certificate server on 2003 - advice on type selection

andy smart

Hi

We're in the process of rolling out VPN access to our network, using
hardware which we were kindly donated. One of the authorisation methods
our hardware will accept is digital certificates. I think this is likely
to be the way to go, for ease of user management as much as anything in
that I can time-limit them (we will want to provide access for short
periods of time only).

I've been reading the MS documentation and I'm not sure if I want to
include the CA server in my domain or not. One of the things that the
docs suggest is that the 'advantage' of this is that it is easy to issue
certificates automatically - I actually want to have very tight control
over the people to whom we issue them.

I'd be interested in hearing people's thoughts as to the best practice here.

tia
andy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBabZZqmlxlf41jHgRAvIdAJ4+RLvnyT3slNjGNtBsGYxFSycMhwCguWQb
DP2Qg1sURKB0DsxvnMHazJE=
=n2R6
-----END PGP SIGNATURE-----
Miha Pihler

Hi Andy,

You have a few options to set up your CA server. The first option is to have
an offline CA server. This server should never be online. This means that you
generate your certificate request on the server itself and transfer certificates
on floppy or USB drives...

If you have Active Directory installed and you want to control these users,
then my advice would be to install an Enterprise CA (this would be the enterprise
setup of the CA server). An Enterprise CA server integrates with AD. One option you
have after this is to control certificate issuance based on user membership
in a group. E.g. if a user is a member of the Engineering security group created
in AD then he can be issued a certificate on a specific template. You can still
hold this issuance until you have time to examine the request and manually
approve or deny certificate issuance.

Based on what you wrote, I assume you will need to modify certificate
templates and this can only be done on Windows 2003 Server Enterprise
Edition...

There are quite a few things you need to plan for. E.g. how to protect
physical access to the CA server, and will you have an offline root CA server and
below it an issuing Enterprise CA server (this is the server that will
actually issue certificates). The next thing you should plan for is where you will
publish your CRL (Certificate Revocation List) so that it can be viewed from
the public, how often you will publish it, etc...

Here are some very good white papers and articles from Microsoft on the subject
of setting up and running a Windows 2003 CA server.

New features:
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
Operations guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
Managing PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
Best practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Auto-enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Certificate templates:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
Key archival:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
Advanced certificate enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
Web enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
EFS:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
CRLs:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

Mike

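The workflow Miha describes (templates that only members of a given AD group may enrol on, requests held pending until an administrator approves or denies them, a lifetime bounded per template, and a CRL that relying parties check) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from the thread or from Windows Certificate Services; the template names, group names, validity caps and request data are all constructed for illustration.

```python
"""Model of an issuing CA's policy: group-gated templates, pending-first
approval, per-template validity caps, revocation and a CRL.  Names and
values below are constructed for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Template:
    name: str
    allowed_groups: frozenset   # AD security groups permitted to enrol
    max_validity: timedelta     # hard cap on the lifetime of issued certs


@dataclass
class Request:
    request_id: int
    requester: str
    groups: frozenset
    template: str
    status: str = "pending"     # pending | issued | denied


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    template: str
    not_before: datetime
    not_after: datetime


class IssuingCA:
    def __init__(self, templates):
        self.templates = {t.name: t for t in templates}
        self.requests = {}
        self.issued = {}
        self.revoked = {}        # serial -> revocation time
        self._next_id = 1

    def submit(self, requester, groups, template):
        """Group membership decides whether a request is even accepted;
        accepted requests are held pending, never issued automatically."""
        req = Request(self._next_id, requester, frozenset(groups), template)
        self._next_id += 1
        tpl = self.templates.get(template)
        if tpl is None or not (req.groups & tpl.allowed_groups):
            req.status = "denied"
        self.requests[req.request_id] = req
        return req

    def approve(self, request_id, requested_validity, now):
        """Administrator approval; lifetime is clamped to the template cap
        so a requester cannot ask for more than the template allows."""
        req = self.requests[request_id]
        if req.status != "pending":
            raise ValueError(f"request {request_id} is {req.status}")
        tpl = self.templates[req.template]
        lifetime = min(requested_validity, tpl.max_validity)
        cert = Certificate(len(self.issued) + 1, req.requester, tpl.name,
                           now, now + lifetime)
        req.status = "issued"
        self.issued[cert.serial] = cert
        return cert

    def deny(self, request_id):
        self.requests[request_id].status = "denied"

    def revoke(self, serial, now):
        self.revoked[serial] = now

    def publish_crl(self):
        """What the published CRL carries: the revoked serial numbers."""
        return sorted(self.revoked)


def validate(cert, now, crl):
    """Relying-party check: validity window first, then the CRL."""
    if now < cert.not_before:
        return "not_yet_valid"
    if now >= cert.not_after:
        return "expired"
    if cert.serial in crl:
        return "revoked"
    return "valid"


def demo():
    """Walk one contractor request through the lifecycle; returns outcomes."""
    ca = IssuingCA([
        Template("VPN-Contractor", frozenset({"VPN-Contractors"}), timedelta(days=14)),
        Template("VPN-Staff", frozenset({"VPN-Staff"}), timedelta(days=365)),
    ])
    t0 = datetime(2004, 10, 11, tzinfo=UTC)       # constructed timestamp
    ok = ca.submit("alice", {"VPN-Contractors"}, "VPN-Contractor")
    bad = ca.submit("mallory", {"Domain Users"}, "VPN-Staff")
    cert = ca.approve(ok.request_id, timedelta(days=90), t0)   # asks for 90 days
    out = {
        "accepted_status": ok.status,
        "rejected_status": bad.status,
        "issued_days": (cert.not_after - cert.not_before).days,
        "day1": validate(cert, t0 + timedelta(days=1), ca.publish_crl()),
        "day15": validate(cert, t0 + timedelta(days=15), ca.publish_crl()),
    }
    ca.revoke(cert.serial, t0 + timedelta(days=2))
    out["day3_after_revoke"] = validate(cert, t0 + timedelta(days=3), ca.publish_crl())
    return out


if __name__ == "__main__":
    print(demo())
```

The two points worth taking from the model are the ones the thread raises: `submit` puts every accepted request into `pending`, so nothing is issued without an administrator calling `approve`, and `approve` clamps the lifetime to the template's cap, which is how differing access periods map onto separate templates and groups. A CRL that is never published (or published too rarely) leaves the `revoked` outcome unreachable for relying parties, which is why Miha asks where and how often it will be published.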
andy smart

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mike


Thanks, that was the kind of guidance I was looking for. I'll go off and
peruse the white papers.

On first reading of your email, using Enterprise and then popping people
into groups sounds like a good plan. We'd be issuing certificates for
differing lengths of time, so we could, presumably, pick our groups to
cater for that.

andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBai7Dqmlxlf41jHgRAmi5AJ9qtn25qDNgwl0ObJOXpYKmEimwZgCgz6j4
s1wmRwRrbSVNH98iOiHaPME=
=6Sdv
-----END PGP SIGNATURE-----