In many organizations, public key infrastructure (PKI) services (i.e., certificate
services) are commonly used IT infrastructure building blocks. The certificate
services bundled in Windows server OSs can generate a wide range of X.509-formatted
digital certificates without incurring additional licensing costs. Organizations
can use these certificates to secure mission-critical applications such as email
exchanges, Web communications, administrators' and users' Windows logon processes,
and code signing of in-house-developed code.
In Windows Longhorn Server, the next version of the server OS that's due for
release sometime in 2007, Microsoft includes the newest version of its enterprise
PKI software. In this article I highlight the most important Longhorn Server
PKI enhancements and explain how organizations can use these features to their
advantage. Longhorn Server's PKI has the most features of any Windows PKI version
so far. In addition, Microsoft made installing Windows Certificate Services
easier than ever in Longhorn Server.
Longhorn PKI Components
When you install Longhorn Server's Certificate Services, you'll immediately
notice that Control Panel no longer includes an Add or Remove Programs applet.
You can use Longhorn Server's Add Roles Wizard to install Certificate Services.
This wizard is accessible from the Initial Configuration Tasks screen, which
opens after you first log on to a freshly installed system, and the Server Manager
screen, which you can use at any time to configure server settings. Longhorn
Server's PKI functionality is referred to as Active Directory Certificate Server
in the Add Roles Wizard, as Web Figure 1
(http://www.windowsitpro.com, InstantDoc ID 95172) shows. Longhorn Server's
Server Manager also includes a wizard to remove Certificate Services, called
the Remove Roles Wizard.
The new Server Manager and its associated wizards are the results of Microsoft's
engineering efforts to make Windows a more componentized OS. When you install the
Active Directory (AD) Certificate Server role, you'll notice that it comprises
four optional subcomponents: the Certification Authority, Certificate Authority
Web Enrollment, Simple Certificate Enrollment Protocol (SCEP), and Online
Certificate Status Protocol (OCSP) components. Microsoft also refers to these
subcomponents as role services.
The first two components (i.e., Certification Authority and Certificate Authority
Web Enrollment) were also available in previous versions of Windows Certificate
Services. The Certification Authority is Microsoft's certificate and revocation
list-generation engine; the Certificate Authority Web Enrollment is a set of
Web pages that gives users a Web interface for enrolling for certificates. The
SCEP component was previously included in both the Windows 2000 Server and Windows
Server 2003 resource kits. The SCEP allows network devices such as routers and
switches to easily enroll for certificates on a Windows Certification Authority
(CA). The OCSP component provides a new service that wasn't available in previous
Windows versions. Certificate users and applications can use the OCSP component
to obtain real-time certificate status information (e.g., whether a certificate
is still valid or has been revoked). Microsoft acquired a company named Alacris
to obtain the OCSP logic. The Longhorn Server OCSP implementation is compliant
with Request for Comments (RFC) 2560. OCSP client-server communications leverage
HTTP and port 80 and don't require additional open network ports.
Server Manager's straightforward user interface and improved error and warning
logic help ease the installation, configuration, and removal of Windows components.
For example, when you install the Certificate Authority Web Enrollment component,
if the Microsoft IIS Web server isn't already present on the local machine,
the wizard prompts you to also install the IIS Web server role. Previously,
administrators needed to ensure that IIS was successfully installed before installing
the Certificate Authority Web Enrollment component.
Server Manager also reduces the number of required installation steps. A good
example of this improvement is the Microsoft SCEP component installation. In
previous Windows versions, you could add SCEP support after the Certificate
Services installation by installing the SCEP services that were included in the
resource kit. In Longhorn Server you can use one wizard to install the
Certificate Services and SCEP support. In addition, the SCEP logic is bundled
with Longhorn Server. To reduce support costs and ease Windows administrators'
lives, Microsoft included most of the utilities that were previously in the
resource kit. Get used to the idea: Longhorn Server has no resource kit!
Another important change that you need to be aware of when you plan to install
Longhorn Server's Certificate Services is that not all PKI features are available
in Longhorn Server Standard Edition. Only the certificate services that are
bundled with Longhorn Server Enterprise Edition are feature-full. Table
1 provides an overview of the PKI feature set differences between these
two Longhorn Server editions. Longhorn Server Standard Edition's PKI is adequate
for organizations with few certificate needs (e.g., organizations that need
only Secure Sockets Layer (SSL) server certificates), but organizations
that use certificates to secure important mission-critical data and that have
many PKI-enabled applications need the Longhorn Server Enterprise Edition PKI.
PKI Management Enhancements
A long-awaited PKI management feature is the addition of CA-specific performance
counters. These counters are particularly useful for monitoring and managing
Windows CAs. For example, you can use the performance counters to create reports
on overall CA performance (e.g., number of failed requests, average certificate
request processing time). ISPs or organizations might need such reports to illustrate
their conformance with service level agreements (SLAs).
In Longhorn Server, administrators can use new counters in the revamped
Reliability and Performance Monitor to monitor their CAs' performance. If
Certificate Services is installed correctly, Longhorn Server Performance Monitor
includes the following PKI-relevant performance counter groups: Certification
Authority, Certification Authority Connections, Database, Database Instances,
and Database TableClasses. If the OCSP service is installed, the OCSP Server and
OCSP Server Connections counters are included.
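As an added illustration of the SLA-style reporting described above (this is example code written for this article's topic, not Microsoft's or the article's own), the following script samples the Certification Authority and Certification Authority Connections counter groups and summarises them. It assumes Certificate Services is installed on the local machine and that PowerShell 2.0 or later (which supplies Get-Counter) is available; the counter group names come from the text, while the individual counter paths are discovered at run time rather than assumed.

```powershell
# Added example: summarise CA performance counters for an SLA report.
# Assumes a local Certificate Services installation and PowerShell 2.0+.
param(
    [int]$IntervalSeconds = 5,
    [int]$Samples         = 12,                       # 12 x 5 s = one minute of data
    [string]$ReportPath   = "$env:TEMP\ca-counters.csv"
)

# Counter groups named in the article; their member counters are looked up
# on this machine so no individual counter name has to be hard-coded.
$counterSets = 'Certification Authority', 'Certification Authority Connections'
$paths = foreach ($set in $counterSets) {
    try {
        (Get-Counter -ListSet $set -ErrorAction Stop).Paths
    } catch {
        Write-Warning "Counter set '$set' not found: $($_.Exception.Message)"
    }
}
if (-not $paths) { throw 'No CA counter sets found; is Certificate Services installed?' }

# Take the samples (each sample set holds one reading per counter path).
$sampleSets = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples

# One row per counter: average and peak over the sampling window, plus the
# number of readings, so a report can show e.g. failed requests against an SLA.
$report = $sampleSets |
    ForEach-Object { $_.CounterSamples } |
    Group-Object -Property Path |
    ForEach-Object {
        $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
        New-Object PSObject -Property @{
            Counter = $_.Name
            Average = [math]::Round($stats.Average, 2)
            Maximum = [math]::Round($stats.Maximum, 2)
            Samples = $stats.Count
        }
    }

$report | Sort-Object Counter | Format-Table Counter, Average, Maximum, Samples -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"
```

Run it from an elevated PowerShell prompt on the CA; if the OCSP role service is installed, add 'OCSP Server' and 'OCSP Server Connections' to $counterSets to cover the responder as well.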
A solution that provides additional tools to manage Windows Certificate Services
is the Microsoft Operations Manager (MOM) management pack for the CA and OCSP
services. Microsoft plans to release this management pack to coincide with Longhorn
Server's release.