Enterprise CA—Requires Active Directory, and the host computer must be a member of that domain. IIS with Active Server Pages is required for the web interface. An enterprise CA supports the use of certificate templates. Because Active Directory is used to confirm requester identity, the certificate-application process is greatly simplified. Additionally, both user certificates and the CRL are published in AD DS.

Stand-alone CA—Active Directory is not required. These CAs are less automated, require more input from users when completing a certificate request, and do not support the use of certificate templates. Stand-alone CAs cannot be used to provide certificates for smart-card authentication to a domain. They are generally used when organizations need to utilize an extranet or the Internet.

Install your first CA. Before implementing Certificate Services, most organizations will need to install a number of different CAs. It is important to know which is the starting CA.

Master It: When tasked with setting up Certificate Services for her company, Mary needs to select the correct type of CA to start with.

Master It Solution: Install a root CA that will provide the foundation for the Certificate Services for the organization. This CA will also establish the basic rules for issue, use, and revocation of all certificates in the PKI.

For security purposes, once the root CA has been created and its initial certificate has been created and distributed, the root CA should be taken offline and placed in a highly secure location. Subordinate issuing CAs should be used for the actual distribution of certificates to users.

Understanding CA management procedures. Installing Certificate Services is only part of the story. Most administrators' duties involve the care and feeding of the CA servers. For a CA administrator, it is important to understand the types of tasks that need to be performed.

Master It: Understanding the types of maintenance tasks that must be performed on CA servers is critical to keeping those servers functioning properly.

Master It Solution: A CA administrator will perform two categories of management tasks: recurring and infrequent.

Recurring tasks are those performed on a daily or weekly basis. These include issuing certificates to users, revoking certificates that are no longer needed, and publishing the CRL.

Infrequent tasks are generally performed only when initially deploying a CA server, or when major changes need to be made to the CA. These include the deployment of certificate templates, performing key-archival and key-recovery services, and configuring security policies.
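The recurring tasks listed above (issuing, revoking, publishing the CRL) can be scripted with certutil.exe on an issuing CA. The following is an added example, not part of the original text; the function names are hypothetical, and it assumes an elevated session on the CA server under an account with rights to manage certificates on that CA.

```powershell
# Added example: wrappers around certutil.exe for recurring CA tasks.
# All function names here are hypothetical, chosen for illustration.

function Invoke-CertUtil {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & certutil.exe @Arguments 2>&1
    # certutil returns a non-zero exit code on failure; stop instead of continuing.
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed: $($output -join "`n")"
    }
    $output
}

function Get-PendingRequest {
    # Disposition 9 marks requests that are waiting for a CA manager's decision.
    Invoke-CertUtil @('-view', '-restrict', 'Disposition=9',
                      '-out', 'RequestID,RequesterName,CommonName', 'csv')
}

function Approve-PendingRequest {
    param([Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$RequestId)
    # -resubmit issues the certificate for a pending request.
    Invoke-CertUtil @('-resubmit', "$RequestId")
}

function Revoke-IssuedCertificate {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]+$')][string]$SerialNumber,
        [ValidateSet('Unspecified', 'KeyCompromise', 'CACompromise', 'AffiliationChanged',
                     'Superseded', 'CessationOfOperation', 'CertificateHold')]
        [string]$Reason = 'Unspecified'
    )
    # Reason codes accepted by certutil -revoke.
    $codes = @{ Unspecified = 0; KeyCompromise = 1; CACompromise = 2; AffiliationChanged = 3
                Superseded = 4; CessationOfOperation = 5; CertificateHold = 6 }
    Invoke-CertUtil @('-revoke', $SerialNumber, "$($codes[$Reason])")
    # Clients that check the CRL see the revocation only after a new CRL is
    # published, so publish immediately rather than waiting for the schedule.
    Invoke-CertUtil @('-CRL')
}

# Typical session (the serial number is a placeholder, not a real value):
#   Get-PendingRequest
#   Approve-PendingRequest -RequestId 42
#   Revoke-IssuedCertificate -SerialNumber '<SERIAL-HEX>' -Reason KeyCompromise
```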

