a domain user account and password and click <maml:ui>OK</maml:ui>. Click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select an existing server certificate, click <maml:ui>Import</maml:ui> to import a certificate file or select <maml:ui>Choose and assign a server certificate later</maml:ui>, and then click <maml:ui>Next</maml:ui>. See <maml:navigationLink><maml:linkText>Configuring Server Certificates for Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=0e22c650-0bdd-4807-8a90-68dbf4f39dc2"></maml:uri></maml:navigationLink> for details.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Introduction to Web Server (IIS)</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Select Role Services</maml:ui> page, review the selected role services, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Review the information on the <maml:ui>Confirm Installation Selections</maml:ui> page, and then click <maml:ui>Install</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Review the <maml:ui>Installation Results</maml:ui> page for messages. Additional tasks may be required to configure the Certificate Enrollment Policy Web Service before users can submit requests.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring Server Certificates for Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=0e22c650-0bdd-4807-8a90-68dbf4f39dc2"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring Group Policy to Support the Certificate Enrollment Policy Web Service</maml:linkText><maml:uri href="mshelp://windows/?id=98cde842-f281-4892-9da4-1e467199ea14"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Installing the Certificate Enrollment Web Service</maml:linkText><maml:uri href="mshelp://windows/?id=cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Setting Up Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Set the Default Action Upon Receipt of a Certificate Request</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>You can configure the policy module to automatically approve all certificate requests or to mark requests as pending until an administrator can review and act upon the request. The choice will likely depend on the security implications of the certificates being issued, the intended recipients of the certificates, and other factors.</maml:para>

<maml:para>You must be a certification authority (CA) administrator to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To set the default action upon receipt of a certificate request</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Policy Module</maml:ui> tab, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the option you want:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To have the CA administrator review every certificate request before issuing a certificate, click <maml:ui>Set the certificate request status to pending</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To have the CA issue certificates based on the configuration of the certificate template, click <maml:ui>Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Stop and restart the CA.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:alertSet class="caution"><maml:title>Caution </maml:title>
<maml:para>In most cases, for security reasons, it is recommended that all incoming certificate requests to a stand-alone CA be marked as pending. Unlike enterprise CAs, stand-alone CAs do not use Active Directory Domain Services (AD DS), even if it is available, to verify that an individual or computer is authorized to be issued a certificate from the CA automatically. For stand-alone CAs, the CA administrator is responsible for verifying the identity of the certificate requester.</maml:para>
</maml:alertSet>

<maml:para>If you change the setting from <maml:ui>Set the certificate request status to pending</maml:ui> to <maml:ui>Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate</maml:ui>, the change applies only to certificate requests submitted to the CA after the default action has been changed. If there are pending requests held by the CA, these requests will remain pending until the CA administrator issues the certificates or denies the requests.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Enrollment</maml:linkText><maml:uri href="mshelp://windows/?id=3435d75d-3bec-41c9-8ba2-dc16511d4e12"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Review Pending Certificate Requests</maml:linkText><maml:uri href="mshelp://windows/?id=fddd4b0c-c6c1-4800-8f5d-1f77d77d2a2c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure CRL and Delta CRL Overlap Periods</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>You can adjust the relationship between a certificate revocation list (CRL) and delta CRL by configuring an overlap period between the two. This setting is particularly useful when publication of the next base or delta CRL is delayed or the client is unable to obtain a new CRL or delta CRL at the scheduled publication time.</maml:para>

<maml:para>The overlap period for CRLs is the amount of time at the end of a published CRL's lifetime that a client can use to obtain a new CRL before the old CRL is considered unusable. The default setting for this value is 10 percent of the CRL's lifetime. Because some environments may require longer periods to replicate a CRL, this setting can be configured manually. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The maximum value for either the CRL or delta CRL overlap period is 12 hours.</maml:para>
</maml:alertSet>

<maml:para>When both a base CRL and delta CRL have been recently published, a revoked certificate may appear in both CRLs. This is because the newer delta CRL may still point to the older base CRL while the new base CRL is being replicated. Having the certificate appear in both CRLs ensures the revocation information is available.</maml:para>

<maml:para>You must be a certification authority (CA) administrator to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure a CRL and delta CRL overlap period</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>At a command prompt, type:</maml:para>

<maml:para><maml:codeInline>certutil -setreg ca\CRLOverlapUnits </maml:codeInline><maml:replaceable>Value</maml:replaceable></maml:para>

<maml:para><maml:codeInline>certutil -setreg ca\CRLOverlapPeriod </maml:codeInline><maml:replaceable>Units</maml:replaceable></maml:para>

<maml:para><maml:codeInline>certutil -setreg ca\CRLDeltaOverlapUnits </maml:codeInline><maml:replaceable>Value</maml:replaceable></maml:para>

<maml:para><maml:codeInline>certutil -setreg ca\DeltaOverlapPeriod </maml:codeInline><maml:replaceable>Units</maml:replaceable></maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and click <maml:ui>Stop Service</maml:ui> to stop the service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and click <maml:ui>Start Service</maml:ui> to start the service.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:alertSet class="caution"><maml:title>Caution </maml:title>
<maml:para>Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.</maml:para>
</maml:alertSet>

<maml:para>The following table lists the values that can be used in the Certutil syntax described in this procedure.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Value</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Certutil</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the name of the command-line tool.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>-setreg</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Modifies the registry.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ca\CRLOverlapUnits</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Indicates the registry value that stores the value for the CRL overlap setting.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ca\CRLDeltaOverlapUnits</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Indicates the registry value that stores the value for the delta CRL overlap setting.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Value</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Provides the numerical value to set this option to.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ca\CRLOverlapPeriod</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Indicates the registry value that stores the value for the CRL overlap unit type setting.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ca\DeltaOverlapPeriod</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Indicates the registry value that stores the value for the delta CRL overlap unit type setting.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Units</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Provides the type of units for the overlap period. Valid values are Minutes, Hours, and Days.</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If your environment is not configured to issue delta CRLs, the settings for CRLDeltaOverlapUnits and DeltaOverlapPeriod will have no effect.</maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To open a command prompt, click <maml:ui>Start</maml:ui>, point to <maml:ui>All Programs</maml:ui>, click <maml:ui>Accessories</maml:ui>, and then click <maml:ui>Command Prompt</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring Certificate Revocation</maml:linkText><maml:uri href="mshelp://windows/?id=336d3a6a-33c6-4083-8606-c0a4fdca9a25"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Schedule Publication of Certificate Revocation Lists</maml:linkText><maml:uri href="mshelp://windows/?id=b3cbf5d7-d1f6-4454-8194-48a3afc87b59"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Certificate Autoenrollment</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Many certificates can be distributed without the client even being aware that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users. </maml:para>

<maml:para>To automatically enroll clients for certificates in a domain environment, you must:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Configure a certificate template with Autoenroll permissions. For more information, see Issuing Certificates Based on Certificate Templates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142333</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142333"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure an autoenrollment policy for the domain.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure autoenrollment Group Policy for a domain</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Group Policy Objects</maml:ui> in the forest and domain containing the <maml:ui>Default Domain Policy</maml:ui> Group Policy object (GPO) that you want to edit.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Default Domain Policy</maml:ui> GPO, and then click <maml:ui>Edit</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Group Policy Management Console (GPMC), go to <maml:ui>User Configuration</maml:ui>, <maml:ui>Windows Settings</maml:ui>, <maml:ui>Security Settings</maml:ui>, and then click <maml:ui>Public Key Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Services Client - Auto-Enrollment</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Enroll certificates automatically</maml:ui> check box to enable autoenrollment. If you want to block autoenrollment from occurring, select the <maml:ui>Do not enroll certificates automatically</maml:ui> check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you are enabling certificate autoenrollment, you can select the following check boxes:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Renew expired certificates, update pending certificates, and remove revoked certificates</maml:ui> enables autoenrollment for certificate renewal, issuance of pending certificate requests, and the automatic removal of revoked certificates from a user's certificate store.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Update certificates that use certificate templates</maml:ui> enables autoenrollment for issuance of certificates that supersede issued certificates.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui> to accept your changes.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Enrollment</maml:linkText><maml:uri href="mshelp://windows/?id=3435d75d-3bec-41c9-8ba2-dc16511d4e12"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Troubleshoot Active Directory Certificate Services</maml:title><maml:introduction>
<maml:para>This section lists a few common issues you may encounter when using the Certification Authority snap-in or working with certification authorities (CAs). For more information about troubleshooting and resolving problems with CAs, see Active Directory Certificate Services Troubleshooting (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=89215</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=89215"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>What problem are you having?</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Clients do not automatically enroll for certificates after autoenrollment is configured</maml:linkText><maml:uri href="mshelp://windows/?id=a6445362-7927-492f-9e82-0d7058e599f5#BKMK_1"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>A CA could not be installed as an enterprise CA, or CA Web enrollment support could not be installed to recognize a stand-alone CA</maml:linkText><maml:uri href="mshelp://windows/?id=a6445362-7927-492f-9e82-0d7058e599f5#BKMK_2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Error when accessing the CA Web pages</maml:linkText><maml:uri href="mshelp://windows/?id=a6445362-7927-492f-9e82-0d7058e599f5#BKMK_3"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>A user tries to log on with the smart card and receives this message: "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on the account is incorrect."</maml:linkText><maml:uri href="mshelp://windows/?id=a6445362-7927-492f-9e82-0d7058e599f5#BKMK_4"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>When trying to enroll for a certificate from a computer or account belonging to a child domain of the domain where the CA is located, the following message appears: "No template could be found. There are no CAs from which you have permission to request a certificate, or an error occurred while accessing the Active Directory."</maml:linkText><maml:uri href="mshelp://windows/?id=a6445362-7927-492f-9e82-0d7058e599f5#BKMK_5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>An enrollment agent cannot enroll on behalf of a user for a specific certificate template</maml:linkText><maml:uri href="mshelp://windows/?id=a6445362-7927-492f-9e82-0d7058e599f5#BKMK_6"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Restricted certificate manager or enrollment agent operations cannot be completed after a domain is renamed</maml:linkText><maml:uri href="mshelp://windows/?id=a6445362-7927-492f-9e82-0d7058e599f5#BKMK_7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I cannot add a new version 2 or version 3 certificate template to my CA</maml:linkText><maml:uri href="mshelp://windows/?id=a6445362-7927-492f-9e82-0d7058e599f5#BKMK_9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I have a problem that is not listed here</maml:linkText><maml:uri href="mshelp://windows/?id=a6445362-7927-492f-9e82-0d7058e599f5#BKMK_8"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section address="BKMK_1">
<maml:title>Clients do not automatically enroll for certificates after autoenrollment is configured.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The Group Policy information used for autoenrollment has not yet replicated to the client computers. By default, this information can take up to two hours to replicate to all computers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Wait for Group Policy to complete replication or use the Gpupdate command-line tool to force replication to occur immediately. For more information, see Gpupdate (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=94248</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=94248"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_2">
<maml:title>A CA could not be installed as an enterprise CA, or CA Web enrollment support could not be installed to recognize a stand-alone CA.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The CA was installed by a user who is not a member of the <maml:phrase>Enterprise Admins</maml:phrase> or <maml:phrase>Domain Admins</maml:phrase> group; therefore, the enterprise CA option was not available and information about the CA cannot be published to Active Directory Domain Services (AD DS).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Log on as a user who is a member of the <maml:phrase>Enterprise Admins</maml:phrase> or <maml:phrase>Domain Admins</maml:phrase> group to install the CA and CA Web enrollment support.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The domain was not accessible during CA setup.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Ensure that you have network connectivity to a domain controller during CA setup.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_3">
<maml:title>Error when accessing the CA Web pages.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The user accessing the Web pages is not a member of the <maml:phrase>Administrators</maml:phrase> or <maml:phrase>Power Users</maml:phrase> group on the local computer. When a newer version of the Web enrollment software is available on the CA, the client computer must install that software. The user must be a member of the <maml:phrase>Administrators</maml:phrase> or <maml:phrase>Power Users</maml:phrase> group to install the software.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Log on as a user who is a member of the <maml:phrase>Administrators</maml:phrase> or <maml:phrase>Power Users</maml:phrase> group to access the Web enrollment pages and download the newer version of the software.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: Web pages aren't installed on the CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: From a command prompt on the CA, run <maml:computerOutputInline>certutil -vroot</maml:computerOutputInline> to install the Web enrollment pages.</maml:para>
</maml:listItem>

</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_4">
<maml:title>A user tries to log on with the smart card and receives this message: "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on the account is incorrect."</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The computer account may be disabled, or the CA that issued the smart card certificate is not trusted by the computer.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: </maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Verify that the computer account is enabled in the domain.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Use the Certificates snap-in to verify that the root CA's certificate is in the Trusted Root Certification Authorities store on the user's computer.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Use the Certificates snap-in to verify that the domain controller has been issued a domain controller certificate that can be verified to a trusted root.</maml:para>
</maml:listItem>
</maml:list>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_5">
<maml:title>When trying to enroll for a certificate from a computer or account belonging to a child domain of the domain where the CA is located, the following error appears: "No template could be found. There are no CAs from which you have permission to request a certificate, or an error occurred while accessing the Active Directory."</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The necessary security permissions are not set on the certificate templates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Modify the security permissions for the certificate templates to include the child domain accounts from which you want to allow enrollment. To set access control for certificate templates, see Issuing Certificates Based on Certificate Templates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=142333</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=142333"></maml:uri></maml:navigationLink>).</maml:para>

<maml:para>Some access control caches must time out after changes are made to security permissions, so you might have to wait a short period of time before the new security permissions are replicated through the network.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_6">
<maml:title>An enrollment agent cannot enroll on behalf of a user for a specific certificate template.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: Enrollment agent restrictions may have been configured to prevent the enrollment agent from enrolling for certificates based on the certificate template for this user group.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: This behavior may be by design if you do not intend for the enrollment agent to enroll for certificates based on this certificate template or for this group of users. If it is not by design, follow the steps in <maml:navigationLink><maml:linkText>Establish Restricted Enrollment Agents</maml:linkText><maml:uri href="mshelp://windows/?id=5ddd6c36-0fb3-457d-94fa-3b1e3fc9c5b2"></maml:uri></maml:navigationLink> to configure the correct enrollment agent permissions for this group and certificate template.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The enrollment agent certificate is configured with a Cryptography Next Generation (CNG) key, and the certificate is being requested from a Windows Server 2003–based CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Use an enrollment agent certificate that is compatible with Windows Server 2003–based CAs, or request the certificate from a CA on a computer running Windows Server 2008 R2 or Windows Server 2008.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_7">
<maml:title>Restricted certificate manager or enrollment agent operations cannot be completed after a domain is renamed.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: For restricted officer operations, a CA relies on the Security Accounts Manager (SAM) name of the requester that is stored in the Active Directory database to verify that the officer has rights to manage the request. However, the SAM name contains the domain name and the restricted officer operation will fail if the domain name is changed (instead of just the DNS portion of the name).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Disable or reconfigure the restricted officer permissions before attempting the enrollment operation again. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_9">
<maml:title>I cannot add a new version 2 or version 3 certificate template to my CA.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause:</maml:phrase> The CA is installed on a server running Windows Server 2008 R2 Standard or Windows Server 2008 Standard. Version 2 and version 3 certificate templates and certificate autoenrollment can only be used with CAs installed on Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 Enterprise, or Windows Server 2008 Datacenter. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution:</maml:phrase> Upgrade to Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 Enterprise, or Windows Server 2008 Datacenter.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_8">
<maml:title>I have a problem that is not listed here.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: Check the event log of the server. It often contains more detailed error messages that can help you diagnose and solve the problem you are having.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: For more information about events that are logged by Active Directory Certificate Services, see Active Directory Certificate Services Troubleshooting (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=89215</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=89215"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Audit Online Responder Operations</maml:title><maml:introduction>
<maml:para>You can monitor the operations of an Online Responder by logging events to the Windows security event log. The Online Responder allows the configuration of the following audit events:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Start/Stop the Online Responder Service</maml:phrase>. Every Start/Stop event of the Online Responder service will be logged.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Changes to the Online Responder configuration</maml:phrase>. All Online Responder configuration changes, including audit settings changes, will be logged.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Changes to the Online Responder security settings.</maml:phrase> All changes to the Online Responder service request and management interfaces access control list (ACL) will be logged.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Requests submitted to the Online Responder</maml:phrase>. All requests processed by the Online Responder service will be logged. This option can create a high load on the service and should be evaluated on an individual basis. Note that only requests that require a signing operation by the Online Responder will generate audit events; requests for previously cached responses will not be logged.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>You must have <maml:ui>Manage Online Responder</maml:ui> permissions on the server hosting the Online Responder to complete this procedure. For more information about administering a public key infrastructure (PKI), see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To enable auditing of Online Responder operations</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Online Responder snap-in, and select the Online Responder.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Responder Properties</maml:ui> on the <maml:ui>Action</maml:ui> menu, or click <maml:ui>Responder Properties</maml:ui> in the <maml:ui>Action</maml:ui> pane.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Audit</maml:ui> tab, select the Online Responder audit options that you want to have logged, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>Audit events will be logged to the Windows security log only if the <maml:ui>Audit object access</maml:ui> policy is enabled.</maml:para>

<maml:para>You must be an administrator on the server hosting the Online Responder to complete this procedure. For more information about administering a PKI, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To enable the Audit object access policy</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Local Group Policy Editor.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Computer Configuration</maml:ui>, expand <maml:ui>Windows Settings</maml:ui>, <maml:ui>Security Settings</maml:ui>, and <maml:ui>Local Policies</maml:ui>, and then click <maml:ui>Audit Policy</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click the <maml:ui>Audit object access</maml:ui> policy.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Success</maml:ui> and <maml:ui>Failure</maml:ui> check boxes, and click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Online Responders</maml:linkText><maml:uri href="mshelp://windows/?id=2c78c461-1d3f-40f4-b435-1d87f03c299a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Audit Revocation Configuration Changes</maml:linkText><maml:uri href="mshelp://windows/?id=b1cb8a2b-db02-4713-803e-50dfae5df354"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Manage Certificate Path Validation</maml:title><maml:introduction>
<maml:para>Certificate path validation settings in Windows Server 2008 R2 and Windows Server 2008 allow you to manage the settings for certificate path discovery and validation for all users in a domain. You can use Group Policy to easily configure and manage these certificate validation settings. The following are some of the tasks you can perform with these settings:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Deploy intermediate certification authority (CA) certificates. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Block certificates that are not trusted.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Manage certificates used for code signing. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure retrieval settings for certificates and certificate revocation lists (CRLs).</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Certificate path validation settings are available in Group Policy at the following location: <maml:ui>Computer Configuration</maml:ui>\<maml:ui>Windows Settings</maml:ui>\<maml:ui>Security Settings</maml:ui>\<maml:ui>Public Key Policies</maml:ui>. </maml:para>

<maml:para>When you double-click <maml:ui>Certificate Path Validation Settings </maml:ui>at this location, additional options are available by selecting the following tabs:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Stores</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Trusted Publishers</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Network Retrieval </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Revocation </maml:para>
</maml:listItem>
</maml:list>

<maml:para>The following procedure describes how to configure certificate path validation settings. The sections following the procedure will describe the settings in each of these areas.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>. </maml:para>

<maml:procedure><maml:title>To configure path validation Group Policy for a domain</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On a domain controller, click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Group Policy Objects</maml:ui> in the forest and domain containing the <maml:ui>Default Domain Policy</maml:ui> Group Policy object (GPO) that you want to edit.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Default Domain Policy</maml:ui> GPO, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Group Policy Management Console (GPMC), go to <maml:ui>Computer Configuration</maml:ui>, <maml:ui>Windows Settings</maml:ui>, <maml:ui>Security Settings</maml:ui>, and then click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Stores</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings </maml:ui>check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Configure the optional settings that you need to apply.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When you are finished making changes, you can select a different tab to modify additional settings, or click <maml:ui>OK</maml:ui> to apply the new settings.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Stores tab</maml:title><maml:introduction>
<maml:para>Some organizations want to prevent users in the domain from configuring their own set of trusted root certificates and to decide which root certificates within the organization can be trusted. The <maml:ui>Stores</maml:ui> tab can be used to accomplish this.</maml:para>

<maml:para>The following options are available on the <maml:ui>Stores</maml:ui> tab:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Allow user trusted root CAs to be used to validate certificates</maml:ui>. Clearing this check box prevents users from deciding which root CA certificates to use to validate certificates. Although this option can help prevent users from trusting and validating certificates from a chain that is not secure, it can also result in application failures or lead users to disregard root certificate trust as a means of validating a certificate that is presented to them.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Allow users to trust peer trust certificates</maml:ui>. Clearing this check box prevents users from deciding which peer certificates to trust. Although this option can help prevent users from trusting certificates from a source that is not secure, it can also result in application failures or lead users to disregard certificates as a means of establishing trust. You can also select the certificate purposes, such as signing or encryption, for which peer trust certificates can be used.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Root CAs the client computer can trust</maml:ui>. In this section, you can identify specific root CAs that can be trusted by users in the domain:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Third-Party Root CAs and Enterprise Root CAs</maml:ui>. By including both non-Microsoft and enterprise root CAs, you broaden the range of root CA certificates that a user can trust. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Only Enterprise Root CAs</maml:ui>. By restricting trust to only enterprise root CAs, you effectively restrict trust to certificates issued by an internal enterprise CA that obtains authentication information from and publishes certificates to Active Directory Domain Services (AD DS).</maml:para>
</maml:listItem>
</maml:list>
</maml:listItem>

<maml:listItem>

<maml:para><maml:ui>CAs must also be compliant with User Principal Name constraints</maml:ui>. These settings also restrict trust to internal enterprise CAs. In addition, the user principal name constraint prevents users from trusting authentication-related certificates that do not conform to conditions related to user principal names.</maml:para>

</maml:listItem>
</maml:list>

<maml:para>In addition, some organizations may want to identify and distribute specific trusted root certificates to enable business scenarios where additional trust relationships are needed. To identify the trusted root certificates that you would like to distribute to clients in your domain, see <maml:navigationLink><maml:linkText>Use Policy to Distribute Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=fbe9a9e0-ae87-4134-9dec-48bfda4266df"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Trusted Publishers tab</maml:title><maml:introduction>
<maml:para>Software signing is being used by a growing number of software publishers and application developers to verify that their applications come from a trusted source. However, many users either do not understand or simply ignore the signing certificates associated with applications that they install.</maml:para>

<maml:para>The policy options on the <maml:ui>Trusted Publishers</maml:ui> tab of the certificate path validation policy allow you to control who can make decisions about trusted publishers:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Administrators and users</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Only administrators</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Only enterprise administrators</maml:para>
</maml:listItem>
</maml:list>

<maml:para>In addition, policy options on this tab allow you to require that trusted publisher certificates be checked to verify that they:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Have not been revoked</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Have valid time stamps</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Network Retrieval tab</maml:title><maml:introduction>
<maml:para>To be effective, certificate-related data such as certificate revocation lists (CRLs) and certificates in the Microsoft Root Certificate Program must be updated regularly. However, problems can arise if validation checking and retrieval of certificate revocation data and cross-certificates are interrupted because more data is being transferred than originally anticipated.</maml:para>

<maml:para>Network retrieval settings allow administrators to:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Automatically update certificates in the Microsoft Root Certificate Program.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure retrieval timeout values for CRLs and path validation (larger default values may be useful if network conditions are not optimal).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable issuer certificate retrieval during path validation.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Define how frequently cross-certificates are downloaded.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Revocation tab</maml:title><maml:introduction>
<maml:para>To support revocation checking, Active Directory Certificate Services (AD CS) supports the use of CRLs and delta CRLs as well as Online Certificate Status Protocol (OCSP) responses distributed by Online Responders. </maml:para>

<maml:para>Path validation Group Policy settings allow administrators to optimize the use of CRLs and Online Responders, particularly in situations where extremely large CRLs or network conditions detract from performance.</maml:para>

<maml:para>The following settings are available:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Always prefer Certificate Revocation Lists (CRLs) over Online Certificate Status Protocol (OCSP) responses</maml:ui>. In general, clients should use the most recent revocation data that is available, regardless of whether it comes from a CRL or Online Responder. If this option is selected, a revocation check from an Online Responder will only be used if a valid CRL or delta CRL is not available.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Allow CRL and OCSP responses to be valid longer than their lifetime</maml:ui>. It is generally not recommended to allow CRLs and OCSP responses to be valid beyond their validity period, because a certificate that was revoked after the expired data was published will continue to be accepted while that data is still in use. However, this option might be needed in situations where clients are unable to connect to a CRL distribution point or Online Responder for an extended amount of time. The length of time beyond the stated validity period that a CRL or OCSP response can be used is also configurable under this policy setting.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using Policy to Manage Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=e22f74dc-82e6-4b3e-8429-5f1faf393f33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Securing Active Directory Certificate Services</maml:title><maml:introduction>
<maml:para>It is important to define and implement an Active Directory Certificate Services (AD CS) management model when you develop a certification authority (CA) infrastructure. This management model should complement your existing security management delegation plan and, if necessary, can help you meet Common Criteria requirements for role separation. </maml:para>

<maml:para>To ensure that a single individual cannot compromise public key infrastructure (PKI) services, it is best to distribute management roles across different individuals in your organization. </maml:para>

<maml:para>To understand the roles and activities associated with managing AD CS, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>For additional important security and management role-related tasks, see:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Restrict Certificate Managers</maml:linkText><maml:uri href="mshelp://windows/?id=1b396c19-25ca-4855-bc60-fb06af1ea3d4"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Establish Restricted Enrollment Agents</maml:linkText><maml:uri href="mshelp://windows/?id=5ddd6c36-0fb3-457d-94fa-3b1e3fc9c5b2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configure CA Event Auditing</maml:linkText><maml:uri href="mshelp://windows/?id=f9e48956-7408-4ec8-8907-b2b5b075ad77"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Send E-mail When a Certification Event Occurs</maml:linkText><maml:uri href="mshelp://windows/?id=b8d01da1-12ac-404b-8239-ff5b59679f02"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Set Up a Certification Authority by Using a Hardware Security Module</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Using a hardware security module (HSM) can enhance the security of a certification authority (CA) and public key infrastructure (PKI).</maml:para>

<maml:para>An HSM is a dedicated hardware device that is managed separately from the operating system. These modules provide a secure hardware store for CA keys, as well as a dedicated cryptographic processor to accelerate signing and encrypting operations. Windows utilizes the HSM through the CryptoAPI interfaces—the HSM functions as a cryptographic service provider (CSP) device. </maml:para>

<maml:para>HSMs typically are PCI adapters but are also available as network-based appliances. If an organization plans to implement two or more CAs, you can install a single network-based HSM and share it among multiple CAs. </maml:para>

<maml:para>In order to set up a CA by using an HSM, the HSM must be installed and configured before you set up any CAs whose keys will be stored on the HSM.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=24bce8a3-bf9b-48b9-adfa-b523d393038c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Schedule Publication of Certificate Revocation Lists</maml:title><maml:introduction>
<maml:para>You must establish a regular publication schedule for certificate revocation data so that a highly accurate certificate revocation list (CRL) is always available to clients. When establishing this schedule, the need for accurate, up-to-date data must be balanced against the impact that frequent downloads of new CRLs can have on clients.  </maml:para>

<maml:para>You must be a certification authority (CA) administrator to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To schedule the publication of the CRL</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Revoked Certificates</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>CRL publication interval</maml:ui>, type the increment and click the unit of time to use for the automatic publishing of the CRL. </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>At the defined interval, a new CRL will be published by default in the following folder: <maml:replaceable>systemroot</maml:replaceable>\system32\CertSrv\CertEnroll\. If the computer is a domain member and has permission to write to Active Directory Domain Services (AD DS), then the CRL is also published to AD DS.</maml:para>

<maml:para>The publishing period for a CRL is not the same as the validity period for a CRL. By default, the validity period of a CRL exceeds the publishing period of a CRL by 10 percent (up to a 12-hour maximum) to allow for directory replication. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Scheduling publication of delta CRLs</maml:title><maml:introduction>
<maml:para>You can extend your CRL publication schedule by also establishing a schedule for the publication of delta CRLs.</maml:para>

<maml:para>You must be a CA administrator to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To schedule the publication of the delta CRL</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Revoked Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Publish Delta CRLs</maml:ui> check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Publication interval</maml:ui>, type the increment and click the unit of time to use for the automatic publishing of the delta CRL.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring Certificate Revocation</maml:linkText><maml:uri href="mshelp://windows/?id=336d3a6a-33c6-4083-8606-c0a4fdca9a25"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configure CRL and Delta CRL Overlap Periods</maml:linkText><maml:uri href="mshelp://windows/?id=9b2626dc-5d07-4619-a0cc-be44f9682fb2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add OCSP Locations to Issued Certificates</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The location of an Online Responder is specified as a URL in the authority information access extension in a certificate. When a certification authority (CA) issues a certificate, it adds the authority information access extension to the certificate; when a client needs to check the revocation status of a certificate, it will send the certificate status request to this URL.  </maml:para>

<maml:para>The <maml:ui>OCSP Properties</maml:ui> tab allows you to add Online Responder URLs to previously issued certificates that did not contain an authority information access extension. If an organization adds an Online Responder to an existing public key infrastructure (PKI), this setting allows you to use Online Certificate Status Protocol (OCSP) responses for existing certificates, eliminating the need to reissue the certificates. When you add an OCSP download location for a root or intermediate CA certificate, that location will be used to retrieve the OCSP response for all certificates issued by that particular CA.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The OCSP download locations added through the <maml:ui>OCSP Properties</maml:ui> tab are checked before any download locations that already exist in a certificate. If you need to add a placeholder URL, use the following address: http://localhost.</maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Online Responders</maml:linkText><maml:uri href="mshelp://windows/?id=2c78c461-1d3f-40f4-b435-1d87f03c299a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries</maml:title><maml:introduction><maml:para>The certificate enrollment Web services can be deployed in multiple-forest environments to enable policy-based certificate enrollment across forest boundaries. In previous versions of Active Directory Certificate Services (AD CS), policy-based certificate enrollment can be completed only by domain member client computers that are using the DCOM protocol. This limits certificate enrollment to the trust boundaries established by Active Directory forests and results in the deployment of per-forest PKI.</maml:para>

<maml:para>Organizations with multiple forests and per-forest PKI deployments can benefit from certification authority (CA) consolidation by deploying the certificate enrollment Web services to enable enrollment across forest boundaries. Guidance for the design and deployment of this type of scenario is available at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=143457</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=143457"></maml:uri></maml:navigationLink>.</maml:para>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Setting Up Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=964edfbd-d935-4352-b054-5e3dfe6c547e"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Policy Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Cryptographic Options for CAs</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Selecting cryptographic options for a certification authority (CA) can have significant security, performance, and compatibility implications for that CA. Although the default cryptographic options may be suitable for most CAs, the ability to implement custom options can be useful to administrators and application developers with a more advanced understanding of cryptography and a need for this flexibility. Cryptographic options can be implemented by using cryptographic service providers (CSPs) or key storage providers.</maml:para>

<maml:para>CSPs are hardware and software components of Windows operating systems that provide generic cryptographic functions. CSPs can be written to provide a variety of encryption and signature algorithms.</maml:para>

<maml:para>Key storage providers can provide strong key protection on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.</maml:para>

<maml:para>On the <maml:ui>Configure Cryptography</maml:ui> page of the CA setup process, you can configure the following options:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Select a cryptographic service provider</maml:ui>. Windows Server 2008 R2 and Windows Server 2008 include a number of CSPs, and additional CSPs or key storage providers can be added. In Windows Server 2008 R2 and Windows Server 2008, the provider list includes the name of the algorithm. All providers with a number sign (#) in the name are Cryptography Next Generation (CNG) providers. CNG providers can support multiple asymmetric algorithms. CSPs can implement only a single algorithm.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para> For more information, see Cryptography Next Generation (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=85480</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=85480"></maml:uri></maml:navigationLink>).</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Key character length</maml:ui>. Each CSP supports different character lengths for cryptographic keys. Configuring a longer key character length can enhance security by making it more difficult for a malicious user to break the key, but it can also slow down the performance of cryptographic operations. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Select the hash algorithm for signing certificates issued by this CA</maml:ui>. Hash algorithms are used to sign CA certificates and certificates issued by a CA to ensure that they have not been tampered with. Each CSP can support different hash algorithms.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The list of available hash algorithms can be restricted further if the <maml:phrase>DiscreteAlgorithm</maml:phrase> option has been configured in a CAPolicy.inf file installed on the computer before CA setup begins. </maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Use strong private key protection features provided by the CSP (this may require administrator interaction every time the private key is accessed by the CA)</maml:ui>. This option can be used to help prevent unapproved use of the CA and its private key by requiring the administrator to enter a password before every cryptographic operation.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Install a Root Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=928ede4c-c06d-4e5b-8d6e-fda1334627ed"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Send E-mail When a Certification Event Occurs</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The following procedure configures a certification authority (CA) to send e-mail when a certification event occurs.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or local <maml:phrase>Administrators</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To send e-mail when a certification event occurs</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>At an elevated command prompt, type:</maml:para>

<maml:para><maml:codeInline>certutil -setreg exit\smtp\smtpserver &lt;ServerName&gt;</maml:codeInline></maml:para>

<maml:para><maml:codeInline>certutil -setreg exit\smtp\eventfilter +&lt;Event&gt;</maml:codeInline></maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:alertSet class="caution"><maml:title>Caution </maml:title>
<maml:para>Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up data on your computer.</maml:para>
</maml:alertSet>

<maml:para>The following tables explain the command values and options available for this procedure.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Value</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>certutil</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The name of the command-line tool.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>-setreg</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Modifies the registry.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>exit\smtp\smtpserver</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The registry value that contains the name of the Simple Mail Transfer Protocol (SMTP) server.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>exit\smtp\eventfilter</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The registry value that contains the list of events that the CA should monitor. When any of these events occur, the CA will send e-mail.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>+</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Indicates that, if there are current entries stored in this registry value, this entry should be appended to them.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Event</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the event to add to the list of events for the CA to monitor. An event can be any value in the following table.</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Event value</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>ExitEvent_CertIssued</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the action of issuing a certificate.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ExitEvent_CertPending</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the action of a certificate request being received by the CA and set to pending.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ExitEvent_CertDenied</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the action of a certificate request being received by the CA and that request being denied.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ExitEvent_CertRevoked</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the action of a revocation of an existing certificate.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ExitEvent_CRLIssued</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the action of a certificate revocation list (CRL) being issued.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ExitEvent_Startup</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the action of the CA during startup.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>ExitEvent_Shutdown</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the action of the CA during shutdown.</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To open a command prompt, click <maml:ui>Start</maml:ui>, point to <maml:ui>All Programs</maml:ui>, click <maml:ui>Accessories</maml:ui>, and then click <maml:ui>Command Prompt</maml:ui>. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>When the ExitEvent_CRLIssued, ExitEvent_Startup, and ExitEvent_Shutdown events occur, the CA has no e-mail address to send to because there is no user associated with these events. Therefore, a recipient e-mail address must be configured when using these events. To configure the e-mail address to send e-mail when these events occur, type the following certutil commands at a command prompt: </maml:para>

<dev:code>certutil -setreg exit\smtp\CRLIssued\To &lt;E-mailString&gt;
certutil -setreg exit\smtp\Startup\To &lt;E-mailString&gt;
certutil -setreg exit\smtp\Shutdown\To &lt;E-mailString&gt;</dev:code>

<maml:para><maml:replaceable>E-mailString</maml:replaceable> specifies an e-mail address or a string of e-mail addresses that are separated by semicolons. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the SMTP server is not set to accept anonymous connections, the CA must be configured to provide a user name and password when it connects. To configure the CA to authenticate with the SMTP server, type the following certutil commands at a command prompt: </maml:para>

<dev:code>certutil -setreg exit\smtp\SMTPAuthenticate 1
certutil -setsmtpinfo &lt;UserName&gt;</dev:code>

<maml:para><maml:replaceable>UserName</maml:replaceable> specifies the user name of a valid account on the SMTP server. You will be prompted to provide the password for this user name. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To view the complete syntax for this command, at a command prompt, type:</maml:para>

<dev:code>certutil -setreg -?</dev:code>
</maml:listItem>

<maml:listItem>
<maml:para>For more information about the certutil command-line tool, see the certutil command reference (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=81249</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=81249"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Securing Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=afc1d704-3d8f-43de-b4b3-51a062878d14"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Enrollment Policy Web Service Overview</maml:title><maml:introduction><maml:para>The Certificate Enrollment Policy Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.</maml:para>
<maml:para>The Certificate Enrollment Policy Web Service uses the HTTPS protocol to communicate certificate policy information to network client computers. The Web service uses the LDAP protocol to retrieve certificate policy from Active Directory Domain Services (AD DS) and caches the policy information to service client requests. In previous versions of AD CS, certificate policy information can be accessed only by domain client computers that are using the LDAP protocol. This limits policy-based certificate issuance to the trust boundaries established by AD DS forests.</maml:para>
<maml:para>Publishing enrollment policy over HTTPS enables the following new deployment scenarios:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Certificate enrollment across forest boundaries to reduce the number of certification authorities (CAs) in an enterprise.</maml:para></maml:listItem>
<maml:listItem><maml:para>Extranet deployment to issue certificates to mobile workers and business partners.</maml:para></maml:listItem>
</maml:list>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=964edfbd-d935-4352-b054-5e3dfe6c547e"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Types of Certification Authorities</maml:title><maml:introduction>
<maml:para>A certification authority (CA) accepts a certificate request, verifies the requester's information according to the policy of the CA, and then uses its private key to apply its digital signature to the certificate. The CA then issues the certificate to the subject of the certificate for use as a security credential within a public key infrastructure (PKI). A CA is also responsible for revoking certificates and publishing a certificate revocation list (CRL).</maml:para>

<maml:para>A CA can be an outside entity, such as VeriSign, or it can be a CA that you create for use by your organization by installing Active Directory Certificate Services (AD CS). Each CA can have distinct proof-of-identity requirements for certificate requesters, such as a domain account, employee badge, driver's license, notarized request, or physical address. Identification checks such as these often warrant an onsite CA, so that organizations can validate their own employees or members.</maml:para>

<maml:para>Microsoft enterprise CAs use a person's user account credentials as proof of identity. In other words, if you are logged on to a domain and request a certificate from an enterprise CA, the CA can authenticate your identity based on your account in Active Directory Domain Services (AD DS).</maml:para>

<maml:para>Every CA also has a certificate to confirm its own identity, issued by another trusted CA or, in the case of root CAs, issued by itself. It is important to remember that anyone can create a CA. Therefore, a user or administrator must decide whether to trust that CA and, by extension, the policies and procedures that the CA has in place for confirming the identity of the entities that are issued certificates by that CA.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Root and subordinate CAs</maml:title><maml:introduction>
<maml:para>A root CA is meant to be the most trusted type of CA in an organization's PKI. If the root CA is compromised or issues a certificate to an unauthorized entity, then any certificate-based security in your organization becomes vulnerable. Therefore, both the physical security and the certificate issuance policy of a root CA are normally more rigorous than those for subordinate CAs. While root CAs can be used to issue certificates to end users for such tasks as sending secure e-mail, in most organizations they will only be used to issue certificates to other CAs, called subordinate CAs.</maml:para>

<maml:para>A subordinate CA is a CA that has been issued a certificate by another CA in your organization. Typically, a subordinate CA will issue certificates for specific uses, such as secure e-mail, Web-based authentication, or smart card authentication. Subordinate CAs can also issue certificates to other CAs that are more subordinate. Together, a root CA, the subordinate CAs that have been certified by the root, and subordinate CAs that have been certified by other subordinate CAs form a certification hierarchy.</maml:para>

<maml:para>For more information about certification hierarchies, see <maml:navigationLink><maml:linkText>Public Key Infrastructures</maml:linkText><maml:uri href="mshelp://windows/?id=26af007f-65e7-4f2b-a154-2bdcc7af2657"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Enterprise and stand-alone CAs</maml:title><maml:introduction>
<maml:para>This version of AD CS supports the installation of stand-alone CAs and enterprise CAs. For information about the operational characteristics of enterprise CAs and stand-alone CAs, see <maml:navigationLink><maml:linkText>Enterprise Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=70e5d64c-91ce-4355-a9c9-115fe0866911"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Stand-Alone Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=f4d0ff2c-e17f-4cf6-997b-413d844d71d0"></maml:uri></maml:navigationLink>. </maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Active Directory Certificate Services Overview</maml:linkText><maml:uri href="mshelp://windows/?id=ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Revocation Configuration Signing Certificates</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The following options are available for selecting a revocation configuration signing certificate:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The default option, <maml:ui>Automatically select a signing certificate</maml:ui>, will generally meet most organizations' needs. This option allows the revocation configuration setup process to identify a suitable signing certificate in the local certificate store. However, if you also enable an option to automatically enroll for a signing certificate, the Online Responder service will enroll for and use that signing certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>When <maml:ui>Manually select a signing certificate</maml:ui> is selected, the Online Responder will not assign any signing certificate, and the user will have to manually select a signing certificate for each of the Online Responder Array members.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Use the CA certificate for the revocation configuration</maml:ui> can be selected if the Online Responder is installed on the same computer as the certification authority (CA).</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The default installation of Online Responder services does not allow for automatic enrollment of the Online Certificate Status Protocol (OCSP) Response Signing certificate from a hardware security module (HSM) that requires interaction from the user. If you need to use an HSM to distribute OCSP Response Signing certificates, you must modify the Online Responder service to run as Local System with interaction enabled. Local System is a highly privileged account, so make this change only on Online Responders that need interactive access to the HSM. In addition, on the <maml:ui>Signing</maml:ui> tab of the <maml:ui>Online Responder Properties</maml:ui> page, the <maml:ui>Do not display UI for cryptographic operations</maml:ui> check box must be cleared.</maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Creating a Revocation Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=910c18a2-6b51-4bc5-8f02-9ff32ffc3087"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Set Up and Use a Smart Card Enrollment Station</maml:title><maml:introduction>
<maml:para>A smart card enrollment station allows a designated employee or agent to issue smart cards from one centralized workstation or from one of any number of designated workstations. Designating enrollment stations and agents simplifies the physical preparation of the card to be issued, reduces the chance for certificate service interruption, and prevents users and managers from validating their own identification and issuing their own certificates, especially for organizations or environments in which different levels of security and access exist.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Prepare a smart card certificate enrollment station</maml:title><maml:introduction>
<maml:para>Before requesting smart card logon certificates for users:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The enrollment agent and smart card logon or smart card user certificates must be configured and enabled for the certification authority (CA).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If desired, enrollment agent restrictions must be configured.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The enrollment agent must be enrolled for the enrollment agent certificate, which is used to enroll on behalf of other users.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>On the computer that you will use to set up smart cards, follow the manufacturer's instructions to install a smart card reader. </maml:para>
</maml:listItem>
</maml:list>

<maml:para>The following procedures explain how to enroll for smart card certificates on behalf of other users and how to prepare the enrollment station once the enrollment agent certificate is available. These procedures can be completed on any computer running Windows 7 or Windows Vista, or on a Windows Server 2008 R2 or Windows Server 2008 member server that you want to use as a smart card certificate enrollment station.</maml:para>


<maml:para>Membership in the <maml:phrase>Users</maml:phrase> group and an enrollment agent certificate are the minimum requirements to complete this procedure. </maml:para>

<maml:procedure><maml:title>To enroll for a certificate on behalf of other users</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To confirm that you are in <maml:ui>Logical certificate stores </maml:ui>view, right-click <maml:ui>Certificates - Current User</maml:ui>, point to <maml:ui>View</maml:ui>, click <maml:ui>Options</maml:ui>, verify that <maml:ui>Logical certificate stores</maml:ui> is selected, and then click <maml:ui>OK</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, expand the <maml:ui>Personal </maml:ui>store, and then click <maml:ui>Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, click <maml:ui>Advanced Operations</maml:ui>, and then click <maml:ui>Enroll on behalf of </maml:ui>to open the Certificate Enrollment Wizard. Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Browse to the enrollment agent certificate that you will use to sign the certificate request that you are processing. Click <maml:ui>Next</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the type of certificate that you want to enroll for. When you are ready to request a certificate, click <maml:ui>Enroll</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the Certificate Enrollment Wizard has successfully finished, click <maml:ui>Close</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

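<maml:para>To complete the following procedure, you must be logged on as a domain user with appropriate privileges to add snap-ins. This procedure requests the enrollment agent certificate that the preceding procedure uses to sign certificate requests, so complete it first if that certificate is not yet installed.</maml:para>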

<maml:procedure><maml:title>To prepare a smart card certificate enrollment station</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:ui>mmc</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File</maml:ui> menu, click <maml:ui>Add/Remove Snap-in</maml:ui>, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Snap-in</maml:ui>, double-click <maml:ui>Certificates</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>My user account</maml:ui>, and then click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Close</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificates - Current User</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Personal</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Request New Certificate</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Certificate Enrollment Wizard, click the <maml:ui>Enrollment Agent</maml:ui> certificate template and provide the requested information. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When prompted by the Certificate Enrollment Wizard, click <maml:ui>Install Certificate</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>You can install the enrollment agent certificate on a smart card. To do this, you must use the smart card manufacturer's cryptographic service provider (CSP) when requesting the certificate. (In the Certificate Request Wizard, click <maml:ui>Advanced Options</maml:ui> to select a smart card CSP for the enrollment agent certificate.)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Once someone has an enrollment agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization. The resulting smart card could then be used to log on to the network and impersonate the real user. Therefore, it is recommended that your organization maintain very strong security policies to restrict the use of enrollment agent certificates, for example by configuring restricted enrollment agents (see Additional references).</maml:para>
</maml:listItem>
</maml:list>


</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To configure an enrollment agent certificate template for issuance from a CA, see Managing Certificate Templates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142230</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142230"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To configure a restricted enrollment agent, see <maml:navigationLink><maml:linkText>Establish Restricted Enrollment Agents</maml:linkText><maml:uri href="mshelp://windows/?id=5ddd6c36-0fb3-457d-94fa-3b1e3fc9c5b2"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Implement Role-Based Administration</maml:title><maml:introduction>
<maml:para>You can use role-based administration to organize certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by using each user's security settings. You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as Issue and Manage Certificates permission, cannot perform.   </maml:para>


<maml:para>The following table describes the roles, users, and groups that can be used to implement role-based administration. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group. These security permissions, group memberships, and user rights are used to distinguish which users have which roles.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Roles and groups</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Security permission</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>CA administrator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Manage CA </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure and maintain the CA. This is a CA role and includes the ability to assign all other CA roles and renew the CA certificate. These permissions are assigned by using the Certification Authority snap-in.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Certificate manager</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Issue and Manage Certificates </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Backup operator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Back up files and directories </maml:para>

<maml:para>Restore files and directories </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Perform system backup and recovery. Backup is an operating system feature.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Auditor</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Manage auditing and security log </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure, view, and maintain audit logs. Auditing is an operating system feature. Auditor is an operating system role.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Enrollees</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Read</maml:para>

<maml:para>Enroll</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enrollees are clients who are authorized to request certificates from a CA. This is not a CA role.</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>All CA roles are assigned and modified by members of local <maml:phrase>Administrators</maml:phrase>, <maml:phrase>Enterprise Admins</maml:phrase>, or <maml:phrase>Domain Admins</maml:phrase>. On enterprise CAs, local administrators, enterprise administrators, and domain administrators are CA administrators by default. Only local administrators are CA administrators by default on a stand-alone CA. If a stand-alone CA is installed on a server that is joined to an Active Directory domain, domain administrators are also CA administrators.</maml:para>

<maml:para>The CA administrator and certificate manager roles can be assigned to Active Directory users or local users in the Security Accounts Manager (SAM) of the local computer, which is the local security account database. As a best practice, you should assign roles to group accounts instead of individual user accounts.</maml:para>

<maml:para>Only CA administrator, certificate manager, auditor, and backup operator are CA roles. The other users described in the table are relevant to role-based administration and should be understood before assigning CA roles.</maml:para>

<maml:para>Only CA administrators and certificate managers are assigned by using the Certification Authority snap-in. To change the permissions of a user or group, you must change the user's security permissions, group membership, or user rights.</maml:para>

<maml:procedure><maml:title>To set CA administrator and certificate manager security permissions for a CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Security</maml:ui> tab, and specify the security permissions.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Roles and activities</maml:title><maml:introduction>
<maml:para>Each CA role has a specific list of CA administration tasks associated with it. The following table lists all the CA administration tasks along with the roles in which they are performed.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Activity</maml:para>
</maml:entry>
<maml:entry>
<maml:para>CA administrator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificate manager</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Auditor</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Backup operator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Local administrator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Notes</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Install CAs</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure policy and exit modules</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Stop and start the Active Directory Certificate Services (AD CS) service</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure extensions</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure roles</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Renew CA keys</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Define key recovery agents</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure certificate manager restrictions</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Delete a single row in the CA database</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Delete multiple rows in the CA database (bulk deletion)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>The user must be both a CA administrator and a certificate manager. This activity cannot be performed when role separation is enforced.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Enable role separation</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Issue and approve certificates</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Deny certificates</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Revoke certificates</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Reactivate certificates that are placed on hold</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Renew certificates</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Enable, publish, or configure certificate revocation list (CRL) schedules</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Recover archived keys</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Only a certificate manager can retrieve the encrypted key data structure from the CA database. The private key of a valid key recovery agent is required to decrypt the key data structure and generate a PKCS #12 file.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure audit parameters</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system audit</maml:phrase> user right.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Audit logs</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system audit</maml:phrase> user right.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Back up the system</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system backup</maml:phrase> user right.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Restore the system</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system backup</maml:phrase> user right.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Read the CA database</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system audit </maml:phrase>and<maml:phrase> system backup</maml:phrase> user rights.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Read CA configuration information</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system audit </maml:phrase>and<maml:phrase> system backup</maml:phrase> user rights.</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>Enrollees are allowed to read CA properties and CRLs, and they can request certificates. On an enterprise CA, a user must have Read and Enroll permissions on the certificate template to request a certificate. CA administrators, certificate managers, auditors, and backup operators have implicit Read permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>An auditor holds the <maml:phrase>system audit</maml:phrase> user right.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A backup operator holds the <maml:phrase>system backup</maml:phrase> user right. In addition, the backup operator has the ability to start and stop the Active Directory Certificate Services (AD CS) service.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section address="assign_RBA_roles">
<maml:title>Assigning roles</maml:title><maml:introduction>
<maml:para>The CA administrator for a CA assigns users to the separate roles of role-based administration by applying the security settings required by a role to the user's account. The CA administrator can assign a user to more than one role, but the CA is more secure when each user is assigned to only one role. When this delegation strategy is used, fewer CA tasks can be compromised if a user's account becomes compromised.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Administrator concerns</maml:title><maml:introduction>
<maml:para>The default installation setting for a stand-alone CA is to have members of the local <maml:phrase>Administrators</maml:phrase> group as CA administrators. The default installation setting for an enterprise CA is to have members of the local <maml:phrase>Administrators</maml:phrase>, <maml:phrase>Enterprise Admins</maml:phrase>, and <maml:phrase>Domain Admins</maml:phrase> groups as CA administrators. To limit the power of any of these accounts, they should be removed from the CA administrator and certificate manager roles when all CA roles are assigned.</maml:para>

<maml:para>As a best practice, group accounts that have been assigned CA administrator or certificate manager roles should not be members of the local <maml:phrase>Administrators</maml:phrase> group. Also, CA roles should be assigned only to group accounts, not to individual user accounts.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Membership in the local <maml:phrase>Administrators</maml:phrase> group on the CA is required to renew a CA certificate. Members of this group can assume administrative authority over all other CA roles, so membership in this group should be kept as small as possible.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure a CA to Support OCSP Responders</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP) Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder.</maml:para>

<maml:para>Configuring a certification authority (CA) to support OCSP responder services includes the following steps:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Configure certificate templates and issuance properties for OCSP Response Signing certificates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure enrollment permissions for any computers that will be hosting Online Responders.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If this is a Windows Server 2003–based CA, enable the OCSP extension in issued certificates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Add the location of the Online Responder or OCSP responder to the authority information access extension on the CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable the OCSP Response Signing certificate template for the CA.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The certificate template used to issue an OCSP Response Signing certificate must contain an extension titled "OCSP No Revocation Checking" and the OCSP Signing application policy. Permissions must also be configured to allow the computer that will host the Online Responder to enroll for this certificate.</maml:para>

<maml:para>The following procedure is for a CA that is installed on a computer running Windows Server 2008 R2 or Windows Server 2008. </maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins </maml:phrase>or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information about administering a public key infrastructure (PKI), see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure the certificate template for an OCSP Response Signing certificate issued by a Windows Server 2008 R2–based CA or a Windows Server 2008–based CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you are completing this procedure on a computer that does not have a CA or Online Responder installed, you may need to install the Active Directory Certificate Services (AD CS) Remote Server Administration Tools in order to use the Certificate Templates snap-in. For more information about the Remote Server Administration Tools, see <maml:navigationLink><maml:linkText>Administer an Online Responder from Another Computer</maml:linkText><maml:uri href="mshelp://windows/?id=8d3dcbf1-d83e-4be6-866a-a1e9449b3adc"></maml:uri></maml:navigationLink>.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>OCSP Response Signing </maml:ui>template, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Security</maml:ui> tab. Under <maml:ui>Group or user name</maml:ui>, click <maml:ui>Add</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Object Types</maml:ui>, select the <maml:ui>Computers</maml:ui> check box, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Type the name of or browse to select the computer hosting the Online Responder or OCSP responder services, and click <maml:ui>OK</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Group or user names </maml:ui>dialog box, click the computer name, and in the <maml:ui>Permissions</maml:ui> dialog box, select the <maml:ui>Read</maml:ui> and <maml:ui>Enroll</maml:ui> check boxes. Then click <maml:ui>OK</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>The following procedure is for a CA that is installed on a computer running Windows Server 2003. The procedure must be completed on a computer running Windows Server 2008 R2 or Windows Server 2008. </maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins </maml:phrase>or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information about administering a PKI, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>. </maml:para>

<maml:procedure><maml:title>To configure the certificate template for an OCSP Response Signing certificate issued by a Windows Server 2003–based CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>OCSP Response Signing </maml:ui>template, and then click <maml:ui>Duplicate</maml:ui>. Click <maml:ui>Windows 2003 Server, Enterprise Edition</maml:ui>, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Security</maml:ui> tab. Under <maml:ui>Group or user name</maml:ui>, click <maml:ui>Add</maml:ui>, and then type the name of or browse to select the computer hosting the Online Responder or OCSP responder services. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Object Types</maml:ui>, select the <maml:ui>Computers</maml:ui> check box, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Type the name of or browse to select the computer hosting the Online Responder or OCSP responder services, and click <maml:ui>OK</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Group or user names </maml:ui>dialog box, click the computer name, and in the <maml:ui>Permissions</maml:ui> dialog box, select the <maml:ui>Read</maml:ui> and <maml:ui>Enroll</maml:ui> check boxes.  </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:alertSet class="note"><maml:title>Note </maml:title>
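<maml:para>The default OCSP Response Signing certificate template contains an extension titled "OCSP No Revocation Checking." Do not remove this extension, which is used by many clients to verify that responses signed with the signing certificate are valid. Because this extension tells clients not to check the revocation status of the signing certificate itself, OCSP Response Signing certificates should have a short validity period and be renewed regularly.</maml:para>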
</maml:alertSet>

<maml:para>If the CA is installed on a computer running Windows Server 2003, you must complete the following procedure in order to configure the policy module on the CA to issue certificates that include this extension.</maml:para>

<maml:para>You must be a local administrator to complete this procedure. For more information about administering a PKI, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To prepare a computer running Windows Server 2003 to issue OCSP Response Signing certificates</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
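<maml:para>On the server hosting the CA, open a command prompt, and type the following command, which adds the object identifier of the "OCSP No Revocation Checking" extension (1.3.6.1.5.5.7.48.1.5) to the policy module's list of enabled request extensions:</maml:para>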

<dev:code>certutil -v -setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.48.1.5</dev:code>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Stop and restart the CA. You can do this at a command prompt by running the following commands:</maml:para>

<dev:code>net stop certsvc
net start certsvc</dev:code>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>To configure your CA for OCSP, you must use the Certification Authority snap-in to complete the following CA configuration steps:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Add the location of the Online Responder or OCSP responder to the authority information access extension.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable the certificate template for the CA. </maml:para>
</maml:listItem>
</maml:list>

<maml:para>You must be a CA administrator to complete this procedure. For more information about administering a PKI, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>. </maml:para>

<maml:procedure><maml:title>To configure a CA to support an Online Responder or OCSP responder services</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Extensions </maml:ui>tab. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Select extension </maml:ui>list, click <maml:ui>Authority Information Access (AIA)</maml:ui>, and then click<maml:ui> Add</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Specify the locations from which users can obtain certificate revocation data, such as <maml:replaceable>http://computername/ocsp</maml:replaceable>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Include in the online certificate status protocol (OCSP) extension </maml:ui>check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree of the Certification Authority snap-in, right-click <maml:ui>Certificate Templates</maml:ui>, and then click <maml:ui>New Certificate Templates to Issue</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Enable Certificate Templates</maml:ui>, select the <maml:ui>OCSP Response Signing</maml:ui> template and any other certificate templates that you configured previously, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Templates</maml:ui>, and verify that the modified certificate templates appear in the list.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up Online Responder Services in a Network</maml:linkText><maml:uri href="mshelp://windows/?id=1eb5a9e3-de04-44a0-8972-bc744ca43320"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Renew OCSP Response Signing Certificates with an Existing Key</maml:linkText><maml:uri href="mshelp://windows/?id=82ad05ce-4f9f-4cb0-889b-b0e21bb4766c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Active Directory Certificate Services</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing certificates in software security systems that use public key technologies. For background information about public key cryptography and the benefits of having a public key infrastructure (PKI), see <maml:navigationLink><maml:linkText>Public Key Infrastructures</maml:linkText><maml:uri href="mshelp://windows/?id=26af007f-65e7-4f2b-a154-2bdcc7af2657"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>You can use AD CS to create one or more certification authorities (CA) to receive certificate requests, verify the information in the requests and the identity of the requester, issue certificates, revoke certificates, and publish certificate revocation data. </maml:para>

<maml:para>With AD CS, you can also:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Set up Web enrollment, the Network Device Enrollment Service, and the Online Responder service.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Manage enrollment and revocation of certificates for users, computers, services, and network devices such as routers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Use Group Policy to distribute and manage certificates.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Active Directory Certificate Services Overview</maml:linkText><maml:uri href="mshelp://windows/?id=ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Common Scenarios for Using Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=637ff3b3-6881-4ffb-b4f9-ea56171527e0"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=8cb0540b-a5c2-47e5-913c-4d995a4adc2d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e3990c59-f588-45ad-b3fd-3052e0b4f659"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Use the Network Device Enrollment Service</maml:linkText><maml:uri href="mshelp://windows/?id=f3911350-ab45-494d-a07e-d0b9696a651e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using Policy to Manage Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=e22f74dc-82e6-4b3e-8429-5f1faf393f33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Troubleshoot Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=a6445362-7927-492f-9e82-0d7058e599f5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Active Directory Certificate Services Resources</maml:linkText><maml:uri href="mshelp://windows/?id=e2d10a64-83c5-4a2b-bcca-e6984de16fdf"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Revocation Provider Properties</maml:title><maml:introduction>
<maml:para>The revocation provider retrieves the certificate revocation list (CRL) from a certification authority (CA) and uses the revocation list to determine the revocation status of a certificate. Use the <maml:ui>Revocation Provider</maml:ui> property sheet to specify one or more locations for a CRL and optional delta CRL, and to define the refresh interval for retrieving updated CRLs.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Base CRL and delta CRL locations</maml:title>
<maml:introduction>
<maml:para>The location of CRLs and delta CRLs can be specified in the formats described in the table below. Any CRL locations defined in the CRL distribution point extension of the CA certificate are added to the revocation provider during installation of the Online Responder service.</maml:para>

<maml:table><maml:tableHeader><maml:row><maml:entry><maml:para>Location format</maml:para></maml:entry><maml:entry><maml:para>Example</maml:para></maml:entry></maml:row></maml:tableHeader>
<maml:row><maml:entry><maml:para>HTTP</maml:para></maml:entry><maml:entry><maml:para>http://OnlineResponderHost/OCSP/CRLFile.crl</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para>LDAP</maml:para></maml:entry><maml:entry><maml:para>ldap:///CN=CACommonName,CN=CAHostName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Fabrikam,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint</maml:para></maml:entry></maml:row>
</maml:table>
<maml:para></maml:para>
<maml:para>Multiple locations can be provided for a CRL. The order of the list defines the order of precedence: if any two CRLs do not contain the same revocation list, the CRL listed at the higher position is used.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Refresh interval</maml:title><maml:introduction>
<maml:para>By default, the refresh interval is the CRL validity period. The interval can also be defined in minutes to refresh the CRLs more frequently, which shortens the time before a newly published CRL is used to determine revocation status.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Creating a Revocation Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=910c18a2-6b51-4bc5-8f02-9ff32ffc3087"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Installing the Certificate Enrollment Web Service</maml:title><maml:introduction><maml:para>This topic provides step-by-step procedures to install the Certificate Enrollment Web Service.</maml:para>
<maml:alertSet class="important"><maml:title>Important </maml:title><maml:para>Before beginning installation, review the requirements and configuration options for this role service in <maml:navigationLink><maml:linkText>Setting Up Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6"></maml:uri></maml:navigationLink>.</maml:para></maml:alertSet></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para><maml:phrase>Enterprise Admins</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:procedure><maml:title>To install the Certificate Enrollment Web Service</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Open Server Manager.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, click <maml:ui>Roles</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If <maml:ui>Active Directory Certificate Services</maml:ui> is displayed on the <maml:ui>Roles Summary</maml:ui> page, click <maml:ui>Add Role Services</maml:ui>, and continue to the next step. If it is not displayed, complete the following steps before continuing:</maml:para><maml:list class="ordered"><maml:listItem><maml:para>On the <maml:ui>Roles Summary</maml:ui> page, click <maml:ui>Add Roles</maml:ui>.</maml:para></maml:listItem><maml:listItem><maml:para>On the <maml:ui>Before You Begin</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para></maml:listItem><maml:listItem><maml:para>On the <maml:ui>Select Server Roles</maml:ui> page, click <maml:ui>Active Directory Certificate Services</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:listItem><maml:listItem><maml:para>Review the information on the <maml:ui>Introduction to Active Directory Certificate Services</maml:ui> page, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:listItem></maml:list></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Select Role Services</maml:ui> page, select the <maml:ui>Certificate Enrollment Web Service</maml:ui> check box.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The Certification Authority role service is automatically selected when the AD CS role is added, but it cannot be installed at the same time as the Certificate Enrollment Web 
Service. If you intend to install both the CA and the Certificate Enrollment Web Service, complete the CA installation first. See <maml:navigationLink><maml:linkText>Setting Up Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=8cb0540b-a5c2-47e5-913c-4d995a4adc2d"></maml:uri></maml:navigationLink>.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add Required Role Services</maml:ui> when prompted to install required role services and features, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify a CA, click either <maml:ui>CA name</maml:ui> or <maml:ui>Computer name</maml:ui>, and then click <maml:ui>Browse</maml:ui>. Select a CA or type a computer name, and then click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select the <maml:ui>Configure the Certificate Enrollment Web Service for renewal-only mode</maml:ui> check box if you want to configure the Web service to accept only certificate renewal requests and reject enrollment requests for new certificates. 
See <maml:navigationLink><maml:linkText>Configuring the Certificate Enrollment Web Service for Renewal Only Mode</maml:linkText><maml:uri href="mshelp://windows/?id=d762c3f4-f7ac-4af2-8e2d-331d33dc0583"></maml:uri></maml:navigationLink>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select the authentication type that the Certificate Enrollment Web Service will use to authenticate client requests, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Specify Account Credentials</maml:ui> page, click either <maml:ui>Specify service account</maml:ui> or <maml:ui>Use built-in application pool identity</maml:ui>. To specify a service account, click <maml:ui>Select</maml:ui>, type a domain account user name and password, and click <maml:ui>OK</maml:ui>. Click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select an existing server certificate, click <maml:ui>Import</maml:ui> to import a certificate file or click <maml:ui>Choose and assign a server certificate later</maml:ui>, and then click <maml:ui>Next</maml:ui>. 
See <maml:navigationLink><maml:linkText>Configuring Server Certificates for Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=0e22c650-0bdd-4807-8a90-68dbf4f39dc2"></maml:uri></maml:navigationLink> for details.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Introduction to Web Server (IIS)</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Select Role Services</maml:ui> page, review the selected role services, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Review the information on the <maml:ui>Confirm Installation Selections</maml:ui> page, and then click <maml:ui>Install</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Review the <maml:ui>Installation Results</maml:ui> page for messages. Additional tasks may be required to configure the Certificate Enrollment Web Service before users can submit requests.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring Server Certificates for Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=0e22c650-0bdd-4807-8a90-68dbf4f39dc2"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring the Certificate Enrollment Web Service for Renewal Only Mode</maml:linkText><maml:uri href="mshelp://windows/?id=d762c3f4-f7ac-4af2-8e2d-331d33dc0583"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Installing the Certificate Enrollment Policy Web Service</maml:linkText><maml:uri href="mshelp://windows/?id=99dc782e-81fa-4f86-909b-87489465a650"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Setting Up Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Setting Up Certificate Enrollment Web Services</maml:title><maml:introduction><maml:para>Use Server Manager to install and configure the certificate enrollment Web services, which include the Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service. See "Additional references" for installation and configuration procedures.</maml:para></maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Installation requirements</maml:title>
<maml:introduction>
<maml:para>Before installing the certificate enrollment Web services, ensure that your environment meets these requirements:</maml:para>
<maml:list class="unordered">

<maml:listItem><maml:para>A host computer that is a domain member and is running Windows Server 2008 R2.</maml:para></maml:listItem>
<maml:listItem><maml:para>An Active Directory forest with a Windows Server 2008 R2 schema. See Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=93242</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=93242"></maml:uri></maml:navigationLink>).</maml:para></maml:listItem>
<maml:listItem><maml:para>An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.</maml:para><maml:list class="unordered"><maml:listItem><maml:para>If the Certificate Enrollment Web Service is configured for client certificate authentication, the CA must be running Windows Server 2008 R2 or Windows Server 2008.</maml:para></maml:listItem><maml:listItem><maml:para>For enrollment across forests, the CA must be installed on a computer running Windows Server 2008 R2 Enterprise or Windows Server 2008 R2 Datacenter. See <maml:navigationLink><maml:linkText>Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries</maml:linkText><maml:uri href="mshelp://windows/?id=b5af94a1-4caf-4c05-b344-d996fdb9e2eb"></maml:uri></maml:navigationLink>.</maml:para></maml:listItem></maml:list></maml:listItem>

<maml:listItem><maml:para>Client computers running Windows 7 or Windows Server 2008 R2.</maml:para></maml:listItem>
<maml:listItem><maml:para>A Server Authentication certificate installed for HTTPS.</maml:para></maml:listItem>
</maml:list>

<maml:para>During installation of certificate enrollment Web services, the following server roles and features will be installed if they are not already installed:</maml:para>

<maml:list class="unordered"><maml:listItem><maml:para>Web Server (IIS)</maml:para></maml:listItem>
<maml:listItem><maml:para>Microsoft .NET Framework version 3.5</maml:para></maml:listItem></maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Installation options</maml:title>
<maml:introduction>
<maml:para>The following installation options are available for the certificate enrollment Web services: </maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para>The Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service should be installed on different computers.</maml:para></maml:listItem>
<maml:listItem><maml:para>The CA can be installed on the same computer as the Certificate Enrollment Web Service or the Certificate Enrollment Policy Web Service.</maml:para></maml:listItem>
<maml:listItem><maml:para>The Certificate Enrollment Web Service or the Certificate Enrollment Policy Web Service can be installed on the same computer as these other Web-based AD CS role services:</maml:para><maml:list class="unordered">
<maml:listItem><maml:para>CA Web Enrollment</maml:para></maml:listItem>
<maml:listItem><maml:para>Network Device Enrollment Service</maml:para></maml:listItem>
<maml:listItem><maml:para>Online Responder</maml:para></maml:listItem>
</maml:list></maml:listItem>
<maml:listItem><maml:para>The Certificate Enrollment Policy Web Service can be installed on multiple computers in an enterprise; however, only a single instance of this service can be installed on each computer.</maml:para></maml:listItem>
<maml:listItem><maml:para>Multiple instances of the Certificate Enrollment Web Service can be installed on a single computer in order to support multiple CAs.</maml:para></maml:listItem>
<maml:listItem><maml:para>The certificate enrollment Web services are not supported on the Server Core installation option of Windows Server 2008 R2.</maml:para></maml:listItem>
</maml:list></maml:introduction></maml:section><maml:section><maml:title>Authentication options</maml:title>
<maml:introduction><maml:para>The following authentication options are available for the certificate enrollment Web services:</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>Windows integrated authentication</maml:para></maml:listItem>
<maml:listItem><maml:para>User name and password</maml:para></maml:listItem>
<maml:listItem><maml:para>Client certificate</maml:para></maml:listItem></maml:list>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Installing the Certificate Enrollment Web Service</maml:linkText><maml:uri href="mshelp://windows/?id=cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30"></maml:uri></maml:navigationLink></maml:para></maml:listItem><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Installing the Certificate Enrollment Policy Web Service</maml:linkText><maml:uri href="mshelp://windows/?id=99dc782e-81fa-4f86-909b-87489465a650"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring Server Certificates for Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=0e22c650-0bdd-4807-8a90-68dbf4f39dc2"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring Group Policy to Support the Certificate Enrollment Policy Web Service</maml:linkText><maml:uri href="mshelp://windows/?id=98cde842-f281-4892-9da4-1e467199ea14"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring Delegation Settings for the Certificate Enrollment Web Service Account</maml:linkText><maml:uri href="mshelp://windows/?id=855f7a2f-429f-40c2-b297-09a55047cc4c"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring the Certificate Enrollment Web Service for Renewal Only Mode</maml:linkText><maml:uri href="mshelp://windows/?id=d762c3f4-f7ac-4af2-8e2d-331d33dc0583"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries</maml:linkText><maml:uri href="mshelp://windows/?id=b5af94a1-4caf-4c05-b344-d996fdb9e2eb"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Advanced Configuration Options for the Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=419159e1-a432-4169-a4cd-45612fbf3266"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para>Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=93242</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=93242"></maml:uri></maml:navigationLink>)</maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Recover a Lost Key</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Users who lose a private key will be unable to recover data that is encrypted with that key. Recovering the key and restoring it to the client computer allows the data to be decrypted and used.</maml:para>

<maml:para>The complete recovery process includes three procedures:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Obtain the serial number of the archived certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Perform the key recovery.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Restore the key to the client's computer.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To obtain the serial number of an archived certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Log on to the computer hosting the certification authority (CA).</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the CA name, and then click <maml:ui>Issued Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>View</maml:ui> menu, click <maml:ui>Add/Remove Columns</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Available Column</maml:ui>, click <maml:ui>Archived Key</maml:ui>, and then click <maml:ui>Add</maml:ui>.</maml:para>

<maml:para><maml:ui>Archived Key</maml:ui> should now appear in <maml:ui>Displayed Columns</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>, and then, in the details pane, scroll to the right and confirm that the last certificate issued to the user has a <maml:ui>Yes</maml:ui> value in the <maml:ui>Archived Key</maml:ui> column.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click the certificate.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Details</maml:ui> tab. Record the serial number of the certificate. (Do not include spacing between digit pairs.) You will need this information to complete the recovery procedure.</maml:para>

<maml:para>The serial number will be a hexadecimal string that is 20 characters long. The serial number of the private key is the same as the serial number of the certificate. For the purposes of this procedure, the serial number will be referred to as <maml:replaceable>serialnumber</maml:replaceable>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>, and close the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>At a command prompt, type:</maml:para>

<dev:code>Certutil -getkey &lt;serialnumber&gt; outputblob</dev:code>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The Recipient Info section in the output of this command identifies the serial numbers of the key recovery agent certificates whose private keys are needed to decrypt the blob and recover the key.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>At a command prompt, type:</maml:para>

<dev:code>dir outputblob</dev:code>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If the file <maml:replaceable>outputblob</maml:replaceable> does not exist, you might have typed the serial number incorrectly for the certificate. The <maml:replaceable>outputblob</maml:replaceable> file is a PKCS #7 file containing the key recovery agent certificates and the user certificate and chain. The inner content is an encrypted PKCS #7 file containing the private key (encrypted to the key recovery agent certificates).</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step></maml:procedure>

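<maml:para>The domain administrator must transfer the output file to the key recovery agent, who performs the actual recovery procedure. The private key inside the output file remains encrypted to the key recovery agent certificates, so it can be recovered only with one of the corresponding private keys.</maml:para>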

<maml:para>You must be a user with a key recovery agent certificate registered with the CA to complete this procedure. The key recovery agent certificate and its private key must be stored in the key recovery agent's Personal certificate store on the computer where the key recovery procedure will take place. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To recover the archived certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>At a command prompt, type:</maml:para>

<dev:code>Certutil -recoverkey outputblob &lt;filename&gt;.pfx</dev:code>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When prompted, enter a new password. When requested, confirm the new password by typing it a second time.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
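<maml:para>Copy the saved .pfx file to the computer where recovery is to be completed. Because the .pfx file contains the recovered private key, protected only by the password entered in the previous step, handle the file and the password as sensitive material during the transfer.</maml:para>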
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Close all windows and log off the computer. </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>After the key has been recovered, it must be imported on the computer where the data is stored.</maml:para>

<maml:para>You must be the client to whom the certificate was issued or an administrator on the client computer to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To import the recovered key</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for the user to whom the certificate was issued.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, right-click <maml:ui>Personal</maml:ui>, click <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Import</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Certificate Import Wizard, click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>File name</maml:ui>, type the path and file name of the .pfx file, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Password</maml:ui>, type the password you entered in the previous procedure, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Certificate Store</maml:ui> page, click <maml:ui>Automatically select the certificate store based on the type of certificate</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Completing the Certificate Import Wizard</maml:ui> page, click <maml:ui>Finish</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To verify that the recovered certificate has been imported successfully, in the console tree, double-click <maml:ui>Personal</maml:ui>, and then click <maml:ui>Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click the certificate. Click the <maml:ui>Details</maml:ui> tab, and then verify that the serial number matches the original.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To open a command prompt, click <maml:ui>Start</maml:ui>, point to <maml:ui>All Programs</maml:ui>, click <maml:ui>Accessories</maml:ui>, and then click <maml:ui>Command Prompt</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Key Archival and Recovery</maml:linkText><maml:uri href="mshelp://windows/?id=51842149-feee-43d7-8813-38a64d1f4caa"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>CA Certificates</maml:title><maml:introduction>
<maml:para>Certification authority (CA) certificates are certificates that are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs. </maml:para>

<maml:para>A certificate that is issued by a CA to itself is referred to as a trusted root certificate, because it is intended to establish a point of ultimate trust for a CA hierarchy. </maml:para>

<maml:para>Once the trusted root has been established, it can be used to authorize subordinate CAs to issue certificates on its behalf. </maml:para>

<maml:para>CA certificates can also be used to establish trust relationships between CAs in two different public key infrastructure (PKI) hierarchies.</maml:para>

<maml:para>In all of these cases, the CA certificate is critical to defining the certificate path and usage restrictions for all end-entity certificates issued for use in the PKI.</maml:para>

<maml:para>The appropriate configuration of CA certificates for the organization's needs is one of the most powerful tools that an organization has to implement appropriate PKI security. CA certificates contain special configuration data that regulate the CAs to which they are issued. These configuration options can:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Define the organizational namespace in which certificates issued by the subordinate CA can be issued and trusted.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Specify the acceptable uses of certificates issued by the subordinate CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Define the issuance guidelines that must be followed in order for a certificate issued by the subordinate CA to be considered valid.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Create a managed trust between separate certification hierarchies.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Set Up Certification Authority Web Enrollment Support</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Active Directory Certificate Services (AD CS) Web enrollment support can be installed on any computer running Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 Standard, Windows Server 2008 Enterprise, or Windows Server 2008 Datacenter. The certificate enrollment data can come from a certification authority (CA) on a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003, or from a non-Microsoft CA.</maml:para>

<maml:para>The following procedure can be used if none of the AD CS role services (such as a CA) have been installed on this computer. </maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To install Web enrollment support</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Server Manager</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Manage Roles</maml:ui>. Under <maml:ui>Active Directory Certificate Services</maml:ui>, click <maml:ui>Add role services</maml:ui>. If a different AD CS role service has already been installed on this computer, select the <maml:ui>Active Directory Certificate Services</maml:ui> check box in the <maml:ui>Role Summary</maml:ui> pane, and then click <maml:ui>Add role services</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Select Role Services</maml:ui> page, select the <maml:ui>Certification Authority Web Enrollment</maml:ui> check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Add required role services</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Specify CA</maml:ui> page, if a CA is not installed on this computer, click <maml:ui>Browse</maml:ui> to select the CA that you want to associate with Web enrollment, click <maml:ui>OK</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Next</maml:ui>, review the information listed, and click <maml:ui>Next</maml:ui> again.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Confirm Installation Options</maml:ui> page, click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When the installation is complete, review the status page to verify that the installation was successful.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para><maml:list class="unordered">
<maml:listItem>
<maml:para>Installation of the Web enrollment pages configures the computer as a registration authority. This computer is also known as a "CA Web proxy" or a "Web enrollment station."</maml:para>
</maml:listItem>
</maml:list>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para><maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=24bce8a3-bf9b-48b9-adfa-b523d393038c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list></maml:introduction>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configuring the Certificate Enrollment Web Service for Renewal Only Mode</maml:title><maml:introduction>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction><maml:para>The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificate renewal. In both cases, the client computer submits the request to the Web service and the Web service submits the request to the certification authority (CA) on behalf of the client computer. For this reason, the Web service account must be trusted for delegation in order to present the client identity to the CA.</maml:para>

<maml:para>A Certificate Enrollment Web Service that accepts requests from the Internet presents an increased security risk, and some organizations may choose not to trust the Web service account for delegation. The Certificate Enrollment Web Service can be configured for renewal-only mode to mitigate the risk of accepting requests from the Internet.</maml:para>

<maml:para>In renewal-only mode, the Web service will accept only certificate renewal requests, and requests for new certificates will be rejected. To support renewal-only mode, the CA must be configured to authenticate the client computer by using the signature on the renewal request and the client computer's existing certificate. In this configuration, there is no requirement to trust the Web service account for delegation.</maml:para></maml:introduction></maml:section><maml:section><maml:title></maml:title>
<maml:introduction><maml:para>Renewal-only mode has these requirements:</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>Enterprise CA running Windows Server 2008 R2.</maml:para></maml:listItem>
<maml:listItem><maml:para>Client computers running Windows 7 or Windows Server 2008 R2.</maml:para></maml:listItem>
<maml:listItem><maml:para>Client computers requesting certificate renewal must have a certificate that is not expired and can be verified by the issuing CA.</maml:para></maml:listItem>
</maml:list></maml:introduction></maml:section><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para><maml:phrase>Enterprise Admins</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:procedure><maml:title>To configure the Certificate Enrollment Web Service for renewal-only mode</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Open Server Manager.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, click <maml:ui>Roles</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If <maml:ui>Active Directory Certificate Services</maml:ui> is displayed on the <maml:ui>Roles Summary</maml:ui> page, click <maml:ui>Add Role Services</maml:ui>, and continue to the next step. If it is not displayed, complete the following steps before continuing:</maml:para><maml:list class="ordered"><maml:listItem><maml:para>On the <maml:ui>Roles Summary</maml:ui> page, click <maml:ui>Add Roles</maml:ui>.</maml:para></maml:listItem><maml:listItem><maml:para>On the <maml:ui>Before You Begin</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para></maml:listItem><maml:listItem><maml:para>On the <maml:ui>Select Server Roles</maml:ui> page, click <maml:ui>Active Directory Certificate Services</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:listItem><maml:listItem><maml:para>Review the information on the <maml:ui>Introduction to Active Directory Certificate Services</maml:ui> page, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:listItem></maml:list></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Select Role Services</maml:ui> page, select the <maml:ui>Certificate Enrollment Web Service</maml:ui> check box.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The Certification Authority role service is automatically selected when the AD CS role is added, but it cannot be installed at the same time as the 
Certificate Enrollment Web Service. If you intend to install both the CA and the Certificate Enrollment Web Service, complete the CA installation first. See <maml:navigationLink><maml:linkText>Setting Up Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=8cb0540b-a5c2-47e5-913c-4d995a4adc2d"></maml:uri></maml:navigationLink>.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add Required Role Services</maml:ui> when prompted to install required role services and features, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>To specify a CA, click either <maml:ui>CA name</maml:ui> or <maml:ui>Computer name</maml:ui>, and then click <maml:ui>Browse</maml:ui>. Select a CA or type a computer name, and then click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select the <maml:ui>Configure the Certificate Enrollment Web Service for renewal-only mode</maml:ui> check box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Select Authentication Type</maml:ui> page, click <maml:ui>Username and password</maml:ui> or <maml:ui>Client certificate authentication</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Specify Account Credentials</maml:ui> page, click either <maml:ui>Specify service account</maml:ui> or <maml:ui>Use built-in application pool identity</maml:ui>. To specify a service account, click <maml:ui>Select</maml:ui>, type a domain account user name and password, and click <maml:ui>OK</maml:ui>. 
Click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select an existing server certificate, click <maml:ui>Import</maml:ui> to import a certificate file or click <maml:ui>Choose and assign a server certificate later</maml:ui>, and then click <maml:ui>Next</maml:ui>. See <maml:navigationLink><maml:linkText>Configuring Server Certificates for Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=0e22c650-0bdd-4807-8a90-68dbf4f39dc2"></maml:uri></maml:navigationLink> for details.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Introduction to Web Server (IIS)</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Select Role Services</maml:ui> page, review the selected role services, and then click <maml:ui>Next</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Review the information on the <maml:ui>Confirm Installation Selections</maml:ui> page, and then click <maml:ui>Install</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Review the <maml:ui>Installation Results</maml:ui> page for messages. Additional tasks may be required to configure the Certificate Enrollment Web Service before users can submit requests.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section><maml:section><maml:title></maml:title>
<maml:introduction><maml:para>Use these commands to configure and restart Active Directory Certificate Services. In this configuration, the CA can also process requests for new certificates.</maml:para>
<maml:procedure><maml:title>To configure the CA to support renewal-only mode </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the CA at a command prompt, type <maml:userInput>certutil -setreg policy\editflags +enablerenewonbehalfof</maml:userInput>, and press ENTER.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Open the Certification Authority snap-in.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, right-click the CA, and then click <maml:ui>Properties</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click the <maml:ui>Security</maml:ui> tab.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If the Web service account is displayed in <maml:ui>Group or user names</maml:ui>, verify that the <maml:ui>Read</maml:ui> permission is selected. If the Web service account is not displayed, complete the following steps:</maml:para><maml:list class="ordered"><maml:listItem><maml:para>Click <maml:ui>Add</maml:ui>.</maml:para></maml:listItem><maml:listItem><maml:para>Type the account name, and click <maml:ui>Check Names</maml:ui>. If the name is not found, click <maml:ui>Object Types</maml:ui>, and ensure that the correct account type is selected. 
Click <maml:ui>OK</maml:ui> after the correct account name is found.</maml:para></maml:listItem><maml:listItem><maml:para>Select the <maml:ui>Read</maml:ui> check box, and then click <maml:ui>OK</maml:ui>.</maml:para></maml:listItem></maml:list></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Type <maml:userInput>sc stop certsvc</maml:userInput>, and press ENTER.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Type <maml:userInput>sc start certsvc</maml:userInput>, and press ENTER.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Installing the Certificate Enrollment Web Service</maml:linkText><maml:uri href="mshelp://windows/?id=cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Setting Up Certificate Enrollment Web Services</maml:linkText><maml:uri href="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Using Policy to Manage Active Directory Certificate Services</maml:title><maml:introduction>
<maml:para>Domain Group Policy can be used to manage the following types of certificate-related activities in an Active Directory Domain Services (AD DS) environment:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Credential roaming</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Autoenrollment of certificates</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certificate path validation</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certificate distribution</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Credential roaming</maml:title><maml:introduction>
<maml:para>Credential roaming allows X.509 certificates, certificate requests, and private keys specific to a user in AD DS to be stored independently from the user profile and used on any computer on the network.</maml:para>

<maml:para>Digital certificates and private keys involve comparatively small amounts of data that need to be stored in a secure manner. Credential roaming policy provides a means for managing the use of these credentials on multiple computers in a manner that addresses the secure storage and size requirements of digital certificates and private keys. In Windows Server 2008 R2 and Windows Server 2008, credential roaming policy includes stored user names and passwords as well as certificates and keys.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Enable Credential Roaming</maml:linkText><maml:uri href="mshelp://windows/?id=78f85b75-f12b-4408-913e-8add44aeb750"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>For more information about credential roaming and significant differences between its implementation in Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP, see Configuring and Troubleshooting Certificate Services Client–Credential Roaming (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=85332</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=85332"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Certificate autoenrollment</maml:title><maml:introduction>
<maml:para>Many organizations use Group Policy to automatically enroll users, computers, or services for certificates. </maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Configure Certificate Autoenrollment</maml:linkText><maml:uri href="mshelp://windows/?id=a24a23a7-b723-42fc-8295-2641e6fc5de3"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Certificate path validation</maml:title><maml:introduction>
<maml:para>As certificate use for secure communication and data protection is increasing, administrators can use certificate trust policy to enhance their control of certificate use and public key infrastructure performance by using certificate path validation options. </maml:para>

<maml:para>Certificate path validation settings in Group Policy allow administrators to manage stores, trusted publishers, network retrieval, and revocation checking. </maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Manage Certificate Path Validation</maml:linkText><maml:uri href="mshelp://windows/?id=aab315d6-7dad-4d5c-bf0f-a766e8ad0d21"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Certificate distribution</maml:title><maml:introduction>
<maml:para>The certificate distribution capabilities in Group Policy are useful for managing certificate-related trust in an organization. They allow you to ensure that certain certificates are trusted and that certificate chain building occurs with little or no user intervention. You can also block the use of certificates that you cannot directly revoke because they were issued by an external certification authority (CA). </maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Use Policy to Distribute Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=fbe9a9e0-ae87-4134-9dec-48bfda4266df"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e3990c59-f588-45ad-b3fd-3052e0b4f659"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Active Directory Certificate Services Resources</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>For extensive evaluation, design, deployment, troubleshooting, and technical reference information, including white papers and Knowledge Base (KB) articles, see Active Directory Certificate Services (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=85613</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=85613"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>For information about developing applications that use Active Directory Certificate Services (AD CS), see Win32 and COM Security Development (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=92771</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=92771"></maml:uri></maml:navigationLink>). </maml:para>
</maml:listItem>


<maml:listItem>
<maml:para>For public information about public key infrastructures (PKIs), see the National Institute of Standards and Technology (NIST) PKI Web site (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=92772</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=92772"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>For information about the PKI X.509 (pkix) working group, see the Internet Engineering Task Force (IETF) Web site (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=29885</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=29885"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Managing a Certification Authority</maml:title><maml:introduction>
<maml:para>Management of a certification authority (CA) involves two broad categories of tasks: infrequent tasks, which include key configuration tasks and implementing a management framework, and recurring tasks, which include the common daily operations of a CA, such as issuing and revoking certificates and publishing revocation data.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Install and Use the Certification Authority Snap-In</maml:linkText><maml:uri href="mshelp://windows/?id=026bba14-e615-409f-a480-01ef71375fbf"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Infrequent Management Tasks</maml:linkText><maml:uri href="mshelp://windows/?id=1227bc23-4eea-478e-921b-9c805f3925b9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Recurring Management Tasks</maml:linkText><maml:uri href="mshelp://windows/?id=f5ae6b2c-a94f-4e74-a3b9-59cdcf195575"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Verify an Online Responder Installation</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>After you have completed setting up an Online Responder, you can verify that it is functioning properly by confirming that you can autoenroll certificates, revoke certificates, and make accurate revocation data available from the Online Responder.</maml:para>

<maml:para>You must be a certification authority (CA) administrator to complete this procedure. For more information about administering a public key infrastructure (PKI), see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To verify that the Online Responder functions properly</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the CA, configure several certificate templates for autoenrollment by computers and users. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the new certificate templates have been published to Active Directory Domain Services (AD DS), open a command prompt on the client computer and enter the following command to start certificate autoenrollment:</maml:para>

<maml:para><maml:codeInline>certutil -pulse</maml:codeInline></maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>It can take several hours for information about new certificates to be replicated to all domain controllers.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the client computer, use the Certificates snap-in to verify that the new certificates have been issued. If they have not been issued, repeat step 2. You can also restart the client computer to start certificate autoenrollment.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking <maml:ui>Certification Authority (Computer)\CA name\Issued Certificates</maml:ui> and selecting the certificate you want to revoke. On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Revoke Certificate</maml:ui>. Select the reason for revoking the certificate, and click <maml:ui>Yes</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Certification Authority snap-in, publish a new certificate revocation list (CRL) by clicking <maml:ui>Certification Authority (Computer)\CA name\Revoked Certificates</maml:ui> in the console tree. Then, on the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Publish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the client computer, use the Certificates snap-in to export one of the issued certificates and save it as an X.509 file.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Open a command prompt, and type the following command:
</maml:para><maml:para><maml:codeInline>certutil -url &lt;exportedcert.cer&gt;</maml:codeInline></maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the  <maml:ui>URL Retrieval Tool</maml:ui> dialog box, select <maml:ui>OCSP (from AIA)</maml:ui>, and then click <maml:ui>Retrieve</maml:ui>.  After the CRL is retrieved, the status will display <maml:ui>Verified</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up Online Responder Services in a Network</maml:linkText><maml:uri href="mshelp://windows/?id=1eb5a9e3-de04-44a0-8972-bc744ca43320"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Install a Subordinate Certification Authority</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>After a root certification authority (CA) has been installed, many organizations will install one or more subordinate CAs to implement policy restrictions on the public key infrastructure (PKI) and to issue certificates to end clients. Using at least one subordinate CA can help protect the root CA from unnecessary exposure. </maml:para>

<maml:para>If a subordinate CA will be used to issue certificates to users or computers with accounts in an Active Directory domain, installing the subordinate CA as an enterprise CA allows you to use the client's existing account data in Active Directory Domain Services (AD DS) to issue and manage certificates and to publish certificates to AD DS.</maml:para>

<maml:para>Membership in local <maml:phrase>Administrators</maml:phrase>, or equivalent, is the minimum required to complete this procedure. If this will be an enterprise CA, membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To install a subordinate CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open Server Manager, click <maml:ui>Add Roles</maml:ui>, click <maml:ui>Next</maml:ui>, and click <maml:ui>Active Directory Certificate Services</maml:ui>. Click <maml:ui>Next</maml:ui> two times. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Select Role Services </maml:ui>page, click <maml:ui>Certification Authority</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Specify Setup Type</maml:ui> page, click <maml:ui>Standalone</maml:ui> or <maml:ui>Enterprise</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Types of Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=bac506b2-57be-45c2-bdf6-1f976eeeb475"></maml:uri></maml:navigationLink>.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You must have a network connection to a domain controller in order to install an enterprise CA. </maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Specify CA Type</maml:ui> page, click <maml:ui>Subordinate CA</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Set Up Private Key </maml:ui>page, click <maml:ui>Create a new private key</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Configure Cryptography </maml:ui>page, select a cryptographic service provider, key length, and hash algorithm. Click <maml:ui>Next</maml:ui>.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Cryptographic Options for CAs</maml:linkText><maml:uri href="mshelp://windows/?id=b71c1373-6f1a-4c93-9eb4-875cc4a58bec"></maml:uri></maml:navigationLink>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Request Certificate </maml:ui>page, browse to locate the root CA, or if the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click <maml:ui>Next</maml:ui>.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The subordinate CA cannot be used until the root CA has issued it a CA certificate and this certificate has been used to complete the installation of the subordinate CA. </maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Configure CA Name </maml:ui>page, create a unique name to identify the CA. Click <maml:ui>Next</maml:ui>.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Certification Authority Naming</maml:linkText><maml:uri href="mshelp://windows/?id=0588b149-8413-421d-844c-9a53857eac65"></maml:uri></maml:navigationLink>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Set Validity Period </maml:ui>page, specify the number of years or months that the CA certificate will be valid. Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Configure Certificate Database </maml:ui>page, accept the default locations unless you want to specify a custom location for the certificate database and certificate database log. Click <maml:ui>Next</maml:ui>.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Certificates Database</maml:linkText><maml:uri href="mshelp://windows/?id=0f428311-c433-460c-96be-ced456f7e016"></maml:uri></maml:navigationLink>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Confirm Installation Options </maml:ui>page, review all of the configuration settings that you have selected. If you want to accept all of these options, click <maml:ui>Install</maml:ui> and wait until the setup process has finished. </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting Up a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=24bce8a3-bf9b-48b9-adfa-b523d393038c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Install a Root Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=928ede4c-c06d-4e5b-8d6e-fda1334627ed"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Active Directory Certificate Services Overview</maml:title><maml:introduction>
<maml:para>Active Directory Certificate Services (AD CS) role services can be set up on servers running operating systems including Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment. Although you can deploy AD CS with a single server for a single certification authority (CA), deployments can involve multiple servers configured as root CAs, policy CAs, and issuing CAs, and other servers configured as Online Responders. </maml:para>



<maml:para>The following table lists the AD CS components that can be configured on different editions of Windows Server 2008 R2.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Components</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Web edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Standard edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Datacenter edition</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>CA</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Network Device Enrollment Service</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Online Responder service</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>CA Web Enrollment</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row><maml:entry><maml:para>Certificate Enrollment Web Service</maml:para></maml:entry><maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row><maml:entry><maml:para>Certificate Enrollment Policy Web Service</maml:para></maml:entry><maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>
</maml:table>
<maml:para><br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" /></maml:para>
<maml:para>The following features are available on servers running Windows Server 2008 R2 that have been configured as CAs.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>AD CS features</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Web edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Standard edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Datacenter edition</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Customizable version 2 and version 3 certificate templates</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Key archival</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Role separation</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Certificate manager restrictions</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Delegated enrollment agent restrictions</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Certificate enrollment across forest boundaries</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections><maml:section address="H2_54174995">
<maml:title>Customizing AD CS</maml:title><maml:introduction>
<maml:para>AD CS includes programmable interfaces so that developers can create support for additional transports, policies, and certificate properties and formats. For information about customizing AD CS, see Certificate Services Architecture (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=91405</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91405"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Managing AD CS</maml:title><maml:introduction>
<maml:para>The following Microsoft Management Console (MMC) snap-ins can be used to manage AD CS:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Certification Authority</maml:phrase>. The primary tool for managing a CA, certificate revocation, and certificate enrollment.    </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Certificate Templates</maml:phrase>. Used to duplicate and configure certificate templates for publication to Active Directory Domain Services (AD DS) and for use with enterprise CAs.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Online Responder</maml:phrase>. Used to configure and manage Online Certificate Status Protocol (OCSP) responders.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Enterprise PKI</maml:phrase>. Used to monitor multiple CAs, certificate revocation lists (CRLs), and authority information access locations, and to manage AD CS objects that are published to AD DS.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Certificates</maml:phrase>. Used to view and manage certificate stores for a computer, user, or service.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Public Key Infrastructures</maml:linkText><maml:uri href="mshelp://windows/?id=26af007f-65e7-4f2b-a154-2bdcc7af2657"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Types of Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=bac506b2-57be-45c2-bdf6-1f976eeeb475"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=964edfbd-d935-4352-b054-5e3dfe6c547e"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Policy Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries</maml:linkText><maml:uri href="mshelp://windows/?id=b5af94a1-4caf-4c05-b344-d996fdb9e2eb"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Publish Certificates to the File System</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The following procedure can be used to publish issued certificates to the file system. </maml:para>

<maml:para>To request a certificate and have it published to the file system, certificate requestors must include a <maml:computerOutputInline>certfile:true</maml:computerOutputInline> attribute in their request. After the certificate is issued, it is copied to <maml:replaceable>FileName</maml:replaceable>.cer, where <maml:replaceable>FileName</maml:replaceable> is the request ID of the certificate request.</maml:para>

<maml:para>The file is copied to the CertEnroll folder on the certification authority (CA).</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You cannot use this method to overwrite files.</maml:para>
</maml:alertSet>

<maml:para>You must be a CA administrator to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To publish certificates to the file system</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Exit Module</maml:ui> tab, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Publication Settings</maml:ui> tab, select the <maml:ui>Allow certificates to be published to the file system</maml:ui> check box, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Stop and restart the CA.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Enrollment</maml:linkText><maml:uri href="mshelp://windows/?id=3435d75d-3bec-41c9-8ba2-dc16511d4e12"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Checklist: Enhance Certificate Revocation Checking in Diverse Environments by Setting Up an Online Responder Array</maml:title><maml:introduction>
<maml:para>Certificate revocation lists (CRLs) are distributed periodically, contain information about all certificates that have been revoked or suspended, and can become quite large. An Online Responder, by contrast, responds to client requests for information about the status of individual certificates. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be, which makes it easier to provide current status information to large numbers of clients when downloading a CRL might take them an unacceptable amount of time. Setting up multiple linked Online Responders in an Array can provide flexibility and scalability to revocation checking in diverse network environments.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Task</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Set up additional subordinate certification authorities (CAs).</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Install a Subordinate Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e9bd1194-e088-4671-840f-0847cf5ee2a0"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Install and configure certificate templates.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Managing Certificate Templates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142230</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142230"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure the issuing CA to issue Online Certificate Status Protocol (OCSP) Response Signing certificates.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Configure a CA to Support OCSP Responders</maml:linkText><maml:uri href="mshelp://windows/?id=c6fde0cd-3964-42ef-b3af-de1ef683f534"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Install and configure the Online Responder.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Set Up an Online Responder</maml:linkText><maml:uri href="mshelp://windows/?id=3d31dd67-df01-4e8e-809e-22e5bd0a4a32"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Create a revocation configuration for the Online Responder.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Creating a Revocation Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=910c18a2-6b51-4bc5-8f02-9ff32ffc3087"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Create an Online Responder Array.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Managing an Online Responder Array (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142234</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142234"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Select a Different Exit Module</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>An exit module provides an opportunity to perform certain tasks after a certificate is issued. You can replace the default exit module with a different exit module. To register a new exit module so that it is available in the list of exit modules, see Exit Modules (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=91407</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91407"></maml:uri></maml:navigationLink>).</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Multiple exit modules can be enabled at the same time.</maml:para>
</maml:alertSet>

<maml:para>You must be a certification authority (CA) administrator to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To select a different exit module</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Exit Module</maml:ui> tab, click <maml:ui>Add</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the new exit module, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If the exit module has its own configuration interface, you can configure it by clicking <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Stop and restart Active Directory Certificate Services (AD CS).</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Policy and Exit Modules</maml:linkText><maml:uri href="mshelp://windows/?id=7f6f2678-440f-4d5f-bada-7953d9ffa6b7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Use the Network Device Enrollment Service</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The Network Device Enrollment Service allows software on routers and other network devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP). </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>SCEP was developed to support the secure, scalable issuance of certificates to network devices by using existing certification authorities (CAs). The protocol supports CA and registration authority public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation queries.</maml:para>
</maml:alertSet>

<maml:para>The Network Device Enrollment Service performs the following functions:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Generates and provides one-time enrollment passwords to administrators.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Submits SCEP enrollment requests to the CA. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Retrieves enrolled certificates from the CA and forwards them to the network device.</maml:para>
</maml:listItem>








</maml:list>
<maml:para>Enrolling for a certificate with the Network Device Enrollment Service involves the software used to manage the network device, the registration authority, the computer hosting the Network Device Enrollment Service, and the CA.</maml:para>
<maml:para>You must be a registration authority for the CA and an administrator on the network device to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>
<maml:procedure><maml:title>To request and enroll for a certificate by using the Network Device Enrollment Service</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Run the software used to manage the network device, and use this software to generate an RSA public/private key pair configured for one of the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Signing and signature verification</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Encryption and decryption</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Signing, signature verification, encryption, and decryption</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
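<maml:para>Use the device software to forward this key pair to the registration authority on the computer hosting the Network Device Enrollment Service. (Only the public key needs to leave the device; SCEP does not require the private key to be sent to the registration authority.)</maml:para>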
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open a Web browser, and go to http://localhost/certsrv/mscep_admin.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
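<maml:para>If the password table is not full, the Network Device Enrollment Service will create a random password and embed it in an HTML page that is returned to the caller. Because the password is delivered in the page itself, the connection to this URL should be protected (for example, with HTTPS) whenever the page is requested from a computer other than the one hosting the service. </maml:para>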

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Every time you connect to this URL, a different challenge password is displayed. Each challenge password is valid for 60 minutes and can only be used once. </maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Use the device software, along with the password, to submit a certificate request through the Network Device Enrollment Service, which relays the request to the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If the enrollment request is successful, the requested certificate is returned to the device from the CA through the Network Device Enrollment Service.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>By default, the Network Device Enrollment Service can only cache five passwords at a time. If the password cache is full when you submit a password request, you must do one of the following before resubmitting your request:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Wait until one of the passwords has expired before submitting a new request.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Stop and restart Internet Information Services (IIS) to delete all passwords stored in the cache.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure the service to cache more than five passwords at a time. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=e3990c59-f588-45ad-b3fd-3052e0b4f659"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configure the Network Device Enrollment Service</maml:linkText><maml:uri href="mshelp://windows/?id=281af9f9-b1cb-4efa-99d0-ba44e9b7ee21"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Stand-Alone Certification Authorities</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Stand-alone certification authorities (CAs) can issue certificates for purposes such as digital signatures, secure e-mail by using S/MIME (Secure Multipurpose Internet Mail Extensions), and authentication to a secure Web server by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).</maml:para>

<maml:para>A stand-alone CA has the following characteristics:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Unlike an enterprise CA, a stand-alone CA does not require the use of Active Directory Domain Services (AD DS). Even if you are using AD DS, stand-alone CAs can be used as offline trusted root CAs in a CA hierarchy or to issue certificates to clients over an extranet or the Internet. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>When users submit a certificate request to a stand-alone CA, they must provide their identifying information and specify the type of certificate they need. (This does not need to be done when submitting a request to an enterprise CA because the enterprise user's information is already in AD DS and the certificate type is described by a certificate template.) The authentication information for requests is obtained from the local computer's Security Accounts Manager database.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>By default, all certificate requests sent to the stand-alone CA are set to pending until the administrator of the stand-alone CA verifies the submitted information and approves the request. The administrator has to perform these tasks because the certificate requester's credentials are not verified by the stand-alone CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certificate templates are not used.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store, or users must perform that task themselves.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If a cryptographic provider supporting elliptic curve cryptography (ECC) is used, a stand-alone CA will honor every key usage for the ECC key. For more information, see Cryptography Next Generation (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=85480</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=85480"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>
</maml:list>

<maml:para>When a stand-alone CA uses AD DS, the CA has these additional features: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If a member of the Domain Admins group or an administrator with Write access to a domain controller installs a stand-alone root CA, the root CA certificate is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If a stand-alone CA is installed by a member of the Domain Admins group of the parent domain in the enterprise, or by an administrator with Write access to AD DS, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to AD DS.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Types of Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=bac506b2-57be-45c2-bdf6-1f976eeeb475"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Recurring Management Tasks</maml:title><maml:introduction>
<maml:para>The following tasks will likely be performed on a daily, weekly, or other frequent basis.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Enrollment</maml:linkText><maml:uri href="mshelp://windows/?id=3435d75d-3bec-41c9-8ba2-dc16511d4e12"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Manage Certificate Revocation</maml:linkText><maml:uri href="mshelp://windows/?id=5531ecb5-3073-490f-80f9-5d263e60b07a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure CA Event Auditing</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>You can audit a variety of events relating to the management and activities of a certification authority (CA):</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Back up and restore the CA database.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Change the CA configuration.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Change CA security settings.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Issue and manage certificate requests.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Revoke certificates and publish certificate revocation lists (CRLs).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Store and retrieve archived keys.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Start and stop Active Directory Certificate Services (AD CS).</maml:para>
</maml:listItem>
</maml:list>

<maml:para>You must be a CA administrator or a CA auditor to complete this procedure. The CA auditor must perform this procedure if the CA has been configured to enforce role-based administration. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure CA event auditing</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Auditing</maml:ui> tab, click the events that you want to audit, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Stop Service</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Start Service</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To audit events, the computer must also be configured for auditing of object access. If object access auditing is not enabled, the events selected on the <maml:ui>Auditing</maml:ui> tab are not recorded in the Security event log. Audit policy options can be viewed and managed in local or domain Group Policy under <maml:phrase>Computer Configuration\Windows Settings\Security Settings\Local Policies</maml:phrase>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Securing Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=afc1d704-3d8f-43de-b4b3-51a062878d14"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Protecting a CA from Data Loss</maml:linkText><maml:uri href="mshelp://windows/?id=11b65839-a8fb-47cf-aaec-687e5428e8cc"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Use Policy to Distribute Certificates</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Certificates are important credentials. Administrators may not want to let users decide which certificates to trust and which not to trust. Often the decision to trust or not trust a particular certificate should be made by an administrator or individual who is knowledgeable about the particular certificate and its trust implications for the organization.</maml:para>

<maml:para>You can use Group Policy to distribute the following types of certificates to clients.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Type of certificate</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description </maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Trusted Root Certification Authorities</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Implicitly trusted certification authorities (CAs). Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your own organization and Microsoft.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Enterprise Trust</maml:para>

<maml:para></maml:para>
</maml:entry>
<maml:entry>
<maml:para>A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Intermediate Certification Authorities</maml:para>

<maml:para></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates issued to subordinate CAs.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Trusted Publishers</maml:para>

<maml:para></maml:para>
</maml:entry>
<maml:entry>
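<maml:para>Certificates from CAs that are trusted. In practice, this store holds the signing certificates of software publishers whose signed code clients are meant to accept, so add only publishers that have been verified.</maml:para>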
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Untrusted Certificates</maml:para>

<maml:para></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates that you have explicitly decided not to trust because they are no longer valid for their intended purpose or because they are from a source that domain clients should not trust.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Trusted People</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates issued to people or end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook.</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>. </maml:para>

<maml:procedure><maml:title>To add certificates to the Trusted Root Certification Authorities store for a domain</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Group Policy Objects</maml:ui> in the forest and domain containing the <maml:ui>Default Domain Policy</maml:ui> Group Policy object (GPO) that you want to edit.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Default Domain Policy</maml:ui> GPO, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Group Policy Management Console (GPMC), go to <maml:ui>Computer Configuration</maml:ui>, <maml:ui>Windows Settings</maml:ui>, <maml:ui>Security Settings</maml:ui>, and then click <maml:ui>Public Key Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Trusted Root Certification Authorities</maml:ui> store.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Import</maml:ui> and follow the steps in the Certificate Import Wizard to import the certificates.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using Policy to Manage Active Directory Certificate Services</maml:linkText><maml:uri href="mshelp://windows/?id=e22f74dc-82e6-4b3e-8429-5f1faf393f33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Review Pending Certificate Requests</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>One of the most important and common duties of a certification authority (CA) administrator or certificate manager is to review pending certificate requests and decide whether each requested certificate should be issued. </maml:para>

<maml:para>In most cases, for security reasons, it is strongly recommended that all incoming certificate requests to a stand-alone CA be marked as pending. Unlike enterprise CAs, stand-alone CAs do not use Active Directory Domain Services (AD DS), even if it is available, to verify that an individual or computer is authorized to be automatically issued a certificate by the CA. For stand-alone CAs, the CA administrator is responsible for verifying the identity of the certificate requester, and marking requests as pending holds each request until that verification has been done. </maml:para>

<maml:para>You must be a CA administrator or certificate manager to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To review pending certificate requests</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Pending Requests</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, examine each certificate request by noting the values for requester name, requester e-mail address, and any other fields that you consider critical information for issuing the certificate.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>Failed certificate requests can also be issued by using the same procedure in the Failed Requests container. Use caution when issuing a failed request, because not all of the security requirements for the certificate can be verified.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Enrollment</maml:linkText><maml:uri href="mshelp://windows/?id=3435d75d-3bec-41c9-8ba2-dc16511d4e12"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Set the Default Action Upon Receipt of a Certificate Request</maml:linkText><maml:uri href="mshelp://windows/?id=9ab7283a-533f-4eef-a243-9acbf85cbfbd"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><?xml version="1.0" encoding="utf-8"?>
<HelpCollection Id="certsvr" DTDVersion="1.0" FileVersion="" LangId="1033" Copyright="© 2005 Microsoft Corporation. All rights reserved." Title="Certification Authority" xmlns="http://schemas.microsoft.com/help/collection/2004/11">
	<CompilerOptions CompileResult="H1S" CreateFullTextIndex="Yes" BreakerId="Microsoft.NLG.en.WordBreaker">
		<IncludeFile File="certsvr.H1F" />
	</CompilerOptions>
	<TOCDef File="certsvr.H1T" Id="certsvr_TOC" />
	<VTopicDef File="certsvr.H1V" />
	<KeywordIndexDef File="certsvr_AssetId.H1K" />
	<KeywordIndexDef File="certsvr_BestBet.H1K" />
	<KeywordIndexDef File="certsvr_LinkTerm.H1K" />
	<KeywordIndexDef File="certsvr_SubjectTerm.H1K" />
	<ItemMoniker Name="!DefaultTOC" ProgId="HxDs.HxHierarchy" InitData="AnyString" />
	<ItemMoniker Name="!DefaultFullTextSearch" ProgId="HxDs.HxFullTextSearch" InitData="AnyString" />
	<ItemMoniker Name="!DefaultAssetIdIndex" ProgId="HxDs.HxIndex" InitData="AssetId" />
	<ItemMoniker Name="!DefaultBestBetIndex" ProgId="HxDs.HxIndex" InitData="BestBet" />
	<ItemMoniker Name="!DefaultAssociativeIndex" ProgId="HxDs.HxIndex" InitData="LinkTerm" />
	<ItemMoniker Name="!DefaultKeywordIndex" ProgId="HxDs.HxIndex" InitData="SubjectTerm" />
</HelpCollection><?xml version="1.0" encoding="utf-8"?>
<HelpFileList xmlns="http://schemas.microsoft.com/help/filelist/2004/11">
	<File Url="assets\026bba14-e615-409f-a480-01ef71375fbf.xml" />
	<File Url="assets\0588b149-8413-421d-844c-9a53857eac65.xml" />
	<File Url="assets\05c491e0-99e3-4a33-aab8-8b00c32c5bdf.xml" />
	<File Url="assets\07a53b9e-c593-4264-8126-508e743dc155.xml" />
	<File Url="assets\0e22c650-0bdd-4807-8a90-68dbf4f39dc2.xml" />
	<File Url="assets\0f428311-c433-460c-96be-ced456f7e016.xml" />
	<File Url="assets\11b65839-a8fb-47cf-aaec-687e5428e8cc.xml" />
	<File Url="assets\1227bc23-4eea-478e-921b-9c805f3925b9.xml" />
	<File Url="assets\12afc6dc-7e94-471f-953b-9ed9271a1b85.xml" />
	<File Url="assets\18656667-17b6-4e81-af4c-4ff1b767c8b8.xml" />
	<File Url="assets\1b396c19-25ca-4855-bc60-fb06af1ea3d4.xml" />
	<File Url="assets\1b4c0f44-d488-41e8-afb3-80408014c64f.xml" />
	<File Url="assets\1e4b6432-977c-4e21-a245-5ce30ae80cc4.xml" />
	<File Url="assets\1eb5a9e3-de04-44a0-8972-bc744ca43320.xml" />
	<File Url="assets\24bce8a3-bf9b-48b9-adfa-b523d393038c.xml" />
	<File Url="assets\25fbd545-9aa8-4e2a-a9bc-eac92cf8bd40.xml" />
	<File Url="assets\26af007f-65e7-4f2b-a154-2bdcc7af2657.xml" />
	<File Url="assets\281af9f9-b1cb-4efa-99d0-ba44e9b7ee21.xml" />
	<File Url="assets\2979e21a-28f0-4e84-b978-e52514a86f90.xml" />
	<File Url="assets\2c78c461-1d3f-40f4-b435-1d87f03c299a.xml" />
	<File Url="assets\336d3a6a-33c6-4083-8606-c0a4fdca9a25.xml" />
	<File Url="assets\3435d75d-3bec-41c9-8ba2-dc16511d4e12.xml" />
	<File Url="assets\3d31dd67-df01-4e8e-809e-22e5bd0a4a32.xml" />
	<File Url="assets\419159e1-a432-4169-a4cd-45612fbf3266.xml" />
	<File Url="assets\47cd6246-68d0-4579-8b76-5b5b0998d11d.xml" />
	<File Url="assets\49e21964-dc6f-444b-a97f-e7fb70dfbcde.xml" />
	<File Url="assets\4aaea26c-e132-4c04-9849-e5106f93d042.xml" />
	<File Url="assets\51842149-feee-43d7-8813-38a64d1f4caa.xml" />
	<File Url="assets\5531ecb5-3073-490f-80f9-5d263e60b07a.xml" />
	<File Url="assets\5ddd6c36-0fb3-457d-94fa-3b1e3fc9c5b2.xml" />
	<File Url="assets\637ff3b3-6881-4ffb-b4f9-ea56171527e0.xml" />
	<File Url="assets\6517f2bf-bf39-4275-86f6-d579a26e3654.xml" />
	<File Url="assets\698175c2-9ca5-4124-a851-937e659232e7.xml" />
	<File Url="assets\6a1aa4e4-a0b2-4ec0-9555-5fc32e8c30c0.xml" />
	<File Url="assets\70e5d64c-91ce-4355-a9c9-115fe0866911.xml" />
	<File Url="assets\74abcd5f-c2c7-474b-b154-8cfe285a1754.xml" />
	<File Url="assets\78f85b75-f12b-4408-913e-8add44aeb750.xml" />
	<File Url="assets\7b561f6e-d9a8-43ed-b790-f612482c99f7.xml" />
	<File Url="assets\7b886752-8d1f-4594-90ee-14686f79fb22.xml" />
	<File Url="assets\7f6f2678-440f-4d5f-bada-7953d9ffa6b7.xml" />
	<File Url="assets\82ad05ce-4f9f-4cb0-889b-b0e21bb4766c.xml" />
	<File Url="assets\855f7a2f-429f-40c2-b297-09a55047cc4c.xml" />
	<File Url="assets\86a959c3-88f5-48ab-8457-21bc8755d205.xml" />
	<File Url="assets\89610b23-0af5-4bc7-8eb9-2e2584d3f0a2.xml" />
	<File Url="assets\8cb0540b-a5c2-47e5-913c-4d995a4adc2d.xml" />
	<File Url="assets\8d3dcbf1-d83e-4be6-866a-a1e9449b3adc.xml" />
	<File Url="assets\910c18a2-6b51-4bc5-8f02-9ff32ffc3087.xml" />
	<File Url="assets\928ede4c-c06d-4e5b-8d6e-fda1334627ed.xml" />
	<File Url="assets\964edfbd-d935-4352-b054-5e3dfe6c547e.xml" />
	<File Url="assets\98cde842-f281-4892-9da4-1e467199ea14.xml" />
	<File Url="assets\99dc782e-81fa-4f86-909b-87489465a650.xml" />
	<File Url="assets\9ab7283a-533f-4eef-a243-9acbf85cbfbd.xml" />
	<File Url="assets\9b2626dc-5d07-4619-a0cc-be44f9682fb2.xml" />
	<File Url="assets\a24a23a7-b723-42fc-8295-2641e6fc5de3.xml" />
	<File Url="assets\a6445362-7927-492f-9e82-0d7058e599f5.xml" />
	<File Url="assets\a793d37c-717c-4b41-ab67-87bf559f4d80.xml" />
	<File Url="assets\aab315d6-7dad-4d5c-bf0f-a766e8ad0d21.xml" />
	<File Url="assets\afc1d704-3d8f-43de-b4b3-51a062878d14.xml" />
	<File Url="assets\b19a07e1-9984-444d-b968-a330c7a8a60c.xml" />
	<File Url="assets\b3cbf5d7-d1f6-4454-8194-48a3afc87b59.xml" />
	<File Url="assets\b3d53f51-56f6-4031-8aad-ebdc4c71cb56.xml" />
	<File Url="assets\b5af94a1-4caf-4c05-b344-d996fdb9e2eb.xml" />
	<File Url="assets\b71c1373-6f1a-4c93-9eb4-875cc4a58bec.xml" />
	<File Url="assets\b8d01da1-12ac-404b-8239-ff5b59679f02.xml" />
	<File Url="assets\b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1.xml" />
	<File Url="assets\bac506b2-57be-45c2-bdf6-1f976eeeb475.xml" />
	<File Url="assets\bb63e84f-9313-4b54-b3f2-5a3c8490f250.xml" />
	<File Url="assets\c3b0e476-4bec-411c-b6cc-6bed8a1c378d.xml" />
	<File Url="assets\c651f8cf-5c84-42c0-9a61-37e0000e6989.xml" />
	<File Url="assets\c6fde0cd-3964-42ef-b3af-de1ef683f534.xml" />
	<File Url="assets\c8955f83-fed9-4a18-80ea-31e865435f73.xml" />
	<File Url="assets\cba53c53-a842-42b1-8de4-7235e0b3c5fc.xml" />
	<File Url="assets\cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30.xml" />
	<File Url="assets\cf5622e1-daa9-42cc-8b43-14953e34f8b6.xml" />
	<File Url="assets\d6267265-af06-47c2-a2aa-f61695eb4084.xml" />
	<File Url="assets\d6d69e62-0640-4055-bee9-8b4a993c6ac8.xml" />
	<File Url="assets\d6e60022-fcad-4192-b038-be51c15b8f6a.xml" />
	<File Url="assets\d762c3f4-f7ac-4af2-8e2d-331d33dc0583.xml" />
	<File Url="assets\e22f74dc-82e6-4b3e-8429-5f1faf393f33.xml" />
	<File Url="assets\e2d10a64-83c5-4a2b-bcca-e6984de16fdf.xml" />
	<File Url="assets\e3990c59-f588-45ad-b3fd-3052e0b4f659.xml" />
	<File Url="assets\e8c88a49-84e8-48a8-a303-9aab2e68a1db.xml" />
	<File Url="assets\e9bd1194-e088-4671-840f-0847cf5ee2a0.xml" />
	<File Url="assets\ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2.xml" />
	<File Url="assets\ef9ce3f2-30f8-4cac-b1a5-930e3ef8c0cd.xml" />
	<File Url="assets\f07ac4f6-269b-41d7-9d09-06ca4930bff4.xml" />
	<File Url="assets\f0bb5698-e30a-46fc-92d2-10d1f949e970.xml" />
	<File Url="assets\f3911350-ab45-494d-a07e-d0b9696a651e.xml" />
	<File Url="assets\f4d0ff2c-e17f-4cf6-997b-413d844d71d0.xml" />
	<File Url="assets\f5ae6b2c-a94f-4e74-a3b9-59cdcf195575.xml" />
	<File Url="assets\f9e48956-7408-4ec8-8907-b2b5b075ad77.xml" />
	<File Url="assets\fbe9a9e0-ae87-4134-9dec-48bfda4266df.xml" />
	<File Url="assets\fddd4b0c-c6c1-4800-8f5d-1f77d77d2a2c.xml" />
</HelpFileList><?xml version="1.0" encoding="utf-8"?>
<VTopicSet DTDVersion="1.0" xmlns="http://schemas.microsoft.com/help/vtopic/2004/11">
	<Vtopic Url="assets\026bba14-e615-409f-a480-01ef71375fbf.xml" RLTitle="Install and Use the Certification Authority Snap-In">
		<Attr Name="assetid" Value="026bba14-e615-409f-a480-01ef71375fbf" />
		<Keyword Index="AssetId" Term="026bba14-e615-409f-a480-01ef71375fbf" />
		<Keyword Index="AssetId" Term="026bba14-e615-409f-a480-01ef71375fbf1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="026bba14-e615-409f-a480-01ef71375fbf" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\0588b149-8413-421d-844c-9a53857eac65.xml" RLTitle="Certification Authority Naming">
		<Attr Name="assetid" Value="0588b149-8413-421d-844c-9a53857eac65" />
		<Keyword Index="AssetId" Term="0588b149-8413-421d-844c-9a53857eac65" />
		<Keyword Index="AssetId" Term="0588b149-8413-421d-844c-9a53857eac651033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0588b149-8413-421d-844c-9a53857eac65" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\05c491e0-99e3-4a33-aab8-8b00c32c5bdf.xml" RLTitle="Checklist: Authenticate Web Servers with Certificates Issued by a Windows-Based CA">
		<Attr Name="assetid" Value="05c491e0-99e3-4a33-aab8-8b00c32c5bdf" />
		<Keyword Index="AssetId" Term="05c491e0-99e3-4a33-aab8-8b00c32c5bdf" />
		<Keyword Index="AssetId" Term="05c491e0-99e3-4a33-aab8-8b00c32c5bdf1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="05c491e0-99e3-4a33-aab8-8b00c32c5bdf" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\07a53b9e-c593-4264-8126-508e743dc155.xml" RLTitle="Enable Key Archival for a CA">
		<Attr Name="assetid" Value="07a53b9e-c593-4264-8126-508e743dc155" />
		<Keyword Index="AssetId" Term="07a53b9e-c593-4264-8126-508e743dc155" />
		<Keyword Index="AssetId" Term="07a53b9e-c593-4264-8126-508e743dc1551033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="07a53b9e-c593-4264-8126-508e743dc155" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\0e22c650-0bdd-4807-8a90-68dbf4f39dc2.xml" RLTitle="Configuring Server Certificates for Certificate Enrollment Web Services">
		<Attr Name="assetid" Value="0e22c650-0bdd-4807-8a90-68dbf4f39dc2" />
		<Keyword Index="AssetId" Term="0e22c650-0bdd-4807-8a90-68dbf4f39dc2" />
		<Keyword Index="AssetId" Term="0e22c650-0bdd-4807-8a90-68dbf4f39dc21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0e22c650-0bdd-4807-8a90-68dbf4f39dc2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\0f428311-c433-460c-96be-ced456f7e016.xml" RLTitle="Certificates Database">
		<Attr Name="assetid" Value="0f428311-c433-460c-96be-ced456f7e016" />
		<Keyword Index="AssetId" Term="0f428311-c433-460c-96be-ced456f7e016" />
		<Keyword Index="AssetId" Term="0f428311-c433-460c-96be-ced456f7e0161033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0f428311-c433-460c-96be-ced456f7e016" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\11b65839-a8fb-47cf-aaec-687e5428e8cc.xml" RLTitle="Protecting a CA from Data Loss">
		<Attr Name="assetid" Value="11b65839-a8fb-47cf-aaec-687e5428e8cc" />
		<Keyword Index="AssetId" Term="11b65839-a8fb-47cf-aaec-687e5428e8cc" />
		<Keyword Index="AssetId" Term="11b65839-a8fb-47cf-aaec-687e5428e8cc1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="11b65839-a8fb-47cf-aaec-687e5428e8cc" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1227bc23-4eea-478e-921b-9c805f3925b9.xml" RLTitle="Infrequent Management Tasks">
		<Attr Name="assetid" Value="1227bc23-4eea-478e-921b-9c805f3925b9" />
		<Keyword Index="AssetId" Term="1227bc23-4eea-478e-921b-9c805f3925b9" />
		<Keyword Index="AssetId" Term="1227bc23-4eea-478e-921b-9c805f3925b91033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1227bc23-4eea-478e-921b-9c805f3925b9" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\12afc6dc-7e94-471f-953b-9ed9271a1b85.xml" RLTitle="Identify a Key Recovery Agent">
		<Attr Name="assetid" Value="12afc6dc-7e94-471f-953b-9ed9271a1b85" />
		<Keyword Index="AssetId" Term="12afc6dc-7e94-471f-953b-9ed9271a1b85" />
		<Keyword Index="AssetId" Term="12afc6dc-7e94-471f-953b-9ed9271a1b851033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="12afc6dc-7e94-471f-953b-9ed9271a1b85" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\18656667-17b6-4e81-af4c-4ff1b767c8b8.xml" RLTitle="Specify CRL Distribution Points">
		<Attr Name="assetid" Value="18656667-17b6-4e81-af4c-4ff1b767c8b8" />
		<Keyword Index="AssetId" Term="18656667-17b6-4e81-af4c-4ff1b767c8b8" />
		<Keyword Index="AssetId" Term="18656667-17b6-4e81-af4c-4ff1b767c8b81033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="18656667-17b6-4e81-af4c-4ff1b767c8b8" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1b396c19-25ca-4855-bc60-fb06af1ea3d4.xml" RLTitle="Restrict Certificate Managers">
		<Attr Name="assetid" Value="1b396c19-25ca-4855-bc60-fb06af1ea3d4" />
		<Keyword Index="AssetId" Term="1b396c19-25ca-4855-bc60-fb06af1ea3d4" />
		<Keyword Index="AssetId" Term="1b396c19-25ca-4855-bc60-fb06af1ea3d41033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1b396c19-25ca-4855-bc60-fb06af1ea3d4" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1b4c0f44-d488-41e8-afb3-80408014c64f.xml" RLTitle="Restore a CA from a Backup Copy">
		<Attr Name="assetid" Value="1b4c0f44-d488-41e8-afb3-80408014c64f" />
		<Keyword Index="AssetId" Term="1b4c0f44-d488-41e8-afb3-80408014c64f" />
		<Keyword Index="AssetId" Term="1b4c0f44-d488-41e8-afb3-80408014c64f1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1b4c0f44-d488-41e8-afb3-80408014c64f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1e4b6432-977c-4e21-a245-5ce30ae80cc4.xml" RLTitle="Add the Online Responder Snap-in to a Console">
		<Attr Name="assetid" Value="1e4b6432-977c-4e21-a245-5ce30ae80cc4" />
		<Keyword Index="AssetId" Term="1e4b6432-977c-4e21-a245-5ce30ae80cc4" />
		<Keyword Index="AssetId" Term="1e4b6432-977c-4e21-a245-5ce30ae80cc41033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1e4b6432-977c-4e21-a245-5ce30ae80cc4" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1eb5a9e3-de04-44a0-8972-bc744ca43320.xml" RLTitle="Setting Up Online Responder Services in a Network">
		<Attr Name="assetid" Value="1eb5a9e3-de04-44a0-8972-bc744ca43320" />
		<Keyword Index="AssetId" Term="1eb5a9e3-de04-44a0-8972-bc744ca43320" />
		<Keyword Index="AssetId" Term="1eb5a9e3-de04-44a0-8972-bc744ca433201033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1eb5a9e3-de04-44a0-8972-bc744ca43320" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\24bce8a3-bf9b-48b9-adfa-b523d393038c.xml" RLTitle="Setting Up a Certification Authority">
		<Attr Name="assetid" Value="24bce8a3-bf9b-48b9-adfa-b523d393038c" />
		<Keyword Index="AssetId" Term="24bce8a3-bf9b-48b9-adfa-b523d393038c" />
		<Keyword Index="AssetId" Term="24bce8a3-bf9b-48b9-adfa-b523d393038c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="24bce8a3-bf9b-48b9-adfa-b523d393038c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\25fbd545-9aa8-4e2a-a9bc-eac92cf8bd40.xml" RLTitle="Back Up a Certification Authority">
		<Attr Name="assetid" Value="25fbd545-9aa8-4e2a-a9bc-eac92cf8bd40" />
		<Keyword Index="AssetId" Term="25fbd545-9aa8-4e2a-a9bc-eac92cf8bd40" />
		<Keyword Index="AssetId" Term="25fbd545-9aa8-4e2a-a9bc-eac92cf8bd401033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="25fbd545-9aa8-4e2a-a9bc-eac92cf8bd40" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\26af007f-65e7-4f2b-a154-2bdcc7af2657.xml" RLTitle="Public Key Infrastructures">
		<Attr Name="assetid" Value="26af007f-65e7-4f2b-a154-2bdcc7af2657" />
		<Keyword Index="AssetId" Term="26af007f-65e7-4f2b-a154-2bdcc7af2657" />
		<Keyword Index="AssetId" Term="26af007f-65e7-4f2b-a154-2bdcc7af26571033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="26af007f-65e7-4f2b-a154-2bdcc7af2657" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\281af9f9-b1cb-4efa-99d0-ba44e9b7ee21.xml" RLTitle="Configure the Network Device Enrollment Service">
		<Attr Name="assetid" Value="281af9f9-b1cb-4efa-99d0-ba44e9b7ee21" />
		<Keyword Index="AssetId" Term="281af9f9-b1cb-4efa-99d0-ba44e9b7ee21" />
		<Keyword Index="AssetId" Term="281af9f9-b1cb-4efa-99d0-ba44e9b7ee211033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="281af9f9-b1cb-4efa-99d0-ba44e9b7ee21" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\2979e21a-28f0-4e84-b978-e52514a86f90.xml" RLTitle="Revocation Provider Signing">
		<Attr Name="assetid" Value="2979e21a-28f0-4e84-b978-e52514a86f90" />
		<Keyword Index="AssetId" Term="2979e21a-28f0-4e84-b978-e52514a86f90" />
		<Keyword Index="AssetId" Term="2979e21a-28f0-4e84-b978-e52514a86f901033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="PreLaunchTest" Value="Longhorn" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="2979e21a-28f0-4e84-b978-e52514a86f90" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\2c78c461-1d3f-40f4-b435-1d87f03c299a.xml" RLTitle="Managing Online Responders">
		<Attr Name="assetid" Value="2c78c461-1d3f-40f4-b435-1d87f03c299a" />
		<Keyword Index="AssetId" Term="2c78c461-1d3f-40f4-b435-1d87f03c299a" />
		<Keyword Index="AssetId" Term="2c78c461-1d3f-40f4-b435-1d87f03c299a1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="2c78c461-1d3f-40f4-b435-1d87f03c299a" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\336d3a6a-33c6-4083-8606-c0a4fdca9a25.xml" RLTitle="Configuring Certificate Revocation">
		<Attr Name="assetid" Value="336d3a6a-33c6-4083-8606-c0a4fdca9a25" />
		<Keyword Index="AssetId" Term="336d3a6a-33c6-4083-8606-c0a4fdca9a25" />
		<Keyword Index="AssetId" Term="336d3a6a-33c6-4083-8606-c0a4fdca9a251033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="336d3a6a-33c6-4083-8606-c0a4fdca9a25" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3435d75d-3bec-41c9-8ba2-dc16511d4e12.xml" RLTitle="Managing Certificate Enrollment">
		<Attr Name="assetid" Value="3435d75d-3bec-41c9-8ba2-dc16511d4e12" />
		<Keyword Index="AssetId" Term="3435d75d-3bec-41c9-8ba2-dc16511d4e12" />
		<Keyword Index="AssetId" Term="3435d75d-3bec-41c9-8ba2-dc16511d4e121033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3435d75d-3bec-41c9-8ba2-dc16511d4e12" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3d31dd67-df01-4e8e-809e-22e5bd0a4a32.xml" RLTitle="Set Up an Online Responder">
		<Attr Name="assetid" Value="3d31dd67-df01-4e8e-809e-22e5bd0a4a32" />
		<Keyword Index="AssetId" Term="3d31dd67-df01-4e8e-809e-22e5bd0a4a32" />
		<Keyword Index="AssetId" Term="3d31dd67-df01-4e8e-809e-22e5bd0a4a321033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="PreLaunchTest" Value="Longhorn" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3d31dd67-df01-4e8e-809e-22e5bd0a4a32" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\419159e1-a432-4169-a4cd-45612fbf3266.xml" RLTitle="Advanced Configuration Options for the Certificate Enrollment Web Services">
		<Attr Name="assetid" Value="419159e1-a432-4169-a4cd-45612fbf3266" />
		<Keyword Index="AssetId" Term="419159e1-a432-4169-a4cd-45612fbf3266" />
		<Keyword Index="AssetId" Term="419159e1-a432-4169-a4cd-45612fbf32661033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="419159e1-a432-4169-a4cd-45612fbf3266" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\47cd6246-68d0-4579-8b76-5b5b0998d11d.xml" RLTitle="Configure a Certificate Template for Key Archival">
		<Attr Name="assetid" Value="47cd6246-68d0-4579-8b76-5b5b0998d11d" />
		<Keyword Index="AssetId" Term="47cd6246-68d0-4579-8b76-5b5b0998d11d" />
		<Keyword Index="AssetId" Term="47cd6246-68d0-4579-8b76-5b5b0998d11d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="47cd6246-68d0-4579-8b76-5b5b0998d11d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\49e21964-dc6f-444b-a97f-e7fb70dfbcde.xml" RLTitle="Certification Authorities">
		<Attr Name="assetid" Value="49e21964-dc6f-444b-a97f-e7fb70dfbcde" />
		<Keyword Index="AssetId" Term="49e21964-dc6f-444b-a97f-e7fb70dfbcde" />
		<Keyword Index="AssetId" Term="49e21964-dc6f-444b-a97f-e7fb70dfbcde1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="49e21964-dc6f-444b-a97f-e7fb70dfbcde" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4aaea26c-e132-4c04-9849-e5106f93d042.xml" RLTitle="Revocation Configuration CA Certificates">
		<Attr Name="assetid" Value="4aaea26c-e132-4c04-9849-e5106f93d042" />
		<Keyword Index="AssetId" Term="4aaea26c-e132-4c04-9849-e5106f93d042" />
		<Keyword Index="AssetId" Term="4aaea26c-e132-4c04-9849-e5106f93d0421033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="PreLaunchTest" Value="Longhorn" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4aaea26c-e132-4c04-9849-e5106f93d042" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\51842149-feee-43d7-8813-38a64d1f4caa.xml" RLTitle="Managing Key Archival and Recovery">
		<Attr Name="assetid" Value="51842149-feee-43d7-8813-38a64d1f4caa" />
		<Keyword Index="AssetId" Term="51842149-feee-43d7-8813-38a64d1f4caa" />
		<Keyword Index="AssetId" Term="51842149-feee-43d7-8813-38a64d1f4caa1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="51842149-feee-43d7-8813-38a64d1f4caa" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5531ecb5-3073-490f-80f9-5d263e60b07a.xml" RLTitle="Manage Certificate Revocation">
		<Attr Name="assetid" Value="5531ecb5-3073-490f-80f9-5d263e60b07a" />
		<Keyword Index="AssetId" Term="5531ecb5-3073-490f-80f9-5d263e60b07a" />
		<Keyword Index="AssetId" Term="5531ecb5-3073-490f-80f9-5d263e60b07a1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5531ecb5-3073-490f-80f9-5d263e60b07a" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5ddd6c36-0fb3-457d-94fa-3b1e3fc9c5b2.xml" RLTitle="Establish Restricted Enrollment Agents">
		<Attr Name="assetid" Value="5ddd6c36-0fb3-457d-94fa-3b1e3fc9c5b2" />
		<Keyword Index="AssetId" Term="5ddd6c36-0fb3-457d-94fa-3b1e3fc9c5b2" />
		<Keyword Index="AssetId" Term="5ddd6c36-0fb3-457d-94fa-3b1e3fc9c5b21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5ddd6c36-0fb3-457d-94fa-3b1e3fc9c5b2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\637ff3b3-6881-4ffb-b4f9-ea56171527e0.xml" RLTitle="Common Scenarios for Using Active Directory Certificate Services">
		<Attr Name="assetid" Value="637ff3b3-6881-4ffb-b4f9-ea56171527e0" />
		<Keyword Index="AssetId" Term="637ff3b3-6881-4ffb-b4f9-ea56171527e0" />
		<Keyword Index="AssetId" Term="637ff3b3-6881-4ffb-b4f9-ea56171527e01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="637ff3b3-6881-4ffb-b4f9-ea56171527e0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6517f2bf-bf39-4275-86f6-d579a26e3654.xml" RLTitle="Select a Different Policy Module">
		<Attr Name="assetid" Value="6517f2bf-bf39-4275-86f6-d579a26e3654" />
		<Keyword Index="AssetId" Term="6517f2bf-bf39-4275-86f6-d579a26e3654" />
		<Keyword Index="AssetId" Term="6517f2bf-bf39-4275-86f6-d579a26e36541033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6517f2bf-bf39-4275-86f6-d579a26e3654" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\698175c2-9ca5-4124-a851-937e659232e7.xml" RLTitle="Configuring the Policy and Exit Modules">
		<Attr Name="assetid" Value="698175c2-9ca5-4124-a851-937e659232e7" />
		<Keyword Index="AssetId" Term="698175c2-9ca5-4124-a851-937e659232e7" />
		<Keyword Index="AssetId" Term="698175c2-9ca5-4124-a851-937e659232e71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="698175c2-9ca5-4124-a851-937e659232e7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6a1aa4e4-a0b2-4ec0-9555-5fc32e8c30c0.xml" RLTitle="Checklist: Enhance Wireless Network Security by Requiring Certificates for Authentication and Encryption">
		<Attr Name="assetid" Value="6a1aa4e4-a0b2-4ec0-9555-5fc32e8c30c0" />
		<Keyword Index="AssetId" Term="6a1aa4e4-a0b2-4ec0-9555-5fc32e8c30c0" />
		<Keyword Index="AssetId" Term="6a1aa4e4-a0b2-4ec0-9555-5fc32e8c30c01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6a1aa4e4-a0b2-4ec0-9555-5fc32e8c30c0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\70e5d64c-91ce-4355-a9c9-115fe0866911.xml" RLTitle="Enterprise Certification Authorities">
		<Attr Name="assetid" Value="70e5d64c-91ce-4355-a9c9-115fe0866911" />
		<Keyword Index="AssetId" Term="70e5d64c-91ce-4355-a9c9-115fe0866911" />
		<Keyword Index="AssetId" Term="70e5d64c-91ce-4355-a9c9-115fe08669111033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="70e5d64c-91ce-4355-a9c9-115fe0866911" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\74abcd5f-c2c7-474b-b154-8cfe285a1754.xml" RLTitle="Modify the Online Responder Web Proxy">
		<Attr Name="assetid" Value="74abcd5f-c2c7-474b-b154-8cfe285a1754" />
		<Keyword Index="AssetId" Term="74abcd5f-c2c7-474b-b154-8cfe285a1754" />
		<Keyword Index="AssetId" Term="74abcd5f-c2c7-474b-b154-8cfe285a17541033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="74abcd5f-c2c7-474b-b154-8cfe285a1754" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\78f85b75-f12b-4408-913e-8add44aeb750.xml" RLTitle="Enable Credential Roaming">
		<Attr Name="assetid" Value="78f85b75-f12b-4408-913e-8add44aeb750" />
		<Keyword Index="AssetId" Term="78f85b75-f12b-4408-913e-8add44aeb750" />
		<Keyword Index="AssetId" Term="78f85b75-f12b-4408-913e-8add44aeb7501033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="78f85b75-f12b-4408-913e-8add44aeb750" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7b561f6e-d9a8-43ed-b790-f612482c99f7.xml" RLTitle="Uninstall a Certification Authority">
		<Attr Name="assetid" Value="7b561f6e-d9a8-43ed-b790-f612482c99f7" />
		<Keyword Index="AssetId" Term="7b561f6e-d9a8-43ed-b790-f612482c99f7" />
		<Keyword Index="AssetId" Term="7b561f6e-d9a8-43ed-b790-f612482c99f71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7b561f6e-d9a8-43ed-b790-f612482c99f7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7b886752-8d1f-4594-90ee-14686f79fb22.xml" RLTitle="Checklist: Configure CAs to Issue and Manage Certificates">
		<Attr Name="assetid" Value="7b886752-8d1f-4594-90ee-14686f79fb22" />
		<Keyword Index="AssetId" Term="7b886752-8d1f-4594-90ee-14686f79fb22" />
		<Keyword Index="AssetId" Term="7b886752-8d1f-4594-90ee-14686f79fb221033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7b886752-8d1f-4594-90ee-14686f79fb22" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7f6f2678-440f-4d5f-bada-7953d9ffa6b7.xml" RLTitle="Managing Policy and Exit Modules">
		<Attr Name="assetid" Value="7f6f2678-440f-4d5f-bada-7953d9ffa6b7" />
		<Keyword Index="AssetId" Term="7f6f2678-440f-4d5f-bada-7953d9ffa6b7" />
		<Keyword Index="AssetId" Term="7f6f2678-440f-4d5f-bada-7953d9ffa6b71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7f6f2678-440f-4d5f-bada-7953d9ffa6b7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\82ad05ce-4f9f-4cb0-889b-b0e21bb4766c.xml" RLTitle="Renew OCSP Response Signing Certificates with an Existing Key">
		<Attr Name="assetid" Value="82ad05ce-4f9f-4cb0-889b-b0e21bb4766c" />
		<Keyword Index="AssetId" Term="82ad05ce-4f9f-4cb0-889b-b0e21bb4766c" />
		<Keyword Index="AssetId" Term="82ad05ce-4f9f-4cb0-889b-b0e21bb4766c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="82ad05ce-4f9f-4cb0-889b-b0e21bb4766c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\855f7a2f-429f-40c2-b297-09a55047cc4c.xml" RLTitle="Configuring Delegation Settings for the Certificate Enrollment Web Service Account">
		<Attr Name="assetid" Value="855f7a2f-429f-40c2-b297-09a55047cc4c" />
		<Keyword Index="AssetId" Term="855f7a2f-429f-40c2-b297-09a55047cc4c" />
		<Keyword Index="AssetId" Term="855f7a2f-429f-40c2-b297-09a55047cc4c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="855f7a2f-429f-40c2-b297-09a55047cc4c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\86a959c3-88f5-48ab-8457-21bc8755d205.xml" RLTitle="Checklist: Protect Encrypted Data from Loss by Enabling Key Archival and Recovery">
		<Attr Name="assetid" Value="86a959c3-88f5-48ab-8457-21bc8755d205" />
		<Keyword Index="AssetId" Term="86a959c3-88f5-48ab-8457-21bc8755d205" />
		<Keyword Index="AssetId" Term="86a959c3-88f5-48ab-8457-21bc8755d2051033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="86a959c3-88f5-48ab-8457-21bc8755d205" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\89610b23-0af5-4bc7-8eb9-2e2584d3f0a2.xml" RLTitle="Checklist: Strengthen Identity Management by Issuing Certificates for Smart Cards">
		<Attr Name="assetid" Value="89610b23-0af5-4bc7-8eb9-2e2584d3f0a2" />
		<Keyword Index="AssetId" Term="89610b23-0af5-4bc7-8eb9-2e2584d3f0a2" />
		<Keyword Index="AssetId" Term="89610b23-0af5-4bc7-8eb9-2e2584d3f0a21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="89610b23-0af5-4bc7-8eb9-2e2584d3f0a2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\8cb0540b-a5c2-47e5-913c-4d995a4adc2d.xml" RLTitle="Setting Up Active Directory Certificate Services">
		<Attr Name="assetid" Value="8cb0540b-a5c2-47e5-913c-4d995a4adc2d" />
		<Keyword Index="AssetId" Term="8cb0540b-a5c2-47e5-913c-4d995a4adc2d" />
		<Keyword Index="AssetId" Term="8cb0540b-a5c2-47e5-913c-4d995a4adc2d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="8cb0540b-a5c2-47e5-913c-4d995a4adc2d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\8d3dcbf1-d83e-4be6-866a-a1e9449b3adc.xml" RLTitle="Administer an Online Responder from Another Computer">
		<Attr Name="assetid" Value="8d3dcbf1-d83e-4be6-866a-a1e9449b3adc" />
		<Keyword Index="AssetId" Term="8d3dcbf1-d83e-4be6-866a-a1e9449b3adc" />
		<Keyword Index="AssetId" Term="8d3dcbf1-d83e-4be6-866a-a1e9449b3adc1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="8d3dcbf1-d83e-4be6-866a-a1e9449b3adc" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\910c18a2-6b51-4bc5-8f02-9ff32ffc3087.xml" RLTitle="Creating a Revocation Configuration">
		<Attr Name="assetid" Value="910c18a2-6b51-4bc5-8f02-9ff32ffc3087" />
		<Keyword Index="AssetId" Term="910c18a2-6b51-4bc5-8f02-9ff32ffc3087" />
		<Keyword Index="AssetId" Term="910c18a2-6b51-4bc5-8f02-9ff32ffc30871033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="PreLaunchTest" Value="Longhorn" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="910c18a2-6b51-4bc5-8f02-9ff32ffc3087" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\928ede4c-c06d-4e5b-8d6e-fda1334627ed.xml" RLTitle="Install a Root Certification Authority">
		<Attr Name="assetid" Value="928ede4c-c06d-4e5b-8d6e-fda1334627ed" />
		<Keyword Index="AssetId" Term="928ede4c-c06d-4e5b-8d6e-fda1334627ed" />
		<Keyword Index="AssetId" Term="928ede4c-c06d-4e5b-8d6e-fda1334627ed1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="928ede4c-c06d-4e5b-8d6e-fda1334627ed" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\964edfbd-d935-4352-b054-5e3dfe6c547e.xml" RLTitle="Certificate Enrollment Web Service Overview">
		<Attr Name="assetid" Value="964edfbd-d935-4352-b054-5e3dfe6c547e" />
		<Keyword Index="AssetId" Term="964edfbd-d935-4352-b054-5e3dfe6c547e" />
		<Keyword Index="AssetId" Term="964edfbd-d935-4352-b054-5e3dfe6c547e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="964edfbd-d935-4352-b054-5e3dfe6c547e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\98cde842-f281-4892-9da4-1e467199ea14.xml" RLTitle="Configuring Group Policy to Support the Certificate Enrollment Policy Web Service">
		<Attr Name="assetid" Value="98cde842-f281-4892-9da4-1e467199ea14" />
		<Keyword Index="AssetId" Term="98cde842-f281-4892-9da4-1e467199ea14" />
		<Keyword Index="AssetId" Term="98cde842-f281-4892-9da4-1e467199ea141033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="98cde842-f281-4892-9da4-1e467199ea14" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\99dc782e-81fa-4f86-909b-87489465a650.xml" RLTitle="Installing the Certificate Enrollment Policy Web Service">
		<Attr Name="assetid" Value="99dc782e-81fa-4f86-909b-87489465a650" />
		<Keyword Index="AssetId" Term="99dc782e-81fa-4f86-909b-87489465a650" />
		<Keyword Index="AssetId" Term="99dc782e-81fa-4f86-909b-87489465a6501033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="99dc782e-81fa-4f86-909b-87489465a650" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9ab7283a-533f-4eef-a243-9acbf85cbfbd.xml" RLTitle="Set the Default Action Upon Receipt of a Certificate Request">
		<Attr Name="assetid" Value="9ab7283a-533f-4eef-a243-9acbf85cbfbd" />
		<Keyword Index="AssetId" Term="9ab7283a-533f-4eef-a243-9acbf85cbfbd" />
		<Keyword Index="AssetId" Term="9ab7283a-533f-4eef-a243-9acbf85cbfbd1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9ab7283a-533f-4eef-a243-9acbf85cbfbd" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9b2626dc-5d07-4619-a0cc-be44f9682fb2.xml" RLTitle="Configure CRL and Delta CRL Overlap Periods">
		<Attr Name="assetid" Value="9b2626dc-5d07-4619-a0cc-be44f9682fb2" />
		<Keyword Index="AssetId" Term="9b2626dc-5d07-4619-a0cc-be44f9682fb2" />
		<Keyword Index="AssetId" Term="9b2626dc-5d07-4619-a0cc-be44f9682fb21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9b2626dc-5d07-4619-a0cc-be44f9682fb2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a24a23a7-b723-42fc-8295-2641e6fc5de3.xml" RLTitle="Configure Certificate Autoenrollment">
		<Attr Name="assetid" Value="a24a23a7-b723-42fc-8295-2641e6fc5de3" />
		<Keyword Index="AssetId" Term="a24a23a7-b723-42fc-8295-2641e6fc5de3" />
		<Keyword Index="AssetId" Term="a24a23a7-b723-42fc-8295-2641e6fc5de31033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a24a23a7-b723-42fc-8295-2641e6fc5de3" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a6445362-7927-492f-9e82-0d7058e599f5.xml" RLTitle="Troubleshoot Active Directory Certificate Services">
		<Attr Name="assetid" Value="a6445362-7927-492f-9e82-0d7058e599f5" />
		<Keyword Index="AssetId" Term="a6445362-7927-492f-9e82-0d7058e599f5" />
		<Keyword Index="AssetId" Term="a6445362-7927-492f-9e82-0d7058e599f51033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a6445362-7927-492f-9e82-0d7058e599f5" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a793d37c-717c-4b41-ab67-87bf559f4d80.xml" RLTitle="Audit Online Responder Operations">
		<Attr Name="assetid" Value="a793d37c-717c-4b41-ab67-87bf559f4d80" />
		<Keyword Index="AssetId" Term="a793d37c-717c-4b41-ab67-87bf559f4d80" />
		<Keyword Index="AssetId" Term="a793d37c-717c-4b41-ab67-87bf559f4d801033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a793d37c-717c-4b41-ab67-87bf559f4d80" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\aab315d6-7dad-4d5c-bf0f-a766e8ad0d21.xml" RLTitle="Manage Certificate Path Validation">
		<Attr Name="assetid" Value="aab315d6-7dad-4d5c-bf0f-a766e8ad0d21" />
		<Keyword Index="AssetId" Term="aab315d6-7dad-4d5c-bf0f-a766e8ad0d21" />
		<Keyword Index="AssetId" Term="aab315d6-7dad-4d5c-bf0f-a766e8ad0d211033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="aab315d6-7dad-4d5c-bf0f-a766e8ad0d21" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\afc1d704-3d8f-43de-b4b3-51a062878d14.xml" RLTitle="Securing Active Directory Certificate Services">
		<Attr Name="assetid" Value="afc1d704-3d8f-43de-b4b3-51a062878d14" />
		<Keyword Index="AssetId" Term="afc1d704-3d8f-43de-b4b3-51a062878d14" />
		<Keyword Index="AssetId" Term="afc1d704-3d8f-43de-b4b3-51a062878d141033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="afc1d704-3d8f-43de-b4b3-51a062878d14" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b19a07e1-9984-444d-b968-a330c7a8a60c.xml" RLTitle="Set Up a Certification Authority by Using a Hardware Security Module">
		<Attr Name="assetid" Value="b19a07e1-9984-444d-b968-a330c7a8a60c" />
		<Keyword Index="AssetId" Term="b19a07e1-9984-444d-b968-a330c7a8a60c" />
		<Keyword Index="AssetId" Term="b19a07e1-9984-444d-b968-a330c7a8a60c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b19a07e1-9984-444d-b968-a330c7a8a60c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b3cbf5d7-d1f6-4454-8194-48a3afc87b59.xml" RLTitle="Schedule Publication of Certificate Revocation Lists">
		<Attr Name="assetid" Value="b3cbf5d7-d1f6-4454-8194-48a3afc87b59" />
		<Keyword Index="AssetId" Term="b3cbf5d7-d1f6-4454-8194-48a3afc87b59" />
		<Keyword Index="AssetId" Term="b3cbf5d7-d1f6-4454-8194-48a3afc87b591033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b3cbf5d7-d1f6-4454-8194-48a3afc87b59" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b3d53f51-56f6-4031-8aad-ebdc4c71cb56.xml" RLTitle="Add OCSP Locations to Issued Certificates">
		<Attr Name="assetid" Value="b3d53f51-56f6-4031-8aad-ebdc4c71cb56" />
		<Keyword Index="AssetId" Term="b3d53f51-56f6-4031-8aad-ebdc4c71cb56" />
		<Keyword Index="AssetId" Term="b3d53f51-56f6-4031-8aad-ebdc4c71cb561033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b3d53f51-56f6-4031-8aad-ebdc4c71cb56" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b5af94a1-4caf-4c05-b344-d996fdb9e2eb.xml" RLTitle="Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries">
		<Attr Name="assetid" Value="b5af94a1-4caf-4c05-b344-d996fdb9e2eb" />
		<Keyword Index="AssetId" Term="b5af94a1-4caf-4c05-b344-d996fdb9e2eb" />
		<Keyword Index="AssetId" Term="b5af94a1-4caf-4c05-b344-d996fdb9e2eb1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b5af94a1-4caf-4c05-b344-d996fdb9e2eb" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b71c1373-6f1a-4c93-9eb4-875cc4a58bec.xml" RLTitle="Cryptographic Options for CAs">
		<Attr Name="assetid" Value="b71c1373-6f1a-4c93-9eb4-875cc4a58bec" />
		<Keyword Index="AssetId" Term="b71c1373-6f1a-4c93-9eb4-875cc4a58bec" />
		<Keyword Index="AssetId" Term="b71c1373-6f1a-4c93-9eb4-875cc4a58bec1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b71c1373-6f1a-4c93-9eb4-875cc4a58bec" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b8d01da1-12ac-404b-8239-ff5b59679f02.xml" RLTitle="Send E-mail When a Certification Event Occurs">
		<Attr Name="assetid" Value="b8d01da1-12ac-404b-8239-ff5b59679f02" />
		<Keyword Index="AssetId" Term="b8d01da1-12ac-404b-8239-ff5b59679f02" />
		<Keyword Index="AssetId" Term="b8d01da1-12ac-404b-8239-ff5b59679f021033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b8d01da1-12ac-404b-8239-ff5b59679f02" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1.xml" RLTitle="Certificate Enrollment Policy Web Service Overview">
		<Attr Name="assetid" Value="b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1" />
		<Keyword Index="AssetId" Term="b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1" />
		<Keyword Index="AssetId" Term="b8def29c-47e2-4e6e-8fa6-f4c6db0d71b11033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\bac506b2-57be-45c2-bdf6-1f976eeeb475.xml" RLTitle="Types of Certification Authorities">
		<Attr Name="assetid" Value="bac506b2-57be-45c2-bdf6-1f976eeeb475" />
		<Keyword Index="AssetId" Term="bac506b2-57be-45c2-bdf6-1f976eeeb475" />
		<Keyword Index="AssetId" Term="bac506b2-57be-45c2-bdf6-1f976eeeb4751033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="bac506b2-57be-45c2-bdf6-1f976eeeb475" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\bb63e84f-9313-4b54-b3f2-5a3c8490f250.xml" RLTitle="Revocation Configuration Signing Certificates">
		<Attr Name="assetid" Value="bb63e84f-9313-4b54-b3f2-5a3c8490f250" />
		<Keyword Index="AssetId" Term="bb63e84f-9313-4b54-b3f2-5a3c8490f250" />
		<Keyword Index="AssetId" Term="bb63e84f-9313-4b54-b3f2-5a3c8490f2501033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="PreLaunchTest" Value="Longhorn" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="bb63e84f-9313-4b54-b3f2-5a3c8490f250" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c3b0e476-4bec-411c-b6cc-6bed8a1c378d.xml" RLTitle="Set Up and Use a Smart Card Enrollment Station">
		<Attr Name="assetid" Value="c3b0e476-4bec-411c-b6cc-6bed8a1c378d" />
		<Keyword Index="AssetId" Term="c3b0e476-4bec-411c-b6cc-6bed8a1c378d" />
		<Keyword Index="AssetId" Term="c3b0e476-4bec-411c-b6cc-6bed8a1c378d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c3b0e476-4bec-411c-b6cc-6bed8a1c378d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c651f8cf-5c84-42c0-9a61-37e0000e6989.xml" RLTitle="Implement Role-Based Administration">
		<Attr Name="assetid" Value="c651f8cf-5c84-42c0-9a61-37e0000e6989" />
		<Keyword Index="AssetId" Term="c651f8cf-5c84-42c0-9a61-37e0000e6989" />
		<Keyword Index="AssetId" Term="c651f8cf-5c84-42c0-9a61-37e0000e69891033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c651f8cf-5c84-42c0-9a61-37e0000e6989" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c6fde0cd-3964-42ef-b3af-de1ef683f534.xml" RLTitle="Configure a CA to Support OCSP Responders">
		<Attr Name="assetid" Value="c6fde0cd-3964-42ef-b3af-de1ef683f534" />
		<Keyword Index="AssetId" Term="c6fde0cd-3964-42ef-b3af-de1ef683f534" />
		<Keyword Index="AssetId" Term="c6fde0cd-3964-42ef-b3af-de1ef683f5341033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="PreLaunchTest" Value="Longhorn" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c6fde0cd-3964-42ef-b3af-de1ef683f534" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c8955f83-fed9-4a18-80ea-31e865435f73.xml" RLTitle="Active Directory Certificate Services">
		<Attr Name="assetid" Value="c8955f83-fed9-4a18-80ea-31e865435f73" />
		<Keyword Index="AssetId" Term="c8955f83-fed9-4a18-80ea-31e865435f73" />
		<Keyword Index="AssetId" Term="c8955f83-fed9-4a18-80ea-31e865435f731033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c8955f83-fed9-4a18-80ea-31e865435f73" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\cba53c53-a842-42b1-8de4-7235e0b3c5fc.xml" RLTitle="Revocation Provider Properties">
		<Attr Name="assetid" Value="cba53c53-a842-42b1-8de4-7235e0b3c5fc" />
		<Keyword Index="AssetId" Term="cba53c53-a842-42b1-8de4-7235e0b3c5fc" />
		<Keyword Index="AssetId" Term="cba53c53-a842-42b1-8de4-7235e0b3c5fc1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="PreLaunchTest" Value="Longhorn" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="cba53c53-a842-42b1-8de4-7235e0b3c5fc" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30.xml" RLTitle="Installing the Certificate Enrollment Web Service">
		<Attr Name="assetid" Value="cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30" />
		<Keyword Index="AssetId" Term="cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30" />
		<Keyword Index="AssetId" Term="cd1b5f71-5273-4abb-9ed3-f4ff30e9cf301033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\cf5622e1-daa9-42cc-8b43-14953e34f8b6.xml" RLTitle="Setting Up Certificate Enrollment Web Services">
		<Attr Name="assetid" Value="cf5622e1-daa9-42cc-8b43-14953e34f8b6" />
		<Keyword Index="AssetId" Term="cf5622e1-daa9-42cc-8b43-14953e34f8b6" />
		<Keyword Index="AssetId" Term="cf5622e1-daa9-42cc-8b43-14953e34f8b61033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="cf5622e1-daa9-42cc-8b43-14953e34f8b6" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d6267265-af06-47c2-a2aa-f61695eb4084.xml" RLTitle="Recover a Lost Key">
		<Attr Name="assetid" Value="d6267265-af06-47c2-a2aa-f61695eb4084" />
		<Keyword Index="AssetId" Term="d6267265-af06-47c2-a2aa-f61695eb4084" />
		<Keyword Index="AssetId" Term="d6267265-af06-47c2-a2aa-f61695eb40841033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d6267265-af06-47c2-a2aa-f61695eb4084" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d6d69e62-0640-4055-bee9-8b4a993c6ac8.xml" RLTitle="CA Certificates">
		<Attr Name="assetid" Value="d6d69e62-0640-4055-bee9-8b4a993c6ac8" />
		<Keyword Index="AssetId" Term="d6d69e62-0640-4055-bee9-8b4a993c6ac8" />
		<Keyword Index="AssetId" Term="d6d69e62-0640-4055-bee9-8b4a993c6ac81033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d6d69e62-0640-4055-bee9-8b4a993c6ac8" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d6e60022-fcad-4192-b038-be51c15b8f6a.xml" RLTitle="Set Up Certification Authority Web Enrollment Support">
		<Attr Name="assetid" Value="d6e60022-fcad-4192-b038-be51c15b8f6a" />
		<Keyword Index="AssetId" Term="d6e60022-fcad-4192-b038-be51c15b8f6a" />
		<Keyword Index="AssetId" Term="d6e60022-fcad-4192-b038-be51c15b8f6a1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d6e60022-fcad-4192-b038-be51c15b8f6a" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d762c3f4-f7ac-4af2-8e2d-331d33dc0583.xml" RLTitle="Configuring the Certificate Enrollment Web Service for Renewal Only Mode">
		<Attr Name="assetid" Value="d762c3f4-f7ac-4af2-8e2d-331d33dc0583" />
		<Keyword Index="AssetId" Term="d762c3f4-f7ac-4af2-8e2d-331d33dc0583" />
		<Keyword Index="AssetId" Term="d762c3f4-f7ac-4af2-8e2d-331d33dc05831033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d762c3f4-f7ac-4af2-8e2d-331d33dc0583" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e22f74dc-82e6-4b3e-8429-5f1faf393f33.xml" RLTitle="Using Policy to Manage Active Directory Certificate Services">
		<Attr Name="assetid" Value="e22f74dc-82e6-4b3e-8429-5f1faf393f33" />
		<Keyword Index="AssetId" Term="e22f74dc-82e6-4b3e-8429-5f1faf393f33" />
		<Keyword Index="AssetId" Term="e22f74dc-82e6-4b3e-8429-5f1faf393f331033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e22f74dc-82e6-4b3e-8429-5f1faf393f33" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e2d10a64-83c5-4a2b-bcca-e6984de16fdf.xml" RLTitle="Active Directory Certificate Services Resources">
		<Attr Name="assetid" Value="e2d10a64-83c5-4a2b-bcca-e6984de16fdf" />
		<Keyword Index="AssetId" Term="e2d10a64-83c5-4a2b-bcca-e6984de16fdf" />
		<Keyword Index="AssetId" Term="e2d10a64-83c5-4a2b-bcca-e6984de16fdf1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e2d10a64-83c5-4a2b-bcca-e6984de16fdf" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e3990c59-f588-45ad-b3fd-3052e0b4f659.xml" RLTitle="Managing a Certification Authority">
		<Attr Name="assetid" Value="e3990c59-f588-45ad-b3fd-3052e0b4f659" />
		<Keyword Index="AssetId" Term="e3990c59-f588-45ad-b3fd-3052e0b4f659" />
		<Keyword Index="AssetId" Term="e3990c59-f588-45ad-b3fd-3052e0b4f6591033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e3990c59-f588-45ad-b3fd-3052e0b4f659" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e8c88a49-84e8-48a8-a303-9aab2e68a1db.xml" RLTitle="Verify an Online Responder Installation">
		<Attr Name="assetid" Value="e8c88a49-84e8-48a8-a303-9aab2e68a1db" />
		<Keyword Index="AssetId" Term="e8c88a49-84e8-48a8-a303-9aab2e68a1db" />
		<Keyword Index="AssetId" Term="e8c88a49-84e8-48a8-a303-9aab2e68a1db1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="PreLaunchTest" Value="Longhorn" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e8c88a49-84e8-48a8-a303-9aab2e68a1db" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e9bd1194-e088-4671-840f-0847cf5ee2a0.xml" RLTitle="Install a Subordinate Certification Authority">
		<Attr Name="assetid" Value="e9bd1194-e088-4671-840f-0847cf5ee2a0" />
		<Keyword Index="AssetId" Term="e9bd1194-e088-4671-840f-0847cf5ee2a0" />
		<Keyword Index="AssetId" Term="e9bd1194-e088-4671-840f-0847cf5ee2a01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e9bd1194-e088-4671-840f-0847cf5ee2a0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2.xml" RLTitle="Active Directory Certificate Services Overview">
		<Attr Name="assetid" Value="ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2" />
		<Keyword Index="AssetId" Term="ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2" />
		<Keyword Index="AssetId" Term="ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ef9ce3f2-30f8-4cac-b1a5-930e3ef8c0cd.xml" RLTitle="Publish Certificates to the File System">
		<Attr Name="assetid" Value="ef9ce3f2-30f8-4cac-b1a5-930e3ef8c0cd" />
		<Keyword Index="AssetId" Term="ef9ce3f2-30f8-4cac-b1a5-930e3ef8c0cd" />
		<Keyword Index="AssetId" Term="ef9ce3f2-30f8-4cac-b1a5-930e3ef8c0cd1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ef9ce3f2-30f8-4cac-b1a5-930e3ef8c0cd" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f07ac4f6-269b-41d7-9d09-06ca4930bff4.xml" RLTitle="Checklist: Enhance Certificate Revocation Checking in Diverse Environments by Setting Up an Online Responder Array">
		<Attr Name="assetid" Value="f07ac4f6-269b-41d7-9d09-06ca4930bff4" />
		<Keyword Index="AssetId" Term="f07ac4f6-269b-41d7-9d09-06ca4930bff4" />
		<Keyword Index="AssetId" Term="f07ac4f6-269b-41d7-9d09-06ca4930bff41033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f07ac4f6-269b-41d7-9d09-06ca4930bff4" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f0bb5698-e30a-46fc-92d2-10d1f949e970.xml" RLTitle="Select a Different Exit Module">
		<Attr Name="assetid" Value="f0bb5698-e30a-46fc-92d2-10d1f949e970" />
		<Keyword Index="AssetId" Term="f0bb5698-e30a-46fc-92d2-10d1f949e970" />
		<Keyword Index="AssetId" Term="f0bb5698-e30a-46fc-92d2-10d1f949e9701033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f0bb5698-e30a-46fc-92d2-10d1f949e970" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f3911350-ab45-494d-a07e-d0b9696a651e.xml" RLTitle="Use the Network Device Enrollment Service">
		<Attr Name="assetid" Value="f3911350-ab45-494d-a07e-d0b9696a651e" />
		<Keyword Index="AssetId" Term="f3911350-ab45-494d-a07e-d0b9696a651e" />
		<Keyword Index="AssetId" Term="f3911350-ab45-494d-a07e-d0b9696a651e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f3911350-ab45-494d-a07e-d0b9696a651e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f4d0ff2c-e17f-4cf6-997b-413d844d71d0.xml" RLTitle="Stand-Alone Certification Authorities">
		<Attr Name="assetid" Value="f4d0ff2c-e17f-4cf6-997b-413d844d71d0" />
		<Keyword Index="AssetId" Term="f4d0ff2c-e17f-4cf6-997b-413d844d71d0" />
		<Keyword Index="AssetId" Term="f4d0ff2c-e17f-4cf6-997b-413d844d71d01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f4d0ff2c-e17f-4cf6-997b-413d844d71d0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f5ae6b2c-a94f-4e74-a3b9-59cdcf195575.xml" RLTitle="Recurring Management Tasks">
		<Attr Name="assetid" Value="f5ae6b2c-a94f-4e74-a3b9-59cdcf195575" />
		<Keyword Index="AssetId" Term="f5ae6b2c-a94f-4e74-a3b9-59cdcf195575" />
		<Keyword Index="AssetId" Term="f5ae6b2c-a94f-4e74-a3b9-59cdcf1955751033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f5ae6b2c-a94f-4e74-a3b9-59cdcf195575" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f9e48956-7408-4ec8-8907-b2b5b075ad77.xml" RLTitle="Configure CA Event Auditing">
		<Attr Name="assetid" Value="f9e48956-7408-4ec8-8907-b2b5b075ad77" />
		<Keyword Index="AssetId" Term="f9e48956-7408-4ec8-8907-b2b5b075ad77" />
		<Keyword Index="AssetId" Term="f9e48956-7408-4ec8-8907-b2b5b075ad771033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f9e48956-7408-4ec8-8907-b2b5b075ad77" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\fbe9a9e0-ae87-4134-9dec-48bfda4266df.xml" RLTitle="Use Policy to Distribute Certificates">
		<Attr Name="assetid" Value="fbe9a9e0-ae87-4134-9dec-48bfda4266df" />
		<Keyword Index="AssetId" Term="fbe9a9e0-ae87-4134-9dec-48bfda4266df" />
		<Keyword Index="AssetId" Term="fbe9a9e0-ae87-4134-9dec-48bfda4266df1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="fbe9a9e0-ae87-4134-9dec-48bfda4266df" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\fddd4b0c-c6c1-4800-8f5d-1f77d77d2a2c.xml" RLTitle="Review Pending Certificate Requests">
		<Attr Name="assetid" Value="fddd4b0c-c6c1-4800-8f5d-1f77d77d2a2c" />
		<Keyword Index="AssetId" Term="fddd4b0c-c6c1-4800-8f5d-1f77d77d2a2c" />
		<Keyword Index="AssetId" Term="fddd4b0c-c6c1-4800-8f5d-1f77d77d2a2c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1718" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="fddd4b0c-c6c1-4800-8f5d-1f77d77d2a2c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
</VTopicSet><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpTOC>
<HelpTOC xmlns="http://schemas.microsoft.com/help/toc/2004/11" DTDVersion="1.0" Id="certsvr_TOC" FileVersion="" LangId="1033" ParentNodeIcon="Book" PluginStyle="Hierarchical">
	<HelpTOCNode Url="mshelp://windows/?tocid=973f8f06-f1f1-4c42-865f-ce321fc56919" Title="">
		<HelpTOCNode Url="mshelp://windows/?id=c8955f83-fed9-4a18-80ea-31e865435f73" Title="Active Directory Certificate Services">
			<HelpTOCNode Url="mshelp://windows/?id=ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2" Title="Active Directory Certificate Services Overview">
				<HelpTOCNode Url="mshelp://windows/?id=26af007f-65e7-4f2b-a154-2bdcc7af2657" Title="Public Key Infrastructures" />
				<HelpTOCNode Url="mshelp://windows/?id=bac506b2-57be-45c2-bdf6-1f976eeeb475" Title="Types of Certification Authorities">
					<HelpTOCNode Url="mshelp://windows/?id=70e5d64c-91ce-4355-a9c9-115fe0866911" Title="Enterprise Certification Authorities" />
					<HelpTOCNode Url="mshelp://windows/?id=f4d0ff2c-e17f-4cf6-997b-413d844d71d0" Title="Stand-Alone Certification Authorities" />
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=964edfbd-d935-4352-b054-5e3dfe6c547e" Title="Certificate Enrollment Web Service Overview" />
				<HelpTOCNode Url="mshelp://windows/?id=b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1" Title="Certificate Enrollment Policy Web Service Overview" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=637ff3b3-6881-4ffb-b4f9-ea56171527e0" Title="Common Scenarios for Using Active Directory Certificate Services">
				<HelpTOCNode Url="mshelp://windows/?id=7b886752-8d1f-4594-90ee-14686f79fb22" Title="Checklist: Configure CAs to Issue and Manage Certificates" />
				<HelpTOCNode Url="mshelp://windows/?id=86a959c3-88f5-48ab-8457-21bc8755d205" Title="Checklist: Protect Encrypted Data from Loss by Enabling Key Archival and Recovery" />
				<HelpTOCNode Url="mshelp://windows/?id=f07ac4f6-269b-41d7-9d09-06ca4930bff4" Title="Checklist: Enhance Certificate Revocation Checking in Diverse Environments by Setting Up an Online Responder Array" />
				<HelpTOCNode Url="mshelp://windows/?id=05c491e0-99e3-4a33-aab8-8b00c32c5bdf" Title="Checklist: Authenticate Web Servers with Certificates Issued by a Windows-Based CA" />
				<HelpTOCNode Url="mshelp://windows/?id=6a1aa4e4-a0b2-4ec0-9555-5fc32e8c30c0" Title="Checklist: Enhance Wireless Network Security by Requiring Certificates for Authentication and Encryption" />
				<HelpTOCNode Url="mshelp://windows/?id=89610b23-0af5-4bc7-8eb9-2e2584d3f0a2" Title="Checklist: Strengthen Identity Management by Issuing Certificates for Smart Cards" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=8cb0540b-a5c2-47e5-913c-4d995a4adc2d" Title="Setting Up Active Directory Certificate Services">
				<HelpTOCNode Url="mshelp://windows/?id=24bce8a3-bf9b-48b9-adfa-b523d393038c" Title="Setting Up a Certification Authority">
					<HelpTOCNode Url="mshelp://windows/?id=928ede4c-c06d-4e5b-8d6e-fda1334627ed" Title="Install a Root Certification Authority">
						<HelpTOCNode Url="mshelp://windows/?id=0588b149-8413-421d-844c-9a53857eac65" Title="Certification Authority Naming" />
						<HelpTOCNode Url="mshelp://windows/?id=b71c1373-6f1a-4c93-9eb4-875cc4a58bec" Title="Cryptographic Options for CAs" />
						<HelpTOCNode Url="mshelp://windows/?id=0f428311-c433-460c-96be-ced456f7e016" Title="Certificates Database" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=e9bd1194-e088-4671-840f-0847cf5ee2a0" Title="Install a Subordinate Certification Authority" />
					<HelpTOCNode Url="mshelp://windows/?id=b19a07e1-9984-444d-b968-a330c7a8a60c" Title="Set Up a Certification Authority by Using a Hardware Security Module" />
					<HelpTOCNode Url="mshelp://windows/?id=7b561f6e-d9a8-43ed-b790-f612482c99f7" Title="Uninstall a Certification Authority" />
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=d6e60022-fcad-4192-b038-be51c15b8f6a" Title="Set Up Certification Authority Web Enrollment Support" />
				<HelpTOCNode Url="mshelp://windows/?id=281af9f9-b1cb-4efa-99d0-ba44e9b7ee21" Title="Configure the Network Device Enrollment Service" />
				<HelpTOCNode Url="mshelp://windows/?id=1eb5a9e3-de04-44a0-8972-bc744ca43320" Title="Setting Up Online Responder Services in a Network">
					<HelpTOCNode Url="mshelp://windows/?id=c6fde0cd-3964-42ef-b3af-de1ef683f534" Title="Configure a CA to Support OCSP Responders" />
					<HelpTOCNode Url="mshelp://windows/?id=3d31dd67-df01-4e8e-809e-22e5bd0a4a32" Title="Set Up an Online Responder" />
					<HelpTOCNode Url="mshelp://windows/?id=910c18a2-6b51-4bc5-8f02-9ff32ffc3087" Title="Creating a Revocation Configuration">
						<HelpTOCNode Url="mshelp://windows/?id=4aaea26c-e132-4c04-9849-e5106f93d042" Title="Revocation Configuration CA Certificates" />
						<HelpTOCNode Url="mshelp://windows/?id=bb63e84f-9313-4b54-b3f2-5a3c8490f250" Title="Revocation Configuration Signing Certificates" />
						<HelpTOCNode Url="mshelp://windows/?id=cba53c53-a842-42b1-8de4-7235e0b3c5fc" Title="Revocation Provider Properties" />
						<HelpTOCNode Url="mshelp://windows/?id=2979e21a-28f0-4e84-b978-e52514a86f90" Title="Revocation Provider Signing" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=e8c88a49-84e8-48a8-a303-9aab2e68a1db" Title="Verify an Online Responder Installation" />
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=cf5622e1-daa9-42cc-8b43-14953e34f8b6" Title="Setting Up Certificate Enrollment Web Services">
					<HelpTOCNode Url="mshelp://windows/?id=cd1b5f71-5273-4abb-9ed3-f4ff30e9cf30" Title="Installing the Certificate Enrollment Web Service" />
					<HelpTOCNode Url="mshelp://windows/?id=99dc782e-81fa-4f86-909b-87489465a650" Title="Installing the Certificate Enrollment Policy Web Service" />
					<HelpTOCNode Url="mshelp://windows/?id=0e22c650-0bdd-4807-8a90-68dbf4f39dc2" Title="Configuring Server Certificates for Certificate Enrollment Web Services" />
					<HelpTOCNode Url="mshelp://windows/?id=98cde842-f281-4892-9da4-1e467199ea14" Title="Configuring Group Policy to Support the Certificate Enrollment Policy Web Service" />
					<HelpTOCNode Url="mshelp://windows/?id=855f7a2f-429f-40c2-b297-09a55047cc4c" Title="Configuring Delegation Settings for the Certificate Enrollment Web Service Account" />
					<HelpTOCNode Url="mshelp://windows/?id=d762c3f4-f7ac-4af2-8e2d-331d33dc0583" Title="Configuring the Certificate Enrollment Web Service for Renewal Only Mode" />
					<HelpTOCNode Url="mshelp://windows/?id=b5af94a1-4caf-4c05-b344-d996fdb9e2eb" Title="Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries" />
					<HelpTOCNode Url="mshelp://windows/?id=419159e1-a432-4169-a4cd-45612fbf3266" Title="Advanced Configuration Options for the Certificate Enrollment Web Services" />
				</HelpTOCNode>
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=e3990c59-f588-45ad-b3fd-3052e0b4f659" Title="Managing a Certification Authority">
				<HelpTOCNode Url="mshelp://windows/?id=026bba14-e615-409f-a480-01ef71375fbf" Title="Install and Use the Certification Authority Snap-In" />
				<HelpTOCNode Url="mshelp://windows/?id=1227bc23-4eea-478e-921b-9c805f3925b9" Title="Infrequent Management Tasks">
					<HelpTOCNode Url="mshelp://windows/?id=afc1d704-3d8f-43de-b4b3-51a062878d14" Title="Securing Active Directory Certificate Services">
						<HelpTOCNode Url="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989" Title="Implement Role-Based Administration" />
						<HelpTOCNode Url="mshelp://windows/?id=1b396c19-25ca-4855-bc60-fb06af1ea3d4" Title="Restrict Certificate Managers" />
						<HelpTOCNode Url="mshelp://windows/?id=5ddd6c36-0fb3-457d-94fa-3b1e3fc9c5b2" Title="Establish Restricted Enrollment Agents" />
						<HelpTOCNode Url="mshelp://windows/?id=f9e48956-7408-4ec8-8907-b2b5b075ad77" Title="Configure CA Event Auditing" />
						<HelpTOCNode Url="mshelp://windows/?id=b8d01da1-12ac-404b-8239-ff5b59679f02" Title="Send E-mail When a Certification Event Occurs" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=336d3a6a-33c6-4083-8606-c0a4fdca9a25" Title="Configuring Certificate Revocation">
						<HelpTOCNode Url="mshelp://windows/?id=18656667-17b6-4e81-af4c-4ff1b767c8b8" Title="Specify CRL Distribution Points" />
						<HelpTOCNode Url="mshelp://windows/?id=9b2626dc-5d07-4619-a0cc-be44f9682fb2" Title="Configure CRL and Delta CRL Overlap Periods" />
						<HelpTOCNode Url="mshelp://windows/?id=b3cbf5d7-d1f6-4454-8194-48a3afc87b59" Title="Schedule Publication of Certificate Revocation Lists" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=51842149-feee-43d7-8813-38a64d1f4caa" Title="Managing Key Archival and Recovery">
						<HelpTOCNode Url="mshelp://windows/?id=12afc6dc-7e94-471f-953b-9ed9271a1b85" Title="Identify a Key Recovery Agent" />
						<HelpTOCNode Url="mshelp://windows/?id=07a53b9e-c593-4264-8126-508e743dc155" Title="Enable Key Archival for a CA" />
						<HelpTOCNode Url="mshelp://windows/?id=47cd6246-68d0-4579-8b76-5b5b0998d11d" Title="Configure a Certificate Template for Key Archival" />
						<HelpTOCNode Url="mshelp://windows/?id=d6267265-af06-47c2-a2aa-f61695eb4084" Title="Recover a Lost Key" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=7f6f2678-440f-4d5f-bada-7953d9ffa6b7" Title="Managing Policy and Exit Modules">
						<HelpTOCNode Url="mshelp://windows/?id=698175c2-9ca5-4124-a851-937e659232e7" Title="Configuring the Policy and Exit Modules" />
						<HelpTOCNode Url="mshelp://windows/?id=6517f2bf-bf39-4275-86f6-d579a26e3654" Title="Select a Different Policy Module" />
						<HelpTOCNode Url="mshelp://windows/?id=f0bb5698-e30a-46fc-92d2-10d1f949e970" Title="Select a Different Exit Module" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=11b65839-a8fb-47cf-aaec-687e5428e8cc" Title="Protecting a CA from Data Loss">
						<HelpTOCNode Url="mshelp://windows/?id=25fbd545-9aa8-4e2a-a9bc-eac92cf8bd40" Title="Back Up a Certification Authority" />
						<HelpTOCNode Url="mshelp://windows/?id=1b4c0f44-d488-41e8-afb3-80408014c64f" Title="Restore a CA from a Backup Copy" />
					</HelpTOCNode>
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=f5ae6b2c-a94f-4e74-a3b9-59cdcf195575" Title="Recurring Management Tasks">
					<HelpTOCNode Url="mshelp://windows/?id=3435d75d-3bec-41c9-8ba2-dc16511d4e12" Title="Managing Certificate Enrollment">
						<HelpTOCNode Url="mshelp://windows/?id=a24a23a7-b723-42fc-8295-2641e6fc5de3" Title="Configure Certificate Autoenrollment" />
						<HelpTOCNode Url="mshelp://windows/?id=9ab7283a-533f-4eef-a243-9acbf85cbfbd" Title="Set the Default Action Upon Receipt of a Certificate Request" />
						<HelpTOCNode Url="mshelp://windows/?id=fddd4b0c-c6c1-4800-8f5d-1f77d77d2a2c" Title="Review Pending Certificate Requests" />
						<HelpTOCNode Url="mshelp://windows/?id=ef9ce3f2-30f8-4cac-b1a5-930e3ef8c0cd" Title="Publish Certificates to the File System" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=5531ecb5-3073-490f-80f9-5d263e60b07a" Title="Manage Certificate Revocation" />
				</HelpTOCNode>
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=f3911350-ab45-494d-a07e-d0b9696a651e" Title="Use the Network Device Enrollment Service" />
			<HelpTOCNode Url="mshelp://windows/?id=e22f74dc-82e6-4b3e-8429-5f1faf393f33" Title="Using Policy to Manage Active Directory Certificate Services">
				<HelpTOCNode Url="mshelp://windows/?id=78f85b75-f12b-4408-913e-8add44aeb750" Title="Enable Credential Roaming" />
				<HelpTOCNode Url="mshelp://windows/?id=aab315d6-7dad-4d5c-bf0f-a766e8ad0d21" Title="Manage Certificate Path Validation" />
				<HelpTOCNode Url="mshelp://windows/?id=fbe9a9e0-ae87-4134-9dec-48bfda4266df" Title="Use Policy to Distribute Certificates" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=a6445362-7927-492f-9e82-0d7058e599f5" Title="Troubleshoot Active Directory Certificate Services" />
			<HelpTOCNode Url="mshelp://windows/?id=e2d10a64-83c5-4a2b-bcca-e6984de16fdf" Title="Active Directory Certificate Services Resources" />
		</HelpTOCNode>
	</HelpTOCNode>
</HelpTOC><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="AssetId" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="BestBet" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="LinkTerm" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="SubjectTerm" /> QP$:euGTIZ(ZTZDEzZ a%%
k*"<w{o_~$$5<Z$3 z'K8_ Y-Y$fKI :!Xe7,4:cNQNON-U
r o:3UEV
5bH
LW
E2Kb?F+g;|_) JD&@"lJX^?_8#Bqk])VqV{~/=׿WS<u	>ED?Y>"=qҟ鲋'1Cvq$0{#`R(Dtw U)^x	}W:Szh^.+՞{quJlg\H|^
tCxnN8LCңLw9u(EiWHE=Nq18a<B$iWc%8&8.y[uv#$~>eU+Rl_g(XRؓRR^'=ŤIi^΃[q#|^SĢ܈YRw$.K<ԗ"&z$"4:5<vueծ8f;(tzJCINsvtX<pT=v\b<mzq=N"RүqϹI%yM/ĞN:q]+Q')|^Slo|OO2ɳ:?BSoC6~]}V>QzUJ|{T^H]\z=Nf織Y]U-ZYA[;V]Eq;}
q=l%ev$K_BAX>DP~ucUsSsc?kh|3'g_|/!NU~/>Y܍X߀_Rޝy7KxYw_Y~֢70)tS]#3S/mR/d<lZY@n+ZBY!>z~!%{WԾ'"+#EqpԷţ?c9GԘ:QzR+Ob=GDd"gZ7E,x;-dI\Q	~_̟I"I\,&K$x'|o)\ED/8'E'WQԏ%U/>!|wIqtXJh]X/*?}0B0gA){.ʃqDw4qvE{JpxN/
,&VA􉧋8Il/--IpGN}D:O^^E{"Oq\!"~ҁ"=(>-"BXvqhxĭzQ4\rE"Wb]z>9[CEDD2:RRNӽz,Y,CB4K#J3ZDE"~ҙIJ"X:T[DC7ExцӮE"ۡ|1Q/KM+Eأ.
v_V@xuֱ"5E6ֱǢ[ru,El,cEl,cыg~v,Em,cQŰŎkqq,^y%-Љ-e7PԌSh]4MӨ6Yצ>-uCSlZ?%._t1o7Ԉz^}n7DtS:> uGncA$Pv~?"\Wr:_Yբ}kZZsttQ3b`ւť?NZusba'EO?e"-Xbŏr?.:~|,]Y1xdɏNj+?Z0/,~^hNyf"'u3?Ƿ= f؜AE>;3KV@.ZF+ 
4}NG
;k[jclku:.g+|;l! =>mP6
r7`z
A B0~ 8tBF 4`h=O?_1Eşau"n˩<frpOYvtT?I
z]±“?oWӠpI,'3_98rpDI1'D59ar8pI\Ó8,'t'16De98rp$DIQ-'69kq8$IdÓ-'[NDq98rp$IX.']ND8p$/'Q^Nq8rpIؗ/'_ND9D9s8p$80'aNbD98sp&$TI1'bcND9s8!p$FIÓ82'eNbD98q$I'bfNvq8$Iԏ'fNy89spv$I4'D=9s8Ep$I$ÓX4'iND98Usp$dIؚ5'kND9s8ep$I'q>D8pIX6'?9p$IěÓ7'QnND98}spIQ'A9	p$IÓ8'QBb8$hȇ8$j'qC9@
																																																							ӟɔ#$CPD	&CPD"e(R"DP!C"Eh(EıC"Gi(E8PD
E$8C4"PDHȡHqC9.CPDɡHʡHC5"+("}C9iC"5""/s("1("djEDdPEdhPD
EP9C5"b8("jEDrPϡHСHѡH5"G("t""Ik(EdPDdEDP4<ԡDC:C:C:C"^k(E
H	C:C:bC("dl} .@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @MZdVG|KDXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXW?ЋYdx?ߓHIIt?>'=awG=NO"O#ɝΛ?G%y:S'$<,|^/9*dϫ&X6G<xsתOR_gt|d@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dd@@dg@4v@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@44@@43_c 6``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``66``LJypC8!Cp!8pC8!Cp!8pC8!Cp!8pC8!Cp!8pC8!Cp!8pC8!Cp!8pC8!Cp!8pC8!Cp!8pC8!Cpkܟ3J4v/?f=oORط	$@$$@@$$@@$$@@$$@@$$@@$$@@$AHЃ	k鋺										t 7}H:H							>%,>Ő,						k2D@Y ֒ 
EDqHHHHHHHHHHHHH3y`IDxh
4@H(
4
P5H@ƃk Oq|`۰mn@`zpAR4 akX׃d$@$H	!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!bdugOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O'u>b!b!Hc1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C$<tOt<O<tOt<O<tOt<O=$Ot<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tOt<O<tIAF?!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!t]⧟΢$@A$@@$A:^C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1Csx:鎧:x㞎x:鎧:x㞎x:鎧:x㞎x:鎧:x㞎x:鎧:x㞎x:鎧:x㞎x:鎧:x㞎x:鎧:x㞎x:鎧:x㞎x:鎧:x㞎x:鎧:x㞎x:鎧:x}1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1c1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C|1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1c"!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!?4C1C1
+|NsZf'ݖm0ɧ޿JIJZQ:]Oߌ6v\?5~0.?Y'iGW<
o$6wnk,+Ae
v^ojKEuCwzO}yl>o(ȿϟ(?K
<1עqAgl$U(]|/Ϧӂ~i{a2IY4VSoлe_S%vm p{UaV1%"J
[5;
ar?.%բcAFDZH	O5VO	Y^|2aԉ:UISQ}AW"LrĘCev{E)I07iN7]Ҋ\o?.B3gq7=~VظYBiK_W;;!=Wձz=kOqO94wݣu^yoy0ߔ\3]rY͕HYm0N{D?H
j՝M\Pf}sƲ<^katݔ f8Lc>к4vmMۜʂkԒ:>zWe*9K.\vȕo&F2Bb,#A]䒻6pu6=9-2IYnem@z-.fy'Us6K
՛3C*^=E6}MST\KrV8͆K6V
D˳ʠH=|{
BCkKv0W3Vc?.<}gFgǛrO>x
f5@XBcUq	0wffĩa~$E2LlSS~Q%zZǟfs5tXf>=LP>.*C<goUʘ}XUW~?wG<UU}6гWæ],>gC-5ւ="}?
vĘ]41t͖-&%EV
*yiJҢy.wFJ{0~	 !ǯշ=\Q򣚅%5TAECG@jrQJ?Ϙ"vsGw hgi,:uxuqoPhvk+B4 ZʅM"n[䑛g3պsƃi!,*^@2wֶpJ'pBc16#VC4Iǟq,oe5X#(҂?bzذ1RٕO:z<öÜ3
`~Av^EB޹C^
f<yP%b/d1,Ƭn7j5-MqLLHDvY)_ʚKCY׋J?[d۳$zzVQP7#8^-+s/&x|<(xXѮ*^m;JߎhLrt}
tSceU"#Ǘq5|iU~E{rKg ~k+=4q0m'{xn7~jͲܦWՅٸ=ơzJ֣S.٢>~>.QB”6\5һQ~eqk?ɓ
G^Kv!_r׉f6<=e7opkv͠Bɘ47^Y?˴MJѫ3)Y>*e~~ȷߺt[춉6ί9DŁvH9~⛐.σy3ցb~D6%],oAQX+92WMNfiO؅ǥrюlb節[jt8)<Z1/G3`gͤ7fʹzmL67Uf
Q0kNQ~˭Ͼ4HYG9z
RzYQ=S5?ߗoyPxJiQrIKTsPͺ>lգ}PQ]* |X6haT-^_f҂(VDQ?rpY;(Ustgθ`.a7SHmEQ>1ЯY}}jyiVq&J.ܹ:mEAcj;I{mCtQ5['S+e$EpmP$ö_ζZglh.<ce_r|FցcO1zn0iEc\&;Gіmz:mm]Ϫ
diչ|[A[uu]r(a,i,r[lG
ށs饋c޻zeDƑ-Ո,	t~U}"5=N$(鼟TeC!1Mծ og:ו=аn[5Y{z#FM4Tx8VM͡Mjbewp)
.UzFFV3]<7ߝRZ)04F[Yy;	tH:,<fox7tCmJ,Dw̉oMIE}>fC1Fr(,b˔C(|{]+~*_HWp{nGF?v(ox1GMkx
hFKc|A
7݃m" J	x\}4⍒ܪ\7CՐ\c.M-~HkL..ֺClE6Mi9u&@mIg+9%>ӟs\
;2ҽ-nwf3=~5ܙk5sх*	WF݆_ckΐ۪&_̶*IUI<v8$rHeV	{}OJ(mMQ{FXy}?dIFk5*J^AߊTaK[wk^JO^R9fFް[;uK>j9()ܒrZ#=kY's{[Ns]xjv̉l1-=$i2_^+wXW^~?|_6 dvYEKMZ-eezwbH8j7syjs;8KHz8k6+QFJiA;tFU`Oj.~^]Ow>[\{Y<vgCN
9KOlBdl=^W7ۛ4?j8v?"u_)xY>"ZrsaC4EFYqunJh3 r˳qu=9Ƹ**nއ~~܇ǔ\6{^ө?Oq!	\݇DŽ?;WxXPj^soWxr$͓%VjPs>l
:8-w	umr8)uhK^$EXr_S##Gҹd-Fj۟,q{k&en&xʼ[_1?tvT>U
\s1?àCW3kzsCibO2SSK}ktׁ'voH<ZUNnuh7~<K[͓C\hLDR;ƿ*rPQۙKwj]ʘZIW$o:6UoMhx
Z:_6=V_:N+΂{+~]X7q͸4'5{[վW\ɘ2]Xnw"EZIN|3c'EϓFwހݖ}=V#hKDrRZ\
hzm_n[h-h2lJΜu6nuh7|4Ն-J%~cK7JJzk991?|ڡOnIޥA+&zCA6o,U<^T(yT~scK{0uF>`aevZ-u(9k)

:2D\Wo}`;X	TR~G[HQ?i*w
N"#:᭿$9<4Vled:(=ho9uN7UsnᷳrmZǭr;ZFzlΩkQr&¼_R.
kQ	O$i~4(i[+'gAeة&	Dzz_r"CtO@S
pxTdl$K1˧c_23۩%Ź?[D/IMhűؚ	ZPI2ꯥLծ|Yn|MfPX+NSngTJ)feCOOHbZyT;	"@/[tߧ	l(AT!B
noWWҨ	8:|,<N
8\6p<w~Yʴ6E:f폯m 
7KM׎qO߈Wd᠜6ٴRU?9MVƶ]j.%N8q4s\)_TvX
ױFI?v"Z89μWz⼼Bܑ0SrSNF3Db
4fgxSKTz;Ç!紺ѿ
yy>ã4F\<5ή(m8O?ɏO7-N&5RL0͇}|8;V{w>J"6{RNO6iʈ5Y&ģ;OGD$UZ]U֝u<:rY4fۣ0c9sIsɢ_H^E8e%bvofgcbx"0fvn7g?;b%_ș狾o\fhoVTO6gӁxWSeD跟>e21!cνT/!	h1
o}L;*Ʒ+ƛU{ԹYH*:r>\.;R#£
kef\zfTh׍ʫ΅sjRL(ʵSE:pmtZK=az׌uWf6lL}[
J?ۯ5y*ؗ.	(M1ۻ(]S傍:ٵ-۴vzWQS]lfu{AScugHVh`"vUTn-gS\moV-EqW冢k{^mR5*
1Yjlvy/^,;O~bx5}Yy|ۢliӍ~b\/`Uޯ4[Xr0OUV,\YrBF?*ZhXS3&QؖPq5[j=6())e•l{`&YҴ
'5k>Keɨy݋o9o!{nQ)(W&GGβT%h]ꓶv	s,
 (c-4vk?;0k5OfxEp#g0uJc8-]Y覮z`S/hY|
w?;1"Zͼw\}g4r.ߧ:en_-Gweg];,m_nz
ƍ8
wuR܋Rѕg/J7
\/Ѥp;
E<	"csMz[h䳼Ծ
읮bH=Ic<ϑxI9CG
An0m]G.Kr$5F.D!e
^!&OPAYAEVd-C/_B?qb~Hހڋ_~E~O%m_D{h_
q>PEٗp$9"2$S9pD>AtAtAtAtAtAtAtADvO&X'Q:x_-gu
"NͿ-(2Mk&UX6ӐUi„{?eENX@#8:y4`VL果M	sf aF?I#W`D)Qh=c6|#"G
5,O~	͏jm#8#igωLp#ͳ^tIJꝤOD2ٚ@ۼuj̕rtٝ
7c53?XCG34$=v@ҨbڔK%BtTZEp&.]JBS+))o'L#~	#lUٳҢc2HP(YeW*7ղ/gWTm")z%;c}an.bw=@mSڎR\$#s#oJ(kLX)۝
+vݔ2>ڹ르TYH(ޛLjMR+ǩ
2T&67R!6Ev]EJ^Bszd"f{έe𧅞^4fL5)HM7nkv;q`=s-*mo8_IKyzBey}ǔ$J1Zp3.}d'h787㽊ѨW>#ƛ{-n+msV<G$#l~lpGթ?k4v]s>.-+;IWF	kL+s5h{w2ۚgcz/Q?BEnT}cȅ? SuঘH4\mҚcb=nҩ܌wҺAFF=۾l8eOd$y\Q+Ӊdj>0jvѶEX
2.[%l4n*[Y4YRuˡ-T
B	G)S[Om#3m[3[v 1876D*[ppDzXW"k$Wmԓ>5ƗZuŤO`1#O?4E$%IasysH5ad:ef;w!̢?{e-4vc9\8Fc}
{nk3-A4߯l2WJ'N{Y/-u#y5ɳwQ%X)gN?܄KF䔜@_𛆺uwz
˔h1ʔc`mh|0|d=;'+j4cßܒ͚o{]&jPn[J;jmNAdp~^aL(js	{ėiɮ>3l4hb֐ODsh/	Nm5YfB.ytI"^(v%<g*B+r5bڔn?Tq^L=b1=?d"HaԹ4k62V$<GY:Y$滟zUl[˽YԶFwijz)JEikuYDN!y_FloMk`{k6RV4Ͽ˿̭.Ҋ(_={zYJu+e@Zt	+ޜL3*3r^lE74Z+f||"MeʥV:r/K.<J'vN$u3H-UӢ4BǓ_Rӻ*4ɈR^F.j]ˀ4aRG=xkTb-t9ֽyӪ<7	}76{v
ǘ.R(zfݝssTWc83ΣGaNòGO{aH^13"T`#TL%]e599ˡ5YWU+Zoc~K\!gчPQSOsy1&ጜl.U'TNwVBpx,}&WmPk	Oۥ>\?CNz]r6ND$y"#t"]]PcMG[%7qNF@XH%4DUhgjipr:fl+ݖfXD=]|&"hSCMZbrqJL]ַ$&'썎kG1:co~u92^zzﯮ"y_{HZ|4C|3T=kkdglldY+H2t;oZ}Ian(غ%_2gA~5o(E]g8gjmu۪=Ldf0lWZճAab/'}<m1q{	)F>R<&i6&ϴ{)RV@\YN--Pe;
ԕhZ0yK;ŻOe|,obY
wV	9}_̜6PVloY=nOG;ҡ隳kTba[xheu,`nMh-땆x2G`'z6v@;Gʻ
+1um	vF߬ozsnޤD+tשMuFU(WןRx:ip,O3~ڳQH#.ASPin`) ~K/&an5ّ2҉&?٪J)?0%J3_p^mhviQ[[
E[X6"c%/.bZuq/㥏l=/*^Lwb\
a
cm5k(W"$~˃ΰ@H.ff]n<5ʕ,T\tcu!}UfB[˄U*ŧkW?}`=qo'R)v*j+S9mE.ɺAYUǐ
r.sj{9v;wwE*U='N"bsN:N܌/RT'c0)w-^(,4i5oNmEYO^VvkmJ˥bm;tÔb֊Z+Y=y})Fsq.`	).A*).Ԣ"6̢uUj
W!UOJlrYI4S܈	Ͻ}-~D ghAXoЖs~ՄO:75<2Q0^𽫪#n^OMQKA0G*-n>p6*J橙XdlDힻQW)[_δc!u҇WֻUP	/EYy=O1s^4N3KK+p3Z&mάT)f),EicrE݃4w(բ-s_18^\_="q:[O29R;ɿhEKhGcrO J\-қt7#{!u6D=~R?^>|Eu$!	#&G3T-vDIKɋGtPoomH$#
)i:U&sO-IfMlB-O&
Qw;N^§y)>׀^>+L?>gQ1c|dsjlXh?NJqjF<XbS'=
$s@ߪ@5CRÖ;!sso
/*o[IRu7Q 9Y&z3}&e{a+*Ovck#,B
	aV}L`6]s9/yBBO~U-~t_xR'\1h[ܳL'o4ۆi o[USwy!lhLm3f٬ic̹L
HRS/)ޯP֯aߓl#)?r|ꎛ)L3b72|	~l<:^n؅F:3o{$	
kÞ.M\*.;}ngKs4mub<pg]
:4:=֕-wKZؒ%fחYUֱS;0_G
ۺU^H!_Fos)	2
şr$)
3kD
崒=lۓv0ɈC	UCX[j3}{<{ЛTV>w$1u_s5I/
$']ƟI8ftП9
A3!.#JFj+O%4?~jEE2_	ʶyIO/#GA.YA#˜N.on-<nx.:Ij9ҲrJ%>UKBNQT^`a5cl橜G^{3EZ׎{W2n0mYiev嬪'霆n#B2"ZsʕUSj6drJQVc;cNmSCҾ=ɉyYv}è
9o=a[Ȑ5X(ǹfU,8V<gMљ<>ӓdn$9u'.훌[^dmc (WU܉S9\J}lkjgZ'nrxw޹Ohp.c樗a7w|*.ޛ3ZcR*ۯTe{mYW^w|ώӌb$~$h5gfRF&]Z{{LlwMj-&eo[؈6J01WV3jn #:ˍ&Tì|Ck/EXpqo
	LCöp?
G4"0a÷k>cjU#E[!ɫ}[K#q'	cǡa嗄hFۛgW:7RCEōv{rmX>bV5V1}xkqǮ+zjm[eM.*Z⼭\,LZ+
Q[ȼgVxڹ%;hE{Tpox*ʽ.@QvP
f!M5Md]jUPyvRWߚ:4
Y[sPq}SCN}UJυ%i/pc=}l(	8QЉTV2ę^ձ=˖b=%S+1O"yX8.ޭS5JzK$,rt9uCfDSh|hf9--?NcIb$h9G#MhJ&BՔH#O`@$x>v@%?g}}gt^m/;9^mŲ.Y:c\Җt`Ң-kt6]
2iqxJ+mlj>*[.J]^6/-Dv姩&uª0>4KؑM5wQPa&z)v4mbV9]mɏkI,+N|&]/x7rF9rna5rH7f\V9I+ðZIm޽Y/I{tYd,UfVJm^^)}vigw<<TQJlJَ{#]'ك3_s->m07\.Ā}ӿz
tш9rV+Hvǿ;%/d1cnk)/Uݼ+_r\:EegD^)5]#z&>iU_rIʙʣTXo~7)ֳj|Vr.#(D(9K:\NlAZ޽k4kt>u~~iT®"ޗ	BrWP3*JUgAeTԎ2XfKtZ,IAjRj9
F
p:`kFe8HbUO\J6W;L]`р=I4b5:C"#Vw>k̂smdz']<mBM:I2mwiro]tvb;zTΧ1*jB_[iru#4^:RH\p#ݻz2aj~~v)đ~)8R#dWKKbDdZPWoOϪ芙vfG]TA
v1+rߓFeHby9km;9<VW)sM_$hc/aP<l}l~/0yƋ\LŤMSGpvQ.5wT<#GxjSH"ub:h׾	xY%OS毶h<֓1%hR1ƴ<n)vlohq.5(f3Q:|
\m7buÁn\%0V=W0i/fZD~91m6TےjX4	V|-*\%NXMnZ<i^it..{|mI0mŷ`4yJ"|a^]ӏX
^'fSsߩ*
~0K@ei#NIUNX?BKw3e8'._~u>JOr}[`ZhWc})Kei}6
`wAuc^2CPx,S+5ښz7F%TRvcvƉZeV]$]^˜~G=DzpDR\=cJO	8Yic.mFu<oW4:뮞yh.vd\zG^J?k=A^vJeoQ.Sdm<Te9DΔ
gœpsзPŧ$}D<Nr$Iؓ^̿i|ܢ딺WՀc֕?]|Ьh|>?-)\8"wLFIu,TTl{eiv[hH}~Y>g5씬Gxc~
O/PF¹97r*% #sAFC_'{	ɆVwu_Z[UMXB{)K7,vOߌfGHmD<sp.O֘Hq)E@⇟v(p}Y\..NU2KcM'*~o˻ڳ&̪E@WLHoڍf[mE&/Ǒ\=MeY][&fswBg_]ѯ|/cjA.L9zvznџO&'^BRS|-2_6dj&B>V
'[wL7"[[YO;E2<vX|k6>!ނ,fkK\3ezVo6Z6^9F&4_3Xf*640JDzqc+IPRdб^Pys40cy*ϲ)t2,EW`W[[m^xT5,޲$+Wď~qEA_1JSǥx}-ijS,T*:Ky
izfV\5kRB)R
,ͪCʶy9YcZ[Q-kht:CZ%
B-{Te6H?X6eji=>={=OL\?ĚaնXD*֟~F:Z207+
J<Uޟ,7r=Tvgk\Mmpf-Zal+}-⟻2շj+>>[y~ʋyC(;v18LR9䰷iYQ&6Y%d)6WtO:SM'_.=z5yRG/YiūͲd()uiJiԵ*#'*<
q |W4uIVA߳Te\\T5juko(xU^׾XdK푲&v^;bBgI8>3Q8S655αhjiɔgWS4&Ļou[&b^
"+h05LUpS9/\
7Jg()܌oFU:>f"kf}rp}G#=զ*փBw}ʿ{Lv.xt2{"Ӹ16ڱLKtVD.1<#3O]ݞW
֫t1+TF?TƊ׍)ZF;`"SJ3j5_p—jha\({wz,V)zT3?MdpPǡ^iS)i.
Y۝Ѷ7N[XY}˱7]ܞm[.=sVa\j^0w;:BnjXQºФzS3ltg(=]Ӷq8ߕFփLsRÿO7}+l^t<I_ˌWoHY3M7y}vdλ	מyW*,vQְtQ8c	v%X^/op1_'*G~Zd~#3&0x0GE;IFHҺ-^
$gjyuMwG<2rpq10
{|$E/on{z|&YA>IGq.0M9Y(hQK
Kzhj9~g
S6Bk:7Jos#M,.qj~B)wߨ;F!V?jQѮqc~tAO6D]ސe}3Υ)/"8.Kv
;EᙯHh/qKQm:]U~O:Y MՌ..0"γ;2Z=<J8Dvٙ@̯i`8T8CAx	<*ձHmOQ}kZlCA-TӴT?M6DrqDO")aw|#OK5W
^X6ivz'XtVm6 v}߭Sv9_Ǔ{K~46k+A?FN1f4#:-,l䠠jgt|>WL)S4{&~
^4AQraU%3Z-r UXV
k;3o|Zcm=+c%X
3{3aK??unWW[<9??O:9(Os,@Tbx~D"OQ}FA4^VO !3Uņi"p>kѴW%Pȳ
)]cl3D	lnqC˳M64qq$騐9úZ[i2#js)l%H[*n}&6Z G%kW9K1ks]Jso^6Qӏ p>9[oFr~y)/ؑfK_A˕[>mVE_Leȑ޽y,oP<(~\lWۊvRMAPKd-vZ>Ld[|๳RIyfW,ρoا{_Iԇx#Wf|8rMP?}g՚.^|7#hY3K3>vfF#yCMMd&K-p#GW)tDȓ,YuDtPҐ)@#UO(@@&NHy;ꓕߘ&V8j]I}pyhI+4Զ{bN@Rx6_{$"ju_\F;X{җ>jZa /=;yBO3wQ"}42;e?fju5d+,쵛-ޭY{J-5mh>"#EVutJ*՝u٢Mym<EH@#-[N?]1dIV<I)VMUMNʎYOKs1tvuKILl/6fUk[BIOO],m/;#W]uiA)}OaItW:*=%Zv
UpEe
n͑MzE-M2m
x<|MPWJέz!\q{^lcʝ4#,RN-]\tT{Ꞝ^_l\sM_qM-<YsGě6&%^4+PUk,%CMl2>aY7#a,ˁBXqȜ= /G;#n/Q`
m	a٤55%_>e5r>JƂ*/U^UmdPX~@9sbυWQwJ543n0\Z1Kq4w[hě:du`?i"hc2O?W-[W<im|JIAe}'+:c_H*?褒p¤}jşin\R.oa%qט-BꂮtN)g㲇꓎iݟ{[7~F6Ph|rG妗<w7
d/j~9րa}&",Q|Nju\ifUIqo^$4bY\*ѩA;^M?1~O0TByP꺨h:혳7pԗ%? \z5jX˫
Fx'O2`4i
>u?u'{w?dKf1/Uk0)5"d:35l+?惯S/`:v[*/j+'4=rx>]kƊ>vmI0QL|4K5fuYr/3,*ة[Z&h*pP.{}4X.K!Y+VΞd7WmN"=/^7?ZW?wz#ʽE>uWlL{,DM5d6jV6p	N͞!h(7?ܷ7]cےux[֚ø\Um|kϸ{$BFGb1ΥWeH1{_omܱ4;-(C^8lO_Y4<*Ucg<
sU4	>Z+N}/;:rf;uHoyliU0wI(	t^GuJf7]QX1R#֚* ^izai[!{%U}M蔟=*Aeu`$rl+vڝ
޲ʁvBC7]\+Tֻ3iM15U9<3]4#Om9$K@ANzdk~3íxY'jNck_ᖦʉ#!H<Y'vd5>GmE5A-Y	^ǞtkxHa0ketT8<%zHcfYP1lj-,ߔ5W/0fbU6]'8m/tI.G'hPfNi
[wS]w\Ү2gʯĒ4yHO>!FTT Y"T+-i+,~M	3׶w;ar*tUl	>4R,H=Зn[Oؼ1H=XG$Jt~f
^r2eYɾ|0oiUZ0KVuHi!}I׿^.1'HQ<.IAka`XY VJQŴReed6Lu[ClMϯ=&<7G˘}P̝Z#1Hs}ɀ}p\|dXO3i2Is1=wkuyH;?w8!=͙>ACGRZN')!s>24kƙo@lSרG@rT%+5XHQ:Qo&T>ǒ>jhZ}gjR7&e?eߑr^̘#S}.cj
=ZomzQ=-lEn
LZΫq6ŏGu\ꏻ'm|PP(rQ#k}EW){綏VE}W@<xbX򥝓eTB&Rr8xg"X#>pC<k嘟PIDr,?Pc%"%Pi]0Ŷf׹0Jkʹda~yk|OӸT	!I-$}_kļ.}')u!KfNI?֪j>%4ӄ|LՕU?~P$>yT|I#VP}n;6N2!+v-;8Nr0<~dGJ\43=1Ymٌ>^W|~Dc~
jqJ݊z6R䛤ҌYio4vw1ZY	&_ų"6Fbߔ罼)O+F|';+r''tecy0J;:_A@1~Pɖx&!
"ݷNBU}2_i3
UCerzΨL[kdTCLrOH\YL^JZr&ǾRN?{dzI/JZ4_HT(uTb'4_(-c}Y17y8BHW:I2a=\6
6|e3(0/-;C.!eZm7V~E.W3Փs3'U},^)cňFߗ&rGrWiLw^?Zϖg`1:O*i~I7;">B05oAGs
G9[ea6c҅(EXҵyzaGU$`ZǘϬ3`oe]I8Uo|7>rHBHPnhCA_?tX>y)̜.5m}bc:ૼE%[kCxh>|x-6sBauuijK6:s`=6Q^%z>M-ހsʩ4B{]Oq%j5EDvg~ٗM
Cy˺\ⴺokt$>HG#>(Wwؐ(T,x`;/6l$+5Ce!,'F(,LqS^B+,Ѥg*im4l%K4[:|_SZ7l/
:6jeQm=qH]ڌͻ=ޅ]Ӳ,dzqG6sWb'Xʯm5od+-Kja'?H7zJJ<b;nZ(]RlQ{KdqM:׭z2$V:ĺ{-VzJWkMm͋Z[v{vNS?+ϣm
蘃3TW6/X_wQHn\uN9$;o&5MM<rMfd9iC,:Lι{Y(5y~QKd鰞(}6N5ODYVL0VsO@!VEҒ:Z-*n.1{,Dro1(ֽ`n2k`ݟL8[=3cx<Θ13Sc?eǡ7IjfVcDmMJTb*އaNU;Ұ?}Ϭ>߿jx.~oet&L?4>aVyp4	5	7e؍Cp!F!~66VWIO_Vϐm5襈>9P~q%3rϧr>Ju0ն5HovKQR~p=i=h{R]TtV}yMG/KjZo҂IӿKyWQu;.ISߪ
/ͨV"2AcF>('HԝJ
7|-cv8$ޞT{#SdSi
0C_aS+ɵ׷TH?GiTʬLuk=N$/hQЈhZt%ͅ@B))G!q>)
=,}
h7o]*7=^SZnxagVG~`\.c
PKD;s:l:ugZ<h\eԘWW&k&UZqpjN"Ydt2%f>jی9ێIuQkĿ
(e֗aZTK.g]c7>@˄ֆx#hl
z`o9ٳ/?nFc~YKկFAmM]rIEϨ+_U<wrs#wT+MeҹsۢJ{
f?`\^蚓o§UtGNF}E#3jPGuI~jxљL7ҬJf%q1)cEffK'<(S\k9b7jXC>Og|+
3̏mɚވ<z(#coˀedd\(K-|x;Fzt%)FA:n7ꓯQAmA:`e:z{ôci.D;]R߹q˅C+2ѻ:MyEIJ@aުrS{RQFi6 }mn	FsCdJ\k48vZ
3Vg k+iMA벦VnlƘ%D(ʸO/ILv5CBUw&6KHGI\aYu?m"G}UϾuUйEyڬb-5Ū,[jz.y&cbsjI}ϧ j
dGPf@O"Ƨ;U4(5~YQwRW6m\zJLO-o(HywfaF}wUcQS|x)-Cv#LpKrkQ_^*VZoI"ǸV]2s^z}B۸i})PT1~QF+E:
R]څ8ԳJO?E4C<E_e{"7hauGL<_#3_Nt)Iƅ\ᠵteל2Uy^~\Fk	Q?_v[]nhfVn	sR<=1zXcX1eaNmUJ:cM=<~Z0Pòk6jKN_pmCɨZ8
۩7Ȉ#ͫ$	=޸t>yЊxo-l33Βp-7Wjl2jzKbHlŋd{86B3I%-7RFb]g0F[#sIQ#:iaJըNmkwBqٱ<5g/\-^D0KwxR2K+8}=y
4N'>48T> YLsbᩧТa=<PLU(mxͽ-M=U}>{n~.;؃D^uzN;:o\·щq}CtWjNmYYn_v9vYtNϑՏZ,hމNΏ&ËONz^AK<9eO
}4Ϸ?uϾ/ˏ9k{{Рv5eOUe'>~qyL_bҞsuBn'攄p\ϧޝ:|3^jo5zfy()1.Ut$*7oU,%y bKmIB<1&R<hю
a7W(ʺf`bJ6V5η<jbՙ@Ә-%G/j:HD~Lm͎$eX~wヘJ5R&LUN(i=[/a[-o*u9m̴֠˚I]_ʟm=x{ps,4d²9;ءD\3M&뒕p#+izcAOWJZЎRLϫ+UYVlQp8'ZʑMDhխ}}:o8^JK	*]УrP/[
nښ_Z1WzZ';ϭtr>{n
wa##ݜhBZ4_akTQ8LUӤ=#AKc$۵0\ԜjjZq	/Γ8r2Bv,?9ϛX^Z
aU\yٙFőGDvU29E\(NF5iMOPjkcΪoݎlmdwIJ.,J
?\y%wS"יzFUculཫ-A.^_tE+:3S2s`z7m)K+Tv8i|O	2Ʃ5KG[Z5z2iaG/k ;r!ul,ʦkveIPƊǷ3jH;] y<,jS_NbؿaU9l
=dyyT:gZ#
d*Rgpu>
ǪT*)Y3Hd`ceknhuƴ7H$0lJ]I/E2kMYtC]
>
P@߷q'o^"[޶
fѢ^:>/b_ꉰոe	k?c!4k
|F{m15r5֝('Ad`އ&z^R#ҥ2+vuC1&Q&1V;HF@хD.N	yIX B%qM"1C$
jz=`tQ+~f3,Oz\Wh7YATU73F"foO`:>Ig@]Lr
޶	![qfLUP_.'SyK޲WMv٥4<ւY7\Uor̾(XWf?iлz,Y{
,j]'"/KZuXgvL$Qߪ	%2ơ,UI6hRpYfƝ:}RL(
͂5[
#fm^ԜlT,$ڕiW6[%:['FoϿԸ?j+tέ]zw!MSl[׾q%zZ}t#?3&c}1fTkfȝjTy(_47<6`ݾrTM|a@mjcY]hv-2kb,=V)&ӢtayR&dr=CU/{nHm饘[P2im&:hkm;S~Ucl51_x6n>{
󢏂XU?Ɩ6j++k~zY++N2{_%WyFs-ya6^,ߋb<
)6^M[̾\ɲ1۲(^ѻ}"tt[dUH7ll
PtV,	
,qI+[XseWn\&oͥsC|_aPFicQ
ڔ|JH 8fx_9.Qٙy)]qZf-52܏wuW~ymgE?R%(okflzxyagBxq.nE~LJ/F-(ґק֫XiǼ7̏嶕y,49{IB
qۡ6hc*KJZٔx*:+u|a`fѤ4sHgDk
V36gd&Mjqj('4V92Lȵ[[	5,#sEr|P?^Yz+n,ZKܱyN;5yԫ/5+!̈́:1bO|Z{bM?@Hj,Fb*ѳZ]Ժڷa'g]/'v6c]?fi5
oB՗ֽag/TJKߤohbFsx')WlBX28QDԲ'X'0gtU-hd4*yzrjێR=aZW~.K	^!Uk¶[^M*q2ͯ+]i)eRG|v9ygSt³),Y5:Wj|g;7p~sv\iGK*K+Svۄ_l8d) RBsٖ)'y
+!EoKu֔`R8i

7}-nSJ0:\_i٬c;UkuB<4ZF)Q>ЏBw¢81`TMu6
Y+YNf;%Z>6SɾMvY,aϽr˨ԧ':"Gdx	T4aFsӠk3gm%LJܒHmݷFRyp^Y>k@\{>=j90i|TJ./K$=/M?Vzf[V!~_~d6+&ռ)4ML*cb@W3Zu2۽
kP/Ңvj䏂TkkԩX2l#_ӹd:<;מd%e^*^w͗gn)1{Tq`,xOfoBՊ2<ϬVo>YQia
n$ILXDw87b|{'Am2* *ØM\gJK:V}gy!6eBj~YIhC2\FMeU8slyJpm$fks8׳-6nezvxR1pY̫3
r9لC*DKT K4#w.T&(L&+_rXcPE+Ƃ~QZg+5sE"èh0HVYc
'QfZۭͯl)Sl<>ԛ篶7q$<T8.F+Fw,4'~I`Z>G/oe sE&evdÎGՒuADo)CGQG
	̻mAq;S6|O~$?8G-ͭKj7/M8^͝sNa%ؙ˱uT(УoC-AqTGVovпAaV6{؅6i#Ix!7ˌ/:F$=޹&QP
K}(MY
esvݥՑ*wI~UHM$} ތ婖< ޴]S½yǥ,KpGT.GӼ0,Pzm^~M6DkN>dNm!s&#J0|NC
0@ϸ*1Ql4n{*JVʀuISHobG0~RW㓾;h{6gFcw=7`Tu\tv٤JNn`R hoH,}qr,w!aҽA+)[></Xlb_HcvWd:zᦧmfhLRӏ-X$ríb6DQmѝetbt9o__nSrmul=gٗK_?$m#T
ծۥԪ`cGˇTQ9d7vߝLKBǝ4l
Y%zX(|ȅϑS9ZJqi9^-]:/$+#"yey'-f7U0R<9,[+DqwlsDQB/;N9<.8\xBiV_gNē9qP0zo2bz&$gF)_}|ZXvq+4Sʔʵ'4/Ipo^;w|sNq'uu4ݣG6۪*;c>#c&wu߽1T|]3cQAEky
ǩ]ai+X!'^7ğMkAk8[φftؗM8wZqr76TƎ~̙w U\ٶh..!:[_Gx.Iyѐ@>z_tH&REO-59M+f
ıc׼[6au.dAhh:iWKZ^`˳_zuIq2s5\%#89ZdR5Ai݌&u밂W
vF)MN7 gYBov2qG';e"柼IaqޖiLpXPT$G
F-![WF)#u9CGX*yP=[k^͹S&}dYIFCƗGRxfܻf	K~_g셟V첪
=bΑq+\PȖTCŋQP',{sd^f>[,{_%Yd3wF[Y7?Z&3
JÎqTe"Wӷ6h3ubМ$*ӆ)
jJMp5kPn[qX;g
C9}F#qv3q/=EFgQ8;mC5w|qɰڞe*\=jc3
GHS.26kU3xjEOءP)V{}Dw9f˺ɬwKZկn;0`Zn܍92?/.B;P,y~nП"߫:]F2a)c>0PɄT|E)&V8v6{ʷ\slU$s׸/>6iյ.4)I,hVբ\km=?L;ӣùWO_k
8D3O6r6ϨP7W9+9/q|oLIǝ+_LJtj2l+?ƥ1TP3BmgXF&qXJ9wި{)ڻy.+JߢǤ@hf2GvsrҺ*Ǿi]'>؜81BM+Ud
IJΗ3c#.mF^֭FbMcR;JtKU7DZNۘm:iGWr5u=	n8$5֙ }Om̚.D;sc%u&n]2ڮ{Z6.l*/㙩F\k?G~Ld+v2ꅮsK[U@еNPwܾN>Z;ۄ95>
cKmv#I}JE83k;Mg_RX*%'Zl7ۻ(.l!L^=hF{#NYˉ.tG׸<״-Cd0MjZ%c/s; Q:[kިtV(88^mhz
&mƧ̏S!Jb32Wݸқ|ǼTG7]-,Yr >ڌ#]lBm$7R:84Ȼ̊^??)*!2)ED5!J=DHU쭴2.ɠC<l@"Z:єfMӭJIfKgYZC?/UʶUJvq0L3E=cisOrW9Hl}y$MUa&d)]n~xZZ	" Vbjti'U6rvq|?|&AP'qjyTxړ
v0~)w-O^6:evêvi|@9-[YuESEt‹vۮTH5{Z}lw#ѴScdf_Ay:ʩ*༊[;&R['-mis3(eVmvq;]ߠl}Wsɣm>sm-Y	%Szx厛Hz
1I:,|ɘ<6;ȇBHi;Vs4|#i:&+&x.l&#{VYc{`Qb/WJf>:Yf\3_4糌۪i.GJfN{UyV/tgKwso	v{Cr4Qh
N:r7s2iRU%	H%+9ނq'+3-i;#%h=liNT^O͙r(ޥ)n͗oU\3K"Yz1i[
KuqN;V$v>sdcCs.BW2fUsLN04dIg} ?e|D ɜr0pu!t;
>EKU?(n&hCvƘ2uDc1ugy3Ěnay)O^pŗeM-E194֯_d4ܐI<,ne&/LM)'V+n}i.|ޅ_!WS&))gHt="s9;to$([{-x,F3C\	u׹pHW'D[Kkcv)Lz4*'\%$fh
܄^[!C^%e^Z0ƌᴤrl?;{jބRkLnJ{v-G%Rqƌ+rUf0/4hm+PΙWeU~|WLd<B
)іL{mK6{qIsV27?4VA1CsR;]A#*ica͵hF߂Q]ر8ؕB:(^A3A.+nky+~m>eB\?t<;QZ\.w.u|⸎H*T#na
8i%E<I,߶:<]?aʕL4-]]v6ʘwխ0'yM>/}Wց_SQ:U8z7p,4z=cqa|/SGoxRXedᭅx,w?UJcghc3JޕV1Yi8\k9HKZiS\EF8ZE||p1Ri"fI*Y\zXXҧpa}ŚuEXj??WY
\YpRhh*~bnf.5Of;t}oq+y,/A33qTR=R'UHO5%4:rU1!$m
&sY
/k2>ś}^ӱ/x4XC-wuX6+-|w_']ytER8~`#SMӗ͠S3q'҃*xÍ0.Қ-;͓ujzeHeanuV򚫦tfl>_1f鰭Dv٣NY[Y4;4xT*s
bsMl兀c7jӉ|RV5BمU>шAlwx	s/k-z	!jhƙB9̀Ao{XK(M9[L-j;NΠRT?^6&M/uj=ٗ*mB
㈼N̞@MT.bu!˳_ǣ$*#heH_
:c8=*h[
g}\6̟ӵ<B#4,fy`h{k5$g?Յ%v+lGuX$il؇3Z(".}9'QX}
N6 STqsw!ӥ'/7_h,ٔe`cyb?dz
#Q vNF} _
4Y͟V2‹ۚNMcot4-g~JЦnzStƥ9YW5y_N-f9.ƜL{,6&'!|H@K@ v&+zG콣74JY8RzB]|rql&VK|Q@_ޒ6`ȯNU\I-MzOTV>WuSnzfPLo3hM8{"Q.25U\v5‰YW]:%FiS1[OLa"c؞t5-Ѽ+@}itN$p̕Q~@V"dj->ڒMY~-ǚ+況AT{Iwö'Y}Z漥w(G|M7
q"dͱB|:.ӡ2mX3tS7RUJHiI+ɮ}o	!{~r\ғmDח%uY_dk>[ؿtBO}HȎt"y|7S&}1|ZQ[QC'f*mK9Lݙ4l}JOyG{ߒd*bA$sP̽IVc
mgU?S;@eϹFnBig:nIwm5Hr~rpW=@L
s<&`jZ|u7+}f~qevXLD;Ŗ]1ILz	SdL**<\&sj;m|hgU!cC2Z!?x8f7=iTwnȮRd&K:n*M|awKb(Vdzf+7yb5}n࣐N6Hd=]}F4}lz$lnA9Lێ{CxXf	͚E3+b2Ӷcץ<r/rXAm`=_V(o{1\{2=YDQq.,3nnrj¼4>32@v954`N7s
ZRa'ypZm_}{"BԪԴͼqVjIN0ßhp|8:6bZϨ;45T#>@V֣XoΔ){
KVfU`fm(2Zh^F˾Y`s_R,_]+F杈Qpݭ;/eU,w|K=/X47ikK4Ϫ}|6fէyI޵vn?`Y9+S¶ZW.0h$~<6ͻk^tjߪBK5+Ģ
VU6+xdd1ӥF3(q:?Y#[Q;^Ө4Yl+kR;f!J̥9Ŏћ2&E
f>x#񉱣A
2Pi]UyfЩ+"WvbS0^}ia&O#\yEcԴ((qVWBrȒ^n~q
IsŶ u'=L@g6W,WXWS؟sˬUQ
\650ͫwC<k{oin
޹F<jeې߸/נ@>5/	{ŮTH6,	4N7?O_A2߫wUm5uΆS&HRtڶ݈0Kp=5)>V)蝃-0#MrJBNPY5]Abv$镖g4hA'*h.m5K|:H"UR*^η|w6̻/Fpy}7^Rk8] 2;CE?6K{}W[l{{̥=6Z'#9/TJ
,(De.J2':r>6{IϫYم3`e}l+u[}#X.D{\^a0_Y3TQyi!4>KUqK\*pܹys*SvNT74\F7NcvҲ'훐XR"C"QYyʳ-0y^<d7Zx3@Eϯmp{$Cn<OD+Sвdi%7vaCXn%Y6QZ4[5wF˭R:19ři˗-}xSqjظGLNW}i:WPfqz-ryqrw}ss{&(r|vlZJmc|-WKdE9CI<LLժGlA
sJ[۶/nj;)piuEzR$#Mk5+;_Fii܇q>d
Rf$\d.!t$Ss|Ku^q4UXa1mwQ}Աڄp~-^X(n'^`7|FJԘ.hb+rV2$SV guTk&WkZD-bw
eʧh)bSe~ʐvmW8Λѧ\@G,Ns)Q!_sk	swLx1^[ϐ:psCGKun~"äZ
[F|~\_(5URmuLd;[_lݘVg4PܯSNՑVҧ饚2_8D{9<<BO,>b1uN(>6'V)U<kU):Ik]KjpbJr;.2%+um
M\S
/mݥۯT{]E6o'%d6WV2͙KicҘB*'IkGƱ=tjA625B!nJYe!>uHOt>U%P"p޷%?Ѻ-SFQ`>gOƊD4BT`Um~唹)RY`XVdb5#Wr+oͭK,ŪOJIr	Nm+2d۷lYċsujvZU2vOJk76'ɦ)3̛V`K7$<%NT4lJS.Lφ
&FQ% G&oszfUsIdn3a9KcQMMW(0=[$όmgrUrnn87P33rb[Pv
F)2b6Ԯ:e޽9fY=W>l9Oj7C5	>Rq52\J(ۿ,*N%>	G.r/|?>"	+Jps]َk$<}޼<QO)kN۱_r"u׶ⓢ}5e/Ac[=3Eymv
K3`V27+f.\jZ۶ݩ2o+_OA@`b?0*RN]ZQh{g'lLt=jܰj^Ыpuz
2ٻÒU&Nª_eڿ92ɿO[9o:fݘj,
0:i_JV1uMLv;}k6U7'/\Sўʂ'Va8ֻb^Y1oƘx$u6
T1e@6dwUwZrM[Br`[fZGWL.)tYd{M|f%#AIwNᑡKa|oR
_^o#Rvi,/(;F]Yv|_T{5bDAb|RP$YZ	90ͩ-];~R!.r<yEVű1Ϳ(}ENh9'匙Ae3+<ϑq4E]~JwW{F"
mfx:.~qH4OjYî\/4?)Iɺ<j^:xckK%pT$\􃅙_;@rMfaV*E<m7'̕>c#GxT7.'C
}{)5&EuE~` ʫR) cͣqgYIll]J.crWYg%
ĒFTEef6n7-e.֖:c6mbfT$AkVn`hy>DecF:z3~~ِ'8?NU?Ta%y]4_ЛnN=ZjvH~y+0k(FH_A)
RktEfbsP޺K{մ .˂D=e_`EGw(çS˶2*j$NR-E^c^4j4jܝ}{4FߊM#Sf<m-+qM]Pf*5FꌲTQ|45ܱLq*sI;rދwQM|5hV}DQ:axT#z2hƹM5L90[Z!XG٩3eZ:ѵtG-BYc;>[>`
3{Ƶ0ɋoX<S҉交bA4P2KLwoTSuݛ;+zZGNfN8ݮ}gU&dmx<SY&T}u}g~Ntݡk2ڡc{B+CyB1S*fVmy
{AM'l4Bj{&w뤞YM!3t>I$\55\͎<k˼oL֧ɗk,m7 NL:K9!N,|PR0㭵8(X ZkZ+qIJ2OHZMh*r02Eh#BԔ'0tܤ׊(; w5?†š	L{UIUB`وiK8̕Kҙ$I_:!!""nnn]J<N"GD  &Q^8:YA6\"2})9?^6&~~
1{$;![S~79?ge)xS뱧2w ~K󨜨B&*f1=e
楪s4UYE.g[=ZfCDn08HC݂’ag+[:sOֿTQomfP1>ǧLYwGϺjo=`\|
`?,a:`(~(A@;re8gݦSߞ;z5l
gaI0$m9ʷ=1μ7صIW
dH{c/˔#o3{E홄}n
$*c{.GxGU	*<3~mF,"&޷i=5]~t/'[Y۴?kiN,ip݌"mg['qx儊]6Aӝ,F|n19*vLWIw2kW>ܪ'v;xw7(9Rj?Cv[&['9`kǃѱ$j`⁤AFQɿ/$Q|	Άrޡ)uעE,=kq}>k;r[:z_
6ȶ[qY
Uo	Z)i?D/JW}2u<휼J9WuJc5WV{lt^x&!!^\,;_#3{ĂA-ɫMB&e=%)S;z0A+))Hek-T{Im
o׻` -[3j%.{Dx+$A2ڴIbCf|1-Y4V1/G~?)myW؈xV]=ǐ8
[p9^
<]`u轼!BC0L|09lҗꈜxaNtiτƟteǡ-SOƔS,K,^O
8.BV/yXثvGD`g{^o.u_=P
3Fn4E7ظ0܏"Ҍ2Ɠa쁠wU#b"k	
Wtkv__O24$rWMm޲{m~1$Jjۈ:sԀF	CJƢ=m%HFl,4
s/u/6gI]5QF|F^\x:^gcQP]g<+3(*e/~x\W.9B㮾2>[=_B۠TwdORsru;'KEG`t7@>N_#gR{
I1FBBg73)j=DWO%HZ>|W@VJGdwl 5EY2|\w!u:潟aq=a'J&?9p}Ǫ;ov~&AIK,;VwЛn(s(&S)pQ(sf$kB]:2O
szsO(ir3)Oj
QR=it'ޓ<>kJwhkʈc6]q/yT<b;էiؼ~rIwe7z=C@D[i&eTM9F=x$=~c6YFi/?WggY沈.QЯu5E0Ir(1CH~0%~z{IxsϕձU4L`McБl3֪m$<>
RE0RJKLCaxX0ytZ<tT^Н(? ?WmxiM0΋jJrW4tQNiym(*1&x9m(0cox/\[Dmci۹w\3	kPhcP3mrGNns:wM> vN8~
j'Cg<6&? Q̻öm[gXcħu@
PcRw~J
er%(ߎ&2/V.e;f3ØMp`y&a36"Gy&U%ݮ)#y@v)ptJ/,,߯zF|caIFǢ}`:b]fn\=6L[=؃On׮ǩ;:$o,$)D
@gvp.^[%eƚGgA=<9N*wPs֞t!)&((/'0'&Wȵ<2	1AׁΑppX0e|c/VZ
xإxL[q5u-_Q|
@pY|Cv75?34ob'0Ϯ\+Ru-)pF!;=̶5%<@sNiga8sOr&a-$cնWTA7p!XY=o
*c~@'VC9-	Y%bK_ReϚ<\pV"DTH{^F>Dz:CYƚ&=T38?#ٜ"D.3>sn\iݭ̀3a
Xyn?zbYv<PN]F1skwf-nmNބwݒi+tܧčZɶZީ{]Z}w(T|;trB/`t7Ó0[I3E8ces{=*fofo'9/#~J/9%
8Y:yLS-uHΙSCƢݟ!vك[aC8BP>]p'ClCfm!^Im;Fh֤1XwN8FMe$_F-;TPzjv9q-;S(	*lWZe;꤃]wjGW\@2SU:,
j}as:Vu
HڏBoqhdDTVRĕyLsӚ|	nť{!cnIpkbνB,LNP0mfP.RZoS~Klw84`<%
$2i=z,'O2d*ޏGpqz֕qA-<~4>Z)SPB#P'zl0|5Zq  <Mcf}w	A!台wi{ur=W>5
y,)%E9oO`)	:7WeFOGQOe#N{}g/TO
D
jZӂ  o5_1!Fe)"SnybSx	޺l#É	qxy1S/]4ȘaF'q/F%'ʅS,b1p.Y^1:Ra
1ミPׁ@ts
#ÌR3]Ku MmϦ9`3 ɧb
H<.r XS@{
Ypm\NB5\*W6Xfc,4CT+4{#b2F Uh<67J_JO}[Ő4idxjxh%PevSCt,	(lJ4)D`*7L$Q%_𥛻U ř`9pcx(f2;?+~2(|TW
֋zKu	"~yu+itycޱ#ׁ<Ӗc8PYS+ֱdjW@9k;A(-\qv_>rX$Zފ7?B7UE;=[OѽYb.75& 0oJl-Y6\#
;0OX%&E^]ڇ('{B{_]0|X_|1i ./c2oրkjƛw#b/x1z qmy|8>eMYݣ+<}e!ώӻ2-,לO`wͻpWKʯƽ_r˰6-wQB{s2/_cs$,qE?SxZn木p'}"xCܯj]%N^BhZ.!gw֮g.o#=Ўȹ+E@nK
RVOnmj	2fdŹL֮V^kzTKOpjm]
7JN4U|irp<S
cMAQp`+s8ɸǁ;c^"lN,@L\ST"#D}.N@/׌2nh`l[=,Y)V.ĈѮS^Ȝ1S*+;diPo,Gk6G8j^b@Rts;"G{Բ/K.rt
ϖgG~7Z-<	<hbo	Y^oI\fwJkr$yj1,-ֹ
"#gMP(F#iHDJ`&:Z:JA.菅xl8#O05I:GxV8ݿlN6w%/=r\.@مm
2WlocIJyy}djI|PjtfR,=A7ZE	y=~|!KɸknKIijAsϔ46<^2nL&#nn1k@ŷ]@j[@;\'Ш@p;߫uʞ~[xlr=|]YyX8n^:Uqo~9qֿ3-opJ=	ݪ;T{dzy-F:t7
"&!ws:[HƹЎеĪUms7_ 7c}CH8
-}\2^(?qŚ>]+Tt)+`A.3LzRC.ԞiXLm4yr`JH˾о<Lw	;c~MswlaDּ>ZG^>1-
zT䛘kLkH)|qܑ'Asqz2)S&d<V@ -UAEuiP_Ʒ3-f3},^Nbc3$ϴFU?	tuPn͏~5 aCRDQb0Mm(bȆ%v%xykYEJbNs;Վr1ǹM$x\w^N79HOsarH!\ն4h(R׸@bO]~VT-n\cvER-&]uxG7n՜o
#5Փ#4(r7[I7Mq{+
aBaNQg
5iBupE69;;a?zOٜĒWq
ǃrF	;4| MWC+d	}3|;M$|ЕrX݉2l楌2-1}nCۊs&+D?}(koGܥY@=Ȋ*uGv7O!u:4u*Z3qB&bA~JjrnLfCј
=5eoUs|%{L)t[ǯJ5*FnMBAOS^(g,o}p+/*X^rJ3~pOGK%"ةɜƟF%2C.o|	ӻ~c5HdAvrR϶xF/ޙ-?W,e2kNC^b%IE	08@okz/ :&=~>ӰbhoGMŮC@sK<8)dgk##E~<&{v:B$#nvϡǍ&#HqxZZKQ??k[=~ˎi,CԳzB[0aQ)bޗ*5Ѹ߱b!G8+9Q(lh.\.da3gN)军6<+ SSz{Wt:>"m?W-ڧ[t5X_)|R%P
|=}{	7͓d`klU&\.m}D\iZW:y#A.Y:+ݑ}n[NLj^iǀKS?3'[:G!N<)gz hVi=-DpLEhH?Y<]:H Djg%pPfJޚ2%Q)@yhΈbe$PV&2^~.Q>{vC$ <d2ږܜpaUb*c\Ma+'r	4Yڢ8
uk~oHwbo^Hg_@D83[eB!&%)ʜ0*{`^c:R%[aX<4/:cyEkTAs`6ֽo(FCSrvHtGHOECk؅gH캙,j2lgJO6jx07S*ǜuӸZQOW˚/BWD!	-Ӝ`^g\'Oo>wj~ϞWy;vcZ7Jn}v`-s3m
"%U".O&,eQQDDbL4ya8ߊJW\g|P,v-B>{M^w/Geؿ@Bas3Vo㻜eigyxdx\GYVCp8\l}ԏ⽓=G5W_wНNG`)g粭/z[<-tCpw9c7vnL6=P'0D&PලHLjRށj>?q^}bq!t:YJ7'LJ1Rކ+z~*я*Ʃ=iˈg,̸<>ƯtNJ|dȑ)Et~Wd^'M,
!tQ
%xE!";u}4Y))," BC9"!&AAA~׃TW|@NH (&?c.a/Ϛ"z76Su9ɦpwjļQ+v 4XJ]
z\z+ɿޜږMVs}VņgXU,m]4Э.Âa;EJAo~pX=;|kmrA s~jM*s<>L3f.v)㦹iu:Sy]
ы
S9#t4Djdfq{'C^f
)Cy :q?2/j)DcU}lc(
Cg6~zo[a||{_7A_~|\oE_YS6iAiwSP>Nx>[$D>MQ;/
9Οwh~m|̉Ļ%6wƒWͨ&@H7fb
!rŞ7_&;~e;l1)Vf8%jTa$.;[QLhq9aMRps-dAJ#~lkP_CmkLu{ROp;cqvb[0_2iq޷s>^"E-ƲALقՋLPvn"o
b1O~{3˪G`%m+Yp2@p\3La5PSo7ED};00vȓ(x5}!.ib=X]%rPͶzZ
kB-a^|>͛;C/Lvfj.GY8dqW]kΦGAˊŷ/.p5+*X3th_ov3{$kY,z`<&;5?uNjL1Mݾ`oCУ$ǽjJiVa5q?p%w+xΆ4:YL2}o{Oy$5>ֆ}1v++z@y iOa9LgW3~
ORHAύd9#J{IcPGVYٝN@/3:g\B
<NYEu7ǩZ?	Pźqk9\/oZ*/=4>o+wf|,Vw
-{P)Y~52#v6w"AwGH1P^ʴ&zy3hݰk%ETjhW/s7JLH6nOfBAD{D%խsch8g<~Yh<3I?EŽ㎪)0w^&4>+NftX$pMXsmò	(x'XX#YlLǺ}v<6צ|KODjʦstÑ߰Oaf94/_*3߃jƙ+JAg@m֬|Ŵ!x=^G3O|+W8N=ozّzs}]vq?RgB3ADbDac4ᚷhB3{ͭ^)<SO]'S.W"
8;sox&
o:з̸vj}6閚g -c:.Ϡk$ɸ:z69Q΅΂Ms
,t_,?tɃbӯ:H,Ņw4f
HNonuuugDhtRA9*d8e\)&n9SrHsS`ڿ5wJkѱ pUn<CzTNJxyn\N6)z,؞ZyjT\Qg%'m. Wb錴qN{M	{3d
2[Btȫ*IJjiLmm/OyPЃs\$;
cX>~H_=/7. 30_чY&csZgRj
O7//	]S33#_Sp
Vy~"b77L\$H0Hd!j3!]a[yQvr_QވKBEoʕ]8m9:Sok\#>qqnwE$.KSغS:UDXsxupft{N%2]{AgesM\qd!%xdh7T/wᓇEBD(Lijh`).w
Uۡb0Ҕ3cXpb{z.Nd4f߂{%z+aNDS!&n-kM+}%ԂZFz/qxhԃњ$бV/[/n~G`*vBwْ
˙~Ƨ0I[߾69_*Y2;r059vRzgr0|s7U՝10'*"+ph#(2+3be!Aa7і.Z_l>A'g(oTx;N_1y><L^Ztقř*RQ,3	)Zfπ;`QXlu^2rx|w=]
~"9ٿ~>7K8CG
uޤ7}{nltnh>ߍLH{
Zޡ.Ba1%'t&\}ۂ
=f
ՌG{DVqWm*X;"W|	4:Ru8ըH),8b빆^.{ 83˟LnhOQN_}ؑ;k;./u[&<FCmT=<(.(<|G_R7u/Y-jhc2-hYɕ|2LL*CTi#t;Z
I+}rj<S[X7:c4eQ\ϛ8ZjuZ
]Aa/ЌqS{zGط0y:GZ
#Tz 4]'6S3^"~3?HdE}MNr˗8ri_kaʄ5LwÇ1(tc-vqbz@}˹Ϟ/2=P]4~9Ν'9^ׯF *p-bPU뵭L:Y|̥Lm@
x&^{?"ϖo5&Ϝ_Y1ʗ5a{f~/UU+o3_}s=
:=B:Hv\O4'<^%}r|k=tW7?ҨS_e>D֞:ϽdIQBg~݉yuuAr=50Lϲ<_
rpOYt-/'g^/P?ٓb=Yl;d)76|pǔ]@F]JʫNXuGX9C]3ݼywᎷHUg%gRmFPRW)ډNpB/#M(Os
*{,		ǝ\7,&XFӴi9ST$WW㑉"$MyU:*Hals|[IziZF-/TًO*b3njxyv>lF=#˭ovk/|-XW)eW_Fvm0%Iy:AOpr?n':ه
A<rL
Vxx9awݳ3}֠g")]TAl<o^DzEZS(:Ҷik94wdAK*g8QIsX7ȁyZsٚ(].OxAw "|Vs;۲Y\,8-w,YMTJ͠(0n1m`k1]t{MivlwC(gm0߿wo;HM }	`DGe2(Nmr
ļ!Zo՛Ç[9Sy:yelafcMunƒ`H2}Pc4a%mFEUd<c;H_3?.J}/[*+ QT.T(C3hd=DMC)X^A:JIhSlE[9z@*)ڏof/[ehdo!)Ia}E#7)aM7{L`Lэ%J t5A:ǁlx1i/-{_|]SX<;^_YSoƴ)T[dougp^0w
soL_,VMak6#̩h)%s^+JYGS%GeO^e
WJ$*1Z]>jqoi^tuc8^H#¶y[Kƃ87MJ1,i,',&{9SZI8::>PŪU#ܿ*XE
K)tΘ?9IgU>,+Ho~IAGJoH3!tNy'%*ٯI<V H$(+@yQ2Ԥ1E&l&?POYYKNw9#ߕvDI-ǟtޗvc~֌=H31A2̞?vZg&	n3
~9xe5y;NU@)
%{I:0~^ڂ%p[ҧVqCyt϶[~[Xہm^}_%0D-4.ONt/⢶n6.W~z0龐ez'ߧ-5
P}@&%D$$A#I""!q A~L

<5	`U$W)dȆ_P?f~^_G/hwk1Ԏ_FR:5|)GUꦽ`!۫	R^0hwlm2\
:^noEǘ2k4
҃5*Y8xqD~v/IO?}>/:w_%7=ȋ:u6Ic*y9WUﶦYvǖEmBCI~P+/boXQ	EzNX{F	Zzy/we2ap	{$/FkqB͑'eNUp}2d.}wqGF^͐9[GQXk4zj9N{M'<[oN	:mW6N.xPlLc.P,}zq.$=7zoN);l+mbϥ'
Y+T2gg9C:qy~TN֕onDj6<3sȧ#%O4[z*1 UNh=$=pC̿[	&D;Ob%–x:p/<(kP66+ga@0$n!#J^~dMZq=20.v}]ߊݑa_CU<2cI2Vc3D1
g%p]21%(q@XtUnPA9]/HHaq{|!}]4_n%3O(

!NG3FާaocSh?(woal=4pJtFȵJ7VH
Le٪Bh;{]:iP6rIӖǞ=E|s0U:=эi
If"*k20+B_%ZK1yYr)\=*gc
mb
}3`9d/)r$v(]ؐjb֠/EvgUciS]ңik+:ZO4IK]M2Nci_e~~GݩW޴mIM0M8:\Qƒנ\I5΢NZ>HX8|u:C"iއk_67ﳄxєgқ,~2/j9Q9E}8~Vo=pAJz
bKaO{	>O3~f-ѓ4kV42n
Wqٵh題]d(FMD%X0M+A?34ثCKi/1]Їt-6}
#	htyG[:`
lk/eNoT+jt˶CXA5'>~{}dE)(u]EsMJvJ
H*2%bp2$Mv]ϼ*`~9zLƫx}~P%fKo
  b8dl]'xF&Le/^NaOҨNH+bUʳ(ˋd0	Zdf=E-X6Gaώ/mž7!r-Ag0}ZpUx~{	<;9sjӹC;>7jo~9hjzwpWsK9]27oz871[wۭ{Gi;(IVRl<(fN]h: sW$d=Z>12.EƑ`ŨCw]Wހ:iK|;_~JgtNJ7c^(!{{fBӏ"OQO u>\&c=qE1.ohNӣZ¢6Q܇C6Lc7oŞH^g}R</7>ϡ$qqr].x7J=f C;W|w-gb䌉#Hi&%L9@" AÞLu~8wnGrc?<g'^hD\`<x$
B"Eo|wX0WtPhWZ';3("%ӎEN,u D+U&eK0ѭ>fNfYf	>,Zko{3!t9si;vN9siΧN;v9s܋$R[+*K"#  oGL_Bgi~$q8'-bOO^|5dCQ`ڇYv>b #u_IP>"_-Cⴸ#k6(ZWMi(	,pl&H1$&3>#KALNǑc 2#
q"c`cx2FZ6$ҀcOںZuZ)H==REj\ă}J~>/zw.MOƥ3/=7M
)CQAתR+a	lNNG5ggG@#zC6*\*D\9)2lI@*V>Gy4ʒ]0)ƹpA' N툂Gk]\<;$+1Z0sMSDb{+ c8UkKCE!S݈{S$3[U[1$r|l
Kmbqw1qڼFݼZyr0ѲP-3ۃ,D<
\H!M	V&^fV{q-a4.כ[:5:k91a7xLr+6 Fƭ>D2Ř-b=jD	J!ƛA&q`P"Hq=\IRa	I-qA~Ovv!N|}q5%LmFC3r҆Y>[ҸW#UbF<L*:
/\eFEuwOR(ı
X'Z˥	Xpe?N_;$}UW^@I.n X8RI(gFdBp}7vPxIx	+|JY	EiD*#dsa
`X])sa!ИJvtsE1gcygx{XAkZ'aʫ(L)Z\J*#	ggitU(2cxbE'Y	`SU8%Y	=+YD. ~Hq
6">s5d+p[/"UյQo
':85ϊ}/^,qc.^jY51[ᎥokGP_8ks֏pHl;gSsʈFuȼ1V9Fʉ\<.XP&+mQ
di5A_5j=`K\.(v:NUc6[2C 6.ځ5&'%Λ+(q9ޛ2۱u+&3)U &R'/UW	+ccdyװ-*/ '+9h7+N)uR1MXr9DzhĖ*>Lq	#fU&10>6N\]$ͪ}b Hx2搛f;-21DJeWA3/*ta<ff|lG.\rŲ	p}j.#[.ȎZ5\bF4'_K_S֓@yIySr4@~<<؁<͋z|᫆Ec5Jr=J0p(4Ŝ2Z)XuZmUU~L[>@B8IVhSGdqbm(kmLw
7cc6ݶõK1
-g|7!goTtl+HKvl3Yu(V5ehmbnǭc(m>2}w9o"RL|Y+"DZ͍'ۺ[!8KKBnbPrijGpĎ݌bTӌtx\iҪ[,[?9jU%6VQrM3HbFVp2VPxl/8{qUya$N߻Hneం㡽ٞcQ
X9*ODԡtu9^Ay;(=xkf<uzNr&9[p?\EjqK.p2Ԉj0;Gb{$GBE%^R!!3r3N{V>.;!L4¸<f?>;GWMXy%}8
ncꎜt!у#!Щv{BS^%뵣GqF3TճZuZ"&<Ts@3KK/j@

jC.biY`<
G\*ԥJFRG$E`}WbrIs8$uCWGֱt}K~NuIr%}hCw]Π[8.<S^$3fZ8ug ^&-<Wѐ"{^2m3FHƒ%'<ªh!iq33\G-6;EJWUD]Q( XK(QV:8"6r	jy6B}7W?/w7a
ncLz%}uKW*3"
x!㞯@0?b N 2D$ؑxOR@r.!*,*Z1>Vz곖\Ai Ksqd
&Ɖ. ҽk1TGwSFW!e{t(n CԉJIg0B#ъ"l|CA\ޜXn^8Gӌ-w,@[{# @VdkN$9w_0<zBiM…!F"Q7p֪f#Do{bKŽ0SrC mvK0^.%|NO$ VV3] U%nDxg`=CH5k">F:Cܨ: :M'FL\Vy,j(Sv63-Ch,.]I{;5vceaQFAs9%T+0ƣ!MJ.ޝ,y>/Xߖ'%w.ip05Pv)x\>nIQd|]Z% l]S\qdKY3:i^ђYD|ʽ]ߎ7n+e{z36Ndw,{N#3Ba{}3grwtl3Ky媨8$v#䳯:h`%Kjbyj7d&8!c&kYJ1P!uHײh޲y9hYJ숊3\(UEV|^=uc*i[f{E.QJuTSäe!sEnKߧNR3Za/4h4FwHxNҾGE/7L<hX60a[X:QŇPgdvh<DžH}H&!lgfI;rڦsʤe*0+I"@jXr~S\N𞇿(9:iNzӿ
_ '4Ug/6CDsmYU/RH?WQUb԰
7.ҽ6!6ɐ|;4x6x6T0Qw?#b?xesVSRT<M!
"5di1peV,)GS:3ջ]el$6
5ʌ]2sA+̳uN0-g[q@q(Lr%tѮX-`cHƌR`}H -VLHI)1eXLHnN6,-\\zTi%sfj90Yq4PJ;PG%*3+I!ib\ڪ5]j	<YpVfº'${VE1yVo+ź!T\q~,lK݆$콱N>莥9$nE&:h/kxmYQȴa
08ee_! rb!]X%2:ʬ$Rt࿉-"U
ΡGO5" 
5@jUPN&ܔ'I60:֩GUβw5Z'n% $y=;
$G+>J1'$l=;ηܥ+i'$2`
cgZ#E]Kswmհ#{w5ԌvEq)4g7-u+Ѽ@ygL$mQ<8j[V!gs")V
}PK9qMHZP)O##$-^z޸XRlj9/JX>e\D}3AHr*H$,)SqAL%{@+B8ǖUIYl[>WE+GzZ%G6zI'4
*l.q6!§tpLa_1Ռ'!n)-;Q*}N;Avd-|3po-]֫V%x1E2Byh@0
JQ%=I6P}L`ERsa	QIzF^FӝȘ#ñƀp<DeVN8
fFri>Y'=ŤY!6bi!;
ЭtO0dJ>peyeDp*i+\.R(}j6ھgfjŋ}R=6;83pGZWF}f$E2L0,D}<T!2|N"J=&]%c~F쾺΄e9('>Sc}+6}ZFBn:t+$]ytɮjXv'Bi@B26'+7-l~Y`rtC؞PY$޷"$cc#0U 2FY=һ!ʉlnR^qp `@)hJU6	y-%:
kI)ygB;qCM{)}
XgAA;_o֎8ZFAbo׈DGCeC$'9P5?VDpMWeCąGuC'w=fâcڀ|2Ș3f
7b;||\{%Dɭ@)?w
Ƀv6Ge`dcOTbWm+MZ/168r477{V.{Hv,27פMoޅnm
xN6jxj0" MT)X
2ҭ=~zkvI'֕Qʪ]y4#yN`-u NO(pȢkՌU,eBz(XA]QhK71ҷrX	IcB؂o4	7ztkn?2 cjNnˬz/*Ip sX&st¹bt<H%$}3{D?[Uh>:ZIaMy|
&t$戏+2.!q@}`;b=@N#cB^3J.){i@fQVidVv=1%EَQ
9W}``,qF8`NƔB*S[b-1`AٸIc´h_3wuctC^׏!*`;o&	wˠIREɡ#:=C)	|)]Δ3Vʘ^("gUŌfg_&#bq[.o*[!ޏǡ#<K3Ў„HB͉}W}}9P>U)klA<D(M|vŬGqLjW4*?3X{fxBsQޯ#1c?l@yl}糾U#^pfmۖY[ʱDt:ug:+l2,u^bò3?\_R:ɵromz6:ɬ6#Y&P.'Y8=U}ih1
ԨI	˭:vf	IW
+}16xK
{2
.bƒt)SوӪMxJI47\(ʢAE1Z36c#U@^X9>_ht#'Bn	4u-
7Q|	T][,_HA
oLLjҼȉW@kr2&bd!35ܻ&6;M)7ʾjrfq?=I5Y2OA1=iEYrŻ\I6Ὸ˂#s;dV[ִRr# cm,F¦&"TD1ի^Ia^<	4Kl@Fհ_tw؉Œ+XCx+>k_c+hQ3WZp17+YrkQtn9ȩw,ֹ,a;Py\
Vc}p|\, "F,U/쌁4hkb.)a{%1xϡQu3ƚd|LE[6͟[ئC0EZD1]s!:[زºdEe{e?{cLVҁY?3O%ƨ)1$%LF8N>l_k',1d4gW׽};
ʩ'ZMAF,B+R~.{M`
!R%96Je&UP@agV~ܖHOs2yaQRVUi-'npLX[u1Z()#B]$615e"fj*Ε6m%SLS,:,<Kս#;D<5Er6!cvU}9/S+fVlKc&&K"VI
H!jyJ{*
- \'%dBeGL]j8&,549}-,,V<@}p`\/?o uF/n=n
SQP ϛ,3:B=nıFUQPnR7\@ڑZJrGcXn7bڶ|y}02zd	k>a~ HP,#^\C.Ul$C b0+%!L&'<Bb::,j'é̅zx/^65qC,elу<V.ꈓ"
T9oJ_{g&Rwĉ4hwLNyRy+kKQ3$a~㎄ %X'cI(4Wv.'†+6*+׮߾n%<V3Q0И.8Ealnأ80r}T~-'.s!(A{'ˈ]N	BqiM ˭WIK3::[1=_z"[	͚PiM̳눰Ui(rp80Q{yUbzuXĒ>_nIh .K '5w	.4ƶIFܤ`y+ڞĴW#,5ta#<=KVw&b5ؾ)4E_mm:WltU>pCG)゘vzm2ܘKKT\D}.RAIKv>B}Q:xc56,*׎Ax0+p۲uخvN+a9ҏȵvv55u3h|AhtNE =(|xVwӅ(aNqΫf3,ѹ)d)33`D8nNhp~ZgsFP2闷:#zE0)rT}f7(T-T5chMj`w!om%k2.Q=Ijl aHIMI#%ow˔g
j'׹vr܄kô;&EUx}%l&th3UVϱcSߦ[]\hM!q!mm	$cqeWke.wY=Jz7~.FOLàC&=نBD+{v'+eK*`w4wб$$o-9G\f	fmaT]y#1]f6w6:%&pX$YMt['bba
xJf/u3Ytx_O,#	35.ke"PBi>RDtϔ[8&\nW)9D̲ȢnNo0;.paDՒĴب'Ϟ%\ÿ1뎢@=3<|T矘Z	$2$8
V*E-Ia0Q5i7=pJ׳3*]a%
k7=f
̶D	̐T\
q0-u$[;4	ֵ"'x{<]]cQ-f!R\"tnm&$}Ӳ*EP_0Ȯ{ >`WZ\cRk#5DjFziS&Ƣd,!5e0kEpČ<tDHduƳNcaNBk0	޺!
9#^:tm6NgB5BsukI20Ce5{Rah2*Bdb^X,Bҧb
W4J^W3)~
0Y `Nx*T,T-PJS!C+6{%WL*eW@CU8=WpL1YBDrj%Gdx[-Z3e2d[5S1hYxR1\MAܛ.ܼTHXBrJDvpcYOtU
ꀒؔ#ڄkcFkSߊ$E*NZa/G,zEE{=PW)7<r+4Z˽#q|^]d+DkA1'ITH\R,:l!z4Lj[_R*H<]ь
tf,)[JH#*N'))ڪ|$"(#N@f)N@0==)if%bn+U CvZ7JRv16SwAM]Z8zE~:D%v0z}rRRـ)$Sqԍ,(V~9*U!!{Xb`#ϐ`_"LJKv4J$[ r]TA]q5l|kӝ!i
615L,In0_RfI0.=c?[RCryaץ
CtlE QDx0j#@hʣL(iPf"Bt6֡LPblƢ?u|\&Ӑ%/DKtL﬩lcEE'	-i`ItLkc-|QOa] dV	o1Dª$Q4%C9|^HJ!ȸA$3˙ƭ*bEL8uHfuFK
o h@)bH$aMo=mAKJG8e>N!E$J"G"q²d)St=.zD(v+Ytk-YDj@(^"YIJ^oJ\,=`3 Jb4I)!AxIRДڊ.Dŋ=`Ry,RaG+tƕɱ&Im(G`ǻŨYž*~s2Iic͌_	zWUgEA.VttWXVSaGi[N[Zl)֙HB¾W2u!?
;Wd-&nG$«E*9o0"t"XhҪe7se8CQX=?,8zG65F-V;qdaQ+0mqJVTE\ofc4hM#TS淆+֑:{9Ck58d06zU)	\[GNF1F~]8%FR#|z+_GG{8-<v4uasRG"_v\ռ:r,र2\Vap.СA%hk,^^RAqeJzIOxɻ>UsHq9Җcl-Y'
Zuź%zyFB\Pv}i9YL{j +6

S;T	DiY[/4d[>屸$D-,ߊ5H`a"7U1ח0L+i
D2^=}HףoBGh;$V'CF?˚?aq$JNhwGVdEo<	k17+&*dI3QJ	VD@^lu::Qu]wB40RhcI[ư"V	`Ft)b4üiuAbi<%nH2@/+]ϧ$4Ve[)ic3IaIJxmy2dr	W&pZ>͈?V(DT7?_jbӘGHϣ=`r6#:֤s\,;^Rc7'NUMG?1Ao([4daJ|ÿ£-ho`\+Q-HƓs]*1l˒LRv!it2ۻr``h,K
L廿ÐML*5o)"+'igV)mM~>MdʫrB=LkLR7IB4)glI@w*<Qݥ6wk5K%}P٨rF$&	g-i[%lGULjfQXtz=?XDVD)Vitioɣsƃp2Z:rSBUUpJ
!+UkVr9AEa|V>$r	=XJ3VDYN
%SBn==8<iк92=M14bڿA#$GC\ْuE[Ė01*)
[ʙ*Plfد,)4н}ByzqJSԷuZ:\"a}=ۼRxO6;al̀Q(ߊ.⇊>F8"\1P_Fo7$f\Î*DwTuT![YLI@QNkDbF4\P5nz+Fi_pp9ؤ<&pR-Ys̥PtXK^ҴO<D>rxIwҶsN!^RDd)w.>XcH$P%׸ՖXG#񴨼UKWk<9DYYğVcѿ/N[\!h#Kx#<howC>s4k?rbB"xWpQvOGxh!h?@'[AC̎{V.w">>d5(>Ozc!~ SywJm}CBZ_ܱꁯWVs_kjFx7kb^kt#9ԻDtW}1?4~@*wuQ"_)hipa@ӡѐ|_~4Z}0om6"zVPg`(Ma౹v dpŻvRaN!%Xc/LsN3ddFw_c4,VHMavuB}\;Z;Lk1}tn;ٙIeurǞcvΦ4,1r8ޞ
e$iJz"fcߣ<HQEI2X}\;!LR1٣wQ{7ʱ5IoXF}\;$T{1g={*wu\`Z"y(_&kdj2&[EAj:@<O0d닿f7]e}gOǨs'U~{%ӇE
=ws6o
U^N2_][ds
5Ӌ>Fڽws?~c~<۳*m}i}+GM͡TtM/?h}A|9O_Uc=^dka9Wʞ3}mLRY?f;щMCָx?'u^3~]xOHfIQfzډhD︻SC-wWu*o#&N~/ߌa1cuǚwn4!m0Amq$ƁDjzJ69?08T!YDw|gufa)fDy-4L,D#֧Z_]Y_>NV˥.ӛs
p=wJ̌ޕ`ўrj*>ҰqE2
F}o7R"N.Se9ȉuoNc۝r)Jr%{X#vxaq{6N<~Mf3|gpW#`5UV}Ws/cܖxks-s?[ǭ%ͶTX#GPl!ދ1*P4FOV'u`*1	EW@-a`Q*"P9K*+vi騘
n1NRlɊ^W(7H7`b#R]&L
w2`TMcRѩiJE^~OL1w.}-+KnýxQjdqg'bohu[0	}DcPL4ɟ"lU\vA=(<X\1K\[jp!Đjư7#D#çƣlngm/*#26~:Y*F"U;"cd%WAUl>]BĢ'b˨fw1tT[Dh85Zdb17n%#%ΛxlAR`f7FO1Ξ
f~ԉz1Gx6yN?!dɿXoV]-Nj(5H1QCOJ6Sꧣ$Ks
4fR)*ibN)hD)tv a凤k3m=F':/WRjo_%'O	f^z~QČ4+7:+De.&iu[II?OtDnH"Yi5\]cOvH<zw2%d&LY>9"1d^.˭+>YU/yĎcГɥ!fR?%QYD=kQ&[plmbزkWtϝ6&Z[
ZlU.}T$o$=#Au}23N6nD5ӿ95Փp"Kp4>9DɗO<~fFJ'#cMs&!5VtygjOGILCa؞%PG1LILm)`zҩޡ5wCݡ&)
H\8!r觶\g<],V1F*G
1w#lV|3Gݤ=nr!WE=D3d]\k̀0_6Nm8s.TI$3oQz7C]cԡ񚍀̩7J}Tvi]7)vo_ɵW:u 
fO.֧JxkʱnukFM){×ۭNDF9eZPQaͽbW[&3:L	kgNF$Ol΂Wɧ!V#NTk"G,2yDLxט xkf
	26M'%*DvO*(lVEd>~98 syvyik!N\OJ٭O4TdXF{}=]B<]Y?4{E~y[P,i	2UrKܪδ[&ZUB~CSjrËh%x"6|*P%IJj0X\?cQ^r{.
iTɁ
zFI
#Qt&+dZg5[[yYML~L3%?
>6Ff.T@ٴ;CՒ@u=]w qWdj5O![)6f@y>\hzs<F䛧%x7^.~25Ig,5ɮj?\N,WbъiiQط Nd
eNLR$@Gźi*6n\'&{5Fɉ ſ
YbZXlyeOq	^&'2VC_Ls-
>4\mJ079L	j*L5j>X$Gj+`C0mJ͢d%Gkdd_i&$}jc9 ˚^l&Qf.di5JaQOoo`+J8zA>l	_0`0V@z2HZ,aG#))N'L3/+HČrQF,AZ2JD8SLԝ߰:ZEK7U4&±agAe<يgxu];8e+~8%q!7+ڙz͑aof3Ud[
oW0ޮ RoWHiT]dk
shgH!018׾r@4x )sNWGp>}{Hi,V?Ȭ=[3t˵U0> ykf;tTf`	Asc
bF`;%0|ƣ+W1Ӣҩ%H
batΘUoRKDz`D%c4ZoVy;U\qWGҳkaNOf
㮈e]5SpA;ucz7ԋUoPrj'Bki1U3j7'PU}^G0a367jRbGdȐr
:ey
5RvKD$O76JB28@Q=udA#FH{M鮲7[{J8@@qrQL#w‚xZ61!IKe^s&Ekhz3L`'S4B7̟s6an:}g{NXGfȖl1
5C'	/!1NE:P\FyQq'iM'%G{Q0T}*f:=^VTi(nc>9ɶ
;Hw?N¨o[Dzv
PD?襘Zå]%'dn/@Ыsdp/DD0Kqd0h^(ou7oGe:0D f8&9kTo:7lDTd~"LE|؋pGoW3Ļne7F	&{/_1	)"Σ<߇[6Qg NgN؀W-#@[ynUӇh謏(E[=v*8&Ou/rXO]$b-y6S8mTiknudr,$x,]v]oIr+/
z1N7sqN^m,F~wdֶa]6# |{i?-}E=.zŝj6uG~s>7g(4ڹ[]O
^bG64XQ</D):-&NF7-cx|Y[,{d~{>lcVͱ\/뻎~n1~7_	C!Ӭ5w#|S7Ladm"mLz<䰣/Ydn¼>'%,`c@#\o-Wog|SGIduƱ4%)i=ۆ3Opm֟7;[Xꘞ/>UHqeB,lF{_02ɧX
rquẂolu}^NjV#1F.X/\"F&YFFXP@|Z~SϜKEU~5^&2D>BrVP ͧg奢O
2~Zc_CU*?:[ydE襢]j"rm\ԝ{.מ[
*uWQLn-巭 wUݿ\"뿹fI0`wU/_P7^%p+mvϻZ@׻ D;+B׿WE2P-8\WW 8MvsQbqUܩW@n.(涏_ {
(鵀-Do{C3{CQ+UWCR%8W 5-Cl]q
 n@9KD@]W]Zqr~bK_@{%U{/j_{el_,m8J.7{unB\HJ(}K\sa$Krê$u4ݓ.=A~XI]q.~`Pђe_y_{&Y{%Y_.9MK.o8||þ$"EZ{J\
h%̿IT8}P/q+8K^7*wx]Ra˫oֹ[TT|]h<NU_O+6׺v9z;;0ǼU^tMvÈeaٿ}egxvuWDm VMUspQ~I^{
QֲT鍴jl~+"ͭ^;k)52
?nhmрj6
i`7`xi[Q
)N\-^DysOU6daBZlP7 -2d0ɀA'P06yC6 
 ߪ
bOUj3V&ޖPz`mYk@ml\W4셠zm{_i$o'cXDl{(Wl@eѾ8%,AX@0֜mhYA"aKvZ9Y"LUaQ[p5mm2`\;Q|%{S@6
BJrApBZ~_Ed}4EVqRƏScϱ@S___ΒPS:=-WΠtX1<Cׇ/noSOnRmB7m(}W]ϨZ8W]pe_8wm_.$.
|zF=_!?*_4\U_x*/l粭Co}\^?rHo.Fh|B{Omеa7T*$^HT3c*ں%0 EzLPíJ:ӂCJF2=L|J)BHl-H=GJAP=XkAFb9|
BR9~Zʠ9
RR9ʃ 9sq
l
sz[=@%e["zOZs?2hG_[$zs7l-XH9䓚ZhɢWR#,
AbkEsQ4XJ)1D␳ZE6_3)>0coL$2Y EeE "SI[HR,å
kAEbsXmD
s]Z-Hl,z+&IB)9Ҳ議D$Z=APJ=܂X$R9[$=JAP=kAFb9XQC)0z-܂ָsm
sAnn$)J=d*V[-ZJ)siGbRz[=hnA$
zT8"[!7SB]R-Eˈl-HܦR71vSb-HlM u(nEZJ|o~9-ւzT
R=u*[ɉ\J)Sbl-HOR=x{[=AH\J)Sl-HǍO| o(҃קE-HHl#萾R7WЕ۴"a\J)1@E&l-HCn
JAPz>-ւso!
s{Q2[==J)bEHl-H=GnJAP=kAGb9踠
BR9踸R[Q8@υ u(G]=AbkG9 rR
9"sH{a
RR^$l9`(Įl-H= {(quAE-Hl+uq.$@gu+-"H,ppppppppp!z0Uf6nw:cM&ij*cKbZu5hYbMfZlK뽈WN}j4Nle{%~ج/4絝=IպMmJ9}[aX&SMT*P4!ݶX❱6	,~̫b*vRXдr3PjsjdȎɆYİ)4,0El܌T_7;E&Ȕ*]l|T~0ʃzA(
;,0+٫:ִk>C-sH鹌i73hMVƢYI@^҆Qy<y۬Lҳ.v^ETF۴
sK|@D^69&8eCFlP\V5u>)"2$%Qܔr\ZW
nb5q#3XV"tHwW<0-D;ZL~i?ӻ&6SrSylg,`yV)򷂩)Oi\ܨW<).躾5,|>3t㷗7mdFM9)ԃ*x4ň==c
rRb»2L3}AOX3,L8\Ot[M'dOz-f&J$O&Y4@HͧT9b^B&yQ'[)K?yQi_"__siK
XQZ&g1v7f
¡*ƙe|gؒieiK/I`\	%A=!CatC1zD7wRQQՉ
͆[rL`!6j5VU.j.iЃY5V0SQ_3	%qQӯ24*;0
	z
-|GĸsSr=,C@Q> @s{#K
H'_>*_*LJ9@П#`k
W$LH5qdAK']3-<7X Li]U;LN,Tr3@EÛ҆YV)Y??͸U&dTȵOFRbdKzMjI$+5uie,>I,b}j`0D2BUJn{+%J9}\/$(O*YS;PHS߅cߟcSn:*E E#ZvHHɡOVt>OҖ$1uĠ祟f.4Vx"E`"Y@YSM
aY`@X͞xpuHdt)
ryMK*
sIӯX#B*|RQnl;}[RG=[;O>A?>ԋ|7TȀYO(P!}I
4*'OBЄl'M#o"8 ޠ:'%*s}0*.',֩ֆrhOxBt_,*
iE	lbT@:@W??A;B7!HzOYeLPv	QtAT\E@7E2!&f#@NMIQDq0;Bʍw1slUYyvg!vdڎa7|a';.?sQaP4?kDE2Ed)~ʑ^@m
wߋѴ}+>VeM!`I_Bah})ގ?S F![hѵ#1ɎO)6Ѽ2^pg™ww
$<a=wHW
>;›QwTw@Gg`9pp)4F2qz4-;,r9^(m;SEЋ^b\vCg|XZw`oѢkz:F£Ogp`t6Z~n#1^ՎBuGr~li8;<wIn#Ŭ("ڶղ lEhH#}ŁWHN+Buưpvtcoi(wUq(yą![܅F;!]8
	B,9U::r>^ cir2|hU:_zE<w kzaȽa>͡xXB[wiiFм.\ֿ
 YBE"pOLLrdUYSӭUj}jVWRq%%P,EIWr1s%H?P#pH0BS#3F_Yϰ+J~S{eWUg;ER_(bؐذw\}8e)Kt2dŜ;ɓrɚ4rYIX'T~7,%.	K"HR?uHNBۉD}$VNT|c
Xk7#U^Zwuv͔:dNWܙ|X	GWgefv:֗1i)uW0''o-iש􎨩`?.s
mw{^u ntNQf&Ghݽ!Ԩ3qA; @Z[&N%gJ;M;ggx^s~TbR}ׇ|=朒_wXO hgF~!^	~'U5!UBe<Z]wwha]ο{%X̓_&e?ʅGaQ0gX]jFRҝw?my&)
sSOQxgk*Δ/m&J]^{9DrԕOm}$ϟ@!2<yQ@h[ٍcwnaf~b'}BUXYs-sc9co
e83=xy|a&YG^sXSuҾ#x|z^a52}Km0<`,4s(cҟ4l&\ell};"ПmkoX6/@Q(7cįcb^ѧxx`
NLUy^uʰƏwE;0F:3NC;̟dNFQu!wq0{;#*.­-
,&ȁujސmF_,\OVM,<ZO*ߞ\2?	DڢP{*?!ĬUflJ
wik#Mw'Cbb\`̎\pO9^k'sjT4?='vĭ8].wOj
_i`B"hTeFoA:xwr%{ȷ;%;dI_<%ۅN-1P=SQ>{(\25}}P8@:ӿF˚w֍/b<cp:ͺߧ
tZ4W7~`JWX]b\ֺҰ
ݑ3G;̶`xm7E5B$={Թ@mgsG7E@
}ȻxpwfHnj4WCXgs:CcN힣>/#g0
?hY<L ׮Bb0>.ϓ>Z>
	tg~yO\:`xdrWȱxix-}1[YN8R}m0L*gb

w~xn?ВN81^W%~_9(L1Mhvn_5c>Z%0ML1,#c:!e2A{XN,q[lx*gjcvWNi9BZV	KTM/}rg:r8w.Ir	liDت9ioSq̵a9^>Һa ׺ao$T7(f180Vl⟤WUPWy)Ҫ33
gL71Hq͜IUr)agc	`4J_!{mG6w!FTekŠ{亖+"uRĕU.
z4,WYNg\Ovwjn|J(Su>hُzl bgҤUJ*qw0;7h3jD^KaHVUG<lpvN8w)eSa<]f4?FCGx̆],kcǖ;K{yaIG4u$#[IQyw쁩Q߱D1/V7+94!	)N,Z }!J.؆	Rv a!hx\{6$[)ptz{F'׮f_\+G2@aO6З<J#ĂZ&4Ll*v
(f 0Ŀ'5!.iޜ9X,M0QtE9*A)u{%	;]}ͭ{&2anxrb`(hJʋf0t.
OT+7LK0C<wO^NwK@;07L_Hٕ~"/z֬0ǖx=H`&^R^HUK)0#:CGM	!ab\Uאhc\#2DO弮MuIC9ɁC
^oDy}B h^xuB`ZU6Yf
0}F[|O&(a`qK(^Kj8)%ze87b78XD[
͠'
(AŚtiQ$
q	bS:A72ʐ~7E:н
 B|HyK{1Du
0T
]ByeR^C.&],ĪvNVѧ$#Y٫}U1fcx4VvaB4Hҹce{w"c0}N"Ec(䰐E<mӘP$ݟ{;qzwj''q]i-qO⺯aT#C`io JW#D,L26FtYlfFc	'ez/1fPϵ
X
;lT1&nnO	B>(]O4*#?%ԗ,vKThrǿgu1	Cq1}> Зbݏ0"#lh}r=0:PDNab܃2Xc
(c1iY_o4C*W+c-a&ԑ1%J0prKc
⒴aa4T1hQ_2B'!5
i'@LccUaXΐTݠlX+i]
C2%2LBm6_\N1UrڷK /rCZ쑏^Aúef&…8>7-'	H菍z"&|a{R$&y~3On:DFEFÑ
ǮbsWYΊnu+"~܅2L5207i,EqraJ?jP JgCBdo ː7"o}la0)vC(u"k?
#~4ꮁ]?+ۡHL%LȜ0?b$LЩiFdˉ8z3e=p*hEqL>\ʡ]hhg!s1D&b8D8-t5Atǘ#̲Q0qc9-x4G\2L5m*E]`Ι
{v	yUi?4c!0DMZw2<Kɖ{-P :Fu',!NjNqֻXM"nBH%fӭƧى,tk<"sh	E/)F<h-hRA2aW tۢ)<vHq&>w=:n8ChJ >aaLbh9w:Ă&aa+#r2.Z~<"+IAcLjMQ)0ؽh?FrbFaU9zDFVWd?ıZ.JuC\ lX$nmdCL
`Ii/~&\XM?i@A@d)| _7`itKa@W
J@W@,װ$@q``̨E4űvp?+''qԀv8(4JSbx_0dIA;`wG2P *yes,(qVb`
ۯ*0pYV/Q فbv_權#( }7m,@QW̞HD	
`eI;k,vFɻ1bX	T` (Jay\]hlKGR{dRg0^E&ICIMuC`FXŽ&|%!1C
;cVy44`ܫǎ)i
\aɱˤ9pۑ@%X&v]VY$
jctII2ĉI2aAykb]Y|0rJFfAYO	 ypB,:wG,vPxT,[Ѡm`AK(T{ ,PWp X@@*n Y.N􋒡99Zր20	61‰MRH2.IAШ/cю&BQI0vjv
N[agv/DԂز>8_uj%:%X
QO#SAh:KQc\1Tll$iP6*v,˶,qHY*<%L
'XevX1+4<0(oJ0
b[M6x%9(ĝM	Fc)@x,!dH%!iaɑ	hKKcA!!S%Aд+vjP8YξwiA@QlK mWb6#yY$;RL/NbM\AbκW^lsX%I\&- yWhK`l|,^,٪5eG-${AKdA;	<8#,^3
dX6?A$p|
Aj&54_	00(l%S@d1;5xMcB
DHbd%J+؁^T]0l$!٨%vkkn{*d5H(.%i8YפֆܔYMdYIcKN
nJ!R!;QH)1@o$ObdP̚@*
/&.'kB~`^djGmSmͳ4KLٖLx$Ŕ(m3bpK^h5ƒdKPT@bS@䆒1r֊=Rt+c1CKcJ @I2ă6px,!խgqݶZ&j?(əR	α'KNJ]CY-PoL}Uf.2eʪEM.3srT*=??z%,ۃ+w33%{FiӬ,$N.{׋Ms^}"W_oj[p>ҙxԺmVH.fG
[^{ǹpuW헽~Lv1q9
9~ggLɽ(K9¾Z?ܮ67n/YQb:V;a}U&uCS}GXMmZ#rҲSj6-ʱ|ӂE
\yAiYj*N78~ljf+oj't
I)tmREG-/_tUb?==݄#ܚ-cx
swΜ9:V<zS&'>ȁ7~
36l'
msۢ
p3Vv:8^lCQIjsfbvZ?@~<x٫Nzf
=P]mt~>¥o\dܤmϥqO<˭nzۗkOr
TYc-6wYhlbRגԼř,m+:U7E)8wZowozJENM]ً6ojo?sy_M_qpmf"0'_R+2#4Oi?G:~+GGp[bc:g]q>8<[/Q6-a3̍/:vqt[X&9Kwb~jwjFr1{#'6<z-\on3P'r7LnU{d![hZq-s{ZAn\=<9(BJ7m}ۏZbv{m}5[IE'[6E5o{Mp]j-Z)Fk>=֕8-CnV_f
@׏6Q־ۯeη6E>Ӆ[~|5JU(G>-6:X%Z{05SDVN8{u2cc:2k^If,rWwѥSzݩqpO}vrInCU?v]}{KmhvԹ6%vhZ	V"ޯUjUdT:iHWYU$b*ɔV"Me^U*RTڴ,D*<C8eH$NVY0e*3haf
nLZVE"	7
z6J\XbY*Ҫ%,	ZEBJygeV$gNYi!eVcUV$4%"H]VERYwB_%gfM|04'e$gVȖY.ގo㣛UWk+HP+.I7`4rF(WFUT3\"=;jM	x\}mgL`ޗjU]Z%2mua7zM&і&#nRgyW Kq{ZvO/aZY_im.a׾xBs]6/:DOKOMy_'264رnl^B	wӶDFu5%6((/{&ҧlvQ~tJ֗J&=Kr;j%k눻vEdxȏpq}nۭIۊh'G}~UgM(:㞞`uH[JI|(H3[j./ԈqEDZB[nLMK>5t7"(,OToMG_jߊˎ]%wVRrnre<*q5=E.il)AEvz͸h{8ЯBk_C?4)̓]s'S*2#)/9]Ui݌+(ˉǤlTU/u"V-/X-]\d[71í&-wuxDqkBQ_˖<.gSMYh4kiIZϠ(
Mؖ.+&}߼pJ)m~_N3K͜)mwc+W7{P1daކ;cQ:#.lg0ژ1=3ZwE.Y"2F#@o$|H`z郕s;'5{q|/?j8SZ>Ԩ;`~}ĮFG5=
T!u>}ֺv6t3[y^+;enmzcAI'KcO6ֳ6ёqڛ'o훿e
7["NjL7%	R;Mkqw_lƨ)eO/k϶/D?;I&bTێlJvK?WRftE@fx\3!c!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !
(e,+xhbD1<DX

Anon7 - 2022
AnonSec Team