Understanding AD RMS Certificates

Applies To: Windows Server 2008 R2, Windows Server 2012

The different components of Active Directory Rights Management Services (AD RMS) have trusted connections that are implemented by a set of certificates. Enforcing the validity of these certificates is a core function of AD RMS technology. Each piece of rights-protected content is published with a license that expresses its usage rules, and each consumer of that content receives a unique license that reads, interprets, and enforces those usage rules. In this context, a license is a particular type of certificate.

AD RMS uses an XML vocabulary to express usage rights for rights-protected content called eXtensible rights Markup Language (XrML).

The certificates and licenses used by AD RMS are connected in a hierarchy, so that the AD RMS client can always follow a chain from a particular certificate or license through trusted certificates, up to a trusted key pair.

The following table lists the certificates and licenses that are used by AD RMS:

Certificate or License Purpose Content

Server licensor certificate (SLC)

The SLC is created when the AD RMS server role is installed and configured on the first server in the cluster. It generates a unique SLC for itself that establishes its identity, called self-enrollment, and has a validity time of 250 years. This enables the archiving of rights-protected data for an extended period of time. A root cluster handles both certification, by issuing a rights account certificate (RAC), and licensing rights-protected content. Other servers added to the root cluster share an SLC. In complex environments, licensing-only clusters can be deployed, which generate their own SLC.

The SLC contains the public key of the server.

Client licensor certificate (CLC)

The CLC is created by the AD RMS cluster in response to a request from the client application. The CLC is sent to the client while it is connected to the organization's network and grants the user the right to publish rights-protected content when the client is not connected. The CLC is tied to the RAC of the user, so that if the RAC is not valid or not present, the user is not able to access the AD RMS cluster.

The CLC contains the client licensor public key, along with the client licensor private key that is encrypted by the public key of the user who requested the certificate. It also contains the public key of the cluster that issued the certificate, which is signed by the private key of the cluster that issued the certificate. The client licensor private key is used to sign publishing licenses.

Machine certificate

The machine certificate is created on the client computer the first time that an AD RMS-enabled application is used. The AD RMS client in Windows Vista and Windows 7 automatically activates and enrolls with the root cluster to create this certificate on the client computer. This certificate identifies a lockbox on a computer or device that is correlated with the logged-on user profile.

The machine certificate contains the public key of the activated computer. The corresponding private key is contained by that computer's lockbox.

Rights account certificate (RAC)

The RAC established a user's identity in the AD RMS system. It is created by the AD RMS root cluster and provided to the user when first attempting to open rights-protected content.

A standard RAC identifies a user by account credentials in the context of a specific computer or device and has a validity time measured in number of days. The default validity time for a standard RAC is 365 days.

A temporary RAC identifies a user based on account credentials only and has a validity time measured in number of minutes. The default validity time for a temporary RAC is 15 minutes.

The RAC contains the public key of the user and the private key of the user encrypted with the public key of the activated computer.

Publishing license

The publishing license is created by the client when content is saved with rights-protection. It specifies the users that can open the rights-protected content, under which conditions the content may be opened by the user, and the rights that each user will have to the rights-protected content.

The publishing license contains the symmetric content key for decrypting the content, which is encrypted with the public key of the server that issued the license.

Use license

The use license specifies the rights that apply to the rights-protected content in the context of a specific authenticated user. This license is tied to the RAC. If the RAC is not valid or not present, the use license cannot be used to open the content.

The use license contains the symmetric content key for decrypting the content, which is encrypted with the public key of the user.

Additional references