Exam Objectives Frequently Asked Questions


The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1.

In what format do CAs issue certificates?

2.

If certificates are so important in a PKI, why don’t I see more of them?

3.

I’ve heard that I can’t take my laptop overseas because it uses EFS. Is this true?

4.

Can I create my own personal digital signature and use it instead of a CA?

5.

Can I have a CA hierarchy that is five levels deep?

6.

Do I have to have more than one CA?

7.

How can I change the publishing interval of a CRL?

8.

Why can’t I seem to get auto-enrollment for user certificates to work?

9.

What is the default validity period for a new certificate?

Answers

1.

Microsoft certificate services use the standard X.509 specifications for issued certificates and the Public Key Cryptography Standard (PKCS) #10 for certificate requests. The PKCS #7 certificate renewal standard is also supported. Windows Server 2003 also supports other formats, such as PKCS #12, DER-encoded binary X.509, and Base64 Encoded X.509, for exporting certificates to computers running non-Windows operating systems.
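As an added example (not the book's own code), this PowerShell script exports one certificate in the three export formats the answer names and checks that each file loads back. It assumes a certificate with an exportable private key exists in the current user's personal store.

```powershell
# Added example, not from the book. Exports one certificate from the current user's
# personal store as DER-encoded X.509, Base64-encoded X.509 and PKCS #12, then
# re-loads each file. Assumes the certificate's private key was marked exportable.
using namespace System.Security.Cryptography.X509Certificates

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'no certificate with a private key in Cert:\CurrentUser\My' }
$out = Join-Path -Path $env:TEMP -ChildPath 'pki-export'
New-Item -ItemType Directory -Force -Path $out | Out-Null

# DER-encoded binary X.509: the raw certificate bytes, public part only.
$der = $cert.Export([X509ContentType]::Cert)
[IO.File]::WriteAllBytes((Join-Path $out 'cert.cer'), $der)

# Base64-encoded X.509: the same bytes in PEM armor, wrapped at 64 characters.
$b64 = ([Convert]::ToBase64String($der) -replace '(.{64})', "`$1`n").TrimEnd()
"-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" |
    Set-Content -Path (Join-Path $out 'cert.pem') -Encoding ascii

# PKCS #12 (.pfx): certificate plus private key, password protected. This is
# the only one of the three that carries the key, so guard the file like a key.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
[IO.File]::WriteAllBytes((Join-Path $out 'cert.pfx'),
    $cert.Export([X509ContentType]::Pkcs12, $password))

# Round-trip check: every file must load back to the original thumbprint.
foreach ($name in 'cert.cer', 'cert.pem') {
    $loaded = [X509Certificate2]::new((Join-Path $out $name))
    if ($loaded.Thumbprint -ne $cert.Thumbprint) { throw "$name did not round-trip" }
}
$pfx = [X509Certificate2]::new((Join-Path $out 'cert.pfx'), $password)
if ($pfx.Thumbprint -ne $cert.Thumbprint) { throw 'cert.pfx did not round-trip' }
"exported $($cert.Thumbprint) to $out in all three formats"
```

PKCS #10 requests and PKCS #7 renewals are handled by the CA enrollment process itself and are not produced by this script.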

2.

Many portions of a Windows PKI are hidden from the end user. Thanks to features such as auto-enrollment, some PKI transactions can be completely handled by the operating system. Most of the work in implementing a PKI comes in the planning and design phase. Operations such as encrypting data via EFS use certificates, but the user does not “see” or manually handle the certificates.

3.

Maybe. The backbone of any PKI-enabled application such as EFS is encryption. Although the U.S. government now permits the exporting of “high encryption” standards, some countries still do not allow their import. The Windows Server 2003 PKI can use high encryption, and so the actual answer depends on the country in question. For information on the cryptographic import and export policies of a number of countries, see http://www.rsasecurity.com/rsalabs/faq/6-5-1.html.

4.

Not if you need security. The purposes behind digital signatures are privacy and security, and a digital signature at first glance seems to fit the bill. The problem, however, is not the signature itself, but that the recipient has no basis for trusting it. Impersonation becomes a looming security risk if you can’t guarantee that the digital signatures you receive came from the people they claim to have come from. For this reason, a certificate issued by a trusted third party provides the most secure authentication.

5.

Yes, but that’s probably overkill for most networks. Microsoft’s three-tier model of root, intermediate, and issuing CAs will more than likely meet your requirements. Remember that your hierarchy can be wide instead of deep.

6.

No. A root CA can issue all types of certificates and can assume responsibility for your entire network. In a small organization, a single CA might be sufficient for your purposes. For a larger organization, however, this structure would not be suitable.

7.

From the Certification Authority console, right-click the Revoked Certificates container and choose Properties. The CRL Publishing Parameters tab enables you to change the default interval for full and Delta CRLs.
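The same change from the command line, as an added example that is not the book's own text: certutil writes the CA's CRL period values, the CA service is restarted, and a fresh CRL is published and inspected. The values used (base CRL weekly, delta CRL every 12 hours) are illustrative choices, not the book's defaults, and the script assumes it runs on the CA server as an administrator.

```powershell
# Added example, not from the book. Command-line equivalent of the console change.
# Run on the CA server in an elevated PowerShell session.
certutil -getreg 'CA\CRLPeriodUnits'        # current base CRL interval (count)
certutil -getreg 'CA\CRLPeriod'             # and its unit (Hours, Days, Weeks, ...)
certutil -getreg 'CA\CRLDeltaPeriodUnits'   # current delta CRL interval

# Illustrative values: full CRL once a week, delta CRL every 12 hours.
certutil -setreg 'CA\CRLPeriodUnits' 1
certutil -setreg 'CA\CRLPeriod' 'Weeks'
certutil -setreg 'CA\CRLDeltaPeriodUnits' 12
certutil -setreg 'CA\CRLDeltaPeriod' 'Hours'
# Setting CA\CRLDeltaPeriodUnits to 0 stops delta CRL publishing altogether.

# Registry changes are read only when the CA service starts.
Restart-Service -Name CertSvc

# Publish a CRL now and confirm the new validity window on the base CRL.
certutil -crl
$baseCrl = Get-ChildItem -Path "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
    Where-Object { $_.Name -notlike '*+.crl' } |   # '+' marks delta CRL files
    Select-Object -First 1
certutil -dump $baseCrl.FullName | Select-String -Pattern 'Update'
```

Clients keep using a cached CRL until its Next Update time passes, so a shorter interval only takes effect on a client once its current copy expires.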

8.

Remember that auto-enrollment for machines is a feature that has been around since Windows 2000, but auto-enrollment for user certificates is new to Windows Server 2003. To use this feature, you need to be running either a Windows Server 2003 or Windows XP client and you must log on to a Windows Server 2003 domain. Finally, auto-enrollment must be enabled through Active Directory’s group policy. Also, you won’t be able to auto-enroll a user unless the user account has been assigned an e-mail address.
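A client-side check for the four prerequisites the answer lists, as an added example that is not from the book. It assumes a domain-joined client with the ActiveDirectory module (RSAT) installed for the e-mail check, and that the user auto-enrollment policy is stored in the AEPolicy registry value under the user's Cryptography\AutoEnrollment policy key.

```powershell
# Added example, not from the book. Checks the prerequisites for user
# auto-enrollment on this client for the logged-on user.
$problems = @()

# 1. Client OS: Windows XP (5.1) / Windows Server 2003 (5.2) or later.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'5.1') {
    $problems += "client OS $($os.Caption) predates user auto-enrollment"
}

# 2. The client must log on to a domain.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    $problems += 'computer is not joined to a domain'
}

# 3. Auto-enrollment must be enabled through Group Policy for the user.
#    Assumed location: the AEPolicy value written by the "Certificate Services
#    Client - Auto-Enrollment" user policy; missing means not configured,
#    and the 0x8000 bit is the policy's Disabled setting.
$aeKey = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if (-not $ae -or ($ae -band 0x8000)) {
    $problems += 'user auto-enrollment is not enabled by Group Policy (AEPolicy)'
}

# 4. The user account needs an e-mail address.
$user = Get-ADUser -Identity $env:USERNAME -Properties mail
if (-not $user.mail) {
    $problems += "account $($user.SamAccountName) has no e-mail address"
}

if ($problems) { $problems | ForEach-Object { "FAIL: $_" } }
else { 'prerequisites met; run "certutil -pulse" to trigger auto-enrollment now' }
```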

9.

The default, which can be changed on the General tab of a new template’s property sheet, is one year. Other important settings, such as minimum key size and purpose of the certificate, can be found on the sheet’s other tabs.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173
