Certificate Services Blueprint
Published: March 2005
For the latest information, please see http://www.microsoft.com/wssra
This WSSRA blueprint focuses on digital certificates and how they can be deployed to help protect the security of an organization's data. Included are detailed descriptions of how certification mechanisms operate and the decision steps involved in deploying them as part of a public key infrastructure (PKI).
Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results of the use of this document remains with the user.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, MSDN, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA
Table of Contents
Who Should Read This Blueprint 1
Knowledge Prerequisites 1
Business Need 2
Enterprise Design for Certificate Services 3
Service Definition 3
What is a PKI? 3
Certificate Services 4
People, Process, and Technology 5
Service Design 6
Defining Requirements for a PKI-Enabled Infrastructure 7
Determining Secure Application Requirements 7
Determining Connectivity between Entities 8
Determining Certificate Requirements for Users, Computers, and Services 10
User Trusts 10
Certificate Revocation 11
Certificate Capabilities 12
Documenting Certificate Policies and Practices 13
Logical Design 14
Designing Root CAs 14
Defining a Trust Anchor for the PKI 14
Satisfying Requirements According to the Trust Scope 16
Distributing the Root CA Certificate 17
Choosing Between Internal and External CAs 18
Internal CAs that Chain to an Internal Root 18
Internal CAs That Chain to External Root 19
External Issuing CAs 19
Determining CA Roles and Types 20
CA Roles 20
Types of CA 21
Referencing a Certification Practice Statement 22
Obtaining OID from an Existing Range 23
Creating an OID with Microsoft Certificate Template UI or from MSDN Web 23
Selecting a Random Number OID 24
Applying a Certification Practice Statement 24
Defining a CPS at Root or Intermediate CA Level 24
Applying a CPS at Issuing CA Level 25
Selecting a Certificate Repository 26
Active Directory Repository 26
Active Directory in Application Mode (AD/AM) 27...