May 26, 2006

Windows Server 2003 Certificate Services

New features, improved security, and more!

In Windows Server 2003, Certificate Services provides many new features that will simplify the Certification Authority (CA) administrator’s life and that support newer standards. Among the new and improved features are Version 2 certificate templates, which provide enhanced control over enrollment and certificate issuance; key archival and recovery; and delta certificate revocation lists (CRLs). Even if you haven’t considered Certificate Services in the past, you might want to do so now. In this article, I describe how to work with these key new Certificate Services features.

Enhancing Security with Certificate Services
Certificate Services is the Windows component that lets large and small enterprises install a full-blown X.509v3-based public key infrastructure (PKI). The PKI can issue certificates to users and computers to enhance security by enabling IPsec; 802.1x authentication for wireless networks; the Encrypting File System (EFS); Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to protect Web sites; smart card authentication; and Secure MIME (S/MIME) to protect email. Certificate Services is free with the server OS and lets you avoid buying certificates from a third-party CA for internal operations. (Note, however, that you might need to get third-party certificates for external security—e.g., for e-commerce Web sites.)

Each edition of Windows 2003 provides a different level of functionality for Certificate Services. In the Windows 2003 Enterprise Edition (and the Windows 2003 Datacenter Edition), Certificate Services is designed for use in enterprise environments and offers the fullest range of functionality. In the Windows 2003 Standard Edition, Certificate Services offers more functionality than the version that shipped with Windows 2000, functionality sufficient for many small-to-midsized businesses (SMBs). The Windows 2003 Web Edition doesn’t offer any PKI services but can function as a client. Table 1 compares the Certificate Services functions available in several popular Windows server versions. In addition, the Windows Server 2003 Resource Kit provides such key features as the Simple Certificate Enrollment Protocol (SCEP) add-on. For more about SCEP, go to http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9f306763-d036-41d8-8860-1636411b2d0.

Like its Win2K counterpart, Windows 2003 Certificate Services offers several installation and configuration options. You can install Certificate Services as either an enterprise CA or a standalone CA, depending on your planned use. An enterprise CA is fully integrated with your Active Directory (AD) infrastructure. Through a process called autoenrollment, you can leverage the enterprise CA to automatically issue certificates to subjects (typically users or computers) without administrative intervention. Also, many Windows security technologies (e.g., IPsec, smart card logon, 802.1x) are designed to leverage an enterprise CA. An enterprise CA is always online even if it’s a root CA.

A standalone CA, however, isn’t necessarily integrated with AD and isn’t as transparent to subjects or to Windows security technologies. A standalone CA can be an offline root CA that comes online to issue certificates for intermediate or sub CAs when required. If your organization wants to have an offline root CA, you can create a standalone CA that functions as your root CA and issue a sub CA certificate to your enterprise CA. For more information about enterprise versus standalone CAs, see "Defining CA Types and Roles," http://technet2.microsoft.com/windowsserver/en/library/1b28424c-8c62-44b6-a24f-8ea06ac5832b1033.mspx.

Installing Certificate Services
Although installing Certificate Services is straightforward, you need to plan your installation carefully. If you’re installing a new CA, you must decide whether you’ll be installing an enterprise CA or a standalone CA as your root CA. Note that it’s possible, even quite common, to install several standalone CAs, either as self-contained root CAs or sub CAs. This approach is useful if you need to create a CA for a particular application or group, especially if you also want to delegate administration. If you plan to install an offline standalone root CA, you must configure a CAPolicy.inf file to ensure that the CRLs and Authority Information Access (AIA) distribution points named in the root CA’s self-signed certificate point to online locations that users can access. For more information about planning a PKI deployment, see the white paper “Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure” at http://technet2.microsoft.com/windowsserver/en/library/32ba85e7-3ef0-44d1-b9e8-b7fe0d4907261033.mspx?mfr=true.
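As an added example (not from the original article), here is a CAPolicy.inf of the kind the preceding paragraph calls for, written for an offline standalone root CA. The file must be saved as %SystemRoot%\CAPolicy.inf before you run the Windows Components Wizard, because the wizard reads it while generating the root's self-signed certificate. The CA name "Example Root CA", the host name pki.example.com and the URLs are assumed values for illustration; the [CRLDistributionPoint] and [AuthorityInformationAccess] sections set the locations that are written into the root certificate itself, so they must name HTTP paths that stay reachable while the root machine is powered off.

```ini
; CAPolicy.inf for an offline standalone root CA (example; values are assumed)
; Save as %SystemRoot%\CAPolicy.inf BEFORE installing Certificate Services.

[Version]
Signature="$Windows NT$"

[certsrv_server]
; Key length and lifetime used when the root certificate is RENEWED.
; The initial key length and validity period are chosen in the wizard.
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

; Base CRL lifetime. A long interval (here 26 weeks) means the offline
; root only has to be brought online twice a year to sign a fresh CRL,
; which is then copied by hand to the Web server named below.
CRLPeriod=Weeks
CRLPeriodUnits=26

; Delta CRLs make no sense on a root that is offline most of the time;
; a unit count of 0 disables them.
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; CRL location embedded in the root's self-signed certificate.
; Must be an online HTTP location that clients can reach; the CRL file
; produced by the root is published there manually.
[CRLDistributionPoint]
URL=http://pki.example.com/pki/Example%20Root%20CA.crl

; Location of the root certificate for chain building (AIA extension).
[AuthorityInformationAccess]
URL=http://pki.example.com/pki/Example%20Root%20CA.crt
```

Once the root certificate and its first CRL have been copied to the Web server, running `certutil -verify -urlfetch` against a certificate the root has issued (for example the sub CA certificate of your enterprise CA) confirms that both the CRL and the AIA location can actually be retrieved from a client; a chain that fails this check will also fail for users and computers relying on the PKI.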

To begin installation of Certificate Services, log on to the server that will be a CA. For an enterprise CA or standalone CA, the server you select can be a member server (recommended) or a domain controller (DC—not recommended). For a standalone CA, the server can also be a workgroup server not joined to a domain. You must log on as a member of the Enterprise Admins group to install an enterprise CA and as a member of the Domain Admins group to install a standalone CA that will store certificates in AD. To install a standalone CA that won’t store its certificates in AD, you must be a member of the local Administrators group.

To install Certificate Services with the Windows Component Wizard, you begin with the following steps:

  1. Start Add/Remove Programs and click Add/Remove Windows Components to launch the Windows Components Wizard.
  2. Select the Certificate Services option to begin installation and click Next. By default, this choice installs the CA service and database and the Web-based enrollment service. If you don’t need the Web-based enrollment service (or want to install it later), you can click Details to select which components of the CA to install. A message will appear with a warning about moving or renaming the system after the component is installed. Heed this message well. Click Yes to continue the installation.
  3. Select the type of CA that you want to create from the following four choices: Enterprise Root CA, Enterprise subordinate CA, Stand-alone Root CA, and Stand-alone subordinate CA. At this point, you can also choose to configure the Cryptographic Service Provider, key length, and hashing algorithm by selecting the option to use custom settings. You should choose custom settings if you use Hardware Security Modules (HSMs)—such as those nCipher offers—to protect your CA’s private key.

As you continue to step through the wizard, you’ll be asked for configuration information (e.g., the name of the CA you’re installing, the location of the certificate database and log files). The wizard will then generate a public/private key pair for the CA to use. If Microsoft IIS is running and you’re installing the Web-based enrollment service, the wizard will prompt you with a question about whether it can temporarily stop IIS so the Web service can be added.

Page 1 of 3


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc. All rights reserved.