Basic PKI Concepts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Public key infrastructure (PKI) is the term used to describe the laws, policies, procedures, standards, and software that regulate or control the operation of certificates and public and private keys. More specifically, a PKI is a system of digital certificates, certification authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction.

A PKI consists of the following basic components:

Digital certificates   Electronic credentials that bind a public key to the identity of its holder and are signed by the issuing CA. The public key in a certificate is used to verify signatures and to encrypt data for the holder, who keeps the matching private key to sign and decrypt. Digital certificates provide the foundation of a PKI.

One or more certification authorities (CAs)   Trusted entities or services that issue digital certificates. When multiple CAs are used, they are typically arranged in a carefully prescribed order and perform specialized tasks, such as issuing certificates to subordinate CAs or issuing certificates to users.

Certificate policy and practice statements   The two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on.

Certificate repositories   A directory service or other location where certificates are stored and published. In a Windows Server 2003 domain environment, the Active Directory® directory service is the most likely publication point for certificates issued by Windows Server 2003–based CAs.

Certificate revocation lists (CRLs)   Signed lists, published by a CA, of certificates that the CA has revoked before their scheduled expiration date. A client that honors revocation must obtain a current CRL before it trusts a certificate.

Note

  • With Certificate Services in Windows Server 2003, Microsoft introduces a new type of certificate revocation list called a delta CRL, which allows you to publish information about recently revoked certificates more frequently without using the bandwidth required for publishing full CRLs.
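As an added example (not code from the Windows Server 2003 documentation), the following Python shows what a relying party has to do when it honors delta CRLs: confirm that the delta may be applied to the base CRL it holds, confirm that both lists are still current, and then merge them, treating a delta entry with reason removeFromCRL as lifting an earlier hold. The merge rules follow RFC 5280 sections 5.2.4 and 6.3.3; the CRL objects, issuer name, serial numbers and timestamps are constructed for the demonstration and do not come from a real CA.

```python
# Added example: combining a base CRL with a delta CRL before deciding whether
# a certificate is revoked. Rules follow RFC 5280 sections 5.2.4 and 6.3.3.
# All CRL data below is constructed for illustration, not real CA output.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# CRLReason codes (RFC 5280 section 5.3.1) that matter for delta handling.
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8   # only valid in a delta CRL: lifts an earlier hold


@dataclass
class CrlEntry:
    serial: int
    revocation_date: datetime
    reason: Optional[int] = None


@dataclass
class Crl:
    issuer: str
    crl_number: int                          # CRL Number extension
    this_update: datetime
    next_update: datetime
    entries: List[CrlEntry] = field(default_factory=list)
    base_crl_number: Optional[int] = None    # Delta CRL Indicator; None on a base CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def _check_fresh(crl: Crl, now: datetime) -> None:
    # A CRL outside its thisUpdate..nextUpdate window must not be used; an
    # expired one may silently omit revocations the CA has since published.
    if not (crl.this_update <= now < crl.next_update):
        raise ValueError(f"CRL {crl.crl_number} from {crl.issuer} is not current at {now}")


def effective_revocations(base: Crl, delta: Crl, now: datetime) -> Dict[int, CrlEntry]:
    """Apply a delta CRL to a base CRL; return {serial: entry} for every
    certificate that is revoked once both lists are taken into account."""
    if base.is_delta or not delta.is_delta:
        raise ValueError("first argument must be a base CRL, second a delta CRL")
    if base.issuer != delta.issuer:
        raise ValueError("base and delta CRL must come from the same issuer")
    # RFC 5280 6.3.3: the delta applies to any base whose CRL number is at
    # least the delta's BaseCRLNumber; a delta older than the base adds nothing.
    if base.crl_number < delta.base_crl_number:
        raise ValueError("base CRL predates the delta's BaseCRLNumber; fetch a newer base")
    if delta.crl_number < base.crl_number:
        raise ValueError("delta CRL is older than the base CRL")
    _check_fresh(base, now)
    _check_fresh(delta, now)

    revoked = {e.serial: e for e in base.entries}
    for entry in delta.entries:
        if entry.reason == REMOVE_FROM_CRL:
            revoked.pop(entry.serial, None)   # hold released after the base was cut
        else:
            revoked[entry.serial] = entry     # newly revoked, or reason updated
    return revoked


def is_revoked(serial: int, base: Crl, delta: Crl, now: datetime) -> bool:
    return serial in effective_revocations(base, delta, now)


def rejects(base: Crl, delta: Crl, now: datetime) -> bool:
    """True when the pair of CRLs is refused rather than merged."""
    try:
        effective_revocations(base, delta, now)
    except ValueError:
        return True
    return False


# --- constructed sample data (hypothetical issuer, serials and dates) --------
ISSUER = "CN=Contoso Issuing CA"
T0 = datetime(2004, 3, 1, 8, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=2)             # inside both validity windows
STALE_NOW = T0 + timedelta(days=30)      # past nextUpdate of both CRLs

BASE_CRL = Crl(
    issuer=ISSUER, crl_number=41, this_update=T0, next_update=T0 + timedelta(days=7),
    entries=[
        CrlEntry(0x1001, T0 - timedelta(days=3), KEY_COMPROMISE),
        CrlEntry(0x1002, T0 - timedelta(days=1), CERTIFICATE_HOLD),
    ],
)

# Published a day later: one new compromise, and the hold on 0x1002 lifted.
DELTA_CRL = Crl(
    issuer=ISSUER, crl_number=42, base_crl_number=41,
    this_update=T0 + timedelta(days=1), next_update=T0 + timedelta(days=3),
    entries=[
        CrlEntry(0x1003, T0 + timedelta(hours=20), KEY_COMPROMISE),
        CrlEntry(0x1002, T0 + timedelta(hours=22), REMOVE_FROM_CRL),
    ],
)

# An older base (number 40) to which this delta must not be applied.
OLD_BASE_CRL = Crl(issuer=ISSUER, crl_number=40, this_update=T0 - timedelta(days=7),
                   next_update=T0 + timedelta(days=7), entries=[])

if __name__ == "__main__":
    for serial, entry in sorted(effective_revocations(BASE_CRL, DELTA_CRL, NOW).items()):
        print(f"revoked: serial {serial:#x} reason {entry.reason}")
```

Two of the checks are the ones that bite in practice: a client that caches a base CRL and keeps applying fresh deltas to it past the base's nextUpdate, and a client that applies a delta to a base older than the delta's BaseCRLNumber. Both cases are refused here instead of producing a revocation set that is silently incomplete.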

Certificate trust lists   Signed lists, located on the client, of trusted CA certificates. A certificate is trusted if it appears in a certificate trust list (CTL) or if the CTL contains a trusted certificate from another CA that is part of the certificate's certificate chain. Windows Server 2003 domain administrators can use Group Policy objects (GPOs) to publish and maintain CTLs.

Key archival and recovery   A feature that makes it possible to archive and recover the private key portion of a public-private key pair, in the event that a user loses his or her private keys, or an administrator needs to assume the role of a user for data access or data recovery. Private key recovery does not recover any data or messages; it merely enables the recovery process.

Public key standards   Standards that define the syntax for digitally signing and encrypting messages and for proving that a user possesses the private key that corresponds to a certificate. To maximize interoperability with third-party applications that use public key technology, the Windows Server 2003 PKI is based on the standards recommended by the Public-Key Infrastructure (X.509) (PKIX) working group of the Internet Engineering Task Force (IETF). Other standards that the IETF has recommended also have a significant impact on public key infrastructure interoperability, including standards for Transport Layer Security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME), and Internet Protocol security (IPSec).