Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


May 26, 2006

Windows Server 2003 Certificate Services

New features, improved security, and more!
A Web Exclusive from Windows IT Pro
John Howie
Feature
InstantDoc #49733
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

In Windows Server 2003, Certificate Services provides many new features that will simplify the Certification Authority (CA) administrator’s life and that support newer standards. Among the new and improved features are Version 2 certificate templates, which provide enhanced control over enrollment and certificate issuance; key archival and recovery; and delta certificate revocation lists (CRLs). Even if you haven’t considered Certificate Services in the past, you might want to do so now. In this article, I describe how to work with these key new Certificate Services features.

Enhancing Security with Certificate Services
Certificate Services is the Windows component that lets large and small enterprises install a full-blown X.509v3-based public key infrastructure (PKI). The PKI can issue certificates to users and computers to enhance security by enabling IPsec; 802.1x authentication for wireless networks; the Encrypting File System (EFS); Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to protect Web sites; smart card authentication; and Secure MIME (S/MIME) to protect email. Certificate Services is free with the server OS and lets you avoid buying certificates from a third-party CA for internal operations. (Note, however, that you might need to get third-party certificates for external security—e.g., for e-commerce Web sites.)

Each edition of Windows 2003 provides a different level of functionality for Certificate Services. In the Windows 2003 Enterprise Edition (and the Windows 2003 Datacenter Edition), Certificate Services is designed for use in enterprise environments and offers the fullest range of functionality. In the Windows 2003 Standard Edition, Certificate Services offers more functionality than the version that shipped with Windows 2000, functionality sufficient for many small-to-midsized businesses (SMBs). The Windows 2003 Web Edition doesn’t offer any PKI services but can function as a client. Table 1 compares the Certificate Services functions available in several popular Windows server versions. In addition, the Windows Server 2003 Resource Kit provides such key features as the Simple Certificate Enrollment Protocol (SCEP) add-on. For more about SCEP, go to http://www.microsoft.com/downloads/details.aspx?
displaylang=en&familyid=9f306763-d036-41d8-8860-
1636411b2d0.

Like its Win2K counterpart, Windows 2003 Certificate Services offers several installation and configuration options. You can install Certificate Services as either an enterprise CA or a standalone CA, depending on your planned use. An enterprise CA is fully integrated with your Active Directory (AD) infrastructure. Through a process called autoenrollment, you can leverage the enterprise CA to automatically issue certificates to subjects (typically users or computers) without administrative intervention. Also, many Windows security technologies (e.g., IPsec, smart card logon, 802.1x) are designed to leverage an enterprise CA. An enterprise CA is always online even if it’s a root CA.

A standalone CA, however, isn’t necessarily integrated with AD and isn’t as transparent to subjects or to Windows security technologies. A standalone CA can be an offline root CA that comes online to issue certificates for intermediate or sub CAs when required. If your organization wants to have an offline root CA, you can create a standalone CA that functions as your root CA and issue a sub CA certificate to your enterprise CA. For more information about enterprise versus standalone CAs, see "Defining CA Types and Roles," http://technet2.microsoft.com/windowsserver/en/library/1b28424c-8c62-44b6-a24f-8ea06ac5832b1033.mspx.

Installing Certificate Services
Although installing Certificate Services is straightforward, you need to plan your installation carefully. If you’re installing a new CA, you must decide whether you’ll be installing an enterprise CA or a standalone CA as your root CA. Note that it’s possible, even quite common, to install several standalone CAs, either as self-contained root CAs or sub CAs. This approach is useful if you need to create a CA for a particular application or group, especially if you also want to delegate administration. If you plan to install an offline standalone root CA, you must configure a CAPolicy.inf file to ensure that the CRLs and Authority Information Access (AIA) distribution points named in the root CA’s self-signed certificate point to online locations that users can access. For more information about planning a PKI deployment, see the white paper “Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure” at http://technet2.microsoft.com/windowsserver/en/library/32ba85e7-3ef0-44d1-b9e8-b7fe0d4907261033.mspx?mfr=true.

To begin installation of Certificate Services, log on to the server that will be a CA. For an enterprise CA or standalone CA, the server you select can be a member server (recommended) or a domain controller (DC—not recommended). For a standalone CA, the server can also be a workgroup server not joined to a domain. You must log on as a member of the Enterprise Admins group to install an enterprise CA and as a member of the Domain Admins group to install a standalone CA that will store certificates in AD. To install a standalone CA that won’t store its certificates in AD, you must be a member of the local Administrators group.

To install Certificate Services with the Windows Component Wizard, you begin with the following steps:

  1. Start Add/Remove Programs and click Add/Remove Windows Components to launch the Windows Components Wizard.
  2. Select the Certificate Services option to begin installation and click Next. By default, this choice installs the CA service and database and the Web-based enrollment service. If you don’t need the Web-based enrollment service (or want to install it later), you can click Details to select which components of the CA to install. A message will appear with a warning about moving or renaming the system after the component is installed. Heed this message well. Click Yes to continue the installation.
  3. Select the type of CA that you want to create from the following four choices: Enterprise Root CA, Enterprise subordinate CA, Stand-alone Root CA, and Stand-alone subordinate CA. At this point, you can also choose to configure the Cryptographic Service Provider, key length, and hashing algorithm by selecting the option to use custom settings. You should choose custom settings if you use Hardware Security Modules (HSMs)—such as those nCipher offers—to protect your CA’s private key.

As you continue to step through the wizard, you’ll be asked for configuration information (e.g., the name of the CA you’re installing, the location of the certificate database and log files). The wizard will then generate a public/private key pair for the CA to use. If Microsoft IIS is running and you’re installing the Web-based enrollment service, the wizard will prompt you with a question about whether it can temporarily stop IIS so the Web service can be added.

   Previous  [1]  2  3  Next 


Learning Path For advanced information about PKI and Certificate Services:
"“Understanding PKI Certificate Revocation,”"

"“Uncover PKI and Certificate Services in Windows Server 2003,”"

"“Windows Server 2003 Certificate Services,”"

"“Windows Server 2003 Key Archival and Recovery,”"


For basic information about Certificate Services:
"“Digital Certificates 101,”"

"“Configuring Your Own CA,”"

"“Securing Win2K with Certificate Services,”"

"“Certificate Authority,”"


For basic information about PKIs:
"“PKI and Windows 2000,”"

"“PKI and Your Win2K Network,”"

"“Sharing Information Securely,”"

"“Public Key Infrastructure in Windows 2000,”"


MICROSOFT RESOURCES
"“An Introduction to the Windows 2000 Public Key Infrastructure”"

"“Microsoft Windows 2000 Public Key Infrastructure”"

"“Certificate Services”"
Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

WinInfo Short Takes: Week of November 9, 2009

An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...

Understanding File-Size Limits on NTFS and FAT

A general confusion about files sizes on FAT seems to stem from FAT32's file-size limit of 4GB and partition-size limit of 2TB. ...
Related Articles LDAP Authentication
Active Directory (AD) Whitepapers Meeting Compliance Objectives in SharePoint

Email Controls and Regulatory Compliance

Solving Desktop Management Challenges in Education
Related Events WinConnections and Microsoft® Exchange Connections

Check out our list of Free Email Newsletters!
Active Directory (AD) eBooks The Essentials Series: Active Directory 2008 Operations

Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
EMC SAN vs. DAS Exchange 2007 Calculator
Calculate your savings now!

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Disaster Recovery Strategies – Tips and Tricks
Determine how you can achieve your DR objectives as simply and cost-effectively as possible.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement