Windows 2000’s Public Key Infrastructure (PKI) manages public-key encryption. This type of encryption uses two keys: a public key and a private key. Messages encrypted with the private key can be decrypted with the public key, and vice versa.
Windows 2000 Certificate Services manages the issuing of certificates. These are documents that verify identity and can include a public/private key pair. Certificates are issued by a certificate authority (CA). There are several types of CA:
Standalone root CAs are used when the organization will be issuing certificates to third parties. The root CA is the most trusted CA in its hierarchy and can authorize subordinate CAs. Standalone CAs do not require Active Directory.
Standalone subordinate CAs are authorized by and subordinate to the root CA.
Enterprise root CAs are used when the organization will be issuing certificates internally, i.e., to employees or students. The enterprise root CA is the highest authority in its hierarchy and can authorize subordinate CAs. Windows 2000 allows one enterprise root CA per certificate hierarchy and any number of root CAs per network. Enterprise CAs require Active Directory.
Enterprise subordinate CAs are authorized by and subordinate to the enterprise root CA.
You can configure a certificate authority on any Windows 2000 Server computer. Follow these steps to install a CA:
In the Control Panel, select Add/Remove Programs, then select Add/Remove Windows Components.
Check the Certificate Services option.
You are warned that the computer cannot be renamed or removed from the domain; click OK.
Select the CA type from the four types listed in the previous section.
Enter the name, organization, city, and other details for the CA and click Next.
Specify a directory for the CA database. The default is C:\WINNT\System32\CertLog. Click Next.
The CA is now installed; this may take several minutes, and the Windows 2000 CD-ROM may be required.
The Windows 2000 Certificate Authority can be managed using the Certificate Authority Manager MMC snap-in, available from the Administrative Tools menu after installation. There is also a web-based interface for enrolling certificates. Various certificate management tasks are described in the following sections.
The process of requesting and being granted a certificate is called enrollment. Follow these steps to request and grant a certificate:
With a web browser, connect to http://servername/certsrv/default.asp.
Select the Request a Certificate option and click Next.
In the Certificate Authority Manager, select Pending Requests in the left pane.
Right-click the pending request and select Issue.
In the browser, access the same URL. Select the Check on a pending certificate option and click Next.
You can now view and use the certificate.
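The same enrollment round trip from the command line, as an added example that is not part of the original text. It assumes the certreq and certutil tools installed with Certificate Services (confirm the switches against your build), a PKCS #10 request already saved as request.req, and the placeholder CA name servername\CAName.

```batch
@echo off
REM Added example: command-line equivalent of the browser enrollment steps above.
REM Assumptions (not from the original text): certreq/certutil from Certificate
REM Services, a request already saved as request.req, and the placeholder CA
REM "servername\CAName" (substitute your own CA name).
set CA=servername\CAName

REM 1. Submit the request. On a CA that holds requests for review, the request is
REM    left pending and the reply reports its request ID.
certreq -submit -config "%CA%" request.req

REM 2. List the pending queue (Disposition 9 = pending) with the fields an
REM    administrator should check before issuing; the pending state exists so
REM    that each request is reviewed rather than issued automatically.
certutil -config "%CA%" -view -restrict "Disposition=9" -out "RequestID,RequesterName,CommonName,NotBefore"

REM 3. Issue (or deny) the request by ID. Replace 5 with the ID reported in step 1.
certutil -config "%CA%" -resubmit 5
REM certutil -config "%CA%" -deny 5

REM 4. Retrieve the issued certificate and confirm it chains to the trusted root CA.
certreq -retrieve -config "%CA%" 5 issued.cer
certutil -verify issued.cer
```

The Pending Requests folder in the Certificate Authority Manager and step 2 here show the same queue, so either path can be used to review a request before it is issued.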