This chapter concentrated on public key infrastructure (PKI) concepts on Windows Server 2003. We initially discussed the basics of PKI implementation. PKI secures information with asymmetric cryptography: every participant holds a key pair, a public key that can be distributed freely and a private key that must never leave its owner. The sender signs a digital document with the private key and sends the document together with the signature to the receiver. This signing process has two steps. The first is to apply a hashing algorithm to the message; the fixed-length output is commonly referred to as the message digest. The digest is then signed with the sender's private key, and the resulting signature travels with the message. The receiver recomputes the digest from the message it received and checks the signature against it with the sender's public key; any change to the message or to the signature makes this check fail. The receiver trusts that public key only because a certificate binds it to the sender's identity, and that certificate is in turn signed by a certificate authority (CA) the receiver already trusts, either an internal enterprise CA or an external commercial one (for example, VeriSign).
There are two types of certificate authorities (CAs): an enterprise CA and a stand-alone CA. An enterprise CA integrates with Active Directory, publishing its certificate there and using directory information and certificate templates to issue certificates. A stand-alone CA does not depend on Active Directory. The best practice is to use a three-tiered CA model in an enterprise. The first tier is a single root CA, the trust anchor for every certificate in the hierarchy. The root CA signs only the certificates of the second tier, which we refer to as the policy or intermediate CAs. The number of policy CAs can vary from organization to organization. The policy CAs define the issuance policies under which the third tier, the issuing CAs, operate, and they sign the issuing CAs' certificates. The issuing CAs are the only tier that issues certificates to end entities such as users, computers and services.
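The signing flow and the three-tier chain described above, as an added example in Go that is not from the book or from Windows Server 2003 itself: it builds a self-signed root, a policy CA, an issuing CA and an end-entity certificate with the standard library's crypto/x509, signs a constructed message by hashing it and signing the digest with the private key, and then verifies on the receiving side by chaining the sender's certificate to the root before checking the signature with the public key the certificate carries. The CA names, the user "alice", the serial numbers and the sample message are hypothetical; the "Untrusted CA" case shows that a signature made with a key the receiver cannot chain to its own root is rejected even though it is mathematically valid.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// tier is one member of the hierarchy: a certificate plus the private key that belongs to it.
type tier struct {
	cert *x509.Certificate
	key  *rsa.PrivateKey
}

// issue creates a certificate for cn signed by parent (self-signed when parent is nil); CAs get CertSign/CRLSign.
func issue(cn string, isCA bool, serial int64, parent *tier) (*tier, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parentCert, signer := tmpl, key // nil parent: the root signs itself
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &tier{cert: cert, key: key}, err
}

// signMessage is the two-step signing from the text: hash the message, then sign the
// digest with the sender's PRIVATE key. The public key cannot produce a signature.
func signMessage(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyMessage chains the sender's certificate to a trusted root through the intermediates,
// then re-hashes msg and checks the signature with the public key carried in that certificate.
func verifyMessage(roots, inter *x509.CertPool, sender *x509.Certificate, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sender.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain rejected: %w", err)
	}
	return sender.CheckSignature(x509.SHA256WithRSA, msg, sig)
}

// runDemo builds root -> policy CA -> issuing CA -> alice (hypothetical names) and reports whether a
// genuine message verifies, a tampered message is rejected, and an untrusted CA's certificate is rejected.
func runDemo() (chainOK, tamperRejected, untrustedRejected bool, err error) {
	mk := func(cn string, isCA bool, serial int64, parent *tier) (t *tier) {
		if err == nil {
			t, err = issue(cn, isCA, serial, parent)
		}
		return
	}
	root := mk("Corp Root CA", true, 1, nil)
	policy := mk("Corp Policy CA", true, 2, root)
	issuing := mk("Corp Issuing CA", true, 3, policy)
	alice := mk("alice", false, 4, issuing)
	rogueCA := mk("Untrusted CA", true, 5, nil) // not in the receiver's root store
	mallory := mk("alice", false, 6, rogueCA)  // same name, wrong issuer
	if err != nil {
		return
	}
	msg := []byte("constructed sample: transfer approved") // constructed input, not real data
	sig, err := signMessage(alice.key, msg)
	forged, err2 := signMessage(mallory.key, msg)
	if err != nil || err2 != nil {
		return false, false, false, fmt.Errorf("signing failed: %v %v", err, err2)
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool() // the receiver's trust store
	roots.AddCert(root.cert)
	inter.AddCert(policy.cert)
	inter.AddCert(issuing.cert)
	chainOK = verifyMessage(roots, inter, alice.cert, msg, sig) == nil
	tamperRejected = verifyMessage(roots, inter, alice.cert, []byte("constructed sample: transfer denied"), sig) != nil
	untrustedRejected = verifyMessage(roots, inter, mallory.cert, msg, forged) != nil
	return
}

func main() { fmt.Println(runDemo()) }
```

Run it with `go run`; it generates six 2048-bit RSA keys, so it takes a few seconds. The receiver only ever trusts the root it placed in its own pool, which is why a certificate that merely says "alice" but chains to some other CA is rejected before the signature is even examined. A production verifier would additionally consult the issuing CA's CRL, which this example leaves out.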
The root CA and the policy CAs should be offline (disconnected from the network and, ideally, powered down and physically secured). Only the issuing CAs stay online to issue certificates. This is an important security measure: the private keys at the top of the hierarchy are never exposed to the network, so an attacker who compromises an issuing CA still cannot forge the tiers above it. The enterprise should define clear maintenance windows in which the root and policy CAs are brought online to sign and publish a fresh CRL (and, when needed, a new subordinate CA certificate) before going back offline. That window must recur before the current CRL expires, because clients that check revocation treat an expired CRL as a revocation-checking failure for every certificate that chains through that CA.
The three-tier CA hierarchy can be organized in many ways. It can follow a geographical structure to suit multinational companies, or it can mirror the organizational structure. In some cases we need CAs that are independent of the governing hierarchy (that is, CAs that are not subordinate to the enterprise root CA). A network CA structure, in which CAs cross-certify one another instead of chaining to a single root, is available to accommodate this scenario.
There are several threats against CA servers. We should be very careful with the root CA: the entire enterprise's security could be in jeopardy if the root CA is compromised, because an attacker holding its private key can issue certificates that every system in the enterprise trusts. We should take measures to increase physical security and require smart cards for CA administrator authentication. A smart card adds a personal identification number (PIN) that the holder must know to the private key that the card holds, so a stolen card alone is not enough. We can also use a hardware cryptographic service provider (CSP), such as a hardware security module, to hold the CA's own private key so that it cannot be exported from the device.
Finally, we investigated the CA server setup in Windows Server 2003. Windows Server 2003 implements Web Enrollment Support so that users can request certificates through a browser. It also supports auto-enrollment and auto-renewal of certificates for domain members. Windows Server 2003 also supports delta CRLs, which list only the revocations added since the last full CRL so that clients can download small, frequent updates. We can manage the CA server using the Certification Authority MMC snap-in or the certutil.exe command-line tool.