aku1 posted on 2004-9-25 16:02:01
Selecting Certificate Templates
The certificate services that you deploy and the security requirements that are specific to your organization impact the types of certificates that you issue. You can issue multiple types of certificates to meet a variety of security requirements.
The certificate templates available with an enterprise CA in Windows 2000 and Windows Server 2003 provide the default contents of all certificates that can be requested from a Windows enterprise CA. These certificate templates are stored in Active Directory and cannot be used with stand-alone CAs.
Certificate templates can serve a single purpose or multiple purposes. Single-purpose templates generate certificates that can be used for a single application. For example, the Smart Card Logon certificate template is designed for smart card logon only. Multipurpose templates generate certificates that can be used for a number of applications, such as Secure Sockets Layer (SSL), S/MIME, and EFS. For example, a user certificate can be used for both user authentication and EFS encryption.
Both Windows 2000 and Windows Server 2003 support single-purpose and multipurpose templates. However, Windows 2000 and Windows Server 2003 Standard Edition only support version 1 templates, which have read-only attributes that cannot be customized or extended. Windows Server 2003, Enterprise Edition supports version 2 templates, which allow you to create new certificate templates, clone an existing template, and replace templates that are already in use.
Important
- If you are already using version 1 templates, you can upgrade them to version 2 templates. However, the domain admins in your top-level domain must have full access control permissions on the version 1 templates in order to complete this upgrade. Domain administrators do not need to have full access control over the templates after the upgrade has been completed.
Both version 1 and version 2 certificate templates include the following information:
- Intended user of the certificate.
- CA that issued the certificate.
- Serial number that uniquely identifies each certificate.
- Public key value for the user identified in the subject field.
- Validity period of the certificate.
- Extensions, if any, which apply to the certificate, including additional information that can define certificate purposes, restrictions, and management.
- Digital signature of the CA, which verifies the relationship of the certificate to the issuing CA.
Note
- You can also create your own certificate templates.
Before the certificates are issued, you need to determine the following critical information:
- Certificate key length
- Certificate validity period
- Optional certificate extensions
Note
- Certificate templates, in conjunction with the CA policy module, allow you to define certificate policy for CA certificates.
In addition, version 2 templates allow you to configure the following:
- Customized enrollment policies
- Policies related to validity periods
- Policies related to application usage
- Policies related to key usage
- Policies related to key archiving
- Certificate authorization
- Domain authentication
- Certificate administrators
- Signed enrollment agents
- Key creation
- Key and CSP types
- Certificate contents
Important
- You must upgrade the schema in an Active Directory forest to Windows Server 2003 in order to support version 2 templates. You do not need to upgrade all domain controllers to Windows Server 2003 to perform a schema upgrade.
Certificate templates can only be used when the server that is running Certificate Services is an enterprise CA. Enterprise CAs can issue a variety of certificate types based on the templates. You can configure each enterprise CA to issue only specific types of certificates. Table 16.6 lists the different types of version 1 certificate templates that are available, and the purposes for each.
Table 16.6 Version 1 Certificate Templates

| Certificate template name | Certificate purposes | Issued to |
| --- | --- | --- |
| Administrator | Code signing, Microsoft trust list signing, EFS, secure e-mail, client authentication | Users |
| Authenticated Session | Client authentication | Users |
| Basic EFS | Encrypting File System | Users |
| CEP Encryption | Act as a registration authority | Users |
| Code Signing | Code signing | Users |
| Domain Controller | Client authentication, server authentication | Computers |
| EFS Recovery Agent | File recovery | Users |
| Enrollment Agent (Computer) | Certificate request agent | Computers |
| Exchange Enrollment Agent (Offline Request) | Certificate request agent | Users |
| Exchange User Signature | Secure e-mail, client authentication | Users |
| Exchange User | Secure e-mail, client authentication | Users |
| IPSEC | IP Security | Computers |
| IPSEC (offline request) | IP Security | Computers |
| Root Certification Authority | Identify the root CA | Computers |
| Router | Client authentication | Computers/routers |
| Smartcard Logon | Client authentication | Users |
| Smartcard User | Client authentication, secure e-mail | Users |
| Subordinate CA | All | Computers |
| Trust List Signing | Microsoft trust list signing | Users |
| User | Authentication, secure e-mail, and EFS | Users |
| User Signature | Secure e-mail, client authentication | Users |
| WebServer | Server authentication | Computers |
Table 16.7 lists the version 2 certificate templates that are available in Windows Server 2003 Advanced Server and the purposes for each.
Table 16.7 Version 2 Certificate Templates

| Certificate template name | Certificate purposes | Issued to |
| --- | --- | --- |
| CA Exchange | CA encryption | Computer |
| Cross certification authority | Qualified subordination | Computer |
| Directory E-mail Replication | Directory replication | Users |
| Domain Controller Authentication | Client authentication, server authentication | Users |
| Key Recovery Agent | Key recovery | Users |
Note
- When you select and modify templates, create function-based names for the templates, such as domainA_e-mail or legal_signing. Function-based names help users to select the appropriate certificate for the task that they need to perform.
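The template contents described above (schema version, validity period and the purposes carried in the extended key usage extension) are stored as attributes of each template object in the Configuration partition. The following PowerShell script is an added example, not code from the Resource Kit; it assumes a domain-joined Windows host with read access to the Configuration naming context and reads the templates through ADSI, so it needs no extra tooling.

```powershell
# Added example (not part of the Resource Kit text): list the certificate templates
# published in Active Directory with their schema version, validity period and purposes.
# Assumes a domain-joined host with read access to the Configuration NC.

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod is an 8-byte little-endian negative interval in 100 ns units
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -ne 8) { return $null }
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    return [TimeSpan]::FromTicks(-$ticks)
}

$report = foreach ($t in $container.Children) {
    # pKIExtendedKeyUsage holds the EKU OIDs; resolve them to friendly names where .NET knows them
    $ekuOids  = @($t.Properties['pKIExtendedKeyUsage'])
    $ekuNames = foreach ($oid in $ekuOids) {
        $o = New-Object System.Security.Cryptography.Oid $oid
        if ($o.FriendlyName) { $o.FriendlyName } else { $oid }
    }
    $validity = ConvertFrom-PkiPeriod ($t.Properties['pKIExpirationPeriod'].Value)
    [pscustomobject]@{
        Template      = [string]$t.Properties['cn'].Value
        SchemaVersion = [int]$t.Properties['msPKI-Template-Schema-Version'].Value   # 1 = read-only, 2 = editable
        ValidityDays  = if ($validity) { [int]$validity.TotalDays } else { $null }
        Purposes      = ($ekuNames -join ', ')
    }
}

# Version 1 templates cannot be modified; version 2 templates can be edited, cloned or replaced.
$report | Sort-Object SchemaVersion, Template | Format-Table -AutoSize
```

A template whose Purposes column is empty has no EKU restriction, which is how the "All" entry for Subordinate CA in Table 16.6 appears when read from the directory.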
Delegating Administration of Certificate Templates
Although the majority of CA-related tasks are performed by administering the CA itself, certain tasks, including the administration of certificate templates, are controlled through Active Directory.
To delegate the administration of certificate templates:
- Right-click the Certificate Templates node in the Certification Authority snap-in and select Manage.
- Double-click a certificate template.
- Under the Security tab, check the Allow boxes for the Read and Write permissions.
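Because Write on a template lets the holder change what certificates issued from it contain, the delegation above is worth reviewing periodically. The script below is an added example, not from the Resource Kit; it assumes a domain-joined host and lists every principal that holds a write-class right on any template so the result can be compared against the delegations you intended to make.

```powershell
# Added example (not part of the Resource Kit text): report which principals hold write-class
# rights on each certificate template, so delegated Read/Write grants can be reviewed.
# Assumes a domain-joined host with read access to the Configuration NC.

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

# Rights that allow the template definition or its ACL to be changed
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, GenericWrite, GenericAll'

$findings = foreach ($t in $container.Children) {
    $name  = [string]$t.Properties['cn'].Value
    # Explicit and inherited ACEs, with identities resolved to DOMAIN\name
    $rules = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if (($r.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Template  = $name
            Principal = $r.IdentityReference.Value
            Rights    = $r.ActiveDirectoryRights
            Inherited = $r.IsInherited
        }
    }
}

# Anything beyond the forest's administrative groups should match a deliberate delegation.
$findings | Sort-Object Template, Principal | Format-Table -AutoSize
```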
For more information about certificate templates, see the Distributed Services Guide of the Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at http://www.microsoft.com/reskit).