Longhorn Server PKI

Longhorn Server Certificate Services also includes additional administrative delegation capabilities. Longhorn Server offers more granular control for delegating the PKI enrollment agent and certificate manager roles. In Windows Certificate Services an enrollment agent is an account that lets a user enroll for certificates on other users' behalves. A Windows CA administrator can assign a user the right to enroll for certificates on behalf of other users by issuing the user a special enrollment agent certificate. An example of when you'd use enrollment agents is if you wanted to allow an HR employee to preload users' smart card logon certificates on the users' smart cards. Previous Windows PKI versions don't let you control on which users' behalves an enrollment agent can enroll for a certificate, nor can you control the types of certificates (e.g., mail encryption, Web authentication) an enrollment agent can enroll for on other users' behalves. Longhorn Server's CA Properties lets you set both restrictions from the Enrollment Agents tab, which Figure 1 shows.

Longhorn Server includes a similar capability for certificate managers. Certificate managers are accounts that can approve or deny user certificate requests, as well as revoke certificates. A Windows CA administrator can assign a user the certificate manager role by giving the user the Issue and Manage Certificates permission in the CA Properties security settings. In Win2K and Windows 2003, PKI CA administrators can control which users or groups a Windows account can issue and manage certificates for. The Longhorn Server PKI adds the capability to control certificate issuance and management for a particular certificate manager based on the certificate type. For example, in Longhorn Server the CA administrator can restrict a certificate manager to issue and manage the Web authentication certificates for only those users who belong to the AD Sales group. You use Longhorn Server's CA Properties Certificate Managers tab to control certificate manager delegation.

Another useful addition to a CA administrator's toolset is the Microsoft Management Console (MMC) Enterprise PKI snap-in (PKIview.msc), which Figure 2 shows. In Windows 2003, the resource kit includes the Enterprise PKI viewer, which you must install separately. Longhorn Server includes this tool by default. CA administrators can use this snap-in to easily check the health status of all the CAs integrated with their AD environment. From the Enterprise PKI viewer you can check the validity and currentness of CA certificates, certificate revocation lists (CRLs—blacklists that contain the serial numbers of bad or revoked certificates), CRL distribution points (CDPs—locations from which PKI clients can download the latest CRLs), and Authority Information Access (AIA—locations from which PKI clients can download CA certificates).

Cryptographic Changes
Windows Certificates Services closely interacts with the OS's cryptographic engines. At the heart of Windows Vista's (the new Microsoft client OS) and Longhorn Server's cryptographic operations is a new cryptographic API, called Cryptography API: Next Generation (CNG). Microsoft will eventually use this new API to replace the current Cryptography API (CAPI), but in Vista and Longhorn Server the old and new APIs coexist—primarily for compatibility with legacy applications. The new CNG architecture is more modular and lets organizations easily add their proper cryptographic libraries (e.g., custom public key cryptographic libraries) to the Windows OS. For more information about the CNG architecture, go to Microsoft's CNG Web site (http://msdn2.microsoft.com/en-us/library/aa376210.aspx).

Thanks to CNG, Longhorn Server's Certificate Services supports state-of-the-art asymmetric ciphers such as the Elliptic Curve Digital Signature Algorithm (ECDSA) and hashing algorithms such as the Secure Hash Algorithm (SHA)-256. These ciphers are referred to in the industry as Suite B algorithms. Longhorn Server's Certificate Services can leverage Suite B algorithms to generate certificates and to secure the archival of private keys that are in the CA database. For more information about these algorithms, go to the National Security Agency's (NSA's) Suite B Cryptography Web site (http://www.nsa.gov/ia/industry/crypto_suite_b.cfm).

To enable issuance of certificates that leverage Suite B algorithms, Longhorn Server's PKI includes additions to the certificate template properties. Certificate templates are blueprints of the different certificate types that an AD-integrated CA (aka enterprise CA) can issue. You can use the MMC Certificate Templates snap-in to manage certificate templates. The templates and their properties are stored in AD. Longhorn Server's extended certificate templates are referred to as version 3 (V3) templates. The new template properties are on the Cryptography and Request Handling tabs in a V3 certificate template's properties. Only Longhorn Server CAs can issue certificates that are based on V3 templates, and only Vista client computers and Longhorn Server computers can enroll for certificates that are based on V3 templates. V3 templates aren't available in the Certificate Authority Web Enrollment interface.

Vista and Longhorn Server also include a new common smart card Cryptographic Service Provider (CSP) that various smart card vendors' smart card subsystems can leverage. CSPs are cryptographic libraries that you can plug into the CAPI to let the Windows platform and its applications perform different types of cryptographic operations. The new common smart card CSP lets smart card vendors quickly and easily plug their smart card software into the Windows OS. But not just developers benefit from this technology; users and administrators will experience improved smart card Plug and Play (PnP) support.

Another smart card–related change that users and administrators can take advantage of in Vista and Longhorn Server is the expanded application support. For example, in Vista and Longhorn Server the Encrypting File System (EFS) can leverage smart cards to securely store a user's EFS private key. The EFS is an NTFS-based file encryption mechanism that Microsoft first introduced in Win2K. For more information about EFS in Vista and Longhorn Server, see "Vista and Longhorn Promise Enticing EFS Enhancements," November 2006, InstantDoc ID 93498.

Fundamental Changes
Although Microsoft made fewer and less visible changes to Certificates Services in Longhorn Server than in Windows 2003, these changes are no less interesting or important. For example, the new cryptographic architecture (i.e., CNG) lets Windows Certificate Services support state-of-the-art cryptography and lets organizations embed their proper cryptographic libraries. Longhorn Server Certificate Services also includes significant management enhancements. Although Microsoft doesn't plan to support upgrades from a Win2K or Windows NT 4.0 PKI, the company will support Windows 2003 PKI to Longhorn Server PKI upgrades. The benefits of Longhorn Server's improved PKI will make the upgrade well worth the effort for many organizations.