360 likes | 374 Views
Windows 2000 Certificate Authority. By Saunders Roesser. What is a Certificate Authority (CA)?.
E N D
Windows 2000 Certificate Authority By Saunders Roesser
What is a Certificate Authority (CA)? • Straight from Microsoft: “A certification authority is a service that issues the certificates needed to run a public key infrastructure. The CA could be an external commercial CA, or it could be a CA run by your company. The certificates enable a user to log on using a smart card, send encrypted e-mail, code-sign documents, and more. Since a CA is an important trust point in an organization, most organizations will have their own CA. “
Types of MS Certificate Authorities • Enterprise CA • Stand Alone CA
Enterprise CA • An enterprise CA is used with a Windows 2000 domain and Active Directory Services. • Requires entries of user in Active Directory in order to request certificate. • Can be used in logon security. • Two subclasses: • Root • Subordinate
Standalone CA • For issuing certificates to users or computers outside a Windows 2000 domain. • Cannot be used for logon security. • Two subclasses: • Root • Subordinate
CA Organization • CAs are organized into a hierarchy • One root trust point. • Subordinates are trusted because the root node is trusted. • You can have more then one Enterprise CA in an active directory domain. As well as you can mix standalone CAs with enterprise ones.
Enterprise CA requirements • Windows 2000 Server • Windows 2000 DNS • Active Directory Services • Administrative Rights • Can be installed on a domain controller or domain member computer.
Standalone CA Requirements • Windows 2000 Server • Local Administrative Rights
The Actual Setup • Concerned with Enterprise CA setup • First, you need administrative rights in the already established Active Directory.
The Install • Use the “Add/Remove Programs” control panel. • Click “Add/Remove Windows Components” • Check “Certificate Services”. • Also check IIS if you wish to use the web based components (if it isn't already checked).
Install continued.. • Specify the Type of CA: • If Active Directory is not installed, you can only install a stand alone Certificate Authority. • If an Active Directory is detected, the Enterprise root CAoption is selected if there are no CAs already registered in the Active Directory. • If there are CAs registered in the Active Directory, the Enterprise subordinate CAoption is selected.
Install Continued • Choose Length Keys to generate: • 384 bit to 16384 bit • Used Existing Keys? • Set the CA name (common name) • Valid for time (how long till the root certificate expires) • Install Location options, including shared folders.
Install continued. • If IIS is installed, it is required to restart, to install Certificate Services on the web server. • Options to install a Commercial certificate. • That’s it.
Remove CA • If you wish to uninstall a CA, just go to “Add/Remove Programs” then “Add Windows Components” and uncheck the box for “Certificate Services”
How to Administrate a CA • Used the Certificate Authority Administrative Tool.
Administrating • From the Administrative Tool, you can: • Issue New Certificates • Revoke Certificates • See Pending Requests • Failed Requests • Policy Settings
Common Uses • Certificate for Dial-in Users • Encrypted/Non-repudiation emails • Encrypted File System • Web Server • VPN support
IIS Certificate Install • Want to make your website do SSL? • Install a certificate.
CA Web Services • http://localhost/certsrv • Can create certificates for clients
Certificate Authority • Questions? • Comments?