A public key infrastructure provides the foundation, components, and features that are necessary for managing certificates and private keys throughout the certificate lifecycle. The certificate lifecycle includes the following:
To manage the certificate lifecycle, a public key infrastructure must provide mechanisms to support the following management activities:
Enroll users and computers for certificates.
Distribute certificates for public use.
Publish certificate revocation lists (CRLs).
Maintain a certificate audit trail.
Users and computers must enroll to request and receive certificates from a CA. The enrollment process varies with the CA and its policies. One of the most common certificate enrollment methods is to use Web pages for certificate requesters to submit their certificate requests. When a request is received by a CA, the CA verifies whether the requester is qualified to receive the certificate and either approves or denies the request.
The certificate issuing policies for CAs vary depending on the level of verification the CA must do to verify the certificate requester's identity. Some certificate requests might be approved or denied quickly because the CA merely checks to see if the requester has a valid Internet e-mail address. Other certificate requests might take longer because the CA must verify the requester's identity through third-party agencies or by conducting background checks.
Some public key infrastructures, such as the Windows 2000 public key infrastructure, can automate the enrollment for certain types of certificates. For example, in Windows 2000, you can optionally configure Public Key Group Policy to automatically enroll Windows 2000 computers for computer certificates.
When certificates are issued, they must be distributed to the requester as well as to distribution points where other users can have access to them, as necessary. Many public key infrastructures, including the Windows 2000 public key infrastructure, can be configured to automatically distribute certificates through directories, Web pages, public folders, and e-mail.
Certificate Revocation Lists
CAs publish certificate revocation lists (CRLs) to identify certificates that have been revoked (for example, when a certificate user has left the organization or when a private key has been compromised). During the certificate validation process, software can check the CRL to determine whether the certificate is invalid. Certificates that are listed in CRLs are invalid and should not be trusted. When a revoked certificate expires, it is no longer published in the CRL. The CA uses its private key to digitally sign CRLs to prevent tampering with them.
Many public key infrastructures, including the Windows 2000 public key infrastructure, can be configured to periodically publish CRLs. CRLs can be distributed through directories, Web pages, public folders, and e-mail. The X.509 version 3 certificate format includes a field that lists the distribution points for the CRLs published by the issuing CA.
When a certificate reaches its expiration date, the certificate is invalid and can no longer be used. However, certificates can be re-issued or renewed with new, valid dates. The renewal process is similar to the enrollment process.
Certificate Audit Trail
Each CA must maintain an audit trail of certificate requests and the certificates that are issued until they expire. The audit trail records all certificate transactions including failed requests and all of the information contained in each issued certificate. It also provides the information that is required to revoke a certificate and add it to the revocation list. CA administrators can query the audit trail to locate and view information about any certificate request or any certificate that has been issued by the CA.
An audit trail is necessary to meet the security obligations of the CA and the organization. The administrators of the CA must be able to provide records of all certificate transactions. For example, when an issued certificate was used for an illegal activity or for a fraudulent transaction, CA administrators might be asked to provide records to security or law enforcement personnel.
In addition, CA administrators need audit trail records to monitor the network for security breaches. For example, administrators can view the audit trail to detect failed certificate requests or to determine whether someone has improperly obtained certificates.