Certificate Server Manager. Certificate Server Manager in
Certificate Server manages four lists: issued certificate, failed request,
pending request, and revoked certificate. Certificate Server Manager also
performs other administrative functions, such as backup and restoration of keys
and certificates and configuration of policy and exit modules.
Certificate Server stores issued certificates in the issued certificate
list and publishes them in AD. The server's policy module compares the request
information against the server's defined policies to determine whether the
server should grant, deny, or suspend a certificate request. If the policy
module finds that the request matches a policy, the module composes certificate
properties such as the subject name, public key, email address, organization name,
key usage, and certificate path and generates an X.509v3 certificate. The
server's exit module sends the issued certificate to the client and publishes it
in AD. Certificate Server rejects a certificate request if the policy module
finds unmatched criteria in a policy. For example, if the client requests a
sales certificate but doesn't belong to the sales group in the sales certificate
template's access control list (ACL), Certificate Server rejects the request.
The server places rejected requests in the failed request queue. If the policy
module can't find a policy to match against a request, the server saves the
request in the pending request list for manual processing by a CA administrator
or security systems administrator.
Using Certificate Server, you can revoke client certificates when a user's
private key is compromised or the user leaves the company. Certificate Server stores
revoked certificates in the revoked certificate list and publishes the list in
AD, so applications that use certificates can verify a certificate's status from
the revoked certificate list. Certificate Server can automatically update the
revoked certificate list at intervals you define, such as once a day. You can
also manually update the revoked certificate list immediately after certificate
revocation.
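To make the request flow concrete, here is an added example (not Certificate Server's own code, nor the author's) that models the policy module's three outcomes, the four lists Certificate Server Manager tracks, the exit module's publication step, and the difference between a scheduled and an immediate update of the revoked certificate list. The template names, group names, requesters, and the one-day interval are assumptions constructed for the example.

```python
"""Model of the Certificate Server request flow described above: a policy module
that grants, denies, or suspends a request, the four lists Certificate Server
Manager tracks, an exit module that publishes issued certificates, and a revoked
certificate list that relying applications consult. All data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import itertools

# Constructed templates: acl = AD groups allowed to request; key_usage = what the cert carries.
TEMPLATES = {
    "User": {"acl": {"Domain Users"}, "key_usage": ["digitalSignature", "keyEncipherment"]},
    "Sales": {"acl": {"Sales"}, "key_usage": ["digitalSignature"]},
}
@dataclass
class Request:
    subject: str
    email: str
    org: str
    groups: set        # requester's AD group memberships (constructed)
    template: str
    public_key: str    # placeholder for the requester's public key

@dataclass
class Certificate:
    serial: int
    subject: str
    email: str
    org: str
    key_usage: list
    cert_path: str     # issuing chain, e.g. "CN=Alice -> CA"

class CertificateServer:
    def __init__(self, ca_name="CA", crl_interval=timedelta(days=1)):
        self.ca_name = ca_name
        self.issued, self.failed, self.pending, self.revoked = [], [], [], []
        self.directory = {}            # stands in for publication in AD
        self.crl_interval = crl_interval
        self.crl = None                # (published_at, set of revoked serials)
        self._serials = itertools.count(1)

    # Policy module: match the request against the template policies.
    def policy_decision(self, req):
        tpl = TEMPLATES.get(req.template)
        if tpl is None:
            return "suspend"           # no policy to match: manual review
        if req.groups & tpl["acl"]:
            return "grant"
        return "deny"                  # policy matched, but its ACL excludes the requester

    def submit(self, req):
        """Route the request to the issued, failed, or pending list."""
        decision = self.policy_decision(req)
        if decision == "grant":
            tpl = TEMPLATES[req.template]
            cert = Certificate(next(self._serials), req.subject, req.email, req.org,
                               list(tpl["key_usage"]), f"{req.subject} -> {self.ca_name}")
            self.issued.append(cert)
            self.exit_module(cert)
            return "issued"
        if decision == "deny":
            self.failed.append(req)
            return "failed"
        self.pending.append(req)
        return "pending"

    # Exit module: deliver the certificate and publish it in the directory.
    def exit_module(self, cert):
        self.directory.setdefault(cert.subject, []).append(cert.serial)

    # Revocation: the list is republished on a schedule or on demand.
    def revoke(self, serial, reason, now):
        cert = next(c for c in self.issued if c.serial == serial)
        self.revoked.append((cert.serial, reason, now))
        self.publish_crl(now)          # publishes only if the interval has elapsed

    def publish_crl(self, now, force=False):
        due = self.crl is None or now - self.crl[0] >= self.crl_interval
        if force or due:
            self.crl = (now, {serial for serial, _, _ in self.revoked})

    def status(self, serial):
        """What a relying application sees: only the published list counts."""
        return "revoked" if self.crl is not None and serial in self.crl[1] else "good"

def demo():
    ca = CertificateServer()
    t0 = datetime(2000, 1, 1, tzinfo=timezone.utc)
    ca.publish_crl(t0)                 # initial, empty revoked list
    alice = Request("CN=Alice", "alice@example.test", "Example", {"Domain Users", "Sales"}, "Sales", "<key>")
    bob = Request("CN=Bob", "bob@example.test", "Example", {"Domain Users"}, "Sales", "<key>")
    carol = Request("CN=Carol", "carol@example.test", "Example", {"Domain Users"}, "Engineering", "<key>")
    results = {r.subject: ca.submit(r) for r in (alice, bob, carol)}
    # Alice's key is compromised two hours later: the daily update is not yet due,
    # so relying parties still see "good" until the administrator publishes now.
    ca.revoke(1, "keyCompromise", t0 + timedelta(hours=2))
    before = ca.status(1)
    ca.publish_crl(t0 + timedelta(hours=2), force=True)
    return results, before, ca.status(1)
```

Running demo() routes Alice to the issued list, Bob (not in the Sales group named by the template ACL) to the failed request list, and Carol (no template, hence no policy to match) to the pending list. The revocation half shows the gap the paragraph above implies: an application that checks only the published list keeps accepting a revoked certificate until the next scheduled update, which is why the immediate manual update matters after a key compromise.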
Certificate Server is an open platform on which you can develop your own
policy and exit modules with the SDK if the defaults don't meet your
requirements. For example, if you want to publish certificates in a separate
directory from AD, you can write a new exit module to replace the default exit
module in Certificate Server. Using Certificate Server Manager, you can also
easily back up CA private keys and certificates and all issued and revoked
certificates to files so that you can restore them in case of disaster.
Certificate policies. Certificate Server in Win2K
automatically installs a set of default certificate templates in a group policy
object (GPO) in AD. A certificate template consists of a list of definable
policies governing how to generate and use the certificate. For example,
you can use a certificate for secure mail, client authentication, and EFS, and
you can use the certificate's public key for digital signature and data
encryption. The certificate template includes an ACL in which you can specify
which users and groups in AD can request the certificate. The GPO is a security
policy store in which you can define security policies for users and machines.
The default public key security policies in the GPO contain several user
certificate templates, such as User and Administrator, and machine certificate
templates, such as Web Server and Computer. Certificate Server preinstalls these
default templates to its policy settings. Screen 3, page 100, shows Certificate
Server's policy settings in the right-hand pane of the MMC management window.
If the default templates don't meet all your needs, you can create custom
certificate templates in the GPO. For example, I added a Sales certificate
template to the policy settings, as Screen 3 shows. When you create a custom
certificate template, you need to use the Group Policy Editor to manipulate the
GPO of the certificate server. (I named my GPO "CA Policy," as you see
in the left pane of Screen 3.) The GPO contains two certificate template
folders: User Settings and Computer Settings. User Settings holds
the user certificate templates, and Computer Settings holds the machine
certificate templates. To create a new template, use the template creation
wizard in one of the template folders. Then, add the newly created template to
the policy settings in Certificate Server Manager.
You can also configure the automatic certificate request settings in User
Settings and Computer Settings to let a user's computer automatically receive a
particular certificate the next time the user logs on to AD. For example, if you
add the Sales certificate template to the automatic certificate request
settings, everyone in the Sales group will receive the certificate the next time
they log on to AD.
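The template folders and automatic certificate request settings, as an added example that is not Win2K code or the author's: a GPO with the two template folders, the preinstalled User, Administrator, Computer, and Web Server templates, a custom Sales template created and then added to the server's policy settings, and the check a client performs at logon. The template fields, purposes, group names, and the rule that a template must be in the policy settings before it is issued automatically are assumptions of this example.

```python
"""Model of the certificate template GPO and the automatic certificate request
settings described above: a GPO with User Settings and Computer Settings
folders, preinstalled templates, a custom Sales template, and the evaluation a
client performs at logon. Template fields, groups, and users are constructed."""
from dataclasses import dataclass, field

@dataclass
class CertificateTemplate:
    name: str
    purposes: list     # e.g. secure mail, client authentication, EFS
    key_usage: list    # e.g. digitalSignature, dataEncipherment
    acl: set           # AD users and groups allowed to request the certificate

@dataclass
class TemplateFolder:
    templates: dict = field(default_factory=dict)
    auto_request: set = field(default_factory=set)  # automatic certificate request settings

class GroupPolicyObject:
    def __init__(self, name):
        self.name = name
        self.user_settings = TemplateFolder()      # user certificate templates
        self.computer_settings = TemplateFolder()  # machine certificate templates

def default_gpo():
    """Preinstalled templates (a constructed subset of the Win2K defaults)."""
    gpo = GroupPolicyObject("CA Policy")
    for tpl in (
        CertificateTemplate("User", ["secure mail", "client authentication", "EFS"],
                            ["digitalSignature", "keyEncipherment"], {"Domain Users"}),
        CertificateTemplate("Administrator", ["secure mail", "client authentication", "EFS"],
                            ["digitalSignature", "keyEncipherment"], {"Domain Admins"}),
    ):
        gpo.user_settings.templates[tpl.name] = tpl
    for tpl in (
        CertificateTemplate("Computer", ["client authentication", "server authentication"],
                            ["digitalSignature", "keyEncipherment"], {"Domain Computers"}),
        CertificateTemplate("Web Server", ["server authentication"],
                            ["digitalSignature", "keyEncipherment"], {"Domain Admins"}),
    ):
        gpo.computer_settings.templates[tpl.name] = tpl
    return gpo

def create_template(folder, name, purposes, key_usage, acl):
    """Stand-in for the template creation wizard; never silently replaces a template."""
    if name in folder.templates:
        raise ValueError(f"template {name!r} already exists")
    folder.templates[name] = CertificateTemplate(name, list(purposes), list(key_usage), set(acl))
    return folder.templates[name]

def add_to_policy_settings(policy_settings, template):
    """Second step: the template must also be added to Certificate Server's policy settings."""
    policy_settings[template.name] = template

def automatic_requests(folder, principal, groups, held, policy_settings):
    """Templates the principal receives at next logon: listed in the automatic
    request settings, known to the server's policy settings, permitted by the
    template ACL, and not already held."""
    return sorted(
        name for name in folder.auto_request
        if name in folder.templates and name in policy_settings
        and ({principal} | set(groups)) & folder.templates[name].acl
        and name not in held)

def demo():
    gpo = default_gpo()
    policy_settings = dict(gpo.user_settings.templates)
    policy_settings.update(gpo.computer_settings.templates)
    sales = create_template(gpo.user_settings, "Sales", ["secure mail", "client authentication"],
                            ["digitalSignature"], {"Sales"})
    add_to_policy_settings(policy_settings, sales)
    gpo.user_settings.auto_request.update({"User", "Sales"})
    alice = automatic_requests(gpo.user_settings, "alice", {"Domain Users", "Sales"}, {"User"}, policy_settings)
    bob = automatic_requests(gpo.user_settings, "bob", {"Domain Users"}, set(), policy_settings)
    return alice, bob
```

In demo(), Alice already holds a User certificate and is in the Sales group, so her next logon yields only the Sales certificate; Bob is not in Sales, so he receives only the User certificate. The two-step creation (wizard in the GPO folder, then policy settings in Certificate Server Manager) is modeled explicitly so that a template missing from the policy settings is never issued automatically.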