Identify Your Certificate Requirements

Before you can determine what PKI certificate services are needed, you must identify the applications you want to deploy that require digital certificates You must also identify all uses for certificates, what users, computers, and services will require certificates, and what types of certificates you intend to issue. You can deploy Microsoft Certificate Services, or you can obtain other certificate services to support your public key needs. Identify the categories of users, computers, and services that will need certificates and determine the following information for each category:

  • Name or description

  • Reason certificates are needed

  • Number of entities (users, computers, or services)

  • Location of users, computers, and services

You need to provide certificate services to support the identified categories for each business unit and location in your organization. The certificate services you deploy are determined by the types of certificates to be issued, the number of entities that need certificates, and where the groups are located. For example, you might be able to deploy two issuing CAs to provide certificates for all the administrator groups in your organization. However, since there are many more business users than administrators in your organization, you might need to deploy separate issuing CAs in each facility to meet the needs of business users.

For more information about security solutions that use digital certificates, see "Choosing Security Solutions That Use Public Key Technology" in the Microsoft   Windows   2000 Server Resource Kit Distributed Systems Guide .

Basic Security Requirements for Certificates

Several basic factors affect overall security when you use certificates. For the certificates you intend to use, specify the requirements for the following factors:

  • Length of the private key. In a typical deployment, user certificates have 1,024-bit keys and root CAs have 4,096-bit keys.

  • Cryptographic algorithms that are used with certificates. The default algorithms are recommended.

  • Lifetime of certificates and private keys and the renewal cycle. Certificate lifetimes are determined by the type of certificate, your security requirements, standard practices in your industry, and government regulations.

  • Special private key storage and management requirements. For example, storage on smart cards and nonexportable keys.

The standard settings for certificates issued by Microsoft Certificate Services can meet typical security needs. However, you might want to specify stronger security settings for certificates that are used by certain user groups. For example, you can specify longer private key lengths and shorter certificate lifetimes for certificates used to provide security for very valuable information. You can also specify the use of smart cards for private key storage to provide additional security.

Determining Which Certificate Types to Issue

Identify the types of certificates you intend to issue. The types of certificates you issue depend on the certificate services you deploy and the security requirements you have specified for the certificates you intend to issue. You can issue certificate types that have multiple uses and that meet different security requirements.

For enterprise CAs, you can issue a variety of certificate types based on certificate templates and account privileges in a Windows 2000 domain. You can configure each enterprise CA to issue a specific selection of certificate types. Table 12.2 lists the different types of certificate templates available, and their purposes.

Table   12.2 Certificate Templates and Purposes

Certificate template name

Certificate purposes

Issued to

Administrator

Code signing, Microsoft trust list signing, EFS, secure e-mail, client authentication

People

Certification authority

All

Computers

ClientAuth

Client authentication (authenticated session)

People

CodeSigning

Code signing

People

CTLSigning

Microsoft trust list signing

People

Domain Controller

Client authentication, server authentication

Computers

EFS

Encrypting File System

People

EFSRecovery

File recovery

People

EnrollmentAgent

Certificate request agent

People

IPSECIntermediateOffline

IP Security

Computers

IPSECIntermediateOnline

IP Security

Computers

MachineEnrollmentAgent

Certificate request agent

Computers

Machine

Client authentication, server authentication

Computers

OfflineRouter

Client authentication

Computers/routers

SmartcardLogon

Client authentication

People

SmartcardUser

Client authentication, secure e-mail

People

SubCA

All

Computers

User

Encrypting File System, secure e-mail, client authentication

People

UserSignature

Secure e-mail, client authentication

People

WebServer

Server authentication

Computers

CEP Encryption

Certificate request agent

Routers

Exchange Enrollment Agent (Offline Request)

Certificate request agent

People

Exchange User

Secure e-mail, client authentication

People

Exchange User Signature

Secure e-mail, client authentication

People

For stand-alone CAs, you can specify certificate uses in the certificate request. You can also use custom policy modules to specify the certificate types to be issued for stand-alone CAs. For more information about developing custom applications for Microsoft Certificate Services, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources .

The types of certificates issued by third-party certificate services are determined by the specific features and functions of each third-party product. For more information, contact the vendor for the certificate service.