Planning Your Public Key Infrastructure
|
|
Start Issuing Certificates
When the required certificate services are installed and configured, you can start issuing certificates to users, computers, and services. Keep the following considerations in mind when you start to issue certificates:
- Certificates are issued for computers within the scope of the Automatic Certificate Request settings of the domain's Group Policy. Administrators can also manually request certificates for local computers with the Certificate Request wizard or the Microsoft Certificate Services Web pages. Consider scheduling manual enrollment in stages to help distribute the administrative workload for computer enrollment.
- Smart card administrators can start issuing smart card certificates with the Smart Card Enrollment Station available on the Microsoft Certificate Services Web pages. Consider scheduling smart card enrollment in stages to help distribute the administrative workload for smart card enrollment.
- During the transition to smart cards, you usually enable both smart card authentication and the CTRL+ALT+DEL secure logon sequence. However, because this weakens network security, configure user account policy to require smart cards to log on interactively as soon as smart card users are trained and are using their cards.
Monitor the performance of certificate services closely as you start issuing certificates to ensure that CAs handle the certificate load. To correct excessive load conditions, consider adding more issuing CAs or scheduling certificate enrollment in smaller stages. Certificate renewal might also produce excessive load conditions, so adding more CAs and scheduling certificate enrollment in smaller stages can also help distribute peak renewal loads.
© 1985-2000 Microsoft Corporation. All rights reserved.