The first step of a PKI implementation is to design the root CA. The root CA holds a self-signed certificate, and its private key must never be compromised. A Windows Server 2003 PKI hierarchy has only one root CA.
The root CA should certify at least two intermediary CAs (one for issuing internal certificates and one for external certificates). The intermediary, or policy, CAs in turn control multiple issuing CAs, which deliver certificates to users.
There are two types of CAs. Enterprise CAs integrate with Active Directory and can issue certificates automatically; the certificate's subject information is taken from the user's Windows account and the Active Directory settings.
Stand-alone CAs do not communicate with Active Directory. They issue certificates only after a CA administrator approves the request. They can be configured to issue certificates automatically, but this is not recommended.
An enterprise can design its CA structure by geographic location or by organizational structure; either way it is based on the three-tier CA model. You can also adopt a network trust model, in which cross-certificates give access to independent CAs across multiple independent IT departments.
The root and intermediary CAs should be kept offline. A CA can be taken offline by shutting down the computer, by stopping the CA service, or by configuring it as a Windows Server 2003 stand-alone server that is disconnected from the domain.
You can also use hardware CSPs and smart cards to strengthen CA security in the enterprise. With a smart card the private key is held on the card itself, and the user must enter a PIN to prove possession of it.
Install the Windows Server 2003 CA service on an NTFS volume, not on a FAT file system: NTFS enforces permissions based on Windows account and authentication information and integrates cleanly with Active Directory.
Windows Server 2003 introduces Web Enrollment Support. It lets you issue certificates through Web pages and manage them.
You can issue, deny, revoke, and reissue certificates using the CA MMC snap-in. You can also use the command-line utility certutil.exe.
Any user can request a certificate through Web Enrollment Support. The request sits in the pending queue until the CA administrator acts on it: the administrator issues or denies the certificate from the MMC console, and the pending request moves to the Issued Certificates or Denied Certificates folder depending on that action.
It is recommended to enable auditing on the CA server so that activity on the server is monitored. The audit trail can be viewed in the Security log of the Event log.
If the audit trail reveals unauthorized activity, you might need to revoke the affected certificates and renew the key pair.
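The same pending-queue review, revocation and auditing steps can be scripted around certutil.exe instead of clicking through the MMC. The following is an added example, not code from the original text; it assumes PowerShell 2.0 or later and certutil.exe are available on the CA host and that the caller holds the CA's "Issue and Manage Certificates" permission.

```powershell
# Added example: driving the CA request queue, revocation and auditing with
# certutil.exe. Request IDs and serial numbers passed in are placeholders.
# Request dispositions as stored in the CA database:
# 9 = pending, 20 = issued, 21 = revoked, 31 = denied.

function Get-CARequests {
    # Lists requests in one disposition state (default: the pending queue)
    # as objects with RequestID, RequesterName and CertificateTemplate.
    param([int]$State = 9)
    $csv = certutil -view -restrict "Disposition=$State" `
                    -out "RequestID,RequesterName,CertificateTemplate" csv
    # Drop certutil's header row and its trailing status line, keep data rows.
    $csv | Select-Object -Skip 1 |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
        ConvertFrom-Csv -Header RequestID, RequesterName, CertificateTemplate
}

function Approve-CARequest {
    # Issues a pending request; the CA moves it to Issued Certificates.
    param([Parameter(Mandatory = $true)][int]$RequestId)
    certutil -resubmit $RequestId
}

function Deny-CARequest {
    # Denies a pending request; the CA moves it to Denied Certificates.
    param([Parameter(Mandatory = $true)][int]$RequestId)
    certutil -deny $RequestId
}

function Revoke-CACertificate {
    # Revokes an issued certificate by serial number. Reason 1 = KeyCompromise,
    # the code to use when the audit trail shows misuse of a key pair.
    param([Parameter(Mandatory = $true)][string]$SerialNumber, [int]$Reason = 1)
    certutil -revoke $SerialNumber $Reason
}

function Enable-CAAuditing {
    # Turns on all seven CA audit categories (bitmask 127). The CA service
    # reads the value at start-up, and the events appear in the Security log
    # only if "Audit object access" is enabled in Local Security Policy.
    certutil -setreg CA\AuditFilter 127
    net stop certsvc
    net start certsvc
}

# Typical review session: list the queue, then act on each request by ID.
Get-CARequests | Format-Table -AutoSize
# Approve-CARequest -RequestId 42      # placeholder ID
# Deny-CARequest    -RequestId 43      # placeholder ID
```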
Windows Server 2003 also adds auto-enrollment and auto-renewal features.