Introduction (Advanced Certificate Enrollment and Management)
Updated: June 30, 2010
Applies To: Windows Server 2003 with SP1
Complex infrastructure environments and branch-office deployment environments often dictate unique and advanced management techniques to manage a PKI or certificate deployment to remote servers. Network and infrastructure services, such as domain controllers, Internet Authentication Servers (IAS), Internet Information Services (IIS), and other stand-alone applications, often require X.509 certificate enrollment or provisioning to provide or enable secure protocols, messaging, or application services. In many of these deployment scenarios, automatic system provisioning or even traditional certificate enrollment may not be possible due to one or more reasons, such as:
Stand-alone servers with no relationship to an Active Directory® domain
Firewalls blocking required communication ports
Complete lack of connectivity without a virtual private network (VPN) or Internet Protocol Security (IPSec) certificate credential to authenticate to the master network
For example, a branch office domain controller may be connected to the central site only through a firewall, and only port 25 is open for Simple Mail Transfer Protocol (SMTP) replication. The domain controller cannot automatically or manually enroll a domain controller certificate over Remote Procedure Call/Distributed Component Object Model (RPC/DCOM) and, therefore, SMTP replication will fail. Because the certification authority is located in the central site and the firewall is blocking RPC traffic, the branch office domain controller cannot contact the certification authority to enroll its certificate. In this situation, a domain controller certificate must be requested, processed, and installed in an asynchronous or offline process. This white paper explains several remote deployment scenarios along with the step-by-step procedures to perform X.509 certificate enrollment to implement a secure infrastructure.
Although it is preferable to describe and support all environments, it is not always possible due to technology limitations or documentation requirements. This white paper documents and focuses on domain controller certificate enrollment for Windows 2000 and Windows Server™ 2003 domain controllers from a Windows 2000 or Windows Server 2003 stand-alone certification authority (CA) as well as from a Windows Server 2003 enterprise CA. Because of technical constraints, manual certificate enrollment from a Windows 2000 enterprise CA is not covered in detail.
In this white paper, it is assumed that all domain controllers have been configured and function properly. It is also assumed that the CA has been implemented according to the recommended best practices by Microsoft® as documented in the white paper at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
To provide a high-level overview of an advanced enrollment scenario, the following diagrams illustrate step-by-step references of the various procedures and processes that are described in detail in later sections.