Identify Your Certificate Requirements

Before you can determine what PKI certificate services are needed, you must identify the applications you want to deploy that require digital certificates. You must also identify all uses for certificates; which users, computers, and services will require certificates; and what types of certificates you intend to issue. You can deploy Microsoft Certificate Services, or you can obtain other certificate services to support your public key needs. Identify the categories of users, computers, and services that will need certificates and determine the following information for each category:

  • Name or description

  • Reason certificates are needed

  • Number of entities (users, computers, or services)

  • Location of users, computers, and services

You need to provide certificate services to support the identified categories for each business unit and location in your organization. The certificate services you deploy are determined by the types of certificates to be issued, the number of entities that need certificates, and where the groups are located. For example, you might be able to deploy two issuing CAs to provide certificates for all the administrator groups in your organization. However, since there are many more business users than administrators in your organization, you might need to deploy separate issuing CAs in each facility to meet the needs of business users.

For more information about security solutions that use digital certificates, see "Choosing Security Solutions That Use Public Key Technology" in the Microsoft Windows 2000 Server Resource Kit Distributed Systems Guide.

Basic Security Requirements for Certificates

Several basic factors affect overall security when you use certificates. For the certificates you intend to use, specify the requirements for the following factors:

  • Length of the private key. In a typical deployment, user certificates have 1,024-bit keys and root CAs have 4,096-bit keys.

  • Cryptographic algorithms that are used with certificates. The default algorithms are recommended.

  • Lifetime of certificates and private keys and the renewal cycle. Certificate lifetimes are determined by the type of certificate, your security requirements, standard practices in your industry, and government regulations.

  • Special private key storage and management requirements. For example, storage of private keys on smart cards, or marking private keys as nonexportable.

The standard settings for certificates issued by Microsoft Certificate Services can meet typical security needs. However, you might want to specify stronger security settings for certificates that are used by certain user groups. For example, you can specify longer private key lengths and shorter certificate lifetimes for certificates used to provide security for very valuable information. You can also specify the use of smart cards for private key storage to provide additional security.
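As an added example (not code from the Resource Kit or from Certificate Services), the following Go program expresses the first three factors above as a per-class policy and checks issued certificates against it. It builds a small constructed hierarchy in memory: a root CA that was wrongly issued with a 2,048-bit key where the policy calls for 4,096 bits, a compliant one-year user certificate, and a user certificate whose three-year lifetime exceeds an assumed two-year cap. The 20-year and 2-year lifetime caps, the certificate names, and the `CheckCertificate` and `DemoResults` functions are assumptions for illustration; recent Go releases refuse to generate RSA keys shorter than 1,024 bits, which is why the key-length violation is shown on the root rather than on a user key. Smart-card storage and nonexportable keys are properties of the key container, not of the certificate, so they cannot be verified this way.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const year = 365 * 24 * time.Hour

// CertPolicy holds, for one class of certificate, the minimum private-key length, the permitted signature algorithms and the maximum lifetime.
type CertPolicy struct {
	MinKeyBits  int
	MaxLifetime time.Duration
	Algorithms  map[x509.SignatureAlgorithm]bool
}

// Assumed planning values: 4,096-bit roots and 1,024-bit user keys as in the text; the lifetime caps are constructed for this example.
var (
	sha256RSA  = map[x509.SignatureAlgorithm]bool{x509.SHA256WithRSA: true}
	RootPolicy = CertPolicy{MinKeyBits: 4096, MaxLifetime: 20 * year, Algorithms: sha256RSA}
	UserPolicy = CertPolicy{MinKeyBits: 1024, MaxLifetime: 2 * year, Algorithms: sha256RSA}
)

// CheckCertificate returns one message per policy violation; an empty slice means the certificate complies.
func CheckCertificate(cert *x509.Certificate, p CertPolicy) []string {
	var problems []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		problems = append(problems, "public key is not RSA")
	} else if bits := pub.N.BitLen(); bits < p.MinKeyBits {
		problems = append(problems, fmt.Sprintf("key length %d bits is below the %d-bit minimum", bits, p.MinKeyBits))
	}
	if !p.Algorithms[cert.SignatureAlgorithm] {
		problems = append(problems, fmt.Sprintf("signature algorithm %s is not permitted", cert.SignatureAlgorithm))
	}
	if life := cert.NotAfter.Sub(cert.NotBefore); life > p.MaxLifetime {
		problems = append(problems, fmt.Sprintf("lifetime %s exceeds the %s maximum", life, p.MaxLifetime))
	}
	return problems
}

// issue creates a certificate with the given key length and lifetime; with a nil parent it is self-signed (a root CA), otherwise parentKey signs it.
func issue(cn string, bits int, lifetime time.Duration, isCA bool,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // constructed serial; a real CA uses random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now, NotAfter: now.Add(lifetime),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root: the template is its own parent
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DemoResults builds the constructed hierarchy and returns the violations found for each certificate.
func DemoResults() (map[string][]string, error) {
	root, rootKey, err := issue("Constructed Root CA", 2048, 10*year, true, nil, nil)
	if err != nil {
		return nil, err
	}
	results := map[string][]string{"root": CheckCertificate(root, RootPolicy)}
	for name, lifetime := range map[string]time.Duration{"user": 1 * year, "long-user": 3 * year} {
		cert, _, err := issue(name, 1024, lifetime, false, root, rootKey)
		if err != nil {
			return nil, err
		}
		results[name] = CheckCertificate(cert, UserPolicy)
	}
	return results, nil
}

func main() {
	results, err := DemoResults()
	if err != nil {
		panic(err)
	}
	fmt.Println(results)
}
```

Running the program reports the root's key length and the three-year user certificate's lifetime as violations and nothing for the compliant user certificate. The same `CheckCertificate` function can be applied to certificates parsed from an existing store to confirm that issued certificates match the requirements you specified.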

Determining Which Certificate Types to Issue

Identify the types of certificates you intend to issue. The types of certificates you issue depend on the certificate services you deploy and the security requirements you have specified for the certificates you intend to issue. You can issue certificate types that have multiple uses and that meet different security requirements.

For enterprise CAs, you can issue a variety of certificate types based on certificate templates and account privileges in a Windows 2000 domain. You can configure each enterprise CA to issue a specific selection of certificate types. Table 12.2 lists the different types of certificate templates available, and their purposes.

Table 12.2 Certificate Templates and Purposes

| Certificate template name | Certificate purposes | Issued to |
| --- | --- | --- |
| Administrator | Code signing, Microsoft trust list signing, EFS, secure e-mail, client authentication | People |
| Certification authority | All | Computers |
| ClientAuth | Client authentication (authenticated session) | People |
| CodeSigning | Code signing | People |
| CTLSigning | Microsoft trust list signing | People |
| Domain Controller | Client authentication, server authentication | Computers |
| EFS | Encrypting File System | People |
| EFSRecovery | File recovery | People |
| EnrollmentAgent | Certificate request agent | People |
| IPSECIntermediateOffline | IP Security | Computers |
| IPSECIntermediateOnline | IP Security | Computers |
| MachineEnrollmentAgent | Certificate request agent | Computers |
| Machine | Client authentication, server authentication | Computers |
| OfflineRouter | Client authentication | Computers/routers |
| SmartcardLogon | Client authentication | People |
| SmartcardUser | Client authentication, secure e-mail | People |
| SubCA | All | Computers |
| User | Encrypting File System, secure e-mail, client authentication | People |
| UserSignature | Secure e-mail, client authentication | People |
| WebServer | Server authentication | Computers |
| CEP Encryption | Certificate request agent | Routers |
| Exchange Enrollment Agent (Offline Request) | Certificate request agent | People |
| Exchange User | Secure e-mail, client authentication | People |
| Exchange User Signature | Secure e-mail, client authentication | People |

For stand-alone CAs, you can specify certificate uses in the certificate request. You can also use custom policy modules to specify the certificate types to be issued for stand-alone CAs. For more information about developing custom applications for Microsoft Certificate Services, see the Microsoft Platform SDK link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources.

The types of certificates issued by third-party certificate services are determined by the specific features and functions of each third-party product. For more information, contact the vendor for the certificate service.