August 03, 2005 09:50 AM

A Guide to Windows Certification and Public Keys

Free! Registration is required.

PKI, which is rooted in asymmetric cryptography (i.e., cryptography that uses different keys for encryption and decryption), offers strong security services to internal and external users, computers, and applications. Such services are increasingly important in today's IT environment. This eBook provides a starting point for understanding the PKI and certificate services available in Windows Server 2003. The eBook will cover topics such as trust relationships, trust management, validating digital certificates, certificate autoenrollment, certificate revocation, and key archival and recovery - as well as the limitations of PKI and certificate services in Windows.

Over the past several years, using the public key infrastructure (PKI) to authenticate users and secure network communications has become increasingly popular. Rather than being one technology, PKI is a combination of services, encryption technologies, and PKI-enabled applications. PKI's basic premise is the use of digital certificates to identify users and machines and to securely transmit traffic between them.

On the authentication level, these digital certificates are similar to a passport. Just as a government authority issues a passport to validate your identity to immigration officials, a Certificate Authority (CA) issues digital certificates to verify your identity to a network application. For PKI to work, both parties must trust the CA so that they can assume that the digital certificate accurately and truthfully identifies users and resources. For example, let's say I connect to a Web server to order a book. When I get ready to connect to the bookstore’s ordering site to enter my credit card number, not only do I need to ensure that the site has a digital certificate that confirms its identity, but I also need to trust the CA that issued the digital certificate. To see a list of the CAs that you can trust, go to the Internet Explorer (IE) Tools menu, select Internet Options, select the Content tab, click the Certificates button, and select the Trusted Root Certification Authorities tab. As you can see, external trusted CAs are typically established by third-party companies such as Thawte.

In addition to securing Web sites and Web communications, network applications can use PKI to secure email, sign software digitally, support smart card logons, provide IP Security (IPSec) authentication, and encrypt data locally through the Encrypting File System (EFS). Although each application or service functions uniquely, they all require using PKI to issue and use digital certificates.

This eBook provides a starting point for understanding the PKI and certificate services available in Windows Server 2003. Each chapter covers topics such as trust relationships, trust management, validating digital certificates, certificate autoenrollment, certificate revocation, and key archival and recovery – as well as the limitations of PKI and certificate services in Windows.

Chapter 1 looks at the core component of the Windows Server 2003 PKI software – the Certification Authority (CA). To help you better understand how CAs and PKI have evolved in Windows 2003, we examine the components of the latest Certificate Services architecture and the differences between establishing an enterprise CA and a standalone CA in Windows 2003.

Chapter 2 helps you answer a fundamental PKI question: Which public keys are trustworthy? The answer to that question starts with trust in a CA. In Chapter 2, we look at how PKI trust models provide a technological framework for managing the trust relationships between CAs and PKI users and between CAs.

Chapter 3 builds on what you'll learn in Chapter 2 by explaining how PKI administrators manage PKI-user-side trust decisions. In this context, the concept of a trust anchor (i.e., a CA that the PKI user explicitly trusts under all circumstances) is particularly important. The enhanced trust features of Windows 2003 PKI simplify PKI user-side trust management and enable PKI users to make some trust decisions on their own. Every PKI user should have some understanding of how he or she can make basic PKI trust decisions.

In Chapter 4, we examine certificate validation, a key part of the process of authenticating users and systems and securing network communications through the use of digital certificates. Certificate validation is a complex topic. The next time you have a problem with an invalid certificate, your knowledge of the basics of Windows certificate validation that you gain from this chapter might help you narrow down possible causes for the problem and make solving it a little easier.

In Chapter 5, we look at how certificate autoenrollment in Windows Server 2003, Windows XP, and Windows 2000 automatically creates certificates for users and machines. Autoenrollment handles certificate enrollment, certificate renewal, and certain housekeeping tasks, such as removing revoked certificates from a user's or machine's certificate store and downloading trusted root CA certificates and cross-certificates.

Chapter 6 explores an important aspect in the design of a PKI: certificate revocation or, more specifically, automated revocation checking. Certificate revocation ensures that the PKI system adds a certificate's serial number to a blacklist, called the certificate revocation list (CRL), when a PKI user's private key is compromised. This chapter stresses that certificate revocation checking is a crucial PKI service, and reliable revocation checking is an important part of a trustworthy PKI service.
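As an added illustration of the validation and revocation checks the chapters above describe (not code from the eBook or from Windows Certificate Services), the following Python models a relying party's path validation: every certificate in the chain must be inside its validity period, must not have its serial number on its issuer's CRL, and the path must end at a trust anchor the relying party explicitly trusts. The CA names, serial numbers, dates and CRL contents are constructed, and signature verification is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str      # who the certificate identifies
    issuer: str       # the CA that signed it
    serial: int       # unique per issuer; this is what a CRL lists
    not_before: datetime
    not_after: datetime

def validate_chain(chain, trust_anchors, crls, now):
    """chain[0] is the end-entity certificate and chain[-1] the highest CA
    certificate held; trust_anchors is a set of CA names trusted unconditionally;
    crls maps issuer name -> set of revoked serial numbers. Returns (ok, reason).
    Signature verification is assumed to happen elsewhere."""
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        # Every certificate in the path must be inside its validity period.
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        # Revocation check: the issuer's CRL is a blacklist of serial numbers.
        if cert.serial in crls.get(cert.issuer, set()):
            return False, f"{cert.subject}: serial {cert.serial} revoked by {cert.issuer}"
        # Each certificate's issuer must be the subject of the next one up.
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            return False, f"{cert.subject}: issuer {cert.issuer} not next in chain"
    # The path must end at a CA the relying party explicitly trusts.
    if chain[-1].issuer not in trust_anchors:
        return False, f"{chain[-1].issuer} is not a trust anchor"
    return True, "valid"

# Constructed sample data (hypothetical CA names, serials and dates).
NOW = datetime(2005, 8, 3, tzinfo=timezone.utc)
T0, T1 = datetime(2004, 1, 1, tzinfo=timezone.utc), datetime(2009, 1, 1, tzinfo=timezone.utc)
TRUST_ANCHORS = {"Example Root CA"}
ISSUING_CA = Cert("Example Issuing CA", "Example Root CA", 1, T0, T1)
SITE_OK = Cert("bookstore.example", "Example Issuing CA", 1001, T0, T1)
SITE_REVOKED = Cert("bookstore.example", "Example Issuing CA", 1002, T0, T1)
SITE_EXPIRED = Cert("bookstore.example", "Example Issuing CA", 1003, T0, T0)  # expired before NOW
ROGUE_CA = Cert("Unknown CA", "Unknown CA", 7, T0, T1)
SITE_UNTRUSTED = Cert("bookstore.example", "Unknown CA", 9, T0, T1)
CRLS = {"Example Issuing CA": {1002}}   # serial 1002 revoked after key compromise

if __name__ == "__main__":
    for chain in ([SITE_OK, ISSUING_CA], [SITE_REVOKED, ISSUING_CA],
                  [SITE_EXPIRED, ISSUING_CA], [SITE_UNTRUSTED, ROGUE_CA]):
        print(chain[0].serial, validate_chain(chain, TRUST_ANCHORS, CRLS, NOW))
```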

Chapter 7 talks about key archival and recovery, PKI services that organizations can use to recover lost, stolen, or unavailable private encryption keys. Key archival and recovery are requirements in PKI-enabled applications, such as secure mail applications, that deal with persistent data. This chapter examines how to set up automatic Windows 2003 PKI key archival and recovery and how archival and recovery work.

In Chapter 8, you'll learn how to use certificates to secure your wireless LAN (WLAN). This chapter shows you the simplest way to implement 802.1x and certificate-based authentication on a typical network of Windows XP and Windows 2000 computers and a Win2K domain.

Chapter 9 offers a short set of frequently asked questions (FAQs) related to using PKI and certificate services.

— Jan De Clercq, Brett Hill, John Savill, and Randy Franklin Smith


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.