Professional Windows Server 2003 Security: A Technical Reference [Electronic resources]

Roberta Bragg


Chapter 13. Implementing a Secure PKI

Before you can implement a public key infrastructure (PKI), you must educate yourself and your staff on the technology, plan the implementation, and develop policies. Even after all of this, implementation is still a complicated process. Product documentation and many excellent articles on the Microsoft web site explain implementation, but it is easy to get lost in the details. Installing a simple two-tier CA hierarchy with appropriate security is not a daunting task, yet the first time through, wading through all of the details can be confusing.

Implementing a two-tier hierarchy is described in the following sections. First, instructions for installing and configuring a secure, offline root CA are provided, and then steps for installing and configuring a single enterprise subordinate CA are detailed. In this example, a Windows Server 2003 Enterprise Edition member server is used as the subordinate CA so that examples of configuring V2 templates can also be discussed. If you want to use a Windows Server 2003 Standard Edition member server as the subordinate CA, you may; however, V2 templates will not be available. The Windows Server 2003 forest must also be in Windows Server 2003 functional mode to customize the templates.

Your PKI implementation may be more complicated. You may decide on, or be required to add, another tier. You may install multiple issuing CAs, and you may need to provide cross-certification with another hierarchy. You can use the information in this chapter to begin. The chapter provides best practices for a simple two-tier hierarchy, and many of those practices scale to a larger implementation. This example can also serve as a simple test PKI implementation in which to learn how to deploy an offline root CA, configure an enterprise CA, and work with templates.

The following steps are part of the implementation plan:

1. Use an offline root CA and provide extra physical protection for it.

2. Configure the offline root CA to support the hierarchy.

3. Install an enterprise subordinate CA.

4. Configure the subordinate CA to support users.

5. Customize templates.
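Steps 1 and 2 of the plan turn on a handful of settings that must be decided before Certificate Services is installed on the root, because they are baked into the root's self-signed certificate and its CRL schedule. The CAPolicy.inf below is an added example, not a file from the book or from Microsoft; the key length, validity period, CRL periods and the decision to leave the CDP and AIA extensions empty are assumptions chosen to illustrate an offline root, and you should set them from your own certificate policy.

```ini
; CAPolicy.inf for an offline root CA (added example; all values are assumptions).
; Save this file in %SystemRoot% before installing Certificate Services so that
; setup reads it while generating the root CA's self-signed certificate.

[Version]
Signature="$Windows NT$"

[certsrv_server]
; Key length and validity applied when the root CA certificate is renewed.
; The root signs only subordinate CA certificates, so a long lifetime and a
; strong key are appropriate; the initial lifetime is chosen in the setup wizard.
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

; The root is offline, so it cannot publish a CRL often. A base CRL valid for
; 26 weeks keeps the "bring the root online to sign a new CRL" cycle rare.
; Delta CRLs are disabled (units = 0): the root revokes so rarely that a delta
; CRL would only add a second publication point that is usually stale.
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; A self-signed root certificate is trusted by its presence in the trusted root
; store, not by chain building, so it needs no CRL Distribution Point or
; Authority Information Access pointers. Leaving both empty stops clients from
; chasing URLs that could never validate the root anyway.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
```

The empty CDP and AIA sections affect only the root's own certificate. The locations that the root stamps into the certificates it issues (that is, the subordinate CA certificate, and the CRL the subordinate will use to check the root's revocations) are configured after installation through the CA's CRLPublicationURLs and CACertPublicationURLs registry values, and they must point at locations reachable from the network even though the root itself never is, typically a web server and Active Directory that the subordinate CA publishes to on the root's behalf.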