How to Implement PKI

Support for public key infrastructure (PKI) certificates is built into Windows 2000 and into most software that supports enterprise business computing. To learn about the Windows 2000 PKI features, explore the following sections.

Creating a Local Certification Authority

You can create a local CA on your Windows 2000 server. There are several types of CAs to choose from. One type is the enterprise CA, which can issue certificates for purposes such as digital signatures, encrypted e-mail, Web authentication, and Windows 2000 domain authentication through smart cards. The enterprise CA will issue certificates based on requests from users or other entities, and it requires the use of the Active Directory™ directory service.

A stand-alone CA issues certificates based on requests from users or other entities; however, unlike the enterprise CA, it does not require the use of Active Directory. Stand-alone CAs are primarily intended for use with extranets or the Internet.

CAs can also fulfill various hierarchical roles such as root CA, subordinate CA, and issuing CA. For considerations about certification hierarchies, see "Define Certificate Policies and Certification Authority Practices" later in this chapter.

To create a local CA on your Windows 2000-based server

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click Add/Remove Programs, and click Add/Remove Windows Components.

  3. Add Certificate Services and, when prompted for the CA type, install an enterprise root CA. Choose the CA name and key length carefully: after Certificate Services is installed, the computer cannot be renamed and the CA's name cannot be changed without reinstalling the CA.

For more information about installing a local certification authority, see Windows 2000 Server Help.

After you create a local CA, you can monitor and manage it by using the Certification Authority snap-in to Microsoft Management Console (MMC).

You can also view your PKI certificates.

To view your personal set of PKI certificates

  1. Open Microsoft Internet Explorer.

  2. On the Tools menu, click Internet Options.

  3. Click the Content tab of the resulting dialog box. The buttons in the center section of this tab display your current certificates, trusted certification authorities, and trusted software publishers.

Managing Your Certificates

To manage your certificates, use the Certificates snap-in to MMC. Note that this snap-in has two display modes, the Logical Certificate Stores display and the Certificate Purpose display; both show the same certificates, grouped either by the store that holds them or by the purposes (enhanced key usages) they are valid for. Click the Certificates node (top-level node) to highlight it. On the View menu, click Options. Familiarize yourself with each of the two display modes.

To request a new certificate while in this snap-in, right-click the appropriate node in the Certificate Purpose view and, on the All Tasks menu, click Request New Certificate.
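The two snap-in views described above, reproduced from the command line as an added example; this is not part of the original chapter, and it assumes a later Windows release with Windows PowerShell 3 or newer, whose Cert: drive exposes the same logical stores the Certificates snap-in shows (My is the Personal store, Root is Trusted Root Certification Authorities, CA is Intermediate Certification Authorities). The function names are the example's own.

```powershell
# Added example, not code from the Windows 2000 Resource Kit. Assumes Windows PowerShell 3+.
# Store names under Cert:\ match the snap-in's Logical Certificate Stores view.

function Get-StoreView {
    # "Logical Certificate Stores" view: certificates grouped by the store that holds them.
    param([string]$Location = 'CurrentUser')
    Get-ChildItem -Path "Cert:\$Location" | ForEach-Object {
        $store = $_.Name
        Get-ChildItem -Path "Cert:\$Location\$store" |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, NotAfter, HasPrivateKey, Thumbprint
    }
}

function Get-PurposeView {
    # "Certificate Purpose" view: the same certificates keyed by Enhanced Key Usage
    # (extension OID 2.5.29.37). A certificate without an EKU extension is valid for all purposes.
    param([string]$Location = 'CurrentUser')
    Get-ChildItem -Path "Cert:\$Location" -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $purposes = if ($eku) {
                $eku.EnhancedKeyUsages | ForEach-Object { if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value } }
            } else {
                @('<all purposes>')
            }
            foreach ($p in $purposes) {
                [pscustomobject]@{
                    Purpose    = $p
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        } | Sort-Object Purpose, Subject
}

function Get-UnusablePersonalCerts {
    # Personal certificates that are expired or have no private key on this machine:
    # the usual reasons a user "has a certificate" but cannot sign or decrypt with it.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.NotAfter -lt (Get-Date) -or -not $_.HasPrivateKey } |
        Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint
}

Get-StoreView             | Format-Table -AutoSize
Get-PurposeView           | Format-Table -AutoSize
Get-UnusablePersonalCerts | Format-Table -AutoSize
```

Run it in a normal user session to see the CurrentUser stores that Internet Explorer's Content tab and the Certificates snap-in display; pass -Location LocalMachine (from an elevated session) to see the computer's stores, which are the ones Group Policy populates.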

Using the Certificate Services Web Pages

When your Windows 2000 site is operational, you can allow users to request their own certificates from your internal certification authority. You must have a CA configured and running, and IIS must also be configured and running. Access the enrollment Web pages through https://computer_DNS_name/certsrv/. Serve the pages over HTTPS, which requires a server certificate for the IIS site, so that enrollment requests and the issued certificates are not exchanged in the clear.

Setting Public Key Policies in Group Policy Objects

A number of PKI policies can be set in a Group Policy object and thereby applied to computers in domain and organizational unit scope. Open the Group Policy snap-in to MMC to the appropriate Group Policy object. The PKI entries are located under Computer Configuration:

Group_Policy_Object
 — Computer Configuration
  — Windows Settings
   — Security Settings
    — Public Key Policies


Certificate trust lists and CA root certificates are part of Group Policy objects, and contain the CAs to be trusted by recipients of the Group Policy. These are the Enterprise Trust and Trusted Root Certification Authorities containers under Public Key Policies, respectively. Every root certificate distributed this way becomes a trust anchor on each computer that receives the policy, so review both containers as carefully as you would the CA itself.
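A check that a practitioner would run on a computer receiving the policy, added here as an example rather than taken from the chapter: compare the machine's Trusted Root Certification Authorities store against the roots you intend to distribute, and show which roots arrived through Group Policy. It assumes Windows PowerShell 3 or newer; the thumbprint and CA name in the approved list are constructed placeholders, and the function names are the example's own. Roots distributed by Public Key Policies are cached under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates, keyed by SHA-1 thumbprint.

```powershell
# Added example, not code from the Windows 2000 Resource Kit. Assumes Windows PowerShell 3+,
# run from an elevated session so the LocalMachine stores are readable.

# Constructed placeholder: replace with the SHA-1 thumbprints of your own approved roots.
$ApprovedRoots = @{
    '0000000000000000000000000000000000000001' = 'Contoso Enterprise Root CA (hypothetical)'
}

function Get-PolicyDistributedRootThumbprints {
    # Thumbprints of roots pushed by Group Policy (Public Key Policies -> Trusted Root CAs).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    if (Test-Path -Path $key) {
        Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName.ToUpperInvariant() }
    }
}

function Get-TrustedRootReport {
    # One row per certificate in the machine's Trusted Root store, with three findings:
    #   Approved      - thumbprint is on the approved list
    #   FromPolicy    - the root was delivered by Group Policy rather than installed locally
    #   IsSelfSigned  - a root should be self-signed; anything else is in the wrong store
    param([hashtable]$Approved = $ApprovedRoots)
    $fromPolicy = @(Get-PolicyDistributedRootThumbprints)
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        [pscustomobject]@{
            Subject      = $_.Subject
            NotAfter     = $_.NotAfter
            Thumbprint   = $_.Thumbprint
            Approved     = $Approved.ContainsKey($_.Thumbprint)
            FromPolicy   = $fromPolicy -contains $_.Thumbprint
            IsSelfSigned = ($_.Subject -eq $_.Issuer)
        }
    }
}

$report = Get-TrustedRootReport

# Roots the machine trusts that are not on the approved list: review each one.
$report | Where-Object { -not $_.Approved } |
    Sort-Object FromPolicy, Subject |
    Format-Table Subject, NotAfter, FromPolicy, Thumbprint -AutoSize

# Approved roots that are missing: the policy did not reach this computer, or has not applied yet.
$ApprovedRoots.Keys | Where-Object { -not ($report.Thumbprint -contains $_) } |
    ForEach-Object { "Missing approved root: $($ApprovedRoots[$_]) ($_)" }

# Certificates in the Root store that are not self-signed do not belong there.
$report | Where-Object { -not $_.IsSelfSigned } | Format-Table Subject, Thumbprint -AutoSize
```

On current Windows releases the first listing will include many public roots delivered by the Microsoft root certificate program, so the useful signal is a root that is neither approved nor from a known source; an unexpected FromPolicy entry points at a Group Policy object that should be audited.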