Re: Enterprise Certificate Authority question
From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 10/12/04
- Next message: Joe: "Re: How can i tell what aunthentication method i am using Kerberos or Ldap?"
- Previous message: T0GGLe: "Enterprise Certificate Authority question"
- In reply to: T0GGLe: "Enterprise Certificate Authority question"
- Next in thread: Steven L Umbach: "Re: Enterprise Certificate Authority question"
Date: Tue, 12 Oct 2004 18:34:44 +0200
Hi,
A Certificate Authority (CA) is a service that comes with Windows 2000 or
Windows 2003 (and with Windows NT it was an add-on from the Option Pack)... It
is a service that provides certificates to users, computers and services.
A company usually decides to set up its own CA when it needs to protect
its resources (network communication, access to files, ...), but it
doesn't want to use 3rd party commercial CA agencies (using commercial CA
agencies is usually related to high cost if the company has a high number of
employees that would require such certificates). Still, there is nothing
stopping you from using your own CA set up on a Windows server to securely
share resources with the outside world (e.g. business partners)...
You have a few installation options. One option (standalone CA setup) doesn't
require a domain. The other option (enterprise CA setup) requires a domain
(Active Directory). You can then combine a standalone CA (usually not
connected to the network) and a subordinate enterprise CA that is connected to
the network (it needs to access AD)... On this subordinate CA server all
user (and other) certificates are issued...
Here are some white papers on Microsoft PKI based on Windows 2003 server...
New features:
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
Operations guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
Managing PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Auto-Enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Certificate templates:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
Key archival:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
Advanced certificate enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
Web enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
EFS:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
CRLs:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
Mike
"T0GGLe" <jehova1@dsl.pipex.com> wrote in message
news:5a657c10.0410120807.d0e5c87@posting.google.com...
> Hi,
>
> Sorry to put a dumbass question up here but I have had a good look around
> (imo) and i can't find information explaining
> certificates/certification authority in active directory.
> My questions are thus :-
>
> What is a certification authority - what purpose does it serve?
>
> Do you need one in AD?
>
> What is the basic structure?
>
> All the info I can find is regarding troubleshooting it but I cannot
> find info relating to a top down explanation of it as per my
> questions, and would really appreciate some help on this one, even if
> it's just redirection to useful info out there on the web.
> Or if some clever bugger wants to flex their intellect and has a bit
> of time I'd find it really handy please...
> Thx.
>
> ps the reason why I need to find out is because when I "view
> containers" under the enterprisePKI snap in that comes with the 2k3
> res kit and look at the CDP container tab my base crl certificate has
> failed and expired, which could explain a few event log errors we've
> been getting.