Certificate Services

The Certificate Services service supports the Active Directory Certificate Services (AD CS) server role as part of Windows Server 2008 R2 to enable a business to act as its own certification authority (CA). It issues and manages digital certificates for smart card logon and for applications such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), Encrypting File System (EFS), and IPsec.

The AD CS server role is not installed by default. Administrators must install it through Server Manager, at which time the Certificate Services role service is also installed. If Certificate Services stops or if you disable it after installation, certificate requests are not accepted and certificate revocation lists (CRLs) and delta CRLs are not published. If the service stops long enough for CRLs to expire, existing certificates fail to validate.

Certificate Services relies on RPC and on DCOM to communicate with clients by using random TCP ports that are higher than port 1024.

Certificate Services is not supported on a Server Core installation of Windows Server 2008, but it is supported on a Server Core installation of Windows Server 2008 R2 in addition to the Standard, Enterprise, and Datacenter editions of Windows Server 2008 and Windows Server 2008 R2.

The following table identifies the application protocol, network protocol, and ports used by Certificate Services:

Application protocol                 Network protocol    Ports
Randomly allocated high TCP ports    TCP                 Random port number between 1024 and 65535

