To maintain a secure network connection, a public key infrastructure (PKI) is usually used to protect the data transferred over the network, and it is very useful in many commerce areas such as e-commerce, internet banking and sending email.
A PKI involves different roles and software, and digital certificates need to be created, distributed and stored by different computers (servers). Active Directory Certificate Services in Windows Server lets the server manager create digital certificates and provides public key cryptography and digital signature capabilities for the organization.
After the AD Certificate Services role is established, digital certificates can be issued and managed by the server manager to authenticate computers, different users and accounts on the network. The different kinds of digital certificates have different purposes, but all share common functions: encrypting with a public key, providing digital signatures, and providing authentication by confirming the certificate key against a user, device or account.
Certification Authority Web Enrollment is a role that provides web pages through which a user connects to the CA with a web browser to request certificates or the CA's own certificate.
Since the server issues several certificates, a backup must be set up to keep the certificates safe and recoverable in case of an accident such as theft of a smart card or an accidental reformat of the server.
Key archival and a key recovery agent play an important role in backing up certificates. To enable key archival, a key recovery agent must be set up first by using the MMC dashboard to create a certificate based on the "Key Recovery Agent" template. This creates a Key Recovery Agent certificate, which the server manager enrolls for in order to become a key recovery agent.
After that, the manager can use the MMC to create a copy of all issued certificates by enabling key archival.
User certificates can be used in different situations, so there are many different types of certificate template to fulfill different purposes. For example, a "Code Signing" certificate is for a programmer to sign application code, so that when the software is tested the management system and end users can be sure the software is trusted. "Smartcard Logon" certificates are for issuing smart cards: the card is authenticated against Active Directory and provides the login identity.
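The check an administrator wants after the key archival steps and the template discussion above, as an added PowerShell example that is not part of the original text: it reports how many Key Recovery Agent certificates the CA has loaded and which published templates require private key archival, so the "KRA first, then archival" ordering can be verified before users start enrolling. It assumes it runs elevated on the CA host; the CertSvc registry path, the AD containers and the CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL value (0x1 in msPKI-Private-Key-Flag, from MS-CRTD) are standard AD CS values, and the function name is mine.

```powershell
function Test-KeyArchivalReadiness {
    # Name of the active CA, from the CertSvc configuration key.
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfgKey).Active
    $caKey  = Join-Path $cfgKey $caName

    # KRACertCount: number of KRA certificates the CA encrypts archived keys to.
    # A value of 0 (or a missing value) means no key recovery agent is configured.
    $kraCount = (Get-ItemProperty -Path $caKey -Name KRACertCount -ErrorAction SilentlyContinue).KRACertCount
    if ($null -eq $kraCount) { $kraCount = 0 }

    # Templates in the forest whose msPKI-Private-Key-Flag requires archival (bit 0x1).
    $configNc     = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tplContainer = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $archivalTemplates = foreach ($t in $tplContainer.Children) {
        $flags = [int]($t.Properties['msPKI-Private-Key-Flag'].Value)
        if ($flags -band 0x1) { [string]$t.Properties['cn'].Value }
    }

    # Templates this CA actually publishes (pKIEnrollmentService object in AD).
    $caObj     = [ADSI]"LDAP://CN=$caName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    $published = @($caObj.Properties['certificateTemplates'] | ForEach-Object { [string]$_ })

    # Archival-required templates that users can already enroll against on this CA.
    $atRisk = @($archivalTemplates | Where-Object { $published -contains $_ })

    [pscustomobject]@{
        CA                         = $caName
        KraCertCount               = $kraCount
        PublishedArchivalTemplates = $atRisk
        # True when archival templates are published but no KRA exists: those
        # enrollments will be rejected until a KRA certificate is added to the CA.
        ArchivalMisconfigured      = ($atRisk.Count -gt 0 -and $kraCount -eq 0)
    }
}

Test-KeyArchivalReadiness | Format-List
```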