Example: Creating a Certificate Management Plan

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A PKI cannot be effective and secure unless an organization implements a management plan that includes strategies for enrolling and renewing certificates, mapping certificates to user accounts, revoking certificates and distributing CRLs, and using key recovery.

Many organizations base their certificate enrollment and renewal methods on the level of security associated with each type of certificate and the volume of certificate requests that they anticipate. For example, an organization makes the following decisions regarding certificate enrollment and renewal:

  • Autoenrollment is the preferred enrollment method for e-mail and EFS certificate requests, which represent the majority of their certificate activity. Only clients who have already been authenticated by the network can request these certificates. The risks associated with the use of these certificates are relatively low.

  • Manual approval is required for all certificates that are needed to perform network administration and software development.

  • Manual approval is required for certificates that are issued to joint venture partners.

The basic user certificates of the organization (for e-mail and EFS) are distributed according to the domain membership of a user.

The distribution of high-security certificates is enforced with a one-to-one mapping, which further enforces the usage restrictions that have been placed on these certificates. Also, to give the organization finer control over which file shares and other resources are available to its joint venture partners, the joint venture certificates are restricted with a many-to-one mapping to a single account in Active Directory.

Similarly, the organization is concerned about the timeliness of CRLs associated with its high-security certificates. Therefore, it decides to distribute CRLs for these CAs once a day, with delta CRLs published every two hours, or as needed. Because network bandwidth and replication can impact the distribution of CRLs and delta CRLs to remote offices, it chooses a less stringent publication schedule for its medium-security CAs: new CRLs are published once a week, and delta CRLs are published at the close of every business day. Publishing at the end of the business day ensures that the updated information is replicated overnight and is available on the next business day.
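The CRL publication schedule described above, expressed as the CA configuration a Windows Server 2003 administrator would apply with certutil. This is an added example, not part of the original article; it assumes it is run in an elevated command prompt on the CA itself, and the HIGH/MEDIUM tier argument is an assumed convention for this script.

```batch
@echo off
REM Added example (not from the original article): set a Windows Server 2003 CA's
REM base CRL and delta CRL publication intervals to the schedule described above.
REM Usage (elevated prompt, on the CA itself):  set-crl-schedule.cmd HIGH | MEDIUM

if /i "%1"=="HIGH" goto high
if /i "%1"=="MEDIUM" goto medium
echo Usage: %~nx0 HIGH ^| MEDIUM
exit /b 1

:high
REM High-security CA: base CRL once a day, delta CRL every two hours.
set CRL_UNITS=1
set CRL_PERIOD=Days
set DELTA_UNITS=2
set DELTA_PERIOD=Hours
goto apply

:medium
REM Medium-security CA: base CRL once a week, delta CRL once a day
REM (publishing at the close of business lets replication finish overnight).
set CRL_UNITS=1
set CRL_PERIOD=Weeks
set DELTA_UNITS=1
set DELTA_PERIOD=Days
goto apply

:apply
REM The CA reads these values from its registry configuration at start-up.
certutil -setreg CA\CRLPeriodUnits %CRL_UNITS%
certutil -setreg CA\CRLPeriod "%CRL_PERIOD%"
REM A non-zero delta period enables delta CRL publishing; zero disables it.
certutil -setreg CA\CRLDeltaPeriodUnits %DELTA_UNITS%
certutil -setreg CA\CRLDeltaPeriod "%DELTA_PERIOD%"

REM Restart the CA service so the new intervals take effect, then publish
REM a fresh CRL immediately ("as needed") instead of waiting for the timer.
net stop certsvc
net start certsvc
certutil -CRL

REM Verify the values the CA is now using.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod
```

The publication timer runs from the last CRL issued, so to anchor the medium-security delta CRL to the close of the business day, run `certutil -CRL` once at that time (for example, from a scheduled task) and the subsequent daily publications follow from it.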