Longhorn Server Certificate Services also includes additional administrative
delegation capabilities. Longhorn Server offers more granular control for delegating
the PKI enrollment agent and certificate manager roles. In Windows Certificate
Services an enrollment agent is an account that lets a user enroll for certificates
on other users' behalves. A Windows CA administrator can assign a user the right
to enroll for certificates on behalf of other users by issuing the user a special
enrollment agent certificate. An example of when you'd use enrollment agents
is if you wanted to allow an HR employee to preload users' smart card logon
certificates on the users' smart cards. Previous Windows PKI versions don't
let you control on which users' behalves an enrollment agent can enroll for
a certificate, nor can you control the types of certificates (e.g., mail encryption,
Web authentication) an enrollment agent can enroll for on other users' behalves.
Longhorn Server's CA Properties lets you set both restrictions from the Enrollment
Agents tab, which Figure 1 shows.
Longhorn Server includes a similar capability for certificate managers. Certificate
managers are accounts that can approve or deny user certificate requests, as
well as revoke certificates. A Windows CA administrator can assign a user the
certificate manager role by giving the user the Issue and Manage Certificates
permission in the CA Properties security settings. In Win2K and Windows 2003,
PKI CA administrators can control which users or groups a Windows account can
issue and manage certificates for. The Longhorn Server PKI adds the capability
to control certificate issuance and management for a particular certificate
manager based on the certificate type. For example, in Longhorn Server the CA
administrator can restrict a certificate manager to issue and manage the Web
authentication certificates for only those users who belong to the AD Sales
group. You use Longhorn Server's CA Properties Certificate Managers tab to control
certificate manager delegation.
Another useful addition to a CA administrator's toolset is the Microsoft Management
Console (MMC) Enterprise PKI snap-in (PKIview.msc), which Figure
2 shows. In Windows 2003, the resource kit includes the Enterprise PKI viewer,
which you must install separately. Longhorn Server includes this tool by default.
CA administrators can use this snap-in to easily check the health status of
all the CAs integrated with their AD environment. From the Enterprise PKI viewer
you can check the validity and currentness of CA certificates, certificate revocation
lists (CRLs—blacklists that contain the serial numbers of bad or revoked
certificates), CRL distribution points (CDPs—locations from which PKI
clients can download the latest CRLs), and Authority Information Access (AIA—locations
from which PKI clients can download CA certificates).
Cryptographic Changes
Windows Certificates Services closely interacts with the OS's cryptographic
engines. At the heart of Windows Vista's (the new Microsoft client OS) and Longhorn
Server's cryptographic operations is a new cryptographic API, called Cryptography
API: Next Generation (CNG). Microsoft will eventually use this new API to replace
the current Cryptography API (CAPI), but in Vista and Longhorn Server the old
and new APIs coexist—primarily for compatibility with legacy applications.
The new CNG architecture is more modular and lets organizations easily add their
proper cryptographic libraries (e.g., custom public key cryptographic libraries)
to the Windows OS. For more information about the CNG architecture, go to Microsoft's
CNG Web site (http://msdn2.microsoft.com/en-us/library/aa376210.aspx).
Thanks to CNG, Longhorn Server's Certificate Services supports state-of-the-art
asymmetric ciphers such as the Elliptic Curve Digital Signature Algorithm (ECDSA)
and hashing algorithms such as the Secure Hash Algorithm (SHA)-256. These ciphers
are referred to in the industry as Suite B algorithms. Longhorn Server's Certificate
Services can leverage Suite B algorithms to generate certificates and to secure
the archival of private keys that are in the CA database. For more information
about these algorithms, go to the National Security Agency's (NSA's) Suite B
Cryptography Web site (http://www.nsa.gov/ia/industry/crypto_suite_b.cfm).
To enable issuance of certificates that leverage Suite B algorithms, Longhorn
Server's PKI includes additions to the certificate template properties. Certificate
templates are blueprints of the different certificate types that an AD-integrated
CA (aka enterprise CA) can issue. You can use the MMC Certificate Templates
snap-in to manage certificate templates. The templates and their properties
are stored in AD. Longhorn Server's extended certificate templates are referred
to as version 3 (V3) templates. The new template properties are on the Cryptography
and Request Handling tabs in a V3 certificate template's properties. Only Longhorn
Server CAs can issue certificates that are based on V3 templates, and only Vista
client computers and Longhorn Server computers can enroll for certificates that
are based on V3 templates. V3 templates aren't available in the Certificate
Authority Web Enrollment interface.
Vista and Longhorn Server also include a new common smart card Cryptographic
Service Provider (CSP) that various smart card vendors' smart card subsystems
can leverage. CSPs are cryptographic libraries that you can plug into the CAPI
to let the Windows platform and its applications perform different types of
cryptographic operations. The new common smart card CSP lets smart card vendors
quickly and easily plug their smart card software into the Windows OS. But not
just developers benefit from this technology; users and administrators will
experience improved smart card Plug and Play (PnP) support.
Another smart card–related change that users and administrators can
take advantage of in Vista and Longhorn Server is the expanded application support.
For example, in Vista and Longhorn Server the Encrypting File System (EFS) can
leverage smart cards to securely store a user's EFS private key. The EFS is
an NTFS-based file encryption mechanism that Microsoft first introduced in Win2K.
For more information about EFS in Vista and Longhorn Server, see "Vista and
Longhorn Promise Enticing EFS Enhancements," November 2006, InstantDoc ID 93498.
Fundamental Changes
Although Microsoft made fewer and less visible changes to Certificates Services
in Longhorn Server than in Windows 2003, these changes are no less interesting
or important. For example, the new cryptographic architecture (i.e., CNG) lets
Windows Certificate Services support state-of-the-art cryptography and lets
organizations embed their proper cryptographic libraries. Longhorn Server Certificate
Services also includes significant management enhancements. Although Microsoft
doesn't plan to support upgrades from a Win2K or Windows NT 4.0 PKI, the company
will support Windows 2003 PKI to Longhorn Server PKI upgrades. The benefits
of Longhorn Server's improved PKI will make the upgrade well worth the effort
for many organizations.