Certificate Services overview

Certificate Services provides customizable services for issuing and managing certificates used in software security systems employing public key technologies. For background information about public key cryptography and the benefits of having a public key infrastructure (PKI), see Public key infrastructure.

You can use Certificate Services in the Windows® operating system to create a certification authority (CA) which will receive certificate requests, verify the information in the request and the identity of the requester, issue certificates, revoke certificates, and publish a certificate revocation list (CRL).

For more information about CAs, see Certification authorities.

Certificate Services can also be used to:

Certificate policy

A certificate policy is a set of instructions or rules that are used when processing certificate requests, issuing certificates, revoking certificates, and publishing CRLs. These instructions are a combination of administrative policy and configuration settings on the CA.

When you install Certificate Services, the CA is configured with a default set of rules and settings. These define CA-specific settings such as the CA's certificate, its default issuance behavior, and its key recovery agents. The CA may also install a number of preconfigured certificate templates, which define what information a certificate request must have and how to process incoming requests for a certificate based on that template. The combination of applying CA settings and certificate template settings, plus the defined administrative guidelines, results in the certificate policy that governs the operation of a CA.

Processing certificate requests

A user can request certificates using Microsoft® Internet Explorer 5.0 or later or a browser such as Netscape Navigator 4.7x or later. In addition, a user can use the Certificates snap-in to request a certificate from an enterprise CA or an administrator can configure certificate autoenrollment to transparently request and install certificates for users.

When a user initiates a certificate request, a cryptographic service provider (CSP) on their computer generates a public key and private key pair for the user. The user's public key is sent with their necessary identifying information to the CA. If the user's identifying information meets the CA criteria for granting a request, the CA generates the certificate, which is retrieved by the client application and stored locally. For more information about certificates, see Understanding Certificates.
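The enrollment flow described above, carried out with certreq.exe, as an added example that is not part of this help page; it assumes a placeholder CA configuration string `CAHOST\Contoso-CA`, a placeholder domain `contoso.com`, and a published certificate template named `User`:

```powershell
# Added example (not from the original page): enroll a user certificate from an
# enterprise CA with certreq.exe. Placeholders: CAHOST\Contoso-CA, contoso.com.
$ErrorActionPreference = 'Stop'
$work     = Join-Path $env:TEMP 'enroll'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf      = Join-Path $work 'request.inf'
$req      = Join-Path $work 'request.req'
$cer      = Join-Path $work 'issued.cer'
$caConfig = 'CAHOST\Contoso-CA'   # placeholder "<CA host>\<CA name>"

# [NewRequest] tells the CSP to generate the key pair locally. Only the public
# key and the identifying information go into the request; the private key
# stays in the user's profile and is marked non-exportable.
@"
[NewRequest]
Subject = "CN=$env:USERNAME,OU=Users,DC=contoso,DC=com"
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10
HashAlgorithm = sha256

[RequestAttributes]
CertificateTemplate = User
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. The CSP generates the key pair and signs a PKCS #10 request with it.
certreq.exe -new $inf $req

# 2. Submit the request. The CA applies its policy and the template's rules and
#    either issues at once or leaves the request pending for an administrator
#    (a pending request is collected later with: certreq -retrieve <RequestId>).
certreq.exe -submit -config $caConfig $req $cer

# 3. Install the issued certificate and bind it to the stored private key.
if (Test-Path $cer) { certreq.exe -accept $cer }

# Check that the certificate landed in the user's store with its private key.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$env:USERNAME*" } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```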

Security considerations for CAs

CAs are valuable resources, and you should provide them with a high degree of protection. Specific actions that should be considered include:

Customizing Certificate Services

Certificate Services includes programmable interfaces so that developers can create support for additional transports, policies, and certificate properties and formats. Refer to the Microsoft Platform Software Development Kit for information about customizing Certificate Services.

For more information about Certificate Services, see Understanding Certificate Services.