You can deploy Microsoft Certificate Services to issue trusted certificates in your organization. You can also obtain certificate services from third-party vendors. For more information about Microsoft Certificate Services, see “Microsoft Certificate Services” in this book. For more information about deployment choices for certificate services, see “Planning Distributed Security” in the Microsoft® Windows® 2000 Server Deployment Planning Guide.
The role of commercial CAs on the Internet is well established today. Commercial CAs follow a number of standard practices and processes. Most digital certificates in use today are obtained from commercial CAs. However, an increasing number of organizations are deploying certificate services to implement CAs for issuing certificates on their intranets.
The role and function of CAs are basically the same, whether on an intranet or on the Internet. Nevertheless, because software and machines cannot assume legal responsibility, merely deploying certificate services in an organization does not by itself create a CA. Each CA is legally responsible for the management, security, and integrity of the certificates it issues. Therefore, the CA is the group that deploys and manages a certificate server to provide certificate services for the organization. CAs perform the following services:
Each CA is certified with a CA certificate and uses its private key to sign all of the certificates it issues. Protecting each CA’s private key is crucial to ensuring the continuing integrity of CA trust: anyone holding that key can issue certificates that the CA’s relying parties will accept. For more information, see “Protecting Keys for Certification Authorities,” in “Microsoft Certificate Services” in this book.
Your organization should develop the following policies to deploy CAs properly:
In Windows 2000, you can choose to trust certificates issued by the CAs you deploy or by third-party CAs. Certificates issued by nontrusted CAs are treated as invalid. You can use Public Key Group Policy to specify certificate trust for each domain. All certificates issued by a trusted CA are usually valid in the domain; however, you can use Certificate Trust Lists (CTLs) to restrict the purposes for which certificates from a trusted CA are accepted in a domain.
For more information about certificate trust in Windows 2000, see “Public Key Group Policy,” “Certificate Trust Lists,” and “Certification Authority Trust Chain” in “Microsoft Certificate Services” in this book.
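The trust decision described above (a chain must end at a CA trusted in the domain, and a CTL can further limit what that CA’s certificates may be used for) can be modelled in a few dozen lines. The following is an added illustration, not code from this book or from Windows 2000; the certificate records, the CA names, and the `DomainTrustPolicy` and `validate` functions are constructed for the example, and signature and validity-period checks are assumed to have been performed separately so that only the trust logic is shown.

```python
"""Model of per-domain certificate trust with CTL purpose restrictions.

Constructed example: the certificates below are plain records, not real X.509
data, and cryptographic signature verification is assumed to have already
succeeded. Only the trust-anchor and CTL decisions are modelled.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    purposes: frozenset          # purposes the certificate claims (EKU-like)
    is_ca: bool = False


@dataclass
class DomainTrustPolicy:
    """Trust settings one domain's Public Key Group Policy would carry."""
    trusted_roots: set                        # subject names of trusted root CAs
    ctl: dict = field(default_factory=dict)   # root subject -> allowed purposes


def build_chain(cert, store):
    """Follow issuer links until a self-signed certificate is reached.

    Returns the chain leaf-first, or None if an issuer is missing, is not a
    CA certificate, or the links form a loop.
    """
    chain, seen = [cert], {cert.subject}
    while chain[-1].subject != chain[-1].issuer:
        parent = store.get(chain[-1].issuer)
        if parent is None or not parent.is_ca or parent.subject in seen:
            return None
        seen.add(parent.subject)
        chain.append(parent)
    return chain


def validate(cert, purpose, store, policy):
    """Decide whether `cert` is acceptable for `purpose` under `policy`.

    Returns (accepted, reason). A certificate from a nontrusted root is
    invalid; a CTL entry for the root narrows the purposes it may serve.
    """
    chain = build_chain(cert, store)
    if chain is None:
        return False, "no chain to a self-signed root"
    root = chain[-1]
    if root.subject not in policy.trusted_roots:
        return False, f"root '{root.subject}' is not trusted in this domain"
    if purpose not in cert.purposes:
        return False, f"certificate was not issued for '{purpose}'"
    allowed = policy.ctl.get(root.subject)      # None means no CTL restriction
    if allowed is not None and purpose not in allowed:
        return False, f"CTL limits '{root.subject}' to {sorted(allowed)}"
    return True, "valid"


# Constructed certificate store: an internal root with an issuing CA, a
# commercial root, and a root the domain has not chosen to trust.
STORE = {c.subject: c for c in [
    Cert("Corp Root CA", "Corp Root CA", frozenset(), is_ca=True),
    Cert("Corp Issuing CA", "Corp Root CA", frozenset(), is_ca=True),
    Cert("Commercial Root", "Commercial Root", frozenset(), is_ca=True),
    Cert("Unknown Root", "Unknown Root", frozenset(), is_ca=True),
    Cert("alice@corp", "Corp Issuing CA", frozenset({"email", "logon"})),
    Cert("www.partner", "Commercial Root", frozenset({"server_auth", "email"})),
    Cert("mallory", "Unknown Root", frozenset({"email"})),
    Cert("orphan", "Missing CA", frozenset({"email"})),
]}

# The domain trusts both roots, but a CTL limits the commercial root to
# server authentication.
POLICY = DomainTrustPolicy(
    trusted_roots={"Corp Root CA", "Commercial Root"},
    ctl={"Commercial Root": {"server_auth"}},
)


def check(subject, purpose):
    return validate(STORE[subject], purpose, STORE, POLICY)


if __name__ == "__main__":
    for subj, purp in [("alice@corp", "email"), ("www.partner", "server_auth"),
                       ("www.partner", "email"), ("mallory", "email"),
                       ("orphan", "email")]:
        print(subj, purp, check(subj, purp))
```

Running the script shows the four outcomes a domain administrator would expect: the internal user certificate is accepted, the commercial server certificate is accepted for server authentication but rejected for e-mail because of the CTL, and certificates chaining to an unknown or missing root are rejected outright.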
© 1985-1999 Microsoft Corporation. All rights reserved.