
Example: Defining Certificate Requirements

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

An organization decides to implement a public key infrastructure because a number of business units within the organization are using certificate services independently. The business units use similar infrastructures that include many of the same components — such as CAs and certificate templates — and have similar goals. Therefore, the organization develops a PKI with a central corporate root that also allows individual business units to implement certificate services for their specific needs.

The organization chooses to use certificate services for the following:

  • E-mail

  • Internet authentication

  • Encrypting File System

  • Software code signing

  • Smart card logon

In addition, they identify the following requirements:

  • All users throughout the organization are required to use certificates in order to secure e-mail traffic.

  • Individual business units need to use Internet authentication to facilitate the sharing of data on their local networks with their joint venture partners.

  • All users are able to use Encrypting File System.

  • Developers and network administrators must use software code signing for the custom applications and scripts of the organization.

  • Administrators are required to log on using a smart card before they can perform certain tasks, such as administering domain controllers.

The organization then divides these requirements into the following security classifications:

  • Medium security, which includes the e-mail and EFS certificates.

  • Internal high security, which includes the software code signing and smart card logon certificates, and serves the needs of network administrators and developers.

  • External high security, which includes the Internet authentication certificates and meets the need of the organization to share information with joint venture partners.

Figure 16.4 shows an example of the User Certificate Requirements worksheet that the organization created to summarize these classifications.

Figure 16.4   Example of a User Certificate Requirements Worksheet


For a worksheet to assist you in documenting your certificate requirements, see "User Certificate Requirements" (DSSPKI_1.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "User Certificate Requirements" on the Web at

After they have planned the trust relationships for the internal CA infrastructure and extended external CA infrastructure, the organization can design its certificates and certificate management processes. Administrators must examine the security and user requirements to develop a secure certificate services solution. For more information about designing certificates and configuring CAs, see "Creating a Certificate Management Plan" later in this chapter.
