Example: Configuring Certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

After an organization has defined its certificate requirements, internal PKI configuration, and external infrastructure, it needs to determine the certificate lifetimes, encryption key lengths, renewal policies, and other restrictions, if any, that apply to the use of each type of certificate. Figure 16.17 shows the certificate design decisions of one organization.

Figure 16.17   Example of a Windows Server 2003 Certificate Lifecycle Plan Worksheet

[Figure: Windows Server 2003 Certificate Lifecycle Plan worksheet]

For a worksheet to assist you in documenting your certificate lifecycle plan, see "Windows Server 2003 Certificate Lifecycle Plan" (DSSPKI_3.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Windows Server 2003 Certificate Lifecycle Plan" on the Web at https://www.microsoft.com/reskit).

All certificates are issued by Windows Server 2003 CAs. Certificates for the people working for the business partners (for the extranet) can be issued either by the Windows Server 2003 CA or by the CA of the business partner. CTLs allow the extranet domain to trust the certificates of the business partners. Where appropriate, stand-alone CAs are used because they provide flexible lifetimes for CAs. Renewing certificates with new keys limits the amount of time that any one key is in use and reduces the risk of key compromise.

This organization does not have unusual security requirements that call for one cryptographic algorithm over another. Therefore, it chose to accept the default cryptographic algorithms established for each type of certificate and CA.

The certificates issued to the business partners of this organization are constrained by namespace, by path length, and to specific applications. In addition, the corporation uses policy mapping to specify the authentication procedures required of business partner users who are issued certificates to access the resources of the first organization.
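The constraints just described, as an added example that is not part of the original page: a Policy.inf of the kind processed by certreq -policy on a Windows Server 2003 CA to qualify a cross-certificate issued to a business partner CA. The domain names, the template name, and the issuance-policy OIDs are assumed placeholders, not values from the page.

```ini
[Version]
Signature = "$Windows NT$"

; Path length constraint: the partner CA may issue end-entity
; certificates only, not further subordinate CAs.
[BasicConstraintsExtension]
PathLength = 0
Critical = Yes

; Namespace constraint: only partner names are accepted through this
; cross-certificate; the organization's own namespace is excluded so a
; partner-issued certificate can never impersonate an internal user.
[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = Yes

[NameConstraintsPermitted]
DNS = partner.example.com
UPN = @partner.example.com
EMAIL = @partner.example.com
DIRECTORYNAME = "DC=partner,DC=example,DC=com"

[NameConstraintsExcluded]
DNS = corp.example.com
UPN = @corp.example.com
EMAIL = @corp.example.com

; Application constraint: certificates chaining through this
; cross-certificate are trusted only for client authentication.
[ApplicationPolicyStatementExtension]
Policies = AppClientAuthPolicy
Critical = No

[AppClientAuthPolicy]
OID = 1.3.6.1.5.5.7.3.2 ; id-kp-clientAuth (well-known EKU OID)

; Policy mapping: the partner's issuance policy (right side) is treated
; as equivalent to this organization's own policy (left side), so the
; partner's authentication procedure is recognized during chain building.
; Both OIDs are placeholders; substitute each organization's registered OIDs.
[PolicyMappingsExtension]
1.3.6.1.4.1.99999.1.1 = 1.3.6.1.4.1.99999.2.1
Critical = No

[RequestAttributes]
CertificateTemplate = CrossCA ; placeholder template name
```

Marking the basic and name constraints critical means a relying party that does not understand them rejects the chain rather than silently ignoring the restriction.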