These attributes specify something about the holder: their identity, what they're allowed
to do with the certificate, and so on. The attributes and the public key are bound together
because the certificate is digitally signed by the entity that issued it. Anyone who wants to
verify the certificate's contents can verify the issuer's signature.
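The binding described above, shown with the OpenSSL command-line tool as an added example that is not from the original text: a throwaway CA signs a certificate for a holder, and changing one attribute afterwards makes the issuer's signature check fail. The CA name, subject names, file names and function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file below is made up for illustration.
# Requires the openssl command-line tool.

# Build a throwaway CA and issue a certificate for CN=alice inside directory $1.
make_pki() {
    dir=$1
    # Self-signed CA certificate (the issuer).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Dept CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Holder's key pair and certificate request.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=alice" \
        -keyout "$dir/alice.key" -out "$dir/alice.csr" 2>/dev/null || return 1
    # The CA signs the holder's attributes together with the public key.
    openssl x509 -req -days 1 -in "$dir/alice.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/alice.crt" 2>/dev/null
}

# Copy the certificate, changing the subject alice -> mallo without re-signing.
tamper() {
    dir=$1
    openssl x509 -in "$dir/alice.crt" -outform DER -out "$dir/alice.der" || return 1
    # Same-length edit so the DER structure still parses.
    LC_ALL=C sed 's/alice/mallo/' "$dir/alice.der" > "$dir/forged.der" || return 1
    openssl x509 -inform DER -in "$dir/forged.der" -out "$dir/forged.crt"
}

# Return 0 only if certificate $2 carries a valid signature from CA $1.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demonstration run in a temporary directory.
demo_dir=$(mktemp -d)
make_pki "$demo_dir" && tamper "$demo_dir"
verify_cert "$demo_dir/ca.crt" "$demo_dir/alice.crt" \
    && echo "alice.crt: issuer signature valid"
verify_cert "$demo_dir/ca.crt" "$demo_dir/forged.crt" \
    || echo "forged.crt: issuer signature check failed"
rm -rf "$demo_dir"
```

The forged copy still parses as a certificate and still contains the original signature; it is the verifier's signature check, not the file format, that detects the changed attribute.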
Certificates are one part of what security experts call a public-key infrastructure (PKI).
A PKI has several different components that you can mix and match to achieve the desired
results. Microsoft's PKI implementation offers the following functions:

Certificate Authorities: CAs issue certificates, revoke certificates they've issued, and
publish certificates for their clients. Big CAs like Thawte and VeriSign do this for millions
of users. If you want, you can also set up your own CA for each department or workgroup
in your organization. Each CA is responsible for choosing which attributes it will include
in a certificate and what mechanism it will use to verify those attributes before it issues the
certificate.

Certificate Publishers: They make certificates publicly available, inside or outside an
organization. This allows widespread availability of the critical material needed to support
the entire PKI.

PKI-Savvy Applications: These allow you and your users to do useful things with
certificates, such as encrypt email or network connections. Ideally, the user shouldn't have
to know (or even be aware of) what the application is doing—everything should work
seamlessly and automatically. The best-known examples of PKI-savvy applications are web
browsers such as Internet Explorer and Firefox and email applications such as Outlook.

Certificate Templates: These act like rubber stamps. By specifying a particular template
as the model you want to use for a newly issued certificate, you're actually telling the CA
which optional attributes to add to the certificate as well as implicitly telling it how to
fill some of the mandatory attributes. Templates greatly simplify the process of issuing
certificates because they keep you from having to memorize the names of all of the
attributes you may potentially want to put in a certificate.

Learn More about PKI
When discussing certificates, it's also important to mention PKI and its definition. The
exam doesn't go deeply into PKI, but I recommend you do some extra research on your
own because it is an important technology and shouldn't be overlooked. PKI is actually a
simple concept with a lot of moving parts. When broken down to its bare essentials, PKI
is nothing more than a server and workstations utilizing a software service to add security
to your infrastructure. When you use PKI, you are adding a layer of protection.

The Auto-enrollment Settings policy determines whether users and/or computers are
automatically enrolled for the appropriate certificates when necessary. By default, this policy
is enabled if a certificate server is installed, but you can make changes to the settings, as
shown in Exercise 6.5.