Determining Certificate Requirements for Users, Computers, and Services
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
After you have identified the security technologies that you need to implement to meet the business needs of your organization, you need to identify the categories of users, computers, and services that will use these technologies and for which you need to provide certificate services. For example, certificate use might be based on job function, location, organizational structure, or a combination of these three, or all computers or users in the organization might use certain certificate applications.
For each of the groups that you have identified, you need to determine:
The types of certificates to be issued. This is based on the security application requirements of your organization and the design of your PKI infrastructure.
The number of users, computers, and applications that need certificates. This number can include as few as one or as many users, computers, or applications as are in an entire organization.
The physical location of the users, computers, and applications that need certificates. Different certificate solutions might be required for users in remote offices or for users who travel frequently than are required for users in the headquarters office of an organization. Also, requirements can differ based on geography. For example, you might want to restrict users in one country/region from using their certificates to access data in an organizational business unit in another country/region.
The level of security that is required to support the users, computers, and applications that need certificates. Users who work with sensitive information typically require higher levels of security than other members of the organization.
The number of certificates required for each user, computer, and application. In some cases, one certificate can meet all requirements. Other times, you need multiple certificates to enable specific applications and meet specific security requirements.
The enrollment requirements for each certificate that you plan to issue. For example, do users have to present one or more pieces of physical identification, such as a driver’s license, or can they simply request a certificate electronically?
For a worksheet to assist you in identifying user certificate requirements, see “Summary of User Certificate Requirements” (DSSPKI_1.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Summary of User Certificate Requirements" on the Web at http://www.microsoft.com/reskit).