What's New in Windows Server 2003 Certificate Services?

Windows Server 2003, when combined with a Windows XP Professional client computer in a Windows Server 2003 Active Directory-based network, features several enhancements and improvements to Certificate Services. These features will make more sense to you as you work your way through this chapter's discussion of PKI and Certificate Services. Some of the features you will discover are listed next:

  • Version 2 certificate templates: Version 2 templates extend the range of properties that you can configure beyond those provided in Version 1 templates. You now can create new certificate templates (an option sorely lacking from Windows 2000), copy existing certificate templates, and supersede certificate templates that are already in use. You need a Windows Advanced Server 2003 functioning as the Enterprise Root CA.

  • Integrated and enhanced key recovery: Windows 2000 Server relied on a Data Recovery Agent (DRA) to decrypt files following the loss or damage of an encryption key. Additionally, the Exchange 2000 Server Key Management Service (KMS) ran on top of Windows 2000 Certificate Services and did not fully integrate. Windows Server 2003 allows the archival and recovery of private keys and allows the administrator to access data encrypted with a lost or damaged private key. Now Key Recovery Agents (KRAs) are used to recover lost or damaged private keys across Windows Server 2003 and Exchange Server 2003.

  • Delta Certificate Revocation Lists: Windows Server 2003 supports RFC 2459-compliant delta Certificate Revocation Lists (CRLs) that contain only the certificates whose status has changed since the last full (base) CRL was compiled. This results in a much smaller CRL, which can be published more frequently with no adverse effects on the network or client computers. Additionally, this provides more accurate CRLs due to reduced latency periods. In Windows 2000, CRLs were typically published once per week (the default setting). Delta CRLs allow you to publish one or more times daily as required.

  • CA qualified subordination: Another part of RFC 2459, qualified subordination allows a parent CA to granularly configure what a Subordinate CA is allowed to do. Examples include preventing the Subordinate CA from signing a certificate for another Subordinate CA.

  • Common Criteria role separation: By separating common CA-related tasks between several different levels of administration, you can meet Common Criteria requirements and enhance task delegation. Because roles are separated, no one individual should possess the ability to compromise the services or operation of the CA.

  • Enhanced auditing: Windows Server 2003 provides for more detailed auditing of Certificate Services by adding two new types of events: access check and system events. System events come from seven critical areas: CA service, backup and restoration, certificate requests, certificate revocations, CA security, key archival and key recovery, and CA configuration.
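As an added example that is not from the book, the following PowerShell session shows how an administrator would turn on delta CRL publishing and the seven audit categories described above on a Windows Server 2003 CA with certutil; the starting schedule, CA periods and the need for an elevated session on the CA host are assumptions.

```powershell
# Added example, not from the book. Assumes the CA runs on this host and the
# session is elevated; the periods chosen below are placeholder values.

# --- Before: a Windows 2000-style schedule (assumed starting point): one full
#     (base) CRL per week and no delta CRL (0 delta units disables delta CRLs).
certutil -getreg CA\CRLPeriodUnits        # e.g. 1
certutil -getreg CA\CRLPeriod             # e.g. Weeks
certutil -getreg CA\CRLDeltaPeriodUnits   # 0 means delta CRLs are off

# --- After: keep a weekly base CRL and add a daily delta CRL that carries only
#     the revocations made since the last base CRL was compiled.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

# Enable all seven Certificate Services audit categories. AuditFilter is a
# bitmask: 1 service start/stop, 2 backup/restore, 4 certificate requests,
# 8 revocation and CRL publishing, 16 CA security, 32 key archival/recovery,
# 64 CA configuration; 127 turns them all on. "Audit object access" must also
# be enabled in the local security policy for the events to reach the log.
certutil -setreg CA\AuditFilter 127

# Registry changes take effect only after the service restarts.
net stop certsvc
net start certsvc

# Publish new CRLs now and confirm the settings took.
certutil -CRL
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\AuditFilter
```

After the restart, revocations show up in the daily delta CRL while clients keep the weekly base CRL cached, which is the latency reduction the list item above describes.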

EXAM TIP

Delta CRLs: The Delta CRL feature of Windows Server 2003 is an important one that you should be aware of.


After your introduction to public key infrastructure (PKI) and the enhancements found in Windows Server 2003 Certificate Services, you are ready to take the first step in implementing a PKI: planning. Remember that if you fail to plan, then you must plan to fail, especially when dealing with the sometimes confusing and complex world of PKI.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
