Certificate Services can be installed during the installation of Windows 2000 or later using the Add/Remove Programs applet within the Control Panel. If you are installing a root CA, a certificate is automatically generated during the installation process and signed with the server's public and private keys. The process is slightly different if you are installing a subordinate CA. Instead of generating a self-signed certificate, a certificate request must be submitted to a root CA for authorization. Before the subordinate CA can be used, the certificate must be issued and installed by the root. To install Certificate Services, follow these steps:
Table 9.1. CA Identifying Information
Configuring Certificate Services

After Certificate Services are installed, you can use the Certificate Authority snap-in to perform most management tasks and to configure the CA. You can open the Certificate Authority snap-in from the Administrative Tools menu. As shown in Figure 9.5, each CA has a set of configurable options available through its Properties window. The General tab provides some basic information about the CA, such as the name assigned to it, the CSP, and the hash algorithm. These settings were initially configured during the installation of Certificate Services.

Figure 9.5. Configuring the properties for a CA.
Policy modules enable an administrator to control the behavior of a certificate authority and determine the action that a CA will take when it receives a certificate request. These modules determine whether certificate requests should be issued, denied, or marked as pending when they are received. By selecting the Configure button from the Policy Module tab, you can change the default behavior when a request is received (see Figure 9.6). Keep in mind that the policy module cannot be changed for an Enterprise CA because it uses Active Directory to determine the identity of requestors and whether they have permission to request the certificate type. However, on a Standalone CA, the policy module can be changed, and certificate requests will most often be set to pending.

Figure 9.6. Configuring the policy module.
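The request disposition chosen on the Policy Module tab is stored in the CA's registry configuration, so it can be audited without opening the snap-in. The following PowerShell script is an added example, not code from the book: it reads the RequestDisposition value of the Microsoft default policy module on the local CA and reports whether requests are issued automatically or held as pending. It assumes it runs elevated on the CA server and that the registry layout shown in the comments is the one used by Certificate Services; the function name Get-CaRequestDisposition is the author's own.

```powershell
# Added example (not from the book): report how the local CA's default policy
# module handles incoming requests (issue automatically vs. mark pending).
# Assumption: run elevated on the CA itself; the registry paths below are those
# used by Certificate Services for the Microsoft default policy module.
function Get-CaRequestDisposition {
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

    # The "Active" value under the Configuration key names the CA in use on this server.
    $caName = (Get-ItemProperty -Path $configKey -Name Active).Active

    $policyKey = Join-Path $configKey "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $disposition = (Get-ItemProperty -Path $policyKey -Name RequestDisposition).RequestDisposition

    # Flag bits of RequestDisposition: REQUESTDISPOSITION_ISSUE and REQUESTDISPOSITION_PENDING.
    $issue   = 0x1
    $pending = 0x100

    [pscustomobject]@{
        CA          = $caName
        RawValue    = ('0x{0:X}' -f $disposition)
        AutoIssue   = [bool]($disposition -band $issue)
        HoldPending = [bool]($disposition -band $pending)
    }
}

$state = Get-CaRequestDisposition
$state

# A Standalone CA cannot consult Active Directory to verify the requestor, so
# automatic issuance means any request that reaches the CA is granted.
if ($state.AutoIssue -and -not $state.HoldPending) {
    Write-Warning "CA '$($state.CA)' issues every request automatically; on a Standalone CA, holding requests as pending is the safer default."
}
```

The same setting can be changed from the command line with certutil -setreg policy\RequestDisposition 0x100 (mark pending) or 1 (issue); like the GUI change, it takes effect only after the Certificate Services service is restarted.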
The exit module is used to control any post-processing of issued certificates, such as publishing them to Active Directory or to a file system. By selecting the Configure button from the Exit Module tab, you can configure a certificate authority to publish issued certificates to Active Directory and/or a file system (see Figure 9.7). The exit module also determines where the Certificate Revocation List is published.

Figure 9.7. Configuring the exit module.
As shown in Figure 9.8, the Storage tab provides information about where the Configuration data is stored. This data can be stored in Active Directory or on a shared folder; it is configured during the installation of Certificate Services. Remember, with an Enterprise CA, the configuration information is stored in Active Directory by default, whereas on a Standalone CA, the information is stored locally.

Figure 9.8. Viewing the Configuration data storage location.
The Security tab allows you to configure CA access privileges. By default, Authenticated Users are assigned the Enroll and Read permissions, which allow any user logged on to the domain to request certificates from the CA. The local Administrators group, Domain Admins, and Enterprise Admins group are also granted the Manage permission, which gives them full control of the CA. If the default permissions do not meet your requirements, you can use the Security tab shown in Figure 9.9 to modify them.

Figure 9.9. Configuring security for a CA.
Certificate Templates

Certificate templates outline a certificate based on its intended use. They contain preset configurations for common types of certificates and outline the intended use of the certificate. The preset configurations are used to issue certificates, thereby simplifying the process of requesting and issuing certificates. When a user attempts to request a certificate from a CA, the user might be able to choose from a number of certificate templates, depending on the configured permissions. Several certificate templates are included with Windows 2000. The templates that are available depend on the type of CA being installed. For example, when an Enterprise CA is configured, the following templates are installed:
The templates listed within the Policy Settings container are the default templates that the CA can issue. Other templates can be added within the Certificate Authority snap-in if necessary. For example, if your organization deploys smart cards, you can add the Smartcard Logon and Smartcard User certificate templates to the Policy Settings container. To do so, right-click the Policy Settings container, point to New, and click Certificate to Issue. From the Select Certificate Template window shown in Figure 9.10, select the template you want to add and click OK.

Figure 9.10. Configuring additional templates.
A template's ACL (access control list) controls which users can enroll for that type of certificate. The ACL determines the type of access a user has to an object. Each template has default permissions that can be edited if necessary. Certificate requests are granted only for those users and computers who have been assigned the enroll permission. To edit the ACL of a certificate template, follow these steps:
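Because the Enroll permission on a template is what actually decides who can obtain that certificate type, it is worth being able to list the current holders for every template in one pass. The PowerShell script below is an added example, not code from the book: it reads each template's ACL from the Certificate Templates container in the Configuration partition of Active Directory and reports every principal that is allowed Enroll, either directly or through a grant of all extended rights (which Full Control includes). It assumes a domain-joined machine with read access to the Configuration partition; the GUID used is the well-known Certificate-Enrollment extended right, and the function name Get-TemplateEnrollers is the author's own.

```powershell
# Added example (not from the book): list which principals hold the Enroll
# right on each certificate template, read from the template ACLs in AD.
# Assumptions: domain-joined host with read access to the Configuration
# partition; the Enroll right is identified by the Certificate-Enrollment
# extended-right GUID below.
function Get-TemplateEnrollers {
    $enrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($template in $container.Children) {
        $templateName = $template.Properties['cn'][0]

        # ObjectSecurity exposes the template's DACL as ActiveDirectoryAccessRule objects.
        $rules = $template.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount])

        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }

            $extendedRightBit = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
            $hasExtendedRight = ($rule.ActiveDirectoryRights -band $extendedRightBit) -ne 0

            # Enroll is granted either as the specific extended right, or by a rule
            # that grants every extended right (ObjectType empty), e.g. Full Control.
            if ($rule.ObjectType -eq $enrollRightGuid) {
                $how = 'Enroll'
            } elseif ($hasExtendedRight -and $rule.ObjectType -eq [Guid]::Empty) {
                $how = 'All extended rights (includes Enroll)'
            } else {
                continue
            }

            [pscustomobject]@{
                Template  = $templateName
                Principal = $rule.IdentityReference.Value
                GrantedBy = $how
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Review broad grants first: Authenticated Users, Domain Users or Everyone
# holding Enroll on a template means any domain account can request it.
Get-TemplateEnrollers | Sort-Object Template, Principal | Format-Table -AutoSize
```

The script only reads; after comparing its output with the intended enrollment policy, edit the template ACL through the steps given for the template's Security tab rather than by script, so the change is visible to the other administrators in the same tool.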