Introduction (Implementing and Administering Certificate Templates in Windows Server 2003)
Updated: August 13, 2009
Applies To: Windows Server 2003 with SP1
The scope of this white paper is to discuss the best practices in designing, administering, and implementing version 2 Certificate Templates using Windows Server 2003, Enterprise Edition and Enterprise Certification Authorities (CAs).
Terms Used in this White Paper
Application Constraints A constraint that limits what purposes a certificate can be used for in a qualified subordination configuration. A presented certificate must contain the required application constraint to be accepted by the partner organization.
Authority Information Access (AIA) A certificate extension that contains URL locations where the issuing CAs certificate can be retrieved. The AIA extension can contain HTTP, FTP, LDAP, or FILE URLs.
Certificate Revocation List (CRL) A digitally signed list issued by a CA that contains a list of certificates issued by the CA that have been revoked. The list includes the serial number of the certificate, the date that the certificate was revoked, and the revocation reason. Applications can perform CRL checking to determine a presented certificates revocation status; also referred to as a base CRL.
CRL Distribution Point (CDP) A certificate extension that indicates where the certificate revocation list for a CA can be retrieved. This extension can contain multiple HTTP, FTP, FILE, or LDAP URLs for the retrieval of the CRL.
Delta Certificate Revocation List (delta CRL) A type of CRL that contains the list of certificates revoked since the last base CRL was published. Delta CRLs are often used in environments where numerous certificates are revoked to optimize bandwidth utilization.
Issuance Policy Constraints A constraint that defines what issuance practices must be followed for certificates to be trusted by your organization. Issuance policy object identifiers in your organization are mapped to the matching object identifiers in a partner organization, so that object identifiers in presented certificates are recognized by your public key infrastructure (PKI).
Name Constraints A constraint that limits what names are permitted or excluded in certificate requests submitted to a CA.
Online Certificate Status Protocol (OCSP) A protocol that allows real-time validation of a certificates statusthe CryptoAPI makes a call to an OCSP responder and the OCSP responder provides an immediate validation of the revocation status for the presented certificate. Typically, the OCSP responder uses CRL checking for maintaining its status information.
Public Key Infrastructure (PKI) A PKI provides an organization with the ability to securely exchange data over a public network using public key cryptography, thus ensuring privacy by preventing the interception of communications. A PKI consists of Certification Authorities (CAs) that issue digital certificates, directories that store the certificates (including Active Directory in Windows 2000 and Windows Server 2003), and X.509 certificates that are issued to security entities on the network. The PKI provides validation of certificate-based credentials and ensures that the credentials are not revoked, corrupted, or modified.
Security Principal A user, security group, or computer account that can be assigned permissions in a Windows Server 2003 discretionary access control list (DACL).
Subject Key Identifier (SKI) A certificate extension included in CA certificates that contains a hash of the CA certificates public key. This hash is placed in the Authority Key Identifier (AKI) extension of all issued certificates to facilitate chain building.