
F: What is a Windows CA?
A: A Windows CA is the basic component of a public key infrastructure (PKI). It issues and administers digital certificates for public keys. A digital certificate is used by client or server applications for encryption, strong authentication and digital signature purposes.
F: What is the name of the Windows CA software?
A: Within Windows Server 2008, the software is called "Active Directory Certificate Services" (ADCS). Former Windows versions call it "Windows Certificate Services".
F: How to install the Windows CA?
A: The Windows CA can be installed as an enterprise CA integrated in a Windows domain or as a standalone CA. The basic requirement is a Windows Server installation.
F: What is the difference between an enterprise CA and a standalone CA?
A: An enterprise CA supports certificate templates and autoenrollment and is integrated in Microsoft Active Directory. An enterprise CA is suitable for issuing user certificates. A standalone CA does not support these features and is primarily used for root CA or policy CA installations.
F: What impact does the Windows Server edition have on the Windows CA?
A: The Windows Server edition determines the functionality of the Windows CA. Windows Server Enterprise or Datacenter Editions provide the complete functionality. Windows CAs included in Windows Server Standard Editions support only version 1 certificate templates and provide no key archiving, role separation or autoenrollment.
F: What is a certificate template?
A: Certificate templates configure the content and enrollment workflow of certificates. For example, it is possible to configure the distinguished name or the path of the CRL distribution points. Additionally, a certificate manager can be specified who approves incoming certificate requests.
F: What are V1, V2 and V3 templates?
A: With Server 2008, three versions of certificate templates exist:
Version 1 certificate templates were introduced with Windows Server 2000 and cannot be modified. It is only possible to set the user access rights.
Version 2 certificate templates were introduced with Windows Server 2003 and can be individually configured.
Version 3 certificate templates were introduced with Windows Server 2008 and support the new Microsoft Crypto-API with new encryption and hash algorithms. Only Windows Server Enterprise or Datacenter Editions can issue certificates using V2 or V3 certificate templates.
F: What kinds of revocation checks are supported?
A: Windows 2003 certificate services support revocation checks using certificate revocation lists (CRL and delta CRL). Windows 2008 ADCS supports CRL and the Online Certificate Status Protocol (OCSP).
F: What is autoenrollment?
A: Autoenrollment describes the automated enrollment and renewal of digital certificates. It is supported by Windows enterprise CAs on Windows Server Enterprise or Datacenter Editions. Autoenrollment is configured using group policies. Digital certificates can be enrolled with or without user interaction.
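The template properties described in the two answers above (template version, manager approval, key archival, and the Enroll/Autoenroll rights) are all stored on the template objects in Active Directory. The following PowerShell inventory is an added example, not part of the FAQ or of Microsoft's tooling; it assumes the ActiveDirectory RSAT module on a domain-joined host and uses the documented msPKI-* flag bits and extended-right GUIDs.

```powershell
# Added example (not part of the FAQ): inventory the certificate templates published in the
# AD configuration partition. Assumes the ActiveDirectory RSAT module on a domain-joined host.
Import-Module ActiveDirectory

# Template flag bits (msPKI-* attributes) and enrollment extended-right GUIDs; read-only use here.
$CT_FLAG_PEND_ALL_REQUESTS            = 0x00000002  # msPKI-Enrollment-Flag: CA manager approval required
$CT_FLAG_AUTO_ENROLLMENT              = 0x00000020  # msPKI-Enrollment-Flag: autoenrollment permitted
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001  # msPKI-Private-Key-Flag: private key archived at the CA
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # "Enroll" extended right
$AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # "Autoenroll" extended right

function Get-RightHolders($Acl, [guid] $Right) {
    # Allow ACEs carrying ExtendedRight for this GUID; an empty ObjectType means *all* extended rights.
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $holders = $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $ext) -ne 0) -and
        ($_.ObjectType -eq $Right -or $_.ObjectType -eq [guid]::Empty)
    } | ForEach-Object { $_.IdentityReference.Value }
    ($holders | Sort-Object -Unique) -join ', '
}

function Get-CaTemplateInventory {
    $configNc  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $props = 'msPKI-Template-Schema-Version', 'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag', 'nTSecurityDescriptor'

    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
    ForEach-Object {
        [pscustomobject]@{
            Template          = $_.Name
            SchemaVersion     = $_.'msPKI-Template-Schema-Version'   # 1 = V1 (fixed), 2 = V2, 3 = V3
            ManagerApproval   = [bool]($_.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS)
            AutoenrollFlag    = [bool]($_.'msPKI-Enrollment-Flag' -band $CT_FLAG_AUTO_ENROLLMENT)
            KeyArchival       = [bool]($_.'msPKI-Private-Key-Flag' -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL)
            EnrollAllowed     = Get-RightHolders $_.nTSecurityDescriptor $EnrollRight
            AutoenrollAllowed = Get-RightHolders $_.nTSecurityDescriptor $AutoenrollRight
        }
    }
}

# V1 templates cannot be edited, so anything that needs manager approval, autoenrollment or
# key archival must be a V2/V3 template, which only Enterprise/Datacenter edition CAs can issue.
Get-CaTemplateInventory | Sort-Object SchemaVersion, Template | Format-Table -AutoSize
```

The AutoenrollFlag column shows whether the template permits autoenrollment; the actual rollout still needs the group policy mentioned above and an Autoenroll ACE for the target group.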
F: What is an enrollment agent?
A: An enrollment agent is used to request certificates on behalf of other users. The enrollment agent is primarily used for smartcard enrollment.
F: Are there any problems deploying smartcards?
A: Several problems can occur. For example, if encryption certificates are enrolled, one has to ensure that the private encryption key is archived. This functionality depends on the smartcard and the cryptographic service provider.
F: What is key backup and recovery?
A: Key backup describes the secure storage of the private encryption key. This is necessary to recover encrypted data if the private key is lost. Key archival is configured in the certificate template, and the key recovery process is performed by so-called key recovery agents.
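The recovery process itself is two certutil steps that belong to two different roles. The wrapper below is an added example, not part of the FAQ; the CA configuration string, serial number and output paths are placeholders supplied by the caller, and it assumes the key recovery agent's certificate and private key are present in the current user's store.

```powershell
# Added example (not part of the FAQ): the two-step key recovery performed with certutil.
# Step 1 needs the Certificate Manager role on the CA; step 2 needs the KRA's private key,
# so with role separation enabled no single account can complete both on its own.
function Invoke-CaKeyRecovery {
    param(
        [Parameter(Mandatory)] [string] $CaConfig,      # 'CAHOST\CA-NAME' form (placeholder)
        [Parameter(Mandatory)] [string] $SerialNumber,  # serial of the archived encryption certificate
        [Parameter(Mandatory)] [string] $OutDir,        # working directory on the KRA workstation
        [Parameter(Mandatory)] [string] $PfxPassword    # protects the recovered PKCS#12 file
    )
    $blob = Join-Path $OutDir "$SerialNumber.rec"
    $pfx  = Join-Path $OutDir "$SerialNumber.pfx"

    # Step 1 (Certificate Manager): export the archived key blob from the CA database.
    # The blob is still encrypted to the KRA certificate, so it is useless without the KRA key.
    certutil -config $CaConfig -getkey $SerialNumber $blob | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $blob)) {
        throw "certutil -getkey failed for serial $SerialNumber (exit code $LASTEXITCODE)"
    }

    # Step 2 (Key Recovery Agent): decrypt the blob with the KRA private key and write a
    # password-protected PFX containing the user's certificate and recovered private key.
    certutil -p $PfxPassword -recoverkey $blob $pfx | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed (exit code $LASTEXITCODE)" }

    # The intermediate blob is no longer needed; the PFX must be handed to the user over a
    # protected channel and then removed from the KRA workstation.
    Remove-Item $blob
    Get-Item $pfx
}
```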
F: Is role separation supported?
A: Windows 2003 and Windows 2008 CAs support the Common Criteria role separation. Several user roles exist to increase the security of the CA. The following roles exist:
CA Administrator - Manages the CA and is allowed to configure the certificate templates.
CA Manager - Authorizes certificate requests and revokes certificates. The CA manager is allowed to recover private keys.
Auditor - Analyses the security event log.
Backup Operator - Performs the backup of the CA database, configuration and keys.
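Whether role separation is actually enforced, and whether the CA writes the events the Auditor role relies on, can be read from the CA registry node and the Security log. The script below is an added example, not part of the FAQ; it assumes it runs on the CA host with local administrator rights and that certutil prints DWORD values in its usual "Name REG_DWORD = hex (dec)" form.

```powershell
# Added example (not part of the FAQ): check role separation and CA auditing on the local CA,
# then summarise the Certificate Services events an Auditor reviews. Assumes it runs on the
# CA host with local administrator rights; "CA\" is certutil's registry node, not a CA name.

function Get-CaRegDword([string] $ValueName) {
    # certutil prints DWORDs as "<Name> REG_DWORD = <hex> (<dec>)"; parse the hex part.
    $text = (certutil -getreg "CA\$ValueName" 2>&1) -join "`n"
    if ($text -match "$ValueName REG_DWORD = ([0-9a-fA-F]+)") { [Convert]::ToInt32($Matches[1], 16) } else { $null }
}

function Test-CaAuditConfig {
    $roleSep = Get-CaRegDword RoleSeparationEnabled   # 1 = accounts holding two CA roles are blocked
    $filter  = Get-CaRegDword AuditFilter             # bitmask, 0x7f = all seven CA audit categories
    # The CA only writes events if the OS audit policy subcategory is switched on as well.
    $policy  = (auditpol /get /subcategory:"Certification Services" 2>&1) -join "`n"
    [pscustomobject]@{
        RoleSeparationEnabled = ($roleSep -eq 1)
        AuditFilterComplete   = ($filter -eq 0x7f)
        OsAuditPolicyEnabled  = ($policy -match 'Success and Failure')
    }
}

# Certificate Services audit event IDs (Security log) that map onto the roles above.
$CaEvents = @{
    4870 = 'Certificate revoked (CA Manager)'
    4882 = 'CA security permissions changed (CA Administrator)'
    4883 = 'Archived key retrieved (key recovery)'
    4886 = 'Certificate request received'
    4887 = 'Request approved, certificate issued'
    4888 = 'Certificate request denied'
    4889 = 'Request set to pending (manager approval)'
    4897 = 'Role separation enabled'
}

function Get-CaAuditSummary([int] $Days = 7) {
    $query = @{ LogName = 'Security'; Id = [int[]]$CaEvents.Keys; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue |
        Group-Object Id |
        ForEach-Object { [pscustomobject]@{ Id = [int]$_.Name; Count = $_.Count; Meaning = $CaEvents[[int]$_.Name] } } |
        Sort-Object Id
}

Test-CaAuditConfig
Get-CaAuditSummary -Days 7 | Format-Table -AutoSize
```

A sudden run of 4882 or 4883 events, or 4889 entries that are never followed by 4887/4888, is the kind of pattern the Auditor role is meant to catch.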
F: Where are the certificates published?
A: The enterprise CA publishes certificates into Active Directory. User certificates are published to the corresponding user entries. Client applications like MS Outlook automatically search for these certificates to send encrypted emails.
F: Is the Windows CA ISIS/MTT compatible?
A: Yes, but the configuration has to be adapted. For example, it is necessary to set the certificate encoding to UTF-8 and to mark the key usage extension as critical.
F: What is an HSM?
A: A Hardware Security Module (HSM) is a hardware component that generates and stores the private keys of a Windows CA. Additionally, an HSM performs cryptographic operations. One can differentiate between dedicated and attached HSMs. Dedicated HSMs are directly connected to one CA, whereas attached HSMs can be used by multiple CAs.
F: What is a CTL?
A: A certificate trust list (CTL) is a signed list of certificate hashes of trusted CAs. A CTL is distributed using group policies and restricts the key usage for each CA.