Configure Certificates to Be Issued

By default, Windows 2000 enterprise CAs are installed ready to issue several certificate types. You can modify the default configuration by using the Certification Authority MMC snap-in to specify the certificate types to be issued by each CA. You can delete default certificate types that you do not want the CA to issue. You can also add more certificate types for the CA to issue.

Examples of Configurations

You can configure CAs to support multiple security functions or only one security function. Following are some ways you can configure CAs:

  • For a root CA or an intermediate CA, you can configure the CA so it can issue subordinate certification authority certificates only.

  • For an issuing CA that supports secure Web communication services, you can configure the CA so it can issue authenticated session, computer, and Web server certificates only.

  • For an issuing CA that supports general business users, you can configure the CA so it can issue user certificates only. Likewise, you can configure a CA that supports administrators to issue administrator certificates only.

  • For an issuing CA that supports smart card enrollment, you can configure the CA so it can issue smart card logon and smart card user certificates only.
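The smart card configuration in the last item can be scripted instead of clicked through in the Certification Authority snap-in. The script below is an added example, not part of the original Resource Kit text; it assumes the ADCSAdministration PowerShell module that ships with later Windows Server versions (Windows 2000 exposed the same setting only through the MMC snap-in) and is run on the CA itself with CA administrator rights. The template names are the templates' common names in Active Directory, not their display names.

```powershell
# Added example: restrict this CA to issuing only the smart card templates.
# Assumes the ADCSAdministration module (Windows Server 2012 or later); on
# Windows 2000 the same change is made in the Certification Authority snap-in.
Import-Module ADCSAdministration

# Templates a smart card issuing CA should offer (template common names).
$allowed = @('SmartcardLogon', 'SmartcardUser')

# Remove every template the CA currently issues that is not on the allow list.
foreach ($template in Get-CATemplate) {
    if ($allowed -notcontains $template.Name) {
        Write-Host "Removing template $($template.Name) from this CA"
        Remove-CATemplate -Name $template.Name -Force
    }
}

# Add any allowed template that the CA is not yet configured to issue.
$current = @(Get-CATemplate | Select-Object -ExpandProperty Name)
foreach ($name in $allowed) {
    if ($current -notcontains $name) {
        Write-Host "Adding template $name to this CA"
        Add-CATemplate -Name $name -Force
    }
}

# Verify the result: only the allowed templates should be listed.
Get-CATemplate | Select-Object -ExpandProperty Name
```

The same pattern applies to the other configurations in the list: change `$allowed` to `@('SubCA')` for a root or intermediate CA, or to `@('WebServer', 'Machine')` plus any session template for a Web communication CA. Because the CA grants requests only for templates in this list, keeping the list short is the first control on what a compromised or misconfigured client can obtain from that CA.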

Security Access Control Lists for Certificate Templates

Permission to request certificate types is controlled by the security access control lists for each certificate template. An enterprise CA grants certificate requests only for users, computers, or services that have the Enroll permission selected in the security access control list for that certificate template. The security access control lists for certificate templates are preconfigured to enable various default user accounts and security groups to enroll for certificate types.

You can use the Active Directory Sites and Services MMC snap-in to modify the security access control lists for each certificate template.

To modify the security access control lists for each certificate template

  1. On the View menu, click Show Services Node.

  2. Expand the Services node and the Public Key Services and Certificate Templates containers.

  3. Select a certificate template in the details pane and click the Security tab of its Properties sheet. This tab shows the groups that have access to this template, and the specific permissions of each group.

For example, by default, only members of the Domain Administrators security group can request and obtain enrollment agent certificates. However, to specify that only certain members of your security department can request and obtain enrollment agent certificates, you can change the security access control list for the enrollment agent certificate template. You can remove domain admins from the access control list and add the appropriate user accounts or security groups.
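Before and after changing the enrollment agent template's access control list as described above, it is worth listing exactly which principals hold Enroll on that template, since the Security tab shows only one group at a time. The function below is an added example, not part of the original Resource Kit text. It assumes the ActiveDirectory PowerShell module and its AD: drive (Windows Server 2008 R2 or later); the extended-right GUIDs are the Certificate-Enrollment and Certificate-AutoEnrollment control access rights defined in the Active Directory schema. Reading the ACL requires only ordinary domain user rights, so the audit can run from any domain-joined machine.

```powershell
# Added example: report every principal allowed to enroll for a certificate template.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or later); on
# Windows 2000 the same ACL is viewed in Active Directory Sites and Services.
Import-Module ActiveDirectory

# Control access right GUIDs from the AD schema.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$AllRights       = [Guid]::Empty   # an empty ObjectType on an ExtendedRight ACE covers all extended rights

function Get-TemplateEnrollers {
    param([Parameter(Mandatory)][string]$TemplateName)   # template common name, e.g. EnrollmentAgent

    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl        = Get-Acl -Path "AD:\$templateDN"

    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # GenericAll implies every right; compare the masked value, not just a non-zero overlap.
        $hasGenericAll = (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
        $hasExtended   = (($ace.ActiveDirectoryRights -band $extendedRight) -eq $extendedRight)

        $right = $null
        if ($hasGenericAll) { $right = 'GenericAll (includes Enroll)' }
        elseif ($hasExtended -and $ace.ObjectType -eq $AutoEnrollRight) { $right = 'AutoEnroll' }
        elseif ($hasExtended -and $ace.ObjectType -eq $EnrollRight)     { $right = 'Enroll' }
        elseif ($hasExtended -and $ace.ObjectType -eq $AllRights)       { $right = 'All extended rights (includes Enroll)' }

        if ($right) {
            [PSCustomObject]@{
                Template  = $TemplateName
                Principal = $ace.IdentityReference.Value
                Right     = $right
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: who can obtain enrollment agent certificates right now?
Get-TemplateEnrollers -TemplateName 'EnrollmentAgent' | Sort-Object Principal | Format-Table -AutoSize
```

Run it once before editing the ACL in the snap-in and once after; the second listing should show only the security department accounts or groups you added, with no remaining Domain Administrators entry and no broad group such as Authenticated Users holding Enroll. Because enrollment agent certificates can be used to request certificates on behalf of other users, an unexpected principal in this list is worth treating as a finding rather than a cosmetic leftover.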

For Windows 2000 stand-alone CAs, information about the certificate type must be included in the certificate request because stand-alone CAs do not use certificate templates. You can use stand-alone CAs with custom policy modules and custom certificate request applications to control the types of certificates that are issued.