Planning Your Public Key Infrastructure


Identify Your Certificate Requirements

Before you can determine what PKI certificate services are needed, you must identify the applications you want to deploy that require digital certificates. You must also identify all uses for certificates, what users, computers, and services will require certificates, and what types of certificates you intend to issue. You can deploy Microsoft Certificate Services, or you can obtain other certificate services to support your public key needs. Identify the categories of users, computers, and services that will need certificates and determine the following information for each category:

You need to provide certificate services to support the identified categories for each business unit and location in your organization. The certificate services you deploy are determined by the types of certificates to be issued, the number of entities that need certificates, and where the groups are located. For example, you might be able to deploy two issuing CAs to provide certificates for all the administrator groups in your organization. However, since there are many more business users than administrators in your organization, you might need to deploy separate issuing CAs in each facility to meet the needs of business users.

For more information about security solutions that use digital certificates, see "Choosing Security Solutions That Use Public Key Technology" in the Microsoft Windows 2000 Server Resource Kit Distributed Systems Guide.

Basic Security Requirements for Certificates

Several basic factors affect overall security when you use certificates. For the certificates you intend to use, specify the requirements for the following factors:

The standard settings for certificates issued by Microsoft Certificate Services can meet typical security needs. However, you might want to specify stronger security settings for certificates that are used by certain user groups. For example, you can specify longer private key lengths and shorter certificate lifetimes for certificates used to provide security for very valuable information. You can also specify the use of smart cards for private key storage to provide additional security.

Determining Which Certificate Types to Issue

Identify the types of certificates you intend to issue. Which types you can issue depends on the certificate services you deploy and on the security requirements you have specified for those certificates. A single certificate type can serve multiple uses and can meet different security requirements.

For enterprise CAs, you can issue a variety of certificate types based on certificate templates and account privileges in a Windows 2000 domain. You can configure each enterprise CA to issue a specific selection of certificate types. Table 12.2 lists the different types of certificate templates available, and their purposes.

Table 12.2 Certificate Templates and Purposes

Certificate template name                    Certificate purposes                                                                   Issued to
Administrator                                Code signing, Microsoft trust list signing, EFS, secure e-mail, client authentication  People
Certification authority                      All                                                                                    Computers
ClientAuth                                   Client authentication (authenticated session)                                          People
CodeSigning                                  Code signing                                                                           People
CTLSigning                                   Microsoft trust list signing                                                           People
Domain Controller                            Client authentication, server authentication                                           Computers
EFS                                          Encrypting File System                                                                 People
EFSRecovery                                  File recovery                                                                          People
EnrollmentAgent                              Certificate request agent                                                              People
IPSECIntermediateOffline                     IP Security                                                                            Computers
IPSECIntermediateOnline                      IP Security                                                                            Computers
MachineEnrollmentAgent                       Certificate request agent                                                              Computers
Machine                                      Client authentication, server authentication                                           Computers
OfflineRouter                                Client authentication                                                                  Computers/routers
SmartcardLogon                               Client authentication                                                                  People
SmartcardUser                                Client authentication, secure e-mail                                                   People
SubCA                                        All                                                                                    Computers
User                                         Encrypting File System, secure e-mail, client authentication                           People
UserSignature                                Secure e-mail, client authentication                                                   People
WebServer                                    Server authentication                                                                  Computers
CEP Encryption                               Certificate request agent                                                              Routers
Exchange Enrollment Agent (Offline Request)  Certificate request agent                                                              People
Exchange User                                Secure e-mail, client authentication                                                   People
Exchange User Signature                      Secure e-mail, client authentication                                                   People

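As an added example (not from the Resource Kit), the following Python picks the Table 12.2 templates whose combined purposes cover what one category of users or computers needs, preferring the cover that grants the fewest purposes beyond those asked for. The purpose labels and the subset of table rows are my own shorthand; nothing here is a Certificate Services API.

```python
# Added example, not from the Resource Kit: choose the Table 12.2 templates
# whose combined purposes cover what a category of users or computers needs.
from itertools import combinations

# Subset of Table 12.2: template name -> (purposes, issued to). "CTL signing"
# stands for "Microsoft trust list signing"; the purpose names are my labels.
TEMPLATES = {
    "Administrator": ({"code signing", "CTL signing", "EFS", "secure e-mail",
                       "client authentication"}, "People"),
    "ClientAuth": ({"client authentication"}, "People"),
    "CodeSigning": ({"code signing"}, "People"),
    "EFS": ({"EFS"}, "People"),
    "EFSRecovery": ({"file recovery"}, "People"),
    "SmartcardLogon": ({"client authentication"}, "People"),
    "SmartcardUser": ({"client authentication", "secure e-mail"}, "People"),
    "User": ({"EFS", "secure e-mail", "client authentication"}, "People"),
    "UserSignature": ({"secure e-mail", "client authentication"}, "People"),
    "Domain Controller": ({"client authentication", "server authentication"}, "Computers"),
    "Machine": ({"client authentication", "server authentication"}, "Computers"),
    "WebServer": ({"server authentication"}, "Computers"),
}


def templates_for(required, issued_to):
    """Fewest templates (for this subject kind) whose purposes cover `required`.
    Among equally small covers, prefer the one granting the fewest purposes
    beyond what was asked for (least privilege), then alphabetical order.
    Returns None when no combination of templates covers the request."""
    required = set(required)
    candidates = sorted(name for name, (purposes, kind) in TEMPLATES.items()
                        if kind == issued_to and purposes & required)
    for size in range(1, len(candidates) + 1):
        covers = []
        for combo in combinations(candidates, size):
            granted = set().union(*(TEMPLATES[n][0] for n in combo))
            if required <= granted:
                covers.append((len(granted - required), combo))
        if covers:
            return list(min(covers)[1])
    return None


if __name__ == "__main__":
    # Constructed planning categories modelled on the section's own examples.
    print(templates_for({"code signing", "EFS", "client authentication"}, "People"))
    print(templates_for({"EFS", "secure e-mail", "client authentication"}, "People"))
    print(templates_for({"EFS", "file recovery"}, "People"))
```

Business users end up on the User template rather than Administrator because both cover their needs but Administrator would also grant code signing and trust list signing; recovery agents need two templates because no single one covers both EFS and file recovery.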
For stand-alone CAs, you can specify certificate uses in the certificate request. You can also use custom policy modules to specify the certificate types to be issued for stand-alone CAs. For more information about developing custom applications for Microsoft Certificate Services, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.

The types of certificates issued by third-party certificate services are determined by the specific features and functions of each third-party product. For more information, contact the vendor for the certificate service.

© 1985-2000 Microsoft Corporation. All rights reserved.