New features in Certificate Services

XOX; XOX; and XOX have a number of new features and improvements related to Certificate Services and public key infrastructure (PKI). A few new procedures are also provided to demonstrate certificate template editing features and certificate autoenrollment for users and computers.

New PKI features

XOX; XOX; and XOX implement new PKI features and improvements.

• Editable certificate templates and the Certificate Templates MMC snap-in

  Certificate templates were available in Windows 2000 Certificate Services, but they could not be modified or changed. There is a new Certificate Templates MMC snap-in that enables administrators to:

  • Create a new certificate template by duplicating and renaming an existing template.
  • Modify template properties such as certificate validity period, renewal period, cryptographic service provider (CSP), key size, key archival
  • Establish and apply enrollment policies, issuance policies and application policies.

    For example, in Windows 2000, a user can enroll themselves for a certificate or an enrollment agent certificate can enroll for a certificate on their behalf. A significant issue with this scenario is that an enrollment agent can enroll for any user in the enterprise. This means the enrollment agent certificate is very powerful and only very trusted people may have access to it. However, there are many scenarios where it is necessary to restrict which account an enrollment agent can request. For example, a manager may need to be able to enroll their reports or a local administrator may need to be able to issue smart card for people in his building. It is possible to delegate who may approve a certificate enrollment and whom an enrollment agent may enroll.

  • Allow for autoenrollment for certificates based on the template.
  • Set access control on certificate templates to establish which users or computers can enroll and autoenroll for certificates.

  There are now two different versions of certificate templates for Windows server operating systems. Windows 2000 clients and certificate services can only use version 1 templates. XOX and Windows Server 2003 family clients and certificate services will support both version 1 and version 2 templates. Version 1 templates are read-only, but when they are duplicated, the duplicate template is an editable version 2 template.

• Certificate autoenrollment and autorenewal for all subjects

  In Windows 2000, it was possible to autoenroll for EFS certificates and computer certificates, however, autoenrollment for users was not possible. The new autoenrollment feature improves both the user and computer enrollment experience. A member of the Enterprise Admins group can specify the types of certificates that any entity should automatically be issued. The enterprise administrator controls autoenrollment by setting security permissions on certificate templates using the Certificate Templates snap-in. A XOX or Windows Server 2003 family client then accesses the templates in the Active Directory directory service and, if access has been granted, then it will enroll for those certificates.

  For an example of establishing autoenrollment for user certificates, see Certificate Services example implementation: Establishing autoenrollment for user certificates.

  Autorenewal is a new feature similar to autoenrollment and the same mechanism on the templates is used to control who can autorenew a certificate. Every certificate in the certificate store that has a template extension can potentially be autorenewed by the system. This means that applications no longer need to worry about certificates expiring.

• Delta CRLs

  Many applications require up-to-date certificate revocation status information. This requires the certification authority (CA) to frequently publish a new certificate revocation list (CRL). A CRL is the entire list of revoked certificates, so for a CA with a large amount of issued certificates, this can become a very large list. Even if there are no changes, a CA has to republish the entire list so that applications have the latest information, which involves a lot of repetition. Frequent publication of large objects will in turn generates a large amount of replication traffic.

  XOX; XOX; and XOX have a new feature called delta CRLs, an option in RFC 2459. Delta CRLs are CRLs which contain the list of changes in revocation status from a full "base" CRL. Because delta CRLs are a list of changes and not a restatement of the entire CRL, they are typically much smaller and generate significantly less replication traffic than large base CRLs.

• Role-based administration

  Certificate Services in XOX; XOX; and XOX allows for the separation of roles for the management and maintenance of a CA. Role separation is not enforced by default, but you can select to enforce assigned roles.

  For more information, see Role-based administration.

• Key archival and recovery

  You can configure a CA to archive the keys associated with the certificates it issues. If necessary, you can then recover lost keys through the use of a key recovery agent certificate.

  For more information, see Certificate Services example implementation: Key archival and recovery.

• Event auditing

  Event auditing provides the ability to log most events that occur on a CA. This can be useful for monitoring the activities of a CA or the administrative functions, such as certificate issuance and role changes.

  For more information, see Configure event auditing.

• Qualified subordination

  Qualified subordination is an extension of standard CA subordination that allows you to:

  • Define the namespaces for which a subordinate CA will issue certificates.
  • Specify the acceptable uses of certificates issued by a qualified subordinate CA.
  • Enable a certificate to be used in separate certification hierarchies.

  For more information, see Qualified subordination.

• New Certutil.exe commands

  certutil -dspublish [cert|crl]

  Publishes the CA certificate or the certificate revocation list to Active Directory

  For examples of using certutil -getkey and certutil -recoverkey to recover archived keys, see Certificate Services example implementation: Key archival and recovery.