Windows Server 2003 PKI

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use PKI-based applications on workstations and servers running Microsoft® Windows® XP Professional, Windows Server 2003, Windows® 2000, or Windows NT 4.0, as well as on workstations running Microsoft® Windows® 95 and Microsoft® Windows® 98. The ability to create and manage a PKI is available in Microsoft® Windows NT® 4.0 Server, Microsoft® Windows® 2000 Server, and Windows Server 2003. However, Windows Server 2003 provides more extensive support for a PKI.

In addition, a growing number of applications and system services that require the secure transfer of information also rely on the Windows Server 2003 PKI. Applications that are enabled for certificate-based security include Microsoft® Outlook®, Internet Explorer®, Internet Information Services, Microsoft® Exchange Server, Microsoft® Commerce Server 2000 and Commerce Server 2002, Outlook Express, and Microsoft® SQL Server™. A number of third-party applications also take advantage of the Windows Server 2003 PKI.

How a Public Key Infrastructure Works

A Windows Server 2003 PKI makes it possible for an organization to do the following:

  • Publish certificates. The PKI administrator makes certificate templates available to clients (users, services, applications, and computers) and enables additional CAs to issue certificates.

  • Enroll clients. To participate in a PKI, users, services, or computers must request and receive certificates from an issuing CA or a Registration Authority (RA). Typically, enrollment is initiated when a requester provides unique information and a newly generated public key. The CA administrator or enrollment agent uses the information provided to authenticate the identity of the requester before issuing a certificate.

  • Use certificates. Clients use their certificates, which can be validated or rejected promptly as long as the CAs and certificate revocation lists needed to confirm or deny their authenticity are available. Once a certificate is validated, the PKI lets users apply its keys in applications that perform public key cryptographic operations, which makes it possible to provide security for e-mail, e-commerce, and networks.

  • Renew or revoke certificates. A well-designed PKI makes it easy for you to renew or revoke existing certificates, and to manage the trust level associated with certificates used by different clients or for different applications.

The status of a public key certificate is determined by means of the chain building process. Chain building is the process of building a trust chain, or certification path, from the end certificate to a root CA that is trusted by the security principal. Figure 16.2 shows a certification path in a two-level CA hierarchy.

Figure 16.2   Certification Path in a Two-Level CA Hierarchy


In this example, the issuing CA issued the User certificate, and the root CA issued the certificate of the issuing CA. This is considered a trusted chain, because it terminates with a root CA certificate that has been designed and implemented to meet the highest degree of trust.

The chain building process validates the certification path by checking each certificate in the path, from the end certificate up to the certificate of the root CA. If CryptoAPI discovers a problem with one of the certificates in the path, or if it cannot find a certificate that the path requires, the certification path is either considered invalid or given less weight than a fully validated path.
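The following program is an added example, not code from this reference or from Windows CryptoAPI, that shows the chain building process described above for the two-level hierarchy in the figure. It uses Go's standard crypto/x509 package as a stand-in for the CryptoAPI chain engine: a constructed root CA, issuing CA, and User certificate are created in memory, then the path is built from the User certificate up to the trusted root. The four scenarios cover the outcomes the text describes: a fully validated path, a root that is not trusted, an issuing CA certificate that cannot be found, and a certificate that appears on a revocation list. Go's Verify does not consult CRLs itself, so the revoked-serial list passed to BuildChain is an assumed, constructed stand-in for the CRL lookup; the CA names and serial numbers are likewise constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn. With parent == nil it is self-signed
// (a root CA); otherwise it is signed with parentKey, the parent's private key.
func makeCert(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // constructed serial for the example
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// DemoHierarchy builds the two-level hierarchy from the figure: a root CA, an
// issuing CA certified by the root, and a User certificate from the issuing CA.
func DemoHierarchy() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := makeCert("Root CA", true, 1, nil, nil)
	issuing, issuingKey := makeCert("Issuing CA", true, 2, root, rootKey)
	user, _ := makeCert("User", false, 3, issuing, issuingKey)
	return root, issuing, user
}

// BuildChain resolves the certification path from endCert to a trusted root.
// intermediates are the candidate issuing CA certificates, roots are the trust
// anchors, and revoked is the list of serial numbers taken from the CRL
// (a constructed stand-in for a real CRL lookup). It returns the subject names
// along the path, end certificate first, or the reason the path is not valid.
func BuildChain(endCert *x509.Certificate, intermediates, roots []*x509.Certificate, revoked []*big.Int) ([]string, error) {
	rootPool := x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	interPool := x509.NewCertPool()
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := endCert.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return nil, err // untrusted root, missing issuer, expiry, or bad signature
	}
	var path []string
	for _, c := range chains[0] { // Verify returns the chain end certificate first
		for _, s := range revoked {
			if c.SerialNumber.Cmp(s) == 0 {
				return nil, fmt.Errorf("certificate %q (serial %s) is revoked", c.Subject.CommonName, s)
			}
		}
		path = append(path, c.Subject.CommonName)
	}
	return path, nil
}

func main() {
	root, issuing, user := DemoHierarchy()
	path, err := BuildChain(user, []*x509.Certificate{issuing}, []*x509.Certificate{root}, nil)
	fmt.Println("trusted root, issuing CA available:", path, err)
	_, err = BuildChain(user, []*x509.Certificate{issuing}, nil, nil)
	fmt.Println("root not trusted:", err)
	_, err = BuildChain(user, nil, []*x509.Certificate{root}, nil)
	fmt.Println("issuing CA certificate not found:", err)
	_, err = BuildChain(user, []*x509.Certificate{issuing}, []*x509.Certificate{root}, []*big.Int{user.SerialNumber})
	fmt.Println("user certificate on CRL:", err)
}
```

Only the first scenario yields a path (User, Issuing CA, Root CA); the other three fail for the reasons the text names, which is the behaviour a relying application should expect before it accepts a certificate for authentication or signing.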

For more information about how PKIs function, see the Windows Security Collection of the Windows Server 2003 Technical Reference (or see the Windows Security Collection on the Web at https://www.microsoft.com/reskit).