New features in Certificate Services
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
New features in Certificate Services
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition have a number of new features and improvements related to Certificate Services and public key infrastructure (PKI). A few new procedures are also provided to demonstrate certificate template editing features and certificate autoenrollment for users and computers.
New PKI features
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition implement new PKI features and improvements.
Editable certificate templates and the Certificate Templates MMC snap-in
Certificate templates were available in Windows 2000 Certificate Services, but they could not be modified or changed. There is a new Certificate Templates MMC snap-in that enables administrators to:
Create a new certificate template by duplicating and renaming an existing template.
Modify template properties such as certificate validity period, renewal period, cryptographic service provider (CSP), key size, key archival
Establish and apply enrollment policies, issuance policies and application policies.
For example, a user can enroll themselves for a certificate or an enrollment agent certificate can enroll for a certificate on their behalf. A significant issue with this scenario is that an enrollment agent can enroll for any user in the enterprise. This means the enrollment agent certificate is very powerful and only very trusted people may have access to it.
Allow for autoenrollment for certificates based on the template.
Set access control on certificate templates to establish which users or computers can enroll and autoenroll for certificates.
- Create a new certificate template by duplicating and renaming an existing template.
Certificate autoenrollment and autorenewal for all subjects
In Windows 2000, it was possible to autoenroll for EFS certificates and computer certificates, however, autoenrollment for users was not possible. The new autoenrollment feature improves both the user and computer enrollment experience. A member of the Enterprise Admins group can specify the types of certificates that any entity should automatically be issued. The enterprise administrator controls autoenrollment by setting security permissions on certificate templates using the Certificate Templates snap-in. A Windows XP or Windows Server 2003 family client then accesses the templates in the Active Directory directory service and, if access has been granted, then it will enroll for those certificates.
For an example of establishing autoenrollment for user certificates, see Certificate Services example implementation: Establishing autoenrollment for user certificates.
Autorenewal is a new feature similar to autoenrollment and the same mechanism on the templates is used to control who can autorenew a certificate. Every certificate in the certificate store that has a template extension can potentially be autorenewed by the system. This means that applications no longer need to worry about certificates expiring.
Many applications require up-to-date certificate revocation status information. This requires the certification authority (CA) to frequently publish a new certificate revocation list (CRL). A CRL is the entire list of revoked certificates, so for a CA with a large amount of issued certificates, this can become a very large list. Even if there are no changes, a CA has to republish the entire list so that applications have the latest information, which involves a lot of repetition. Frequent publication of large objects will in turn generates a large amount of replication traffic.
Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition have a new feature called delta CRLs, an option in RFC 2459. Delta CRLs are CRLs which contain the list of changes in revocation status from a full "base" CRL. Because delta CRLs are a list of changes and not a restatement of the entire CRL, they are typically much smaller and generate significantly less replication traffic than large base CRLs.
Certificate Services in Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition allows for the separation of roles for the management and maintenance of a CA. Role separation is not enforced by default, but you can select to enforce assigned roles.
For more information, see Role-based administration.
Key archival and recovery
You can configure a CA to archive the keys associated with the certificates it issues. If necessary, you can then recover lost keys through the use of a key recovery agent certificate.
For more information, see Certificate Services example implementation: Key archival and recovery.
Event auditing provides the ability to log most events that occur on a CA. This can be useful for monitoring the activities of a CA or the administrative functions, such as certificate issuance and role changes.
For more information, see Configure event auditing.
Qualified subordination is an extension of standard CA subordination that allows you to:
Define the namespaces for which a subordinate CA will issue certificates.
Specify the acceptable uses of certificates issued by a qualified subordinate CA.
Enable a certificate to be used in separate certification hierarchies.
- Define the namespaces for which a subordinate CA will issue certificates.
New Certutil.exe commands
certutil -dspublish [cert|crl]
Publishes the CA certificate or the certificate revocation list to Active Directory
For examples of using certutil -getkey and certutil -recoverkey to recover archived keys, see Certificate Services example implementation: Key archival and recovery.