PKI Enhancements in Windows XP Professional and Windows .NET Server
August 24, 2001

Introduction
Microsoft Windows XP Professional and Microsoft Windows .NET Server together provide a range of PKI enhancements that let you secure your network for employees, partners, and customers, and that improve the manageability and performance of the Windows 2000 security architecture. For organizations that require secure business processes and IT infrastructure, Windows XP Professional and Windows .NET Server offer a number of PKI-specific business advantages.

Flexibility

Through integrated virtual private network (VPN) services and standards-based authentication and encryption technologies, Windows .NET Server lets you secure access for employees, partners, and customers. Flexible authentication options include:
- Smart cards
- X.509 certificates
- Kerberos
- Token-based authentication technologies
- Other authentication mechanisms

Strong encryption services include:
- Internet Protocol Security (IPSec)
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol over IPSec (L2TP/IPSec)
- Secure Sockets Layer (SSL)
- Transport Layer Security (TLS)
- Encrypting File System (EFS)

Manageability

Windows XP Professional introduces user certificate auto-enrollment, which lets administrators deploy certificates throughout the enterprise without any user interaction. Windows XP Professional also fully supports the following features:
- Comprehensive PKI cross-certification
- Name constraints, policy constraints, and policy mappings
- Delta certificate revocation lists (CRLs)
- Chained certification authority (CA) configuration
- Delegated policy management
- Unified user management through Microsoft Active Directory

Reliability

Windows XP Professional and Windows .NET Server extend and improve the manageability and performance characteristics of the Windows 2000 security architecture. These improvements include:
- Higher Kerberos performance
- PKI certificate auto-enrollment for users
- More efficient access control list (ACL) evaluation
- A simplified authentication framework and ACL editor
- A new Credential Manager for multiple security identities
- Smart card support for the IEEE 802.11 Extensible Authentication Protocol (EAP)
- Integrated PKI key archival and recovery tools
- Encrypted offline files (client-side cache)

Business Advantages

For organizations that need secure business processes and IT infrastructure, Windows XP Professional and Windows .NET Server offer a number of PKI-specific business advantages.

Windows .NET Server

Windows .NET Server includes a full-featured PKI that provides public key cryptography for:
- Secure intranets and extranets
- Confidential, secure email
- Controlled trust solutions
- Protection of files on laptops and other storage devices against loss or theft
- Access control and single sign-on across multiple web and application servers
- Digital signatures that protect transactions from tampering and legally bind remote users
- Trusted, always-on network connections for remote offices, with network resources available on demand
- Scalability to support millions of users and large transaction volumes

Windows XP Professional

The PKI is an organic component of the Windows XP Professional operating system. The PKI:
- provides single sign-on features that are integrated into routine network management tasks;
- supports the network and the applications that run on it;
- provides controlled trust functions;
- supports all applications through CryptoAPI.

By contrast, a third-party PKI must be purchased separately, is typically licensed per certificate, and adds management tasks, so the integrated PKI is a clear business advantage.

Windows XP Professional PKI Components
The Windows XP Professional PKI is built on Microsoft's strong PKI components. This article outlines Microsoft's new features and the improvements to these components within the framework of Windows .NET Server. The main PKI components in Windows XP Professional are the following.

Certificate Services

Certificate Services is an integral part of the core operating system. It allows an organization to act as its own certification authority (CA), issuing and managing digital certificates. The Windows XP Professional trust network supports multi-level CA hierarchies and cross-certification between hierarchies, including both offline and online CAs.

Active Directory

Active Directory is a core operating system service that provides a single place to locate network resources and serves as the PKI's certificate repository and management directory. Windows .NET Server and Windows XP Professional include an enterprise CA, which integrates with Active Directory to provide cost-effective PKI deployment scenarios and convenient policy management. Examples of operations controlled by the enterprise CA:
- SSL client mapping
- Smart card logon
- Certificate auto-enrollment
- X.509 certificate creation

PKI Applications

Applications that support the PKI include EFS, Microsoft Internet Explorer, Microsoft Money, Internet Information Server, the Remote Access Service, Microsoft Outlook, and Microsoft Outlook Express. In addition, a variety of third-party applications use the Windows 2000 and Windows XP Professional PKI.

Exchange Key Management Service

The Exchange Key Management Service (KMS) is a component of Microsoft Exchange that archives and retrieves the keys used for encrypted email. Windows .NET Advanced Server will also provide a tool to migrate the private keys held in the KMS database to a Windows .NET Advanced Server CA. The result is an enterprise-wide key management system with a single repository for enrollment and key archival.
Windows XP Professional Client Enhancements
User Auto-Enrollment

Windows 2000 first introduced certificate auto-enrollment in Certificate Services and the PKI. With Windows 2000, computers and domain controllers can automatically enroll for computer certificates in an Active Directory environment. Auto-enrollment of computer and domain controller certificates is enabled through Group Policy and Active Directory. Computer certificate auto-enrollment is used mainly to provision Windows 2000 Routing and Remote Access Service (RRAS) servers and similar devices for IPSec or L2TP/IPSec VPN connections.

Using Group Policy settings together with version 2 certificate templates, Windows XP Professional lets users enroll for user certificates automatically when they log on. User certificate auto-enrollment is very fast and supports PKI applications in the Active Directory environment (smart card logon, EFS, SSL, S/MIME, and so on). User auto-enrollment reduces the cost of a typical PKI deployment to a minimum: configuring Windows XP Professional clients to use Active Directory lowers the total cost of ownership of a PKI implementation. Figure 1 shows the options available when configuring certificate auto-enrollment.

Figure 1: Auto-Enrollment Settings Properties

Pending Certificate Requests and Renewal

User auto-enrollment in Windows XP Professional supports pending certificate requests and renewal. A certificate can be requested manually or automatically from a Windows .NET Server CA; the request stays pending until an administrator approves it or the verification process completes. Once the certificate is approved and issued, the auto-enrollment process automatically retrieves and installs it. Renewal of expired user certificates also uses the auto-enrollment mechanism.
Depending on the certificate template's settings, the system renews the certificate automatically on the user's behalf.

Delta CRL Support

Windows XP Professional clients support delta CRLs for revocation status checking. In practice, the client uses whatever revocation-checking modules are installed and available to CryptoAPI. By default, a Windows XP Professional client tries the delta CRL first, then the regular (base) CRL. Other modules, such as Online Certificate Status Protocol (OCSP) clients, may be installed and consulted in the preferred order. For more information, see the Platform Software Development Kit (SDK) on MSDN (Microsoft Developer Network).

Smart Cards

Windows 2000 introduced the ability to log on to workstations and servers with a smart card. In addition to supporting auto-enrollment, Windows XP Professional extends smart card functionality with the following important features.

Smart card support in key tools and utilities: Administrators need to be able to use alternate credentials so that they can do day-to-day work with normal user rights while still performing specific administrative functions. Utilities such as Net.exe and Runas.exe meet this need, and in Windows XP Professional these tools support smart cards.

Smart cards for Terminal Server: Windows XP Professional allows smart cards and smart card readers attached to a Terminal Server client to perform smart card operations on the Terminal Server computer. To use this feature, you must run Windows .NET Server on the Windows .NET Terminal Server and Windows XP Professional on the Terminal Server client.
The Windows .NET Terminal Server client software can also run on a Windows 2000 computer.

Encrypting File System Enhancements

EFS functionality is significantly improved for Windows XP Professional clients. Windows XP Professional gives corporate users greater flexibility in encrypting data files and folders. The new features include:
- Full support for revocation checking of the certificates the system uses
- Alternate color (green) display of encrypted files and folders in the shell user interface (UI)
- Encrypted offline files (client-side cache)
- Multi-user support for encrypted files in the shell UI

All of the new EFS features are available only on Windows XP Professional clients.

Multi-User Support for Encrypted Files

Windows XP Professional now supports sharing a single encrypted file among multiple users. Although group sharing is not supported, the EFS file sharing feature offers another opportunity for data recovery and business collaboration by adding users to an encrypted file. Encrypted file sharing is a convenient and useful way for users to collaborate on an encrypted file without having to share private keys. File sharing is enabled through a new Details button on the advanced file attributes UI; the button is available only when the file is encrypted. A file must be encrypted and saved before other users can be added to it. To add a user, open the Advanced Properties of the encrypted file and click Details. A user can add other users from the local computer or from Active Directory, provided those users have a valid EFS certificate. See Figure 2 for an illustration of the encryption properties.

Figure 2: Encryption Properties

WebDAV

Web-based Distributed Authoring and Versioning (WebDAV) is a file access protocol described in Extensible Markup Language (XML). It runs over Hypertext Transfer Protocol (HTTP) and works over existing Internet infrastructure such as firewalls and routers. EFS combined with WebDAV folders provides a simple and secure way to share sensitive data across networks. EFS over WebDAV eliminates the need to buy specialized software to share encrypted files securely.
EFS's strong encryption combines with the file sharing features in Windows XP Professional to simplify sharing sensitive data. Files can be stored on a general-purpose file server (or in an Internet community such as the Microsoft Network) for easy access while remaining strongly protected by EFS. For organizations that want a simple security solution without deploying complex infrastructure or expensive technology, the combination of EFS and WebDAV folders supports a variety of collaboration environments.

Encrypted Offline Files (Client-Side Cache)

Windows 2000 introduced client-side caching, also known as Offline Files. This is a Microsoft IntelliMirror management technology that lets network users access files on network shares even when the client is disconnected. When a mobile user views a share while disconnected from the network, the user can still browse, read, and edit the files because they are cached on the client. When the user later reconnects to the server, the system synchronizes the changes with the copy on the server. Windows XP Professional clients can now encrypt offline files and folders with EFS. This feature is particularly attractive to users who need to work offline while keeping their data secure. For an illustration of the option to encrypt the offline files database, see Figure 3.

Figure 3: Encrypt Offline Files Database

Additional Algorithm Support

Windows XP Professional clients now support a stronger, optional EFS encryption algorithm in addition to the default DESX algorithm. Clients can now use algorithms compliant with Federal Information Processing Standards (FIPS) 140-1, such as 3DES (shipped with Windows XP Professional).
The 3DES algorithm is selected by changing the Group Policy option "Default algorithm policy for FIPS-compliant applications", found under Security Settings > Local Policies > Security Options.

Disabling Data Recovery

Windows XP Professional client functionality, combined with the Active Directory enhancements in Windows .NET Server, provides organizations with a more flexible data recovery policy. In Windows XP Professional, a Data Recovery Agent (DRA) is no longer required for EFS. For organizations that have deployed key archival and recovery policies without a DRA, data recovery can now be disabled in Group Policy for Windows XP Professional clients.

CAPICOM

CAPICOM is an Automation-enabled Component Object Model (COM) client that performs cryptography through Microsoft ActiveX and COM objects. Applications written in a variety of programming languages, such as Microsoft Visual Basic, Microsoft Visual Basic Scripting Edition, and Microsoft Visual C++, can use CAPICOM to perform basic cryptographic tasks. For example, a Visual Basic application can use CAPICOM objects to digitally sign data, verify a data signature, envelope data for confidentiality, and encrypt and decrypt arbitrary data. CAPICOM-based applications use the most common parameters as default property settings, but advanced signing or encryption properties can also be set.

CAPICOM and CryptoAPI

CAPICOM uses the PKI and is built on CryptoAPI, an application programming interface whose services let application developers strengthen application security with cryptography. CryptoAPI functionality includes encrypting and decrypting data for simple and complex message handling, creating and verifying digital signatures, and authenticating through digital certificates.
Because CAPICOM uses CryptoAPI, digital signature applications can take advantage of CryptoAPI-enabled smart cards through the cryptographic service provider (CSP) interface.

Root CA Auto Update

Before a CA can use a new root certificate, it has to wait for that root to be installed in client certificate stores. In the past, roots shipped with major product releases; for example, Microsoft Internet Explorer and Windows 2000 included root certificates at release time. Because there was no way to distribute a new root certificate automatically, a CA had to wait until users had upgraded before it could offer certificate services based on the new root.

Windows Update

Windows XP Professional delivers current CA root certificate information in a timely manner; the certificates can be downloaded from the Windows Update web site. When a user visits a secure web site (using Hypertext Transfer Protocol Secure [HTTPS]), reads secure email using Secure/Multipurpose Internet Mail Extensions (S/MIME), or downloads an ActiveX control that uses a new root certificate, the Windows XP Professional certificate chain verification software checks Windows Update and downloads the required root certificate. The process is seamless: the download is carried out automatically in the background.
Third-Party Root Certificates

Windows XP Professional gives administrators greater control over which root certificates their clients trust. All third-party root certificates are moved to a separate logical certificate store that the root certificate auto update feature refreshes regularly. Administrators in a Windows .NET Server domain can disable this store through Group Policy. Root CAs that wish to have their root CA certificate distributed through auto update should submit a request to caasubmit@microsoft.com.

Software Restriction Policy

The software restriction policy in Windows XP Professional provides a policy-driven way to identify software and control whether it can run. Administrators define rules that control when software is allowed to run. These rules are part of Group Policy, so they can be set at the site, domain, or organizational unit (OU) level. A software restriction policy consists of a default rule that decides whether software may run, plus exceptions to that rule. For example, one default option is to run all software except a specified set of programs; the other is to run no software except a specified set of programs. For an illustration of the software restriction policy settings, see Figure 4.

Figure 4: Software Restriction Policies - Local Security Settings

Software Identification Rules

Administrators can identify software with any of the following kinds of rule.

Hash rules: The Software Restriction Policies Microsoft Management Console (MMC) snap-in lets an administrator browse to a file and identify the program by computing its hash value. The hash value is a unique identifier, a digital fingerprint, of the program. The file can be renamed or moved to another folder or computer and still has the same hash value.
Path rules: A path rule identifies software by its full path name (for example, C:\Program Files\Microsoft Office\Office\Excel.exe) or by the leading path of the folder that contains it (for example, C:\Windows\system32), which covers that directory and all files in its subdirectories. Path rules can also use environment variables, such as %UserProfile%\Local Settings\Temp.

Certificate rules: A certificate rule identifies software by the publisher certificate used to digitally sign it. For example, an administrator can configure a certificate rule that allows software signed by Microsoft or by the organization's own IT department.

Zone rules: A zone rule identifies software by the Internet Explorer zone it came from: Internet, local intranet, trusted sites, or restricted sites.

Controlling Digitally Signed Software

Software restriction policy strengthens an administrator's control over digitally signed software in the following ways.

Restricting ActiveX controls: Using software restriction policy together with trusted publisher certificates, an administrator can specify the domains from which Internet Explorer may run ActiveX controls. If the publisher of an ActiveX control is on the trusted publishers list, the control runs automatically after it is downloaded. Software restriction policy can also list unauthorized publishers, which automatically prevents controls from those publishers from running. It can likewise control what happens with unknown publishers (those neither explicitly trusted nor untrusted). The policy can be set so that only local or domain administrators decide which publishers are trusted, and ordinary users are prevented from making that decision.

Windows Installer: Programs installed with Windows Installer can be digitally signed. With software restriction policy, administrators can require that such software carry a digital signature from specific publishers.
Windows Installer checks for a recognized signature before installing the software on a computer.

Visual Basic script digital signatures: Visual Basic script files can also be digitally signed.
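As an added example (not code from this page or from Microsoft), the following Go program models how the four rule types described above identify a program and how they combine with the default rule. The rule precedence it applies (hash, then certificate, then path, then zone, with the most specific path rule winning) and the use of SHA-256 as the fingerprint are assumptions not stated on this page; the policy, environment variable, paths and publisher name are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed model of software restriction policy rule evaluation. Not
// Windows code. Assumed, not stated on the page: rules are consulted in the
// order hash, certificate, path, zone (first matching kind decides), the
// longest matching path rule wins, and SHA-256 stands in for the snap-in hash.

type Level int

const (
	Disallowed   Level = iota // default "run nothing except listed programs"
	Unrestricted              // default "run everything except listed programs"
)

func (l Level) String() string { return [...]string{"Disallowed", "Unrestricted"}[l] }

type RuleKind int

const (
	HashRule RuleKind = iota // digital fingerprint of the file contents
	CertRule                 // publisher certificate that signed the file
	PathRule                 // full file path or containing folder, may use %VAR%
	ZoneRule                 // Internet Explorer zone the file came from
)

// Match holds a hex hash, publisher name, path, or zone name depending on Kind.
type Rule struct{ Kind RuleKind; Match string; Level Level }

// Env maps %VAR% names (such as UserProfile) to their expansions.
type Policy struct{ Default Level; Rules []Rule; Env map[string]string }

// Program is what the policy can see about a file that is about to run.
type Program struct {
	Path      string
	Contents  []byte
	Publisher string // empty when unsigned
	Zone      string // e.g. "Internet"; empty for local files
}

func HashOf(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// normPath lowercases, normalises separators and expands %VAR% references.
func (pol Policy) normPath(p string) string {
	p = strings.ToLower(strings.ReplaceAll(p, "/", `\`))
	for k, v := range pol.Env {
		p = strings.ReplaceAll(p, "%"+strings.ToLower(k)+"%", strings.ToLower(v))
	}
	return p
}

// Evaluate returns the level that applies to prog and the rule that decided
// it (nil when only the default rule applied). A lower score wins: the kind
// sets the high bits, and a longer path lowers the score among path rules.
func (pol Policy) Evaluate(prog Program) (Level, *Rule) {
	h, path := HashOf(prog.Contents), pol.normPath(prog.Path)
	var best *Rule
	bestScore := 1 << 30
	for i := range pol.Rules {
		r := &pol.Rules[i]
		score, hit := int(r.Kind)<<20, false
		switch r.Kind {
		case HashRule:
			hit = strings.EqualFold(r.Match, h)
		case CertRule:
			hit = prog.Publisher != "" && strings.EqualFold(r.Match, prog.Publisher)
		case PathRule: // exact file, or a folder covering all its subdirectories
			m := strings.TrimSuffix(pol.normPath(r.Match), `\`)
			hit = path == m || strings.HasPrefix(path, m+`\`)
			score -= len(m)
		case ZoneRule:
			hit = strings.EqualFold(r.Match, prog.Zone)
		}
		if hit && score < bestScore {
			best, bestScore = r, score
		}
	}
	if best == nil {
		return pol.Default, nil
	}
	return best.Level, best
}

// ExamplePolicy is a constructed policy built around the page's sample paths.
func ExamplePolicy() Policy {
	return Policy{
		Default: Disallowed,
		Env:     map[string]string{"UserProfile": `C:\Documents and Settings\alice`},
		Rules: []Rule{
			{HashRule, HashOf([]byte("constructed blocked tool")), Disallowed},
			{CertRule, "Microsoft Corporation", Unrestricted},
			{PathRule, `C:\Program Files\Microsoft Office\Office\Excel.exe`, Unrestricted},
			{PathRule, `C:\Windows\system32`, Unrestricted},
			{PathRule, `%UserProfile%\Local Settings\Temp`, Disallowed},
			{ZoneRule, "Internet", Disallowed},
		},
	}
}

func main() {
	lvl, r := ExamplePolicy().Evaluate(Program{Path: `C:\Windows\system32\notepad.exe`})
	fmt.Println("notepad.exe:", lvl, "decided by rule:", r != nil)
}
```

With this policy a signed installer in the user's Temp folder still runs (the certificate rule outranks the path rule), while a file whose hash is listed is blocked even under C:\Windows\system32; both behaviours follow from the precedence assumed in the comment, so check it against your own platform documentation before relying on it.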
Administrators can configure the software restriction policy so that a Visual Basic script file (.vbs) must carry a recognized software publisher's digital signature before it will run.

New Features in Windows .NET Server
Version 2 Certificate Templates

The Windows 2000 and Windows XP Professional PKI uses certificate templates stored in Active Directory. These templates provide the default content of certificate requests to an enterprise CA (as opposed to a standalone CA). Policy management in an Active Directory environment is done through certificate templates: the enterprise CA uses them to determine the authentication, certificate format, cryptographic service provider (CSP), key size, and X.509 extension requirements. To account for registration authorities, certificate officers, and other authorizations, the templates in Windows XP Professional have been extended to incorporate the signing and authentication requirements for issuing a certificate.

Version 1 and Version 2 Certificate Templates

Version 1 templates: Windows 2000 Server and Windows 2000 Professional clients support a fixed set of default certificate templates in Active Directory. These templates cannot be customized or added to; they are version 1 templates and can be used only as defined when they are created and replicated.

Version 2 templates: Windows .NET Server extends the range of properties that can be configured in version 1 templates. The extensions include:
- Creating new certificate templates
- Copying existing templates
- Superseding templates already in use

Use Windows .NET Server to edit version 2 templates to meet application or business needs. When a version 1 template is copied, it is automatically updated to a version 2 template. Version 2 templates add the following capabilities to enrollment and certificate issuance:
- Custom enrollment policy
- Certificate domain authentication
- Certificate administrator
- Enrollment agent signing
- Key creation: key type and CSP type
- Certificate content: validity and key usage
- Key archival

Creating and Customizing Certificate Templates

You can create and customize certificate templates to meet special business and usage requirements. Because one template can supersede another, creating or customizing a template is more convenient: users or computers can be re-enrolled automatically with an updated certificate simply by enabling auto-enrollment and superseding one template with another. By replacing an existing template, you can modify a certificate deployment quickly and easily, without worrying about modifying or updating certificates during deployment.

Key Archival and Recovery

Comparing Windows 2000 Server and Windows .NET Server

Windows 2000 Server: For data recovery, Windows 2000 Server uses a Data Recovery Agent to decrypt EFS-encrypted files. The Exchange Server Key Management Server uses a key recovery method for email encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).

Windows .NET Server: With Windows .NET Server, a CA can archive and recover the private key associated with an individual certificate request. Private key recovery does not recover any data or messages; it simply lets a user retrieve a lost or damaged key, or lets an administrator take over access to user data or data recovery. Usually, data recovery cannot be performed unless key recovery is performed first.

Steps of the Key Archival and Recovery Process

The key archival and recovery process consists of the following steps:
1. The enterprise CA uses the certificate template definition to determine whether the client's certificate request should also contain the private key for archival.
2. The client generates a public/private key pair and sends the certificate request to the CA. The client uses the Certificate Management protocol using Cryptographic Message Syntax (CMS), also called CMC, for the request.
3. The request payload contains the user's private key, encrypted with the CA's public key.
4. The CA first decrypts the private key in the request and then verifies that the user's private key corresponds to the public key in the certificate request. The enterprise CA also checks the certificate template in Active Directory to ensure that the private key is suitable for archival.
5. The CA generates a random 3DES (Triple Data Encryption Standard) symmetric key and encrypts the user's private key with it.
6. Based on policy settings, the symmetric key that protects the user's private key is encrypted with the public keys of one or more key recovery agents (KRAs). The result is stored in a recovery blob for the certificate request in the CA database.

The key archival process lets the CA administrator configure the minimum number of KRAs able to decrypt a user's private key. A KRA must hold a special certificate type, which may (or may not) be issued by the same CA. The CA administrator can also decide whether KRAs are selected in round-robin fashion. An important aspect of the CA's archival and recovery feature is that the CA holds no private key material for decrypting a private key that a KRA protects: only the KRAs' public key certificates are used to encrypt the user's private key, and recovery is performed from the management console.
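The following Go program is an added, constructed model of the archival steps just listed; it is not Microsoft code and does not implement the CMC/CMS wire format. The client seals its private key for the CA (steps 2 and 3), the CA checks that the key matches the requested public key and re-seals it under a random 3DES key wrapped to each KRA's public key (steps 4 to 6), and a KRA later recovers it with its own private key. Carrying the private key under a one-time 3DES key that is itself wrapped with RSA-OAEP is an assumption, since a single RSA operation cannot encrypt a whole key; the CA, KRA and client keys are generated on the fly.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Constructed model of the archival steps above; not Windows code. Assumed:
// each leg carries the key under a fresh 3DES key wrapped with RSA-OAEP.

// seal encrypts data under a new random 3DES key (CTR mode, IV prepended).
func seal(data []byte) (key, out []byte, err error) {
	rnd := make([]byte, 24+des.BlockSize) // 3DES key || IV
	if _, err = rand.Read(rnd); err != nil {
		return nil, nil, err
	}
	block, _ := des.NewTripleDESCipher(rnd[:24]) // 24-byte key is always valid
	out = append(append(out, rnd[24:]...), make([]byte, len(data))...)
	cipher.NewCTR(block, rnd[24:]).XORKeyStream(out[des.BlockSize:], data)
	return rnd[:24], out, nil
}

// unseal reverses seal for the holder of the RSA key the 3DES key was wrapped to.
func unseal(priv *rsa.PrivateKey, sealed, wrapped []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	block, err2 := des.NewTripleDESCipher(key) // also fails on a nil key
	if err != nil || err2 != nil || len(sealed) < des.BlockSize {
		return nil, errors.New("cannot unwrap key or ciphertext too short")
	}
	data := make([]byte, len(sealed)-des.BlockSize)
	cipher.NewCTR(block, sealed[:des.BlockSize]).XORKeyStream(data, sealed[des.BlockSize:])
	return data, nil
}

func wrap(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// CAArchive (steps 4-6): decrypt the private key, check that it matches the
// public key in the request, then seal it under a random 3DES key that is
// wrapped to each KRA's public key. No KRA private key is needed here.
func CAArchive(caPriv *rsa.PrivateKey, reqPub *rsa.PublicKey, sealed, wrapped []byte,
	kras map[string]*rsa.PublicKey) (archived []byte, forKRA map[string][]byte, err error) {
	der, err := unseal(caPriv, sealed, wrapped)
	if err != nil {
		return nil, nil, err
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil || !priv.PublicKey.Equal(reqPub) {
		return nil, nil, errors.New("private key unreadable or does not match the request")
	}
	archKey, archived, err := seal(der)
	if err != nil {
		return nil, nil, err
	}
	forKRA = map[string][]byte{}
	for name, pub := range kras {
		if forKRA[name], err = wrap(pub, archKey); err != nil {
			return nil, nil, err
		}
	}
	return archived, forKRA, nil
}

// KRARecover: a KRA applies its own private key to its entry to recover the key.
func KRARecover(kraPriv *rsa.PrivateKey, archived, entry []byte) (*rsa.PrivateKey, error) {
	der, err := unseal(kraPriv, archived, entry)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// RunArchivalDemo runs the flow with constructed keys. It returns nil only if a
// listed KRA recovers the exact key and a different key cannot open that entry.
func RunArchivalDemo() error {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	ca, kra1, kra2, outsider, orig := gen(), gen(), gen(), gen(), gen()
	k, sealed, err := seal(x509.MarshalPKCS1PrivateKey(orig)) // steps 2-3: client side
	if err != nil {
		return err
	}
	wrapped, _ := wrap(&ca.PublicKey, k) // a failure here surfaces in CAArchive
	kras := map[string]*rsa.PublicKey{"kra1": &kra1.PublicKey, "kra2": &kra2.PublicKey}
	archived, forKRA, err := CAArchive(ca, &orig.PublicKey, sealed, wrapped, kras)
	if err != nil {
		return err
	}
	if got, err := KRARecover(kra2, archived, forKRA["kra2"]); err != nil || !got.Equal(orig) {
		return errors.New("listed KRA failed to recover the original key")
	}
	if _, err := KRARecover(outsider, archived, forKRA["kra2"]); err == nil {
		return errors.New("a key other than the KRA's must not open its entry")
	}
	return nil
}

func main() { fmt.Println("key archival demo error:", RunArchivalDemo()) }
```

The point to take from the model is the one the text makes: the CA database holds the user's key only under a symmetric key that is wrapped to KRA public keys, so compromising the CA database alone does not yield usable private keys, and every KRA that is to be able to recover gets its own wrapped entry.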
This ensures that no one can compromise the security of the archived keys. Multiple key recovery agents can be used at the same time; using several KRAs ensures that no single KRA can recover every private key associated with certificates issued by a given CA. Third-party CSPs can be used to generate the key pair.

Delta Certificate Revocation Lists

In Windows 2000, the CA is responsible for providing certificate status information by issuing a complete CRL (see RFC 2459). CRLs can be published manually or automatically in advance. In Windows .NET Server, a CA may also publish delta CRLs (see RFC 2459).

Delta CRLs Compared with Full CRLs

A delta CRL lists only the certificates whose status has changed since the complete (base) CRL was issued. Compared with standard CRL publication, delta CRLs have several main advantages:

- The object is far smaller than a complete CRL.
- It can be published frequently with little or no impact on clients or the network infrastructure.
- Revocation status latency is minimal.

Qualified Subordination

Qualified subordination lets a parent CA restrict the functions of a subordinate CA after creating it in the certification hierarchy. Qualified subordination also enables the powerful cross-certification features used by Windows .NET Server CAs. In Windows 2000, subordination is based on default policy; in this delegation model, none of the subordinate CA's functions are restricted. Windows XP CAs provide qualified subordination, which lets administrators add restrictions to CA certificates. These restrictions are converted into certificate extensions in the issued certificate and are added when the original request is created: using CMS data structures, the certificate management protocol bundles them into the original request, and the administrator then issues the new certificate.
Signing certificates can also carry similar restrictions. These restrictions form the basis of the delegation model.

Qualified Subordination Extensions

The following table lists the extensions used for qualified subordination, with the section of RFC 2459 where each is defined.
Extension name         RFC 2459   Qualification
Name Constraints       4.2.1.11   Restrict the names (for example DNS, email, UPN) a CA may certify
Certificate Policies   4.2.1.5    Specify the issuance policies the CA can use
Policy Constraints     4.2.1.12   Inhibit policy mapping
Policy Mappings        4.2.1.6    Map the issuer's policy to the subject's policy
Basic Constraints      4.2.1.10   Restrict the path length
Application Policy     (none)     No RFC 2459 reference; no application policy is currently specified there

Name constraints: Name constraints limit the range of names that a CA and its subordinates are allowed, or not allowed, to certify. The Windows .NET PKI supports several name constraint types: Domain Name System (DNS) names, Internet Protocol (IP) addresses and email names, and user principal names (UPNs).

Certificate policies: A certificate policy defines a list of acceptable issuance policies, identified by object identifiers (OIDs). The OIDs used are implementation-specific and may vary by application or implementation.

Policy constraints: Policy constraints define whether policies may be mapped in the chain. They also allow issuance policies to be enforced throughout the certificate chain.

Policy mappings: A policy mapping allows a policy of one domain to be mapped to a policy of another domain. This is the basic building block of cross-certification. Policy mappings can also be used between forests.

Basic constraints: Basic constraints can limit the path length in the CA hierarchy. This prevents a subordinate CA from signing another subordinate CA.

Application policy: An application policy defines what a certificate can be used for or accepted for. It is similar to the Extended Key Usage extension, but an application policy also takes into account policy qualifiers that may map to other policy restrictions.

Common Criteria Role Separation

The Windows .NET Certificate Server requires the CA to support the role separation that the Common Criteria require.
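As an added illustration of two of the extensions in the table above (name constraints and basic constraints with a path length), and not Windows code, the following Go program builds a constructed two-level hierarchy with the standard crypto/x509 package, gives the subordinate CA a name constraint limiting it to names under example.com and a path length of 0, and then checks which end-entity certificates chain to the root: an in-scope name verifies, an out-of-scope name fails, and a certificate issued through a further sub-CA fails because of the path length, even though the constrained CA signed that sub-CA. The CA names and host names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed illustration of qualified subordination (name constraints and
// basic constraints / path length) using Go's chain builder. Not Windows code.

var serial int64 = 1000 // constructed serial numbers

func keygen() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// template builds a CA or end-entity certificate template for cn.
func template(cn string, ca bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parent; pass tmpl as its own parent for a self-signed root.
func issue(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Hierarchy: root -> qualified subordinate CA limited to names under
// example.com with path length 0, as a parent CA would configure it.
type Hierarchy struct {
	Root, Sub *x509.Certificate
	SubKey    *ecdsa.PrivateKey
}

func BuildHierarchy() (*Hierarchy, error) {
	rootKey, subKey := keygen(), keygen()
	rootT := template("Constructed Root CA", true)
	root, err := issue(rootT, rootT, rootKey, rootKey)
	if err != nil {
		return nil, err
	}
	subT := template("Constructed Qualified Sub CA", true)
	subT.MaxPathLen, subT.MaxPathLenZero = 0, true       // basic constraints: no further CAs
	subT.PermittedDNSDomains = []string{"example.com"} // name constraints
	sub, err := issue(subT, root, subKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{root, sub, subKey}, nil
}

// VerifyLeaf issues a server certificate for dnsName from issuer and reports
// whether it chains to the root under the subordinate's constraints.
func (h *Hierarchy) VerifyLeaf(dnsName string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, extra ...*x509.Certificate) error {
	t := template(dnsName, false)
	t.DNSNames = []string{dnsName}
	leaf, err := issue(t, issuer, keygen(), issuerKey)
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Sub)
	for _, c := range extra {
		inters.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// CheckAll runs three constructed cases and reports whether each chain
// verifies: an in-scope name, an out-of-scope name, and a leaf issued by a
// sub-sub CA that the constrained CA signed despite its path length of 0.
func CheckAll() (map[string]bool, error) {
	h, err := BuildHierarchy()
	if err != nil {
		return nil, err
	}
	rogueKey := keygen()
	rogue, err := issue(template("Constructed Sub-Sub CA", true), h.Sub, rogueKey, h.SubKey)
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"www.example.com from sub CA":     h.VerifyLeaf("www.example.com", h.Sub, h.SubKey) == nil,
		"mail.example.net from sub CA":    h.VerifyLeaf("mail.example.net", h.Sub, h.SubKey) == nil,
		"app.example.com from sub-sub CA": h.VerifyLeaf("app.example.com", rogue, rogueKey, rogue) == nil,
	}, nil
}

func main() { r, err := CheckAll(); fmt.Println(r, err) }
```

Note that nothing stops the constrained CA from signing the sub-sub CA or the out-of-scope leaf; the restriction is enforced by the relying party's path validation, which is why the extensions have to be in the subordinate's own certificate rather than only in its local policy.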
The purpose of role separation is to ensure that no single person can compromise the CA's services or operation. Role separation also supports delegation of tasks. See the CA roles table.

Auditing

In Windows 2000 and Windows .NET Server, the CA database records all CA events; it provides detailed information about, and a history of, major events and operations.

Auditing Enhancements

The Windows .NET Server CA also provides additional auditing in the Windows NT event log. Two kinds of audit events are generated: access check events and system events. System events fall into seven categories:
- CA service
- Backup and restore
- Certificate requests
- Certificate revocation
- CA security
- Key archival and recovery
- CA configuration

Secure Sockets Layer (SSL)

The SSL and Transport Layer Security (TLS) services have received several major improvements that raise performance and add functionality.

SSL/TLS-based authentication: Version 2 certificate templates, name constraints, and auto-enrollment combine to provide strong, management-free, PKI-based authentication over SSL/TLS. With any CA, Windows .NET Server Active Directory lets user certificates be mapped directly to user accounts in Active Directory. No export or import is required, and no user names or passwords are involved. Certificate mapping performed by the Schannel Security Support Provider Interface (SSPI) is available to Internet Information Server, Commerce Server, the Remote Access Service, and many other applications.

Unmatched performance, more SSL handshakes: Windows XP Professional and Windows .NET Server can power an SSL/TLS-enabled e-commerce web site with unmatched performance. The Schannel improvements build on the solid performance of Windows 2000 and allow Windows .NET Server to deliver unprecedented software cryptography throughput. On a single 750 MHz CPU, Windows .NET Server supports approximately 75 SSL handshakes per second. For sites with higher performance requirements, Microsoft has worked closely with independent software vendor (ISV) partners to deliver optimized hardware cryptography. With shareable hardware, Windows .NET Server running Internet Information Server can handle more than 550 new SSL connections per second on an affordable dual-processor 800 MHz computer.

Shared SSL sessions: SSL sessions can now be shared across processes, improving user-perceived performance and supporting Microsoft .NET applications.
Because the load on the web server is reduced, efficiency improves and costs fall: the expensive full SSL handshake is needed only once per client, even when the server receives multiple requests from that client.

Deployment
To take full advantage of the new PKI features in Microsoft Windows, you need to upgrade to Windows XP Professional clients and a Windows .NET Server configuration. Some server-based CA features are available only on Windows .NET Advanced Server. The specific requirements are described in the following sections.

Version 2 templates

To use version 2 templates, you must first extend the Active Directory schema in the forest to the Windows .NET Server schema.

Windows .NET Advanced Server: To issue version 2 templates, you need Windows .NET Advanced Server running Certificate Services.

Windows .NET Standard Server: A Windows .NET Standard Server running Certificate Services cannot issue certificates based on version 2 templates.

Windows XP Professional clients: Windows 2000 clients cannot use the MMC to enroll with version 2 templates. However, Windows 2000, Windows 98, and Windows Millennium Edition (Windows Me) clients can enroll with version 2 templates through the web enrollment pages.

Key archival and recovery

Key archival and recovery templates require the Windows .NET Server/Windows XP Professional schema and Windows .NET Advanced Server acting as an enterprise CA.

Windows .NET Advanced Server: The key archival and recovery procedures are available only on Windows .NET Advanced Server running Certificate Services.

Windows XP Professional clients: Clients must support the Certificate Management Messages over CMS (CMC) enrollment protocol. Windows 2000 and Windows Me clients can use the CMC protocol through the web enrollment pages on a Windows .NET Server enterprise CA, and can submit requests for private key archival through those pages.

User auto-enrollment

User auto-enrollment is available on Windows XP Professional clients and requires a Windows .NET Server schema domain controller to authenticate clients.
This feature also requires Windows .NET Advanced Server to support version 2 templates.

Delta CRLs

Delta CRLs require Windows XP Professional clients and a Windows .NET Server CA.

Qualified subordination (name constraints)

Qualified subordination requires Windows XP Professional clients and the Windows .NET Server schema. Windows .NET Server Internet Information Services (IIS) and PKI-aware application servers make the fullest use of qualified subordination.

Common Criteria

Common Criteria support is a feature unique to the Windows .NET Server CA and is available only on Windows .NET Advanced Server.

To use the features described in this article, you need Windows XP Professional clients. The exception to this requirement is web enrollment for version 2 templates: any Microsoft web client can download the latest version of the Xenroll.dll ActiveX control and enroll with version 2 templates.

Summary and related links
Summary

Windows XP Professional clients and Windows .NET Server provide enhancements for everyone who wants to deploy a PKI (or PKI-aware applications). Flexible user certificate auto-enrollment, version 2 certificate templates, and key archival let you deploy a PKI easily and at significantly lower cost than other industry solutions. Windows XP Professional clients and Windows .NET Server support new industry standards, allowing you to use PKI in a heterogeneous environment built on the Windows platform. This includes deploying public key technology components as part of a company's solution for its users and business partners. For more information on how PKI works with Windows XP Professional and Windows .NET Server, see the following web pages:
Introducing Windows .NET Servers
Public Key Infrastructure
An Introduction to the Windows 2000 Public Key Infrastructure
Microsoft Windows 2000 Public Key Infrastructure
Windows 2000 Server and PKI: Using the nCipher Hardware Security Module