Microsoft Active Directory Certificate Services

A Microsoft Active Directory Certification Authority is responsible for attesting to the identity of users, computers, and organizations. The CA authenticates an entity and vouches for that identity by issuing a digitally signed certificate. The CA can also manage, revoke, and renew certificates. The CA can be public or private. A public CA provides certification services, typically for a fee, to the public over the Internet. A private CA provides this service to the members of a delimited population such as the employees of a business or members of some other private group.

To enhance the security of the generated keys and certificates, configure the Microsoft Active Directory Certification Authority to use a Hardware Security Module (HSM). Enabling an HSM with the Microsoft Active Directory Certification Authority strengthens the protection of keys and certificates.