MCSA/MCSE Exam 70-296 Study Guide, Part 4 (PDF)


Autoenrollment
The Microsoft marketing platform for Windows Server 2003 is: “The Windows Server 2003 family helps organizations do more with less.” One of the ways that Windows Server 2003 helps you do more with less is through the use of certificate autoenrollment, which is defined as “a process for obtaining, storing, and updating the certificates for subjects without administrator or user intervention.” Certificate autoenrollment allows clients to automatically submit certificate requests and retrieve and store certificates. Autoenrollment is managed by the administrator (or other staff members who have been delegated authority) through the use of certificate templates so that certificates are obtained by the appropriate target and for the appropriate purpose. Autoenrollment also provides for automated renewal of certificates, allowing the entire certificate management process to remain in the background from the perspective of the user.
EXAM WARNING
Windows Server 2003 Enterprise Edition or Windows Server 2003 Datacenter
Edition is required to configure certificate templates for autoenrollment requests.
From a planning perspective, you will want to decide if autoenrollment is right for your organization and which users or groups should be configured to use autoenrollment. Say that Wally’s Tugboats has a roaming sales force that needs access to network resources while on the road. Typically, these sales associates are novice computer users who have no interest in learning about functions such as Web enrollment; their sole purpose is to sell tugboats. Through autoenrollment, the administrator of Wally’s Tugboats can specify that members of the SalesTeam group in Active Directory have the ability to autoenroll for a certificate. We walk through the process of setting up autoenrollment later in this chapter, when we discuss objective 5.1, configuring PKI within Active Directory.
Head of the Class…
Separating Web Enrollment from the CA Server
In some environments, it could be beneficial to separate the Web enrollment server from the CA server. For example, you might not want to have the IIS service running on a domain controller that is also functioning as a CA server for security purposes—specifically that Active Server Pages (ASP) must be enabled on the IIS server in order for Web enrollment to function.
For this reason, a separate Windows Server 2003 server can be configured to function as the front-end Web enrollment server for the PKI. If you should choose to install the Web enrollment pages on a separate computer from the CA, the computer account must be trusted for delegation within Active Directory. For more information on delegation, see www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/538.asp. For more information on using a separate server for Web enrollment services, go to www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_CSprocsInstallWebClient.asp.
www.syngress.com
Implementing PKI in a Windows Server 2003 Network • Chapter 4 217
272_70-296_04.qxd 9/26/03 11:02 AM Page 217
EXAM WARNING
Remember that autoenrollment is used for the automatic enrollment of users, not
computers.
Using Smart Cards
In our discussion of the different types of CAs, we mentioned that the key difference
between enterprise CAs and standalone CAs is that enterprise CAs tie into the Active
Directory directory services. Another benefit that comes from the use of enterprise CAs
with Active Directory is the use of smart cards for logging into a Windows Server 2003
domain. Although smart cards are covered in much more depth in Chapter 5 of this book,
we wanted to take a few moments here to discuss the planning process for using smart
cards with PKI.
Unlike Windows 2000, which used smart cards primarily for user logon, Windows Server 2003 uses smart cards for a variety of functions. As the system administrator, you need to work with your IT group to plan for the use of smart cards. Specifically, you will want to discuss:
• Business needs for smart cards
• Smart card usage
• Smart card enrollment
Defining a Business Need
Defining a business need for smart cards in today’s environment is much easier than it was even just a few years ago. With the increase in information theft and the reduction in cost of security tools such as smart cards, many organizations are willing to examine their own security practices for areas of improvement. Let’s say that Wally’s Tugboats operates a 24/7 sales center, which is staffed almost exclusively by temporary employees. Turnover and lack of proper temporary employee screening is a huge issue within the sales center. As the administrator, you can easily justify the need for a smart card implementation in the sales center for purposes of authentication and nonrepudiation.
EXAM 70-296 OBJECTIVE 5.2.3
Smart Card Usage
As we mentioned, Microsoft has taken smart card usage a bit further than was previously available in Windows 2000. The additional ways that smart cards can be used in Windows Server 2003 include storing administrative credentials and mapping network shares. Part of the planning process for the deployment of smart cards is to determine exactly what the smart cards will be used for. In our business need example, it was pretty clear that we needed the smart cards for user authentication. However, you could find that you can extend the smart card offering beyond simple user authentication.
Smart Card Certificate Enrollment
By default, users are not allowed to enroll for a smart card logon certificate. In order for a user to enroll for a smart card logon certificate, a system administrator must grant the user (or a group of which the user is a member) access rights to the smart card certificate template. Microsoft recommends that users enrolling for smart card certificates use smart card enrollment stations that have been integrated with certificate services. Enterprise CAs have smart card enrollment stations installed by default, allowing an administrator to handle requests for and installation of smart card certificates on behalf of the user. By having an administrator handle the entire smart card enrollment process, there is no need to grant users access rights to the smart card certificate template.
As part of the planning process, you need to decide where smart card enrollment stations will be placed. Since enrollment stations are configured by default on CAs, you will want to make sure that the enrollment stations are stored in a secure location. Smart cards should be treated the same as any other type of security token (ID badges, access cards, etc.) and kept secure from general users and outside parties.
EXAM WARNING
You could get a question relating to the types of smart cards available for use with Windows Server 2003. The following types of smart cards are the only ones that can be used with Windows Server 2003:
• Gemplus GemSAFE 4k
• Gemplus GemSAFE 8k
• Infineon SICRYPT v2
• Schlumberger Cryptoflex 4k
• Schlumberger Cryptoflex 8k
• Schlumberger Cyberflex Access 16k
Configuring Public Key Infrastructure within Active Directory
EXAM 70-296 OBJECTIVE 5.1
In this section, we apply the information we’ve previously discussed and implement PKI into an Active Directory-enabled Windows Server 2003 network. Using the Wally’s Tugboats Inc. example, let’s walk through each step necessary to creating a functional and fluid PKI. The good news is, most of the real grunt work is done; we have gone over the components of a PKI, considered the decisions necessary to plan the PKI, and thought about the features that Windows Server 2003 brings to a PKI. Now we get to turn all the paperwork and thought processes into a functional PKI.
Throughout this section, we discuss each step of the implementation and configuration process and perform several exercises that correspond to each step. The most logical first step is to review the methods that we can use to install certificate services onto our Windows Server 2003 machine. Keep in mind that the purpose of this section is to configure PKI within AD, which makes the assumption that you have already installed Active Directory onto your server. In order to perform these next few steps, you need to have access to the cabinet files for Windows Server 2003 (on CD, a local folder on your hard drive, or on a network share).
Although we could come up with several variations of installing certificate services onto a Windows Server, there are essentially two main ways to accomplish this task:
• Insert the Windows Server 2003 CD into your CD-ROM drive and click Install optional Windows components (see Figure 4.13).
• Or click Start | Control Panel | Add or Remove Programs and click Add/Remove Windows Components.
In Exercise 4.01, we begin installing the certificate services. You can choose either installation method as long as you are running the installation on a server that exists within a Windows Server 2003 Active Directory domain.
Figure 4.13 The Windows Server 2003 Autorun Splash Screen
EXERCISE 4.01 INSTALLING WINDOWS SERVER 2003 CERTIFICATE SERVICES
For our example, let’s install an online enterprise root CA on one of the
domain controllers within the wallystugboats.com domain. You need to have
IIS installed on the server before beginning this exercise. Let’s begin by
inserting the CD into the server’s CD-ROM drive:
1. Insert the Windows Server 2003 CD into your CD-ROM drive and click
Install optional Windows components.
2. When the Wizard Components window opens, place a check mark in
the Certificate Services box. Notice the warning message that appears,
informing you that once you install certificate services, you will not be
able to rename the server (see Figure 4.14). Click Yes to clear the
warning message, and click Next to continue.
3. As we mentioned at the beginning of the exercise, we’re going to be
configuring this CA as the enterprise root CA for the
wallystugboats.com domain. Select Enterprise Root CA from the CA
Type window, as shown in Figure 4.15, and click Next.
Figure 4.14 Certificate Services Warning Message

Figure 4.15 Certificate Services CA Type Selection Window
4. Enter a common name for your certificate authority. This is the name by which the CA will be known within your enterprise as well as in Active Directory. In our example, we use certserv as our common name. Next, adjust the validity period so that the certificates issued by this CA are valid for 3 years instead of 5 years. Notice that the expiration date is now exactly three years from when you changed this setting. Click Next to continue.
NOTE
At this stage, the key pair is being generated.
5. Accept the defaults for the database file and database log locations
and click Next. Windows will begin configuring the CA components.
Windows will need to stop the IIS services in order to complete the cer-
tificate services installation.
NOTE
If you are warned about Internet Information Services not being installed and Web
enrollment support not being available, click Cancel. You will need to install IIS
prior to installing your CA in order to support Web enrollment.
6. Web enrollment will also require that ASP be enabled. Note the
warning about the potential security vulnerabilities by enabling ASP, as
shown in Figure 4.16, and click Yes.
7. Click Finish when the installation has completed.
Figure 4.16 ASP Warning Message
Web Enrollment Support

If you received the warning message about IIS not being installed, you probably noticed that Web enrollment support was not enabled. Web enrollment relies on the IIS service for the publication of the Web enrollment Web pages and components. IIS provides the user with the front-end interface that serves for the automatic back-end certificate creation. In Exercise 4.02, we use the Web enrollment services to request a certificate.
TEST DAY TIP
If you are faced with a question on the exam that involves Web enrollment not being accessible, read through the scenario again to see if there is any mention of IIS being installed on the server. If IIS is not installed, you know that Web enrollment will not work.
EXERCISE 4.02 USING WEB ENROLLMENT TO REQUEST A CERTIFICATE
In this exercise, we create a request for a Web server certificate. In order to
perform this exercise, you need to have a server running Windows Server 2003
with certificate services installed. You can perform the exercise from either the
server itself or another client with network connectivity to the server. Let’s
begin the exercise by opening a Web browser window:
1. In the Address window of your Web browser, type
http://localhost/certsrv and press Enter if you are doing this exercise
from the server. If you are attempting the exercise from another
machine, enter the name of the machine in place of localhost (for
example, http://myCAserver/certsrv or

2. On the Microsoft Certification Services Welcome page, shown in Figure
4.17, click Request a certificate.
3. On the Request a Certificate page, click advanced certificate request.
4. On the Advanced Certificate Request page, click Create and submit a
request to this CA.

5. Since we are going to be requesting a Web server certificate, click the
drop-down list under Certificate Template and select Web Server.
6. Next, enter the information for the offline template. This is the subject
information that will be associated with the certificate, as illustrated in
Figure 4.18.
7. For purposes of this exercise, you can leave the rest of the information
as it is. Next, scroll to the bottom of the page and click the Submit
button. If you receive a warning about a potential scripting violation,
click Yes to continue.
8. The server will process the certificate and present you with an option to
install the new certificate. At this stage, you could install the certificate
on the appropriate Web server. The enrollment process is complete.
Figure 4.17 The Microsoft Certification Services Welcome Page
Figure 4.18 Entering the Certificate Information
Creating an Issuer Policy Statement
We are discussing issuer policy statements as part of the installation process, but technically they need to be configured before certificate services is installed. By configuring your CA to present its policy statement, users can see the policy statement by viewing the CA’s certificate and clicking Issuer Statement. However, for the policy statement to appear, the file CAPolicy.inf must be properly configured and placed in the systemroot directory (typically, C:\WINDOWS). Before you implement your issuer policy statement, it’s always a good idea to run it by upper management and legal staff as permitted, since the policy statement gives legal and other pertinent information about the CA and its issuing policies, as well as limitations of liability. For more information on issuer policy statements, visit www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/sag_CS_Setup.asp. Figure 4.19 shows the issuer policy statement for www.verisign.com, an Internet CA.
The following code shows a sample CAPolicy.inf file:
[Version]
Signature="$Windows NT$"
[CAPolicy]
Policies=UsagePolicy
[UsagePolicy]
OID=1.1
Notice="Certificates issued from this certification authority (CA) are intended for the sole usage of user authentication of Wally's Tugboats employees. Any misuse of this system may be punishable by law."
Figure 4.19 The Issuer Policy Statement for VeriSign
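To show how the issuer policy statement is assembled from this file, here is an added example in Python (not code from the study guide): it parses the [Version], [CAPolicy] and policy sections of a CAPolicy.inf laid out as above, reports the OID and Notice that Issuer Statement would display, and collects the problems (a wrong Signature, a section named in Policies that does not exist, an OID that is not dotted-decimal, a policy with neither Notice nor URL) that would otherwise surface only after certificate services has been installed with the file in place. The embedded file content is constructed to mirror the chapter's sample; the OID=1.1 value is the chapter's placeholder, and a production CA would use an OID from the organization's own registered arc.

```python
import configparser
import re

# Constructed to mirror the chapter's sample CAPolicy.inf; the OID value 1.1
# is the chapter's placeholder, a real CA uses an OID from its own arc.
SAMPLE_CAPOLICY_INF = """[Version]
Signature="$Windows NT$"
[CAPolicy]
Policies=UsagePolicy
[UsagePolicy]
OID=1.1
Notice="Certificates issued from this certification authority (CA) are intended for the sole usage of user authentication of Wally's Tugboats employees. Any misuse of this system may be punishable by law."
"""

OID_RE = re.compile(r"^\d+(\.\d+)+$")   # dotted-decimal object identifier


def _unquote(value):
    """INF values are often wrapped in double quotes; strip one balanced pair."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_capolicy(text):
    """Return {"policies": [...], "problems": [...]} for a CAPolicy.inf body.

    Problems are collected rather than raised so every issue shows up in one
    pass, before the file is copied into %systemroot% and the CA is installed.
    """
    cp = configparser.ConfigParser(interpolation=None)  # "$Windows NT$" must not be interpolated
    cp.read_string(text)
    problems = []
    if _unquote(cp.get("Version", "Signature", fallback="")) != "$Windows NT$":
        problems.append('[Version] Signature must be "$Windows NT$"')
    names = [n.strip() for n in cp.get("CAPolicy", "Policies", fallback="").split(",") if n.strip()]
    if not names:
        problems.append("[CAPolicy] Policies names no policy section")
    policies = []
    for name in names:
        if not cp.has_section(name):
            problems.append(f"policy section [{name}] is missing")
            continue
        oid = _unquote(cp.get(name, "OID", fallback=""))
        notice = _unquote(cp.get(name, "Notice", fallback=""))
        url = _unquote(cp.get(name, "URL", fallback=""))
        if not OID_RE.match(oid):
            problems.append(f"[{name}] OID {oid!r} is not dotted-decimal")
        if not notice and not url:
            problems.append(f"[{name}] needs a Notice and/or a URL")
        policies.append({"name": name, "oid": oid, "notice": notice, "url": url})
    return {"policies": policies, "problems": problems}


def issuer_statement(parsed):
    """Text a user sees after opening the CA certificate and clicking Issuer Statement."""
    return "\n".join(f"{p['oid']}: {p['notice'] or p['url']}" for p in parsed["policies"])


if __name__ == "__main__":
    result = parse_capolicy(SAMPLE_CAPOLICY_INF)
    print(issuer_statement(result))
    for problem in result["problems"]:
        print("problem:", problem)
```

Run it against the file you intend to drop into %systemroot% before installing the CA; an empty problems list is the go-ahead, and the printed statement is what the relying party will read, so it is also a convenient thing to hand to legal staff for review.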
EXAM WARNING
For the exam, you need to remember the name of the issuer policy statement file, where the file is stored, and when in the CA installation process it should be created and placed in the directory.
Managing Certificates
Once you have configured your CA server, you’ll want to examine some of the various ways that you can manage your certificates. One of the biggest advantages of Windows Server 2003 is the range of management tools you have at your disposal. In this section, we take a look at four different aspects of managing certificates:
• Managing certificate templates
• Using autoenrollment
• Importing and exporting certificates
• Revoking certificates
Managing Certificate Templates
In a Windows PKI, certificate templates are used to assign certificates based on their intended use. When requesting a certificate from a Windows CA, a user is able to select from a variety of certificate types that are based on certificate templates. Templates take the decision-making process out of users’ hands and automate it based on the configuration of the template as defined by the systems administrator. Now, in Windows Server 2003, you also have the ability to modify and create certificate templates as needed. In Exercise 4.03, we duplicate an existing certificate template for use with autoenrollment. Before we move onto the exercise, let’s quickly recap the subject of certificate autoenrollment.
Using Autoenrollment
As we’ve discussed, autoenrollment is an excellent tool that Microsoft developed for PKI management in Windows Server 2003. Although it does reduce overall PKI management, autoenrollment can be a little tricky to configure. First, your Windows Server 2003 domain controller must also be configured as a root CA or an enterprise subordinate CA. In Exercise 4.03, we walk through the steps of configuring autoenrollment in your organization.
NOTE
Windows Server 2003 Enterprise Edition or Datacenter Edition is required to configure certificate templates for autoenrollment requests.
EXERCISE 4.03
CONFIGURING AUTOENROLLMENT
As we mentioned, you first need to configure your domain controller as a root CA or an enterprise subordinate CA. If you have not yet done this, you can refer back to Exercise 4.01 and install certificate services on your domain controller. Let’s begin configuring our CA for autoenrollment:
1. Click Start | Administrative Tools | Certification Authority. When the
Certification Authority management tool opens, right-click Certificate
Templates and click Manage (see Figure 4.20). The certificate tem-
plates management tool will open.
2. Next we need to create a template for autoenrolled users. You can
either create a new template or duplicate an existing template. For our
example, we duplicate the User template by right-clicking the User
template and selecting Duplicate Template.
3. In the Properties of the New Template window (see Figure 4.21), enter
User Autoenrollment in the Template Display Name window.
Figure 4.20 The Certification Authority Tool
4. Click the Security tab to adjust the permissions assigned to this template. This is where you can designate groups to have the ability to autoenroll for a certificate. For our example, we’re going to allow all domain users to autoenroll. In the Group or user names field, click Domain Users. In the Permissions for Domain Users list, check Autoenroll in the Allow column and ensure that Enroll is also allowed (see Figure 4.22).
5. Click OK to save the new template. You can now close the certificate templates management tool.
Next we need to authorize our CA to issue autoenrollment certificates. Essentially, without having a CA enabled to issue certificates to our User Autoenrollment template group, it’s simply a dormant template.
Figure 4.21 Properties of New Template Window
Figure 4.22 The Security Tab of the New Template
6. Maximize your Certification Authority management tool, and right-click
Certificate Templates. Select New | Certificate Template to Issue
from the context menu.
7. Select User Autoenrollment from the list of templates and click OK
(see Figure 4.23).
8. Next we need to adjust the Group Policy to allow for users in the GPO
to autoenroll for certificates. Click Start | Administrative Tools |
Active Directory Users and Computers.
9. Right-click the domain name (in our example, wallystugboats.com),
and click Properties.
10. Click the Group Policy tab of the domain properties, and then click the
Edit button.
11. In the console tree, click User Configuration | Windows Settings |
Security Settings | Public Key Policies.
12. In the details pane, double-click Autoenrollment Settings.
13. In the Autoenrollment Settings Properties window (see Figure 4.24), check the box next to Renew expired certificates, update pending certificates, and remove revoked certificates as well as Update certificates that use certificate templates and click OK.
Figure 4.23 Selecting the User Autoenrollment Template
14. Close Active Directory Users and Computers. Your PKI is now ready
for certificate autoenrollment.
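The exercise sets up three separate things that all have to be in place before a user actually autoenrolls: the template's Security tab grants both Enroll and Autoenroll, the CA is told to issue the template (steps 6 and 7), and Autoenrollment Settings is enabled in the GPO. The following Python is an added example, not code from the study guide, that models those prerequisites so a "nothing happened" report can be reasoned about by checking each condition in turn; the object names (User Autoenrollment, certserv, Domain Users) are the chapter's, while the data classes and the autoenroll_blockers function are constructed here.

```python
from dataclasses import dataclass, field


@dataclass
class CertificateTemplate:
    name: str
    # Security tab of the template: group name -> rights allowed to that group
    allow: dict = field(default_factory=dict)


@dataclass
class EnterpriseCA:
    name: str
    # Templates added through New | Certificate Template to Issue
    issued_templates: set = field(default_factory=set)


@dataclass
class AutoenrollmentGpo:
    """Autoenrollment Settings under User Configuration | Windows Settings |
    Security Settings | Public Key Policies (constructed model)."""
    enabled: bool = True


def autoenroll_blockers(user_groups, template, ca, gpo):
    """Reasons a member of user_groups will NOT autoenroll; an empty list means it works."""
    rights = set()
    for group in user_groups:
        rights |= template.allow.get(group, set())
    reasons = []
    # Both rights are needed: Enroll alone lets the user request manually,
    # Autoenroll alone is not honoured without Enroll.
    if "Enroll" not in rights:
        reasons.append(f"no Enroll permission on template '{template.name}'")
    if "Autoenroll" not in rights:
        reasons.append(f"no Autoenroll permission on template '{template.name}'")
    # A template the CA has not been told to issue is dormant.
    if template.name not in ca.issued_templates:
        reasons.append(f"CA '{ca.name}' is not configured to issue '{template.name}' (dormant template)")
    if not gpo.enabled:
        reasons.append("Autoenrollment Settings policy is not enabled in the GPO")
    return reasons


def exercise_4_03_state():
    """State Exercise 4.03 leaves behind (constructed from the chapter's steps)."""
    template = CertificateTemplate(
        "User Autoenrollment",
        allow={"Domain Users": {"Enroll", "Autoenroll"}},
    )
    ca = EnterpriseCA("certserv", issued_templates={"User Autoenrollment"})
    gpo = AutoenrollmentGpo(enabled=True)
    return template, ca, gpo


if __name__ == "__main__":
    template, ca, gpo = exercise_4_03_state()
    print("blockers for Domain Users:", autoenroll_blockers({"Domain Users"}, template, ca, gpo))
    forgotten = EnterpriseCA("certserv")   # steps 6 and 7 skipped
    print("blockers when the CA never issues the template:",
          autoenroll_blockers({"Domain Users"}, template, forgotten, gpo))
```

The order of the checks mirrors the order in which the exercise configures things, so the first blocker reported is the earliest step to revisit.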
Importing and Exporting Certificates
There could come a time when you need to import a certificate for a computer, user, or service account to use. For instance, you might be installing a certificate that was sent in a file by another CA or restoring a lost certificate from a system backup. Likewise, you might need to export a certificate for backup or to copy it. Windows Server 2003 allows you to import certificates from a standard format and place them within your certificate store. The reverse is true of exporting certificates; certificates are extracted from the certificate store and placed in a file that uses a standard certificate storage format.
TEST DAY TIP
Remember that Active Directory can be used in a Windows Server 2003 PKI as a
certificate store.
Certificate imports are handled through the Certificates snap-in and can be accomplished quite easily by right-clicking the logical store where you want to import the certificate, selecting All Tasks | Import from the context menu (see Figure 4.25), and following the on-screen instructions. Likewise, you can export a certificate by right-clicking the individual certificate and selecting Export from the context menu.
Figure 4.24 The Autoenrollment Settings Properties Window
Revoking Certificates
As we mentioned earlier, revocation of a certificate invalidates a certificate as a trusted security credential prior to the original expiration of the certificate. A certificate can be revoked for a number of reasons:
• Compromise or suspected compromise of the certificate subject’s private key
• Compromise or suspected compromise of a CA’s private key
• Discovery that a certificate was obtained fraudulently
• Change in the status of the certificate subject as a trusted entity
• Change in the name of the certificate subject
Through the Windows interface, Microsoft has simplified the process of revoking certificates. In Exercise 4.04, we walk through the steps of revoking a certificate.
EXERCISE 4.04
REVOKING A CERTIFICATE
In this exercise, we walk through the steps necessary to revoke a certificate
that has been issued by a Windows Server 2003 CA. In our exercise, we use the
Web server certificate that we created using Web enrollment.
1. Open the Certification Authority management tool by clicking Start |
Administrative Tools | Certification Authority.
2. Click Issued Certificates.
Figure 4.25 Importing a Certificate
3. In the details pane, right-click the Web server certificate for Wally’s
Tugboats. From the context menu, click All Tasks and then click Revoke
Certificate.
4. You will be prompted for a reason to revoke the certificate (see Figure 4.26). Let’s assume that our certificate is being revoked because this particular Web server is no longer in service. Select Cease of Operation from the context menu, and click Yes.
5. Your certificate has been revoked.
Figure 4.26 Choosing a Reason for Certificate Revocation
Configuring Public Key Group Policy
In Windows 2000, you learned about the advantages of using Group Policy to administer your Windows 2000 network. One area that you might not be aware of in terms of Group Policy functionality is its tie-in with PKI. Although it is not necessary for you to use PKI Group Policy settings in your organization, they give you additional flexibility and control of CA trusts and certificate issuance. Three areas that we will discuss in relation to Group Policy are:
• Automatic Certificate Request
• Certificate Trust Lists (CTLs)
• Common Root Certificate Authorities
Automatic Certificate Request
As we discussed earlier, you can have users automatically enroll for certificates within a Windows Server 2003 network. You also have the ability to force computers to automatically request and install certificates from a CA. As with user autoenrollment, this feature is helpful in reducing the amount of administrative effort in ensuring that computers have the appropriate certificates to perform cryptographic operations within your environment. Automatic certificate enrollment allows computers within a Group Policy object (GPO) to automatically request the certificates from the CAs designated within the Group Policy. The actual certificate request occurs the first time that a computer associated with a specific GPO boots up on the network and authenticates with Active Directory.
EXAM WARNING
Remember, this topic is different from autoenrollment. These certificates stay with the computer and are assigned the first time that the computer signs into the network after it has been assigned a Group Policy.
Managing Certificate Trust Lists
Another feature of Group Policy interaction with PKI is the ability to create and distribute a certificate trust list (CTL). A certificate trust list is a list of root CA certificates that are considered trustworthy for particular purposes. In other words, Certificate Authority A might be trustworthy for client authentication but not for IPSec. Certificate Authority B might be trustworthy for secure e-mail but not for client authentication. It is also possible to have multiple CTLs within an organization, allowing you to separate CTLs based on use and assign particular CTLs to particular GPOs, which can then in turn be assigned to specific domains, sites, or OUs.
Common Root Certificate Authorities
Lastly, you can establish common trusted root CAs. Some organizations might decide that it is not in their best interests to host CAs within their domains. In other cases, they could use a combination of internal and external CAs for their PKI. Whatever the case, you can use Group Policy to make computers and users aware of common root CAs that exist outside your domain.
EXAM WARNING
Remember that this discussion applies only to CAs that exist outside your organization. Users and computers will already be aware of CAs that are part of your Windows Server 2003 environment and will trust them by default.
Publishing the CRL
On several occasions throughout this chapter, we have alluded to the fact that the CRL must be published in order for CAs and certificate users to be aware of certificates that have been revoked, regardless of the reason they have been revoked. In Windows Server 2003, there are two methods for publishing the CRL:
• Scheduled publication
• Manual publication
Scheduled Publication
One of the features of certificate services is that every CA automatically publishes an updated CRL after an interval of time specified by the CA’s administrator. This interval of time is known as the CRL publish period. After the initial setup of a CA, the CRL publish period is set to one week (based on the local computer’s time, starting from the date when the CA is first installed).
EXAM WARNING
Don’t confuse a CRL publish period and the validity period of a CRL. The validity
period of a CRL is the period of time that the CRL is considered authoritative by a
verifier of a certificate.
Manual Publication
You can also publish a CRL on demand at any time, such as when a valuable certificate becomes compromised. Choosing to publish a CRL outside the established schedule resets the scheduled publication period to begin at that time. In other words, if you manually publish a CRL in the middle of a scheduled publish period, the CRL publish period is restarted.
It is important to realize that clients that have a cached copy of the previously published CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a cached copy of a valid CRL.
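The following Python is an added example, not code from the study guide, that models the behaviour described in the Revoking Certificates and Publishing the CRL sections together: a revocation carries an X.509 CRLReason code (RFC 5280), scheduled publication fires once per publish period, a manual publication restarts that period, and a client keeps using its cached CRL until that CRL's own validity period ends, which is why a revocation published early is not seen by every client immediately. The CertificateAuthority, Crl and Client classes, the install time and the eight-day validity period used in the walkthrough are constructed for illustration; the one-week publish period is the default the chapter states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# X.509 CRLReason codes (RFC 5280) behind the choices in the revocation dialog;
# "Cease of Operation" is spelled as in the chapter's Exercise 4.04.
CRL_REASONS = {
    "Unspecified": 0,
    "Key Compromise": 1,
    "CA Compromise": 2,
    "Affiliation Changed": 3,
    "Superseded": 4,
    "Cease of Operation": 5,
    "Certificate Hold": 6,
}


@dataclass
class Crl:
    this_update: datetime
    next_update: datetime   # end of this CRL's validity period
    revoked: dict           # serial -> (revocation time, reason code)

    def is_valid_at(self, now):
        """A verifier treats the CRL as authoritative only inside this window."""
        return self.this_update <= now < self.next_update

    def status(self, serial):
        return "revoked" if serial in self.revoked else "good"


@dataclass
class CertificateAuthority:
    publish_period: timedelta = timedelta(weeks=1)   # default after setup: one week
    validity_period: timedelta = timedelta(days=8)   # constructed; distinct from the publish period
    revoked: dict = field(default_factory=dict)
    published: list = field(default_factory=list)
    last_publish: datetime = None

    def install(self, now):
        """Initial setup: the schedule starts from the install date."""
        return self.publish_crl(now)

    def next_scheduled_publish(self):
        return self.last_publish + self.publish_period

    def revoke(self, serial, reason_name, now):
        self.revoked[serial] = (now, CRL_REASONS[reason_name])

    def publish_crl(self, now):
        """Publish a CRL now. Used for both scheduled and manual publication;
        either way the publish period restarts from this moment."""
        crl = Crl(now, now + self.validity_period, dict(self.revoked))
        self.published.append(crl)
        self.last_publish = now
        return crl

    def tick(self, now):
        """Scheduled publication: publish only if the period has elapsed."""
        if now >= self.next_scheduled_publish():
            return self.publish_crl(now)
        return None


@dataclass
class Client:
    """Relying party that caches the last CRL it downloaded."""
    cached: Crl = None

    def check(self, serial, ca, now):
        # A cached CRL still inside its validity period is used as-is, even if
        # the CA has meanwhile published a newer one; only an expired cache
        # triggers a fresh download.
        if self.cached is None or not self.cached.is_valid_at(now):
            if not ca.published:
                raise ValueError("CA has not published a CRL yet")
            self.cached = ca.published[-1]
        return self.cached.status(serial)


def walkthrough():
    """Constructed timeline: revoke a Web server certificate on day 2 and
    publish manually; a client that fetched the day-0 CRL keeps trusting the
    certificate until that CRL expires on day 8."""
    t0 = datetime(2003, 9, 26, 11, 2)            # constructed install time
    ca = CertificateAuthority()
    ca.install(t0)
    client = Client()
    out = {}
    out["day1"] = client.check("WEB01", ca, t0 + timedelta(days=1))   # downloads CRL 1
    ca.revoke("WEB01", "Cease of Operation", t0 + timedelta(days=2))
    ca.publish_crl(t0 + timedelta(days=2))      # manual publication
    out["next_publish"] = ca.next_scheduled_publish()   # restarted: day 2 + one week
    out["day3"] = client.check("WEB01", ca, t0 + timedelta(days=3))   # cached CRL 1 still valid
    # Without the manual publication the schedule would have fired on day 7.
    out["tick_day8_published"] = ca.tick(t0 + timedelta(days=8)) is not None
    out["day9"] = client.check("WEB01", ca, t0 + timedelta(days=9))   # cache expired, gets CRL 2
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The walkthrough shows the gap the chapter warns about: on day 3 the client still answers "good" for a certificate the CA revoked on day 2, and the shorter the CRL validity period, the shorter that gap.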
Backup and Restoring Certificate Services
As important as it is to back up a file server or domain controller in your Windows Server 2003 network, it is just as important to back up a CA in a Windows Server 2003 PKI. As with any other type of server, a CA is vulnerable to accidental loss due to hardware or storage media failure. Microsoft provides basic backup functionality in Windows Server 2003, which you can use to back up the system state data for the server. If you do not want to use Microsoft’s Backup program (although this would be the best method), you can also use the Certification Authority snap-in to back up private key information, the certificate that the CA uses for digital signatures, and the certificate database itself. In Exercise 4.05, we walk through the steps of using the Certification Authority management tool.

EXERCISE 4.05
CERTIFICATION AUTHORITY BACKUP AND RECOVERY
In this example, we use one of our CA servers in the Wally’s Tugboats domain
to back up and restore the CA’s private key, CA certificate, certification
database, and database log:
1. Open the Certification Authority management tool by clicking Start |
Administrative Tools | Certification Authority.
2. Right-click the name of the CA. In our example, we use the certserv CA
server. From the context menu, select All Tasks, and then choose Back
up CA.
3. Click Next at the Welcome screen.
4. Next we need to select the items we want to back up and the location
to store them. In the Items to Back Up window (see Figure 4.27), check
Private key and CA certificate and Certification database and
certification database log. In addition, select a location where you want to
store your backup files. For our example, we’ll store them in a directory
on our hard drive. If this were a real scenario, you would likely want to
store the backup on another server. Click Next to continue.
Figure 4.27 The Items to Back Up Window
6. Next you need to select a password to gain access to the private key
and certification file. You should choose a password that is difficult to
figure out but one that you will also be able to remember. In our
example, we use tugb0atz. Enter the password and re-enter it in the
password confirmation box, and click Next.
7. Click Finish to complete the backup process.
Next let’s revoke a certificate within our CA database. If you’re unsure how
to revoke a certificate, follow the steps in Exercise 4.04. Once the certificate
has been revoked, we’re going to restore our CA database in order to recover
the certificate.
8. Open the Certification Authority management tool by clicking Start |
Administrative Tools | Certification Authority.
9. Right-click the name of the CA. In our example, we use the certserv CA
server. From the drop-down menu, select All Tasks and then select
Restore CA.
10. You will be prompted to stop the certificate services. Click OK to stop it.
11. Click Next at the Welcome screen.
12. For our example, we’ll restore only the database and the database log.
In the Items to Restore window (see Figure 4.28), check Certificate
database and certificate database log. You also need to enter the
location of the stored data. Click Next to continue.
13. Click Finish to complete the restore process. Once the restore is
complete, you will be prompted to start certificate services. Click Yes to
restart the service.
Figure 4.28 Items to Restore Window
14. Take a look at your issued certificates. You should see the certificate
that you revoked.
New & Noteworthy…
More Work to Be Done
After you have restored your CA to a functional state, your work is still not done.
You need to check the IIS services on the CA. If the IIS metabase is damaged or
missing, IIS will not start, which will cause the certificate services Web pages to fail
as well. You can use the IIS snap-in to back up and restore the IIS metabase. If you
cannot restore a clean copy of the metabase, you can also recreate it. Once you
have recreated the metabase, you need to use the command-line tool certutil to
reconfigure the IIS server to support the CA Web pages. For more information on
backup and restore of the IIS metabase, visit
www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/mb_rely_backuprestore.asp.
You can also learn more about the certutil command-line tool at
www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_cs_certutil8.asp.
Summary of Exam Objectives
We began this chapter with an overview of the core components and concepts behind a
public key infrastructure, or PKI. Although this discussion might seem elementary to some
of you, it’s important to take a step back and review the basics before moving forward with
new concepts—like learning to walk before you run. We discussed the makeup of a digital
certificate and the information needed by a certificate authority (CA) to produce a
certificate. We also discussed the different types of CA models: standalone, chain-of-trust, and
hierarchical. Each of the CA models has its own pros and cons and serves a purpose based
on what you are trying to accomplish with your PKI. Since this is a Microsoft exam, we
also covered the core components that make up a Windows Server 2003 PKI and the role
each component plays.
Next we discussed the decision-making process behind the planning of a Windows
Server 2003 PKI. Each step in the decision-making process requires some additional
resources and some in-depth thought prior to moving forward. As we saw, each decision is
subjective in that there is no clear-cut answer to each step and the answers will vary based
on the organization.
Last, we stepped through implementing PKI into Active Directory, walking through
several of the features that you have at your disposal for managing your PKI. Understanding
each of these features is important not only for passing the exam but also for day-to-day
management of a Windows Server 2003 PKI.
Exam Objectives Fast Track
Overview of Public Key Infrastructure
• Encryption is the foundation of such security measures as digital signatures, digital
certificates, and the public key infrastructure that uses these technologies to make
computer transactions more secure. Computer-based encryption techniques use
keys to encrypt and decrypt data.
• PKI makes it possible for one entity to trust another by providing privacy,
authentication, nonrepudiation, and integrity.
• Asymmetric encryption is commonly referred to as public key cryptography because
different keys are used to encrypt and decrypt the data.
• The most widely used type of encryption is symmetric encryption, which is aptly
named because it uses one key for both the encryption and decryption processes.
• Symmetric encryption is also commonly referred to as secret key encryption and
shared-secret encryption; all three terms refer to the same class of algorithm.
Components of Public Key Infrastructure
• In a hierarchical model, a root CA functions as a top-level authority over CAs
beneath it, called subordinate CAs. The root CA also functions as a trust anchor to
the CAs beneath it. A trust anchor is an entity known to be sufficiently trusted and
therefore can be used to trust anything connected to it.
• X.509 is the standard used to define a digital certificate. Section 11.2 of X.509
describes a certificate as allowing an association between a user’s distinguished
name (DN) and the user’s public key. The DN is specified by a naming authority
(NA) and used as a unique name by the CA, which will create the certificate.
• Microsoft Windows PKI has four fundamental components. Each of these
components serves a separate function within the PKI configuration. Some
components you will manage directly, and some are more “behind the scenes”;
you will not interact with the latter on a day-to-day basis unless you also develop
applications requiring PKI functionality. The four fundamental components of the
Windows PKI are Microsoft Certificate Services, Active Directory, CryptoAPI, and
CAPICOM.
Planning the Windows Server 2003 Public Key Infrastructure
• There are five recommended steps for designing a Windows PKI: define the
certificate requirements, create a CA infrastructure, extend the CA infrastructure,
configure certificates, and create a management plan.
• In a certification hierarchy, a root CA is the most trusted type of CA within the
PKI. Protection of the root CA is critical since a compromise of the root CA
impacts the security of the entire organization.
• The Web enrollment interface provides an easy means for users to perform
many of the common CA services, including requesting a new certificate,
requesting a CA’s certificate revocation list (CRL), requesting a CA’s own
certificate, enrolling smart card certificates, and checking the status of a pending
certificate request.
• By default, users are not allowed to enroll for a smart card logon certificate. In
order for a user to enroll for a smart card logon certificate, a system administrator
must grant the user (or a group in which the user is a member) access rights to
the smart card certificate template.
• Certificate autoenrollment allows clients to automatically submit certificate
requests and retrieve and store certificates. Autoenrollment also provides for
automated renewal of certificates, allowing the entire certificate management
process to remain in the background from the perspective of the user.
Configuring Public Key Infrastructure within Active Directory
• In a Windows PKI, certificate templates are used to assign certificates based on
their intended use. When requesting a certificate from a Windows CA, a user is
able to select from a variety of certificate types that are based on certificate
templates. A template takes the decision-making process out of the hands of users
and automates it based on the configuration of the template as defined by the
system administrator.
• For a policy statement to appear on a Windows Server 2003 CA, the file
CAPolicy.inf must be properly configured and placed in the system root directory
(typically, C:\WINDOWS).
• A certificate can be revoked for a number of reasons, including: compromise or
suspected compromise of the certificate subject’s private key; compromise or
suspected compromise of a CA’s private key; discovery that a certificate was
obtained fraudulently; change in the status of the certificate subject as a trusted
entity; or change in the name of the certificate subject.
Exam Objectives Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: When should autoenrollment be used?
A: This is at the discretion of the administrator. For example, autoenrollment might be
used in an environment with a high turnover rate, such as a telemarketing company.
Rather than occupying the IT staff’s time creating certificates, the process can be
automated when the user signs on for the first time.
Q: The recommended steps for designing a PKI are discussed in the chapter, but they’re
kind of vague. Can you expand on some of the steps?
A: The fact is, the steps seem vague because the answers are very subjective based on
individual environments. For example, creating a management plan is based on the culture of
the organization. In other words, Company ABC might feel that publishing
certificates on a diskette is a secure and reasonable distribution method. However, Company
XYZ could feel that certificates should be distributed and stored on a smart card.
Q: Why would I want to use the backup and restore method offered in the Certificate
Services management tool and not just use my third-party backup software?
A: The answer here is speed. Typically, it’s much faster to restore the CA components from
a separate drive, network share, or removable media than it is to search a tape backup
medium such as a DAT.
Q: Smart cards sound like the way to go for securing digital certificates. Is there any
downside to using smart cards?
A: From a technology standpoint, no. However, depending on your organization, you
could find that smart card implementations are out of reach financially due to the price
of the cards and readers. However, this situation has changed and will continue to
change over time.
Self Test
1. You have installed certificate services on a Windows Server 2003 server named
CA101.somecompany.com. Your boss has decided that he wants to change all the
servers to a naming convention that is more descriptive to the organization. He wants
to rename CA101.somecompany.com to certserver.somecompany.com. You explain to
your boss that renaming a server with certificate services is not a good idea. Which of
the following answers best describes the reason that you should not rename the server?
A. Once a server has joined an Active Directory domain, you cannot change the
name without reloading the server.
B. The server name is bound to the CA information in Active Directory, and
changing the name would invalidate certificates that have been issued by the
server.
C. DNS will not allow for the renaming of a CA server.
D. You can change the name of the CA server, as long as you use the certutil.exe –R
option prior to the server rename, so that all the clients and subordinate servers
are aware of the name change.
E. None of the above.
2. You have installed certificate services on a Windows Server 2003 server, but after
installation you are unable to open the Web enrollment Web site. What must you do in
order to run Web enrollment on the server?