Windows Security
  Home arrow Windows Security arrow Page 2 - Implementing a Public Key Infrastructure (...
ASP Free Forums 
.NET  
ASP  
ASP Code  
ASP.NET  
ASP.NET Code  
BrainDump  
C#  
Code Examples  
Database  
Database Code  
IIS  
Microsoft Access  
MS SQL Server  
Silverlight  
Visual Basic.NET  
Windows Scripting  
Windows Security  
XML  
Mobile Linux 
App Generation ROI 
IBM® developerWorks 
ASP Web Hosting  
ASP.NET Web Hosting 
Windows Web Hosting
 
Weekly Newsletter
 
Developer Updates  
Free Website Content 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us Get Paid 
Request Media Kit
Contact Us 
Site Map 
Privacy Policy 
Support 
 USERNAME
 
 PASSWORD
 
 
  >>> SIGN UP!  
  Lost Password? 
WINDOWS SECURITY

Implementing a Public Key Infrastructure (PKI), Windows Server 2003, Part I
By: Eliana Stavrou
  • Search For More Articles!
  • Disclaimer
  • Author Terms
  • Rating: 4 stars4 stars4 stars4 stars4 stars / 19
    2004-11-10

    Table of Contents:
  • Implementing a Public Key Infrastructure (PKI), Windows Server 2003, Part I
  • Defining CA types
  • Installing Microsoft Certificate Services
  • Finishing up the Installation, Conclusions

  • Rate this Article: Poor Best 
      ADD THIS ARTICLE TO:
      Del.ici.ous Digg
      Blink Simpy
      Google Spurl
      Y! MyWeb Furl
    Email Me Similar Content When Posted
    Add Developer Shed Article Feed To Your Site
    Email Article To Friend
    Print Version Of Article
    PDF Version Of Article
     
     
    ADVERTISEMENT


    Implementing a Public Key Infrastructure (PKI), Windows Server 2003, Part I - Defining CA types


    (Page 2 of 4 )

    Before moving into technical details, we need to decide the type of CA we want to implement. For further information on choosing a PKI architecture, you can read my previously published article “PKI Architectures—Which one best suits you” (http://www.devshed.com/c/a/Security/PKI-Architectures-How-to-Choose-One/).

    Microsoft Certificate Services offer two types of CAs: enterprise CAs and stand-alone CAs. Each CA can be implemented as an online or offline CA. This decision is based on the sensitivity of the requirements; the stronger the security level needed, the less accessible the CA should be. The best practice is to place the stand-alone root CA offline because it is a single point of trust (if the root CA is compromised, it results in the compromisation of the entire PKI). Intermediate CAs are typically configured as offline as well. Online CAs are typically issuing CAs as they respond to certificate requests. Every Enterprise CA must be an online CA, since it requires connectivity to Active Directory at all times to obtain configuration information, validate requests, and publish certificates. However, you have to take into consideration that an online CA is subjected to a greater risk due to the network connectivity and continuous availability.

    The following table lists a set of comparison criteria between the stand-alone CA and the Enterprise CA in order to help you decide what CA type is best for your organization.

    Comparison CriteriaStand-alone CAEnterprise CA
    Active Directory supportIt issues certificates to users outside of an Active Directory environment. However, CA configuration can be published into Active Directory.It must be a member of a Windows 2000 or Windows Server 2003 Active directory domain.
    Identification of user when requesting a certificateIdentification information is captured through the Web enrollment interface.User identification information is always automatically retrieved from Active Directory.
    EnrollmentWeb Enrollment -- You cannot apply the enrollment method (automatic or pending) on individual templates.Web Enrollment or Certificates MMC (Microsoft Management Console) -- You can individually set the enrollment method (automatic or pending) on each template.
    IssuingCertificates are manually approved. -- Issue certificates based on predefined certificate template.Certificates are manually approved or they are approved through Active Directory authentication. -- Can issue certificates based on customized certificate templates.
    InstallationCan be installed on a domain controller, member server, or stand-alone server (workgroup member).Can be installed on a domain controller or a member server (the CA is registered as a forest resource). It must not be installed on a stand-alone server (workgroup member).

    More Windows Security Articles
    More By Eliana Stavrou


       · Hi to all readers,thank you for stopping by my article. As you can read in the...
     

    WINDOWS SECURITY ARTICLES

    - Which Version of Windows 7 Should You Use?
    - Choosing the Best Windows XP Firewall
    - Finding the Correct Drivers for Windows XP D...
    - Windows Network Troubleshooting: Tips and Te...
    - Windows XP Home Network Setup: Essential Ste...
    - Using Windows Recovery Console to Fix Blue S...
    - Fix Blue Screen of Death in Windows XP: Corr...
    - Storing Data with Windows Skydrive
    - Windows System Administrator`s Toolbox
    - Solving Windows Genuine Advantage Problems
    - Encrypted Browsing in Windows using OpenSSH
    - Working with the Hosts File on Windows XP
    - Inventorying HDDs Remotely on Windows
    - Inventorying RAMs Remotely on Windows
    - Vital Windows Security Guidelines





    © 2003-2009 by Developer Shed. All rights reserved. DS Cluster 4 Hosted by Hostway
    For more Enterprise Application Development news, visit eWeek