In this article I want to talk about the different types of Certification Authority that can be deployed in a Windows Server infrastructure. The type of CA you choose depends on your network requirements, and you should study them carefully before deploying such an infrastructure. Note that once you deploy an Enterprise or Standalone CA you cannot convert it to the other type later; the only way to change it is to uninstall and reinstall the CA role. When you install the CA role on a Windows Server, the wizard prompts you to select either a Standalone or an Enterprise Certification Authority (CA).
Windows Server 2008 offers support for four types of CA. They are really the combination of two independent choices: Enterprise or Standalone decides whether the CA integrates with Active Directory, and Root or Subordinate decides its place in the hierarchy, so every CA is one of Enterprise Root, Enterprise Subordinate, Standalone Root or Standalone Subordinate:
Enterprise CA – can only be deployed on a member server of an Active Directory domain, and it integrates with AD. The CA publishes its own certificate and its certificate revocation lists (CRLs) to the Configuration partition of AD, and Group Policy distributes the root certificate to the trusted root store of every domain member and controls the autoenrollment settings. An Enterprise CA uses certificate templates, which are stored in AD, to issue certificates in an automated manner. The way a template is configured determines which data is taken from Active Directory; for example, the subject name can be built from the requester's AD account, but you need to enable this in the certificate template. An Enterprise CA supports autoenrollment, which issues certificates automatically based on certificate template permissions. When a certificate is requested, the CA verifies that the user or computer has the Enroll permission (and, for autoenrollment, the Autoenroll permission) on the template, as configured in the template's access control list.
Standalone CA – does not require an Active Directory infrastructure. Because a Standalone CA does not integrate with AD, the AD-dependent features of the Enterprise CA are not available: there are no certificate templates, so the requester must supply all the needed information (subject name, key usage and so on) in the certificate request itself, and autoenrollment is not supported. By default the CA also holds incoming requests as pending, so an administrator must approve each request manually, which increases the overall workload of sysadmins.
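The two descriptions above can be checked on a real CA. The following PowerShell is an added example and is not code from the original article: it reads which of the four CA types the local CA is from the registry, and, for an Enterprise CA, lists which principals hold the Enroll and Autoenroll rights on every template the CA publishes, which is exactly the permission check the CA performs before issuing a template-based certificate. It assumes Windows PowerShell with the ActiveDirectory module (RSAT) on a domain-joined host with read access to the Configuration partition; the CA name CORP-ISSUING-CA is made up.

```powershell
# Added example (not code from the original article): identify the local CA type and,
# for an Enterprise CA, audit Enroll/Autoenroll grants on its published templates.
# Assumptions: ActiveDirectory module available, domain-joined host with read access
# to the Configuration partition; the CA name 'CORP-ISSUING-CA' is made up.

Import-Module ActiveDirectory

# Meaning of the CAType DWORD stored under
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA common name>
$CATypeNames = @{
    0 = 'Enterprise Root CA'
    1 = 'Enterprise Subordinate CA'
    3 = 'Standalone Root CA'
    4 = 'Standalone Subordinate CA'
}

# Extended-right GUIDs from the AD schema that appear in template ACLs
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollRight = [guid]'a05b8cc2-17bc-11d2-8b7e-00c04f79dc55'
$AnyRight        = [guid]::Empty   # ExtendedRight with an empty ObjectType grants every extended right

# Run on the CA server itself: reads the type of the installed CA from the registry.
function Get-LocalCAType {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $cfg).Active               # common name of the active CA
    $type   = [int](Get-ItemProperty -Path "$cfg\$active").CAType
    $kind   = 'Unknown'
    if ($CATypeNames.ContainsKey($type)) { $kind = $CATypeNames[$type] }
    [pscustomobject]@{ CAName = $active; CAType = $type; Kind = $kind }
}

# For an Enterprise CA registered in AD: who can Enroll / Autoenroll on its published templates.
function Get-TemplateEnrollmentGrants {
    param([Parameter(Mandatory)][string]$CAName)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # A pKIEnrollmentService object exists only for Enterprise CAs; its
    # certificateTemplates attribute lists the templates the CA will issue.
    $ca = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
            -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$CAName))" `
            -Properties certificateTemplates
    if (-not $ca) { throw "No Enterprise CA named '$CAName' is registered in Active Directory" }

    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allRight = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($tmpl in $ca.certificateTemplates) {
        # Template objects live in the Configuration partition; the AD: drive exposes their ACLs.
        $acl = Get-Acl -Path "AD:\CN=$tmpl,CN=Certificate Templates,$pkiBase"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $hasExt = $ace.ActiveDirectoryRights.HasFlag($extRight)
            $full   = $ace.ActiveDirectoryRights.HasFlag($allRight)
            $enroll = $full -or ($hasExt -and $ace.ObjectType -in @($EnrollRight, $AnyRight))
            $auto   = $full -or ($hasExt -and $ace.ObjectType -in @($AutoenrollRight, $AnyRight))
            if ($enroll -or $auto) {
                [pscustomobject]@{
                    Template   = $tmpl
                    Principal  = $ace.IdentityReference.Value
                    Enroll     = $enroll
                    Autoenroll = $auto
                }
            }
        }
    }
}

# Usage (the CA name is an assumption):
# Get-LocalCAType
# Get-TemplateEnrollmentGrants -CAName 'CORP-ISSUING-CA' | Sort-Object Template | Format-Table -AutoSize
```

Running the second function against a Standalone CA throws, because a Standalone CA has no pKIEnrollmentService object in AD and no templates to audit; that absence is the practical meaning of "does not integrate with AD". On an Enterprise CA, pay attention to broad principals such as Domain Users or Authenticated Users holding Enroll on templates you did not expect, since that is what autoenrollment and the CA's permission check will honour.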
A Root CA sits at the top of the PKI (Public Key Infrastructure) hierarchy and signs its own certificate, so it is the most trusted entity within the network. These servers must be secured as much as possible, because if a Root CA is compromised the entire certificate infrastructure must be rebuilt. Root CAs are usually used only to issue certificates for Subordinate CAs and are kept offline (disconnected from the network, and therefore usually deployed as a Standalone CA, since an offline machine cannot participate in the domain) to ensure the highest security.
A Subordinate CA sits under the Root CA and is used to issue certificates for users and computers. An enterprise can use multiple Subordinate CAs within the network. If one of these Subordinate CAs is compromised, the Root CA can revoke its certificate, thus protecting the rest of the network: only certificates issued by the compromised Subordinate CA must be replaced.
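What "the Root CA can revoke its certificate" looks like in practice, as an added example that is not part of the original article: the commands below are run on the offline Root CA to revoke the compromised Subordinate CA's certificate and issue a new CRL. Because the root is offline, the new CRL has to be carried to the CRL distribution points by hand; the CA names, serial number and paths used here are assumptions.

```powershell
# Added example, not code from the original article: revoking a compromised
# Subordinate CA from an offline Root CA. Run on the Root CA. The CA names, serial
# number and paths below are assumptions.

$SubCAName  = 'CORP-ISSUING-CA'   # common name of the compromised subordinate (assumed)
$RootCAName = 'CORP-ROOT-CA'      # common name of this root CA (assumed)

# 1. Locate the subordinate's certificate in the root CA database to get its serial number.
certutil -view -restrict "CommonName=$SubCAName" -out "RequestID,SerialNumber,NotBefore,NotAfter"

# 2. Revoke it. The second argument is the RFC 5280 CRLReason code; 2 = cACompromise.
$Serial = '3b000000020c1d2e3f40516273000000000002'   # assumed value, copy it from step 1
certutil -revoke $Serial 2

# 3. Issue a new base CRL. The CA writes it to its local CertEnroll folder (and to any
#    other CDP location that is flagged for publishing in the CA configuration).
certutil -CRL

# 4. The root is offline, so move the CRL to removable media, then from an online,
#    domain-joined host copy it to the HTTP CDP and publish it to AD.
$CrlFile = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll\$RootCAName.crl"
Copy-Item -Path $CrlFile -Destination 'E:\'   # assumed removable drive
# On the online host (with rights to the Configuration partition):
#   Copy-Item E:\CORP-ROOT-CA.crl \\pki.corp.example\CertEnroll\   # assumed HTTP CDP share
#   certutil -dspublish -f E:\CORP-ROOT-CA.crl

# 5. From a client, confirm the subordinate's certificate now fails revocation checking;
#    -urlfetch forces the CDP/AIA URLs in the certificate to be retrieved.
#   certutil -verify -urlfetch .\subca.cer
```

Until the new CRL is reachable at the CDP locations, clients keep trusting certificates issued by the compromised Subordinate CA, because they only know about the old CRL; this is why an offline root needs a documented CRL publishing procedure, not just a revocation command.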
These are the four types of Certification Authority supported by the Windows Server 2008 editions. I hope this article will serve you well in better understanding this technology. We will talk about Windows Server Certificate Authority in future articles, so stay tuned for the following posts from IT training day.