Certificate Services Best practices

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certificate Services Best practices


Plan your public key infrastructure (PKI) before deploying certification authorities (CAs)

Place database and transaction log files on separate hard drives

  • As in many databases, the certification authority's database is a file on the hard drive. In addition to this file, other files serve as the transaction logs and receive all modifications to the database before the changes are made. Because these files may be accessed frequently and simultaneously, it is best to keep the database and transaction logs on separate hard drives or high-performance disk configurations, such as striped volumes.

    For more information, see Disk Management.

Keep the root certification authority offline and secure its signing key by hardware and keep it in a vault to minimize potential for key compromise

If you are going to use a custom policy module for a Microsoft CA, install Certificate Services using stand-alone policy and then replace stand-alone policy with your custom policy

  • Replacing enterprise policy on a certification authority with a custom policy is not supported and will have unpredictable results.

When changing security permissions for the certification authority (CA), always use the Certification Authority snap-in

Do not issue certificates to users or computers directly from the root certification authority

Back up the CA database, the CA certificate, and the CA keys

  • This is essential to protect against the loss of critical data. The CA should be backed up on a regular basis (daily, weekly, monthly), based on the number of certificates issued over the same interval. The more certificates issued, the more frequently you should back up the CA. Full backups should be used to provide the fastest recovery and most reliable data redundancy possible.

    For more information, see Backing up and restoring a certification authority.

Ensure that key lifetimes are long enough to avoid renewal issues

  • A certification authority can issue a certificate with a lifetime equal to or less than the remaining lifetime on its own CA certificate. When the CA certificate has less valid time remaining than the renewal overlap period on issued certificates, the issued certificates are very short lived. In this case, it is possible that clients will be unable to renew their certificates. To avoid this, ensure the CA certificate is renewed long enough before the certificates it issues become short lived.

    For more information, see Renew a root certification authority and Renew a subordinate certification authority.

Review the concepts of security permissions and access control, since enterprise certification authorities issue certificates based on the security permissions of the certificate requester

Use Secure Sockets Layer (SSL) when using Web-based certificate enrollment

  • Web enrollment pages provide a simple but insecure method for users to obtain certificates from the CA. The communication between the client and the Web server could be forged or altered in route, compromising security. To mitigate the risk of this occurring, you can use Secure Sockets Layer (SSL) communications between the client and the Web server. This will provide both confidentiality and integrity of the certificate request and response.

    For more information, see Configuring SSL on your server and Set up certification authority Web enrollment support.