Windows PKI Server Brain (serverbrain.org) is a free tool that makes setting up and configuring a PKI easy. You can use this tool to create a PKI in Windows Server 2003 and 2008 environments. It also helps you configure PKI with Windows Vista and Windows 7 clients. You can also use this tool to set up a PKI with your Mac or Linux machines.
Configuring PKI With Windows PKI Server Brain
The ADCS role is installed on Windows servers and stores the configuration parameters for Certification Authorities. This role also stores the Security Descriptor that describes the principal actions permitted on the Certification Authorities and current domain objects. The CA's private key is required to sign and encrypt files. If a user loses his or her private key, the certificate authority can archive the key.
Microsoft Management Console
The PKI View snap-in in the Microsoft Management Console enables administrators to monitor certificate authority health and view details of certificate authority certificates in Active Directory Certificate Services. The GUI also simplifies script updating. The software also implements the Simple Certificate Enrollment Protocol (SCEP), a standard protocol used by software running on networks to enroll for certificates.
Provides High Assurance PKI
Configuring PKI with a Windows PKI server provides high assurance PKI. The software has several options for security management and is compatible with various operating systems. A well-defined strategy will shorten the implementation time and reduce the risk of error due to inadequate planning. If you are planning a Windows PKI installation, you should first understand all prerequisites and configuration options. This way, you can minimize errors and optimize security.
The root CA is the highest level of trust in your organization. It can issue certificates to all objects within the PKI hierarchy, including users and computers. The root CA also generates a self-signed certificate.
Configuring PKI With Windows Server 2003
The first step in configuring a PKI is to install the necessary software and certificates. Windows Server 2003 comes with a PKI add-on that stores information about the PKI. It includes 29 predefined certificate templates, more than double the number in Windows 2000's PKI. This version of PKI also comes with a built-in LDAP server.
Logical and Physical Certificate Categories
The certificate store architecture of Windows Server 2003 and XP is designed so that logical and physical certificate categories can be merged together. This allows users and applications to focus on certificate functionality and storage rather than worry about where the certificates are physically stored. The architecture of Windows' certificate store also allows users to merge the content of different physical stores and present it through multiple logical stores.
Configure the CA Roles
After configuring the PKI, the next step is to configure the CA roles. The certificate authority tool lets you assign roles to users and groups. To assign a role to a user, select the appropriate box from the Permissions for user or group field. Once you’ve done this, click Apply.
Very Useful Feature for PKI Users
The next step in configuring PKI with Windows Server 2003 is to automate the creation of new user and machine certificates. The administrator can also set a policy to automatically enroll new machines and users into the domain. This is a very useful feature for PKI users, and it is one of the key benefits of Windows 2003 over previous versions.
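As an added example that is not part of the original article, the following PowerShell snippet checks whether the "Certificate Services Client - Auto-Enrollment" policy described above has reached a machine and its current user, and then triggers an autoenrollment pulse so that newly published templates are processed without waiting for the next Group Policy refresh. The registry paths and the meaning of the 0x8000 bit in AEPolicy are assumptions about how that Group Policy setting is stored; verify them against your own GPO before relying on the output.

```powershell
# Added example (not from the original article or from Server Brain).
# Reports the auto-enrollment policy state for the machine and the current user,
# then runs the built-in certutil -pulse verb to process pending enrollments.

$paths = @{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'  # assumed GPO path
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'  # assumed GPO path
}

function Get-AutoEnrollmentState {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return 'Not configured (policy not applied)' }
    $value = (Get-ItemProperty -Path $Path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value) { return 'Not configured (AEPolicy value missing)' }
    # Assumption: the 0x8000 bit marks the policy as explicitly disabled.
    if ($value -band 0x8000) { return "Disabled (AEPolicy=0x{0:X})" -f $value }
    return "Enabled (AEPolicy=0x{0:X})" -f $value
}

foreach ($scope in $paths.Keys) {
    '{0,-8} {1}' -f $scope, (Get-AutoEnrollmentState -Path $paths[$scope])
}

# Force the autoenrollment task to run now rather than at the next policy refresh.
certutil -pulse
```

Run the snippet on a domain-joined client after the policy has been linked; a "Not configured" result for the machine scope usually means the GPO has not applied to that computer yet, which is the first thing to check when machines are not receiving the certificates the templates are supposed to issue automatically.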
Configuring PKI with Windows Server 2008
You can install a PKI server on a Windows Server 2008 or Windows XP computer by following the steps outlined below. To set up a PKI server on a Windows server, you must first install the necessary components. The installation of the certificate authority requires a Windows server running an Enterprise or Datacenter edition. In addition, all new server and client authentication certificates must be signed with SHA-2, including SHA-256 and SHA-512. These certificates are required for all Internet-facing services.
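To check the SHA-2 requirement stated above on an existing machine, here is an added PowerShell audit (not code from the original article or from Server Brain) that walks the local machine's Personal, Intermediate CA and Trusted Root stores and reports every certificate that is still signed with MD5 or SHA-1. It also marks self-signed certificates, which is how a root CA certificate (subject equal to issuer) shows up. The list of stores and the set of weak algorithm names are assumptions for this example; the signature algorithm names come from the .NET `SignatureAlgorithm.FriendlyName` property.

```powershell
# Added example (not from the original article): flag certificates that are not
# signed with a SHA-2 hash. Run in an elevated Windows PowerShell session.

# .NET FriendlyName values that indicate a weak signature hash (assumed list).
$weakHashes = 'md5RSA', 'sha1RSA', 'md5', 'sha1'

function Test-WeakSignature {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    return ($weakHashes -contains $Certificate.SignatureAlgorithm.FriendlyName)
}

# Stores to audit (assumed); add Cert:\CurrentUser\My for user certificates.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'

$report = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        [pscustomobject]@{
            Store      = $store.Split('\')[-1]
            Subject    = $cert.Subject
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # true for a root CA certificate
            Algorithm  = $cert.SignatureAlgorithm.FriendlyName
            Weak       = Test-WeakSignature -Certificate $cert
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

# The signature on a self-signed root does not affect trust decisions, so only
# report CA-issued certificates (leaf and intermediate) that use a weak hash.
$report | Where-Object { $_.Weak -and -not $_.SelfSigned } | Format-Table -AutoSize
```

On the CA itself, `certutil -getreg ca\csp\CNGHashAlgorithm` shows which hash the CA uses when signing the certificates it issues; a CA that still reports SHA1 there will keep producing certificates that this audit flags, so change that setting (it requires a CA whose key lives in a CNG key storage provider) and restart the CertSvc service before re-issuing.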
Alternate Server
You can install the Windows Server 2008 Certificate Authority on an alternate server if you need to. In addition, Windows Server 2008 R2 allows you to configure the permissions on a private key template. This ensures that the resulting certificate has the permissions that have been configured on the template. You can also use Windows Server 2008 R2's Certificate Services Web Services to create and manage certificate enrollments.
Server Operating System
To configure a PKI server on a Windows Server 2008 machine, you must have the Enterprise SKU of the server operating system. This operating system requires you to use version 2 certificate templates for Auto Enrollment and Key Archival. The latter will allow you to make more configuration changes, whereas the former will only allow you to modify the certificate's security.
Vista Client Computer
When you have finished configuring the PKI server, you must ensure that the Windows Vista client computer is running the latest service pack. Also, make sure the computer's name contains only ASCII characters. If the computer is a domain member, you must create a root or enterprise domain administrator account for it.