Planning certificate deployment

Microsoft Forefront Threat Management Gateway uses digital certificates in a number of common scenarios:

  • Publishing a Web server or Outlook® Web Access server over an HTTPS connection.
  • Publishing a non-Web server over an HTTPS connection.
  • Configuring a VPN site-to-site connection with L2TP/IPsec or IPsec tunneling.

The following table summarizes the type of certificates used in these scenarios.

| Scenario | Certificate type (intended purpose) | Issued by |
|---|---|---|
| Web publishing: authenticate the Forefront TMG computer to the external user | Server certificate | Public certificate authority (CA) |
| Web publishing: authenticate the backend Web server to the Forefront TMG computer | Server certificate | Public CA or local CA |
| Server publishing: authenticate the published non-Web server to the external user | Server certificate | Public CA |
| VPN site-to-site (L2TP/IPsec or IPsec tunnel) | IPsec certificate | Local CA (recommended) |
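The table pairs each scenario with an intended purpose and an issuer. The following PowerShell function is an added example, not part of the Forefront TMG documentation, that checks a certificate in the local machine store against those two requirements: that it carries the Enhanced Key Usage the scenario needs, that its private key is present, that it chains to a trusted CA with revocation checking, and where its CRL distribution points are. The thumbprint is a placeholder supplied by the caller; the scenario names are this example's own.

```powershell
# Scenario name -> Enhanced Key Usage OID the certificate must carry.
$ScenarioEku = @{
    'ServerAuthentication' = '1.3.6.1.5.5.7.3.1'   # Web/server publishing: Server Authentication
    'IpsecIke'             = '1.3.6.1.5.5.8.2.2'   # VPN site-to-site: IP security IKE intermediate
}

function Test-TmgCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][ValidateSet('ServerAuthentication','IpsecIke')][string]$Scenario
    )
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    # 1. Intended purpose: the EKU extension must list the OID for this scenario.
    $requiredOid = $ScenarioEku[$Scenario]
    $hasEku = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $requiredOid }

    # 2. A server certificate is useless to TMG without its private key.
    $hasKey = $cert.HasPrivateKey

    # 3. Chain to a trusted root and check revocation for every certificate in the chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk     = $chain.Build($cert)
    $chainErrors = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }

    # 4. CRL distribution points (OID 2.5.29.31): confirm they are reachable from the
    #    network location where TMG will validate this certificate.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
        ForEach-Object { $_.Format($true) }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        HasIntendedEku = [bool]$hasEku
        HasPrivateKey  = $hasKey
        ChainValid     = $chainOk
        ChainErrors    = $chainErrors
        CrlDistPoints  = $cdp
    }
}

# Example call with a placeholder thumbprint:
# Test-TmgCertificate -Thumbprint 'PLACEHOLDER_THUMBPRINT' -Scenario ServerAuthentication
```

For the backend Web server row, run the same check on the backend server's own store, since that is where its server certificate lives.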

Setting Up a Local Certification Authority

You can use Microsoft Certificate Services to set up a local CA to issue certificates. A local Microsoft CA can be one of two types:

**Standalone CA—**This type of CA is useful when there is no domain environment and automatic deployment of certificates to users and computers is not required. This type of CA has the following characteristics:

  • Active Directory is not required.
  • The CA has no knowledge of the user or computer requesting the certificate. Information is explicitly supplied when the request is made.
  • All requests for certificates are set to "pending" until approved by the CA administrator.
  • You cannot use the Certificate Request wizard in Certificate Services to request or manage certificates. You must use a Web page.
  • If client certificates are required, the user account requesting the certificate must be defined locally on the standalone CA computer.
  • You cannot add or remove certificate templates from the standalone CA.
  • You must add the self-signed standalone CA certificate manually to the Trusted Root Certification Authorities store of the requesting computer. There is some limited domain support when a standalone CA is installed by a domain user in a domain. In this case, the CA root certificate is added to the Trusted Root Certification Authorities store for all domain users and computers.
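Adding a root certificate to the Trusted Root Certification Authorities store makes every certificate that CA issues trusted on that computer, so the manual step above should include checking that the file really is the expected CA certificate. The function below is an added example, not part of the documentation; the file path and expected thumbprint are placeholders for values obtained from the CA administrator out of band, and `Import-Certificate` assumes the PKI module (Windows Server 2012 or later).

```powershell
function Install-TrustedRootCa {
    param(
        [Parameter(Mandatory)][string]$CertPath,           # exported CA certificate (.cer)
        [Parameter(Mandatory)][string]$ExpectedThumbprint  # SHA-1 thumbprint obtained out of band
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # A root CA certificate is self-signed: subject and issuer carry the same name.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a self-signed root: subject '$($cert.Subject)' differs from issuer '$($cert.Issuer)'"
    }

    # It must be marked as a CA in Basic Constraints (OID 2.5.29.19).
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "Certificate '$($cert.Subject)' is not marked as a certification authority"
    }

    # Trusting a root is all-or-nothing: compare the thumbprint against the value the CA
    # administrator gave you rather than trusting whatever file arrived.
    $normalized = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $normalized) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $normalized"
    }

    # Skip the import if this root is already trusted on this computer.
    $existing = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($existing) { return $existing }

    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root
}

# Placeholder values; replace with the exported file and the thumbprint from the CA administrator:
# Install-TrustedRootCa -CertPath 'C:\PLACEHOLDER\StandaloneRootCA.cer' -ExpectedThumbprint 'PLACEHOLDER_THUMBPRINT'
```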

**Enterprise CA—**This type of CA uses Active Directory to verify that users, computers, and services requesting certificates have authorization to receive the type of certificate they are requesting. Certificates and Certificate Revocation Lists (CRLs) are published by the CA to Active Directory. You can use the Certificate Request Wizard in Certificate Services to request and manage certificates.

The following sections describe the main steps required to install and configure a local Microsoft standalone or enterprise CA. These sections only provide an overview of the configuration steps for a local CA. For a more complete list, see the topics in Understanding Certificate Services at Microsoft TechNet.

Installing a root CA

The root CA is the top-level CA. The root CA should not be used to issue certificates to users or computers. Instead, you should set up a CA hierarchy of subordinate CAs. The root CA can be kept offline and brought online only to perform tasks related to subordinate CAs and CRLs.

To install an enterprise CA, you must be a member of the Enterprise Admins group. To install a standalone CA that will store certificates in Active Directory, you must be a member of the Domain Admins group. To install a standalone CA that will not use Active Directory, you must be a member of the Administrators group on the local server.

For instructions see the following resources at Microsoft TechNet:

For more information see the following resources at Microsoft TechNet:

Installing a subordinate CA

We recommend setting up a subordinate CA to issue certificates.

For instructions see the following resources at Microsoft TechNet:

For more information see the following resources at Microsoft TechNet:

Configuring templates for enterprise CAs

A certificate template profiles certificates based on their intended use. A certificate requester is able to select from a variety of certificate types that are based on certificate templates, depending on their access rights. The certificate template saves users from low-level, technical decisions about the type of certificate that they need. If none of the preset certificate templates meet your needs, you can create new certificate templates and customize them for a variety of different uses. Certificate templates are only used by enterprise CAs.

For instructions see the following resources at Microsoft TechNet:

For more information see the following resources at Microsoft TechNet:

Configuring key archival and recovery

In Windows 2003 Certificate Services, key archival and recovery allow a CA administrator to archive the private keys associated with the certificates that are issued. Key archival and recovery apply only to enterprise CAs.

For instructions see the following resources at Microsoft TechNet:

For more information see the following resources at Microsoft TechNet:

Configuring and managing certificate revocation

There are a number of tasks associated with managing certificate revocation, including scheduling CRL publication, using delta CRLs to minimize downloads of lengthy CRLs, and designating CRL distribution points.

For instructions see the following resources at Microsoft TechNet:

For more information see the following resources at Microsoft TechNet:

Setting up Web enrollment services

A set of CA Web pages provides a simple user interface to connect to a CA via a Web browser and perform common tasks such as requesting certificates. For a standalone CA, this is the primary request method. For an enterprise CA, the Certificates MMC snap-in can be used in addition to the Web pages.

For instructions see the following resources at Microsoft TechNet:

For more information see the following resources at Microsoft TechNet: