One powerful administrative feature of Certificate Services is the ability to control and customize the behavior of the certification authority (CA) through the use of policy and exit modules.
Policy modules can determine whether a certificate request should be automatically approved, denied, or marked as Pending. Exit modules provide an opportunity to perform post-processing after a certificate is issued.
Certificate Services comes with one exit module (Certxds.dll) and one policy module (Certpdef.dll). The policy module includes two separate policies: enterprise and stand-alone. To compare a CA using enterprise policy and a CA using stand-alone policy, see Enterprise certification authorities and Stand-alone certification authorities.
As a CA administrator, you can replace these default modules with your own custom policy and exit modules or commercial policy and exit modules. In addition, if you have upgraded to
The policy module provided with the Microsoft CA performs the following function:
Microsoft certification authorities can either issue a certificate automatically upon receiving a request or hold the request as Pending. In the majority of instances, the administrator of a stand-alone CA will want to have all incoming certificate requests set to Pending. Otherwise, because the stand-alone CA does not verify the identity of requesters via the Active Directory directory service, there is no way to verify the identity and validity of the certificate requester.
The CA can only have one policy module loaded at a time. The Windows 2000 CA policy module contained a great deal of functionality that has been integrated into the core certification authority functionality. This allows the policy module to be more easily replaced without losing functionality.
The exit module that is provided with the Microsoft CA performs the following functions:
Please note that this is not an exhaustive list of the functions of the exit module. Unlike the policy module, multiple exit modules can be used by a CA simultaneously.
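As an added example (not from this documentation page), the PowerShell script below audits the settings described above on a CA host: which single policy module is active, which exit modules (possibly several) are active, and whether the default policy module is set to hold incoming requests as Pending. It reads the CertSvc configuration registry keys, whose layout and whose RequestDisposition flag values (REQDISP_ISSUE = 0x1, REQDISP_PENDINGFIRST = 0x100) and CAType values come from the Microsoft Certificate Services documentation and Windows SDK headers rather than from this page; the output property names are my own.

```powershell
# Added example: audit the CA's policy/exit module configuration.
# Assumptions: run elevated on the CA host; registry layout and flag values
# are those documented for Certificate Services (not taken from this page).

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName

# CAType: 0/1 = enterprise root/subordinate, 3/4 = stand-alone root/subordinate.
$caType       = (Get-ItemProperty -Path $caKey -Name CAType).CAType
$isStandAlone = $caType -in 3, 4

# Exactly one policy module can be active at a time (REG_SZ value).
$policyModulesKey = Join-Path $caKey 'PolicyModules'
$policyModule     = (Get-ItemProperty -Path $policyModulesKey -Name Active).Active

# Several exit modules may be active simultaneously (REG_MULTI_SZ value).
$exitModulesKey = Join-Path $caKey 'ExitModules'
$exitModules    = (Get-ItemProperty -Path $exitModulesKey -Name Active).Active

# The default policy module stores its disposition flags under its own subkey.
$policyKey   = Join-Path $policyModulesKey $policyModule
$disposition = (Get-ItemProperty -Path $policyKey -Name RequestDisposition `
                -ErrorAction SilentlyContinue).RequestDisposition

$REQDISP_ISSUE        = 0x1
$REQDISP_PENDINGFIRST = 0x100

if ($null -eq $disposition) {
    $pendsFirst = $null          # custom module or value not set
} else {
    $pendsFirst = ($disposition -band $REQDISP_PENDINGFIRST) -ne 0
}

# Stand-alone CAs cannot verify requesters through Active Directory, so a
# stand-alone CA that auto-issues is the condition worth flagging.
$finding = if ($isStandAlone -and $pendsFirst -eq $false) {
    'Stand-alone CA issues requests automatically; consider setting requests to Pending.'
} elseif ($null -eq $pendsFirst) {
    'RequestDisposition not readable (custom policy module or value not set).'
} else {
    'OK'
}

[pscustomobject]@{
    CAName              = $caName
    StandAlone          = $isStandAlone
    ActivePolicyModule  = $policyModule
    ActiveExitModules   = ($exitModules -join '; ')
    RequestDisposition  = if ($null -ne $disposition) { '0x{0:X}' -f $disposition } else { 'n/a' }
    AutoIssue           = if ($null -ne $disposition) { ($disposition -band $REQDISP_ISSUE) -ne 0 } else { $null }
    PendsFirst          = $pendsFirst
    Finding             = $finding
}
```

The same values can be inspected with `certutil -getreg policy` and `certutil -getreg exitmodules\Active`; the script only reads the registry, so it is safe to run as a periodic configuration check.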
To configure the settings of the default policy and exit modules, see Configuring the policy and exit modules. To configure e-mail sending options, see Send e-mail when a certification event occurs.

Programmable interfaces are included in Certificate Services for developers to create customized policy modules. For more information, refer to the Microsoft Platform Software Development Kit.
If you have created a customized policy module using the guidelines in the Microsoft Platform Software Development Kit and you want to change the policy module, see Select a different policy module.
If you have created a customized exit module using the guidelines in the Microsoft Platform Software Development Kit and you want to change or add an exit module, see Select a different exit module.