an extra layer of security to corporate network communication. AD CS not only ensures confidential communication, but can also protect corporate users and resources by providing data integrity and authenticity.
Don't confuse a PKI in which publicly trusted CAs are used to secure public transactions with a PKI used in a private organization. The fact that you set up a CA in your company doesn't mean certificates issued by your CA are trusted by the outside world.
AD CS Terminology
Now that you have a general understanding of a PKI, review some terms used when implementing AD CS to give you an overview of this server role:
Certificate revocation list (CRL) — A list of certificates that have been invalidated before their expiration date by the CA administrator. Reasons for certificate revocation include a private key that has been compromised or is suspected of having been compromised or a certificate deemed no longer necessary, such as when an employee leaves the company that issued the certificate.

Certificate template — A shell or model of a certificate used to create new certificates. Certificate templates define characteristics of the certificate, such as the intended use and expiration date. In Windows Server 2008, AD CS includes more than 30 predefined certificate templates named for their intended purpose, such as Web Server for authenticating the identity of Web servers and Smart Card Logon, which enables users to authenticate by using smart cards. You can also create custom certificate templates.

Certificate distribution point (CDP) — Identifies where the CRL for a CA can be retrieved; can include URLs for HTTP, FILE, FTP, and LDAP locations.

Delta CRL — A list of certificates revoked since the last base, or complete, CRL was published. Using Delta CRLs reduces the amount of traffic created when downloading CRLs.

Enterprise CA — A CA installation on a Windows Server 2008 server that's integrated with Active Directory.

Standalone CA — A CA installation that isn't integrated with Active Directory.

Enrollment agent — A user authorized to enroll for smart cards on behalf of other users. A new function in Windows Server 2008 is a restricted enrollment agent, which limits the agent to enrolling only specific users or security groups. Restricted enrollment agents are available only with an enterprise CA.

CA hierarchy — The first CA installed in a Windows network is called the root CA. The root CA's certificate is self-signed and distributed to Windows clients that automatically trust the root CA. Additional CAs, called subordinate CAs, can be installed. A subordinate CA's certificate is signed by the root CA, and because Windows clients trust the root CA, by extension they trust subordinate CAs.

Online responder — A server that supports Online Certificate Status Protocol (OCSP). This protocol is an alternative to clients downloading CRLs periodically to check certificate status. Clients can instead query an online responder for a certificate's status.

Certificate enrollment — The process of issuing a certificate to a client. AD CS supports a number of enrollment methods, including autoenrollment, Web enrollment, smart card enrollment, and manual enrollment. In addition, AD CS supports Network Device Enrollment Service (NDES), which allows network devices to obtain certificates.

Key management — Users' private keys are stored in their profiles. If a private key gets lost or corrupted, it might need to be restored. Key archival provides a method for storing a backup of a private key, and key recovery is the process of restoring a private key.

Authority Information Access (AIA) — The AIA is a path configured on a CA server that specifies where to find the certificate for a CA.
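The CRL, delta CRL and CDP entries above say what a client downloads but not how it puts the two lists together. The following script is an added example, not code from this book or from AD CS itself: it models how a relying party combines a base CRL with a delta CRL and decides a certificate's status, using the combination rules of RFC 5280 section 5.2.4 (same issuer, base CRL number at or above the delta's BaseCRLNumber and below the delta's own number). The CA name, serial numbers, reason codes on each entry and dates are constructed sample values.

```python
"""Added example: combining a base CRL with a delta CRL and checking a
certificate's status, following RFC 5280 section 5.2.4. All CRL contents
below are constructed sample data, not real AD CS output."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# CRL entry reason codes (RFC 5280 section 5.3.1)
KEY_COMPROMISE = 1
CESSATION_OF_OPERATION = 5
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8          # appears only in delta CRLs: lifts an earlier hold


@dataclass
class Crl:
    issuer: str
    crl_number: int
    this_update: datetime
    next_update: datetime
    entries: dict            # serial number -> reason code
    base_crl_number: Optional[int] = None   # Delta CRL Indicator; None on a base CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def can_combine(base: Crl, delta: Crl) -> bool:
    """RFC 5280 5.2.4 conditions (a), (c) and (d): same issuer, base number at or
    above the delta's BaseCRLNumber, and delta number above the base number."""
    return (
        not base.is_delta and delta.is_delta
        and base.issuer == delta.issuer
        and base.crl_number >= delta.base_crl_number
        and base.crl_number < delta.crl_number
    )


def merge_delta(base: Crl, delta: Crl) -> dict:
    """Apply a delta CRL to a base CRL and return the effective revoked set."""
    if not can_combine(base, delta):
        # The cached base is too old for this delta: fetch a new base CRL from the CDP
        raise ValueError("delta CRL cannot be combined with this base CRL")
    revoked = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            # Only a certificate that was on hold may be taken off the list
            if revoked.get(serial) == CERTIFICATE_HOLD:
                del revoked[serial]
        else:
            revoked[serial] = reason
    return revoked


def certificate_status(serial: int, base: Crl, delta: Crl, now: datetime) -> str:
    """Return 'good', 'revoked', 'on hold' or 'stale' for a serial number.
    A CRL past its nextUpdate must not be relied on; the client should refetch it."""
    if now > base.next_update or now > delta.next_update:
        return "stale"
    revoked = merge_delta(base, delta)
    reason = revoked.get(serial)
    if reason is None:
        return "good"
    if reason == CERTIFICATE_HOLD:
        return "on hold"
    return "revoked"


# Constructed sample data: a base CRL published weekly and a daily delta CRL.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
BASE_CRL = Crl(
    issuer="CN=Corp Issuing CA",          # placeholder CA name
    crl_number=10,
    this_update=NOW - timedelta(days=3),
    next_update=NOW + timedelta(days=4),
    entries={0x1001: KEY_COMPROMISE, 0x1002: CERTIFICATE_HOLD},
)
DELTA_CRL = Crl(
    issuer="CN=Corp Issuing CA",
    crl_number=11,
    this_update=NOW - timedelta(hours=6),
    next_update=NOW + timedelta(hours=18),
    entries={0x1002: REMOVE_FROM_CRL, 0x1003: CESSATION_OF_OPERATION},
    base_crl_number=10,
)


if __name__ == "__main__":
    for serial in (0x1001, 0x1002, 0x1003, 0x1004):
        print(f"serial {serial:#x}: {certificate_status(serial, BASE_CRL, DELTA_CRL, NOW)}")
```

Two details matter for a defender. First, a delta CRL only adds entries or lifts a certificateHold; a client whose cached base CRL is older than the delta's BaseCRLNumber cannot use the delta at all and must download a fresh base from the CDP, so CDP URLs must stay reachable for the whole CRL validity period. Second, once either list passes its nextUpdate the client has no trustworthy status information, which is the situation an online responder (OCSP) is meant to avoid.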