April 30, 2005
Certificate Services and Windows Server 2003 Versions
In one of my most recent postings, I discussed the requirements to issue version 2 certificate templates. The topic clarified the fact that version 2 certificate templates can only be issued by enterprise CAs running on Windows Server 2003, Enterprise Edition. Today, I want to clarify what feature differences exist between Certificate Services running on Standard Edition vs. Enterprise Edition vs. Data Center Edition.
Standard Edition
An enterprise CA running on Windows Server 2003, Standard Edition has functionality very similar to that of a Windows 2000 enterprise CA. The CA has the following functionality:
- Certificates based on version 1 certificate templates can be issued to users, computers, and network devices
- Version 2 certificate templates can be defined and created from the console.
- Certificates based on version 2 certificate templates cannot be issued to users, computers, and network devices
- Key archival, which requires version 2 certificate templates, cannot be implemented
- Autoenrollment is only supported for computer certificates. Autoenrollment is possible through the Automatic Certificate Request Settings (ACRS) Group Policy setting
- Both base CRLs and delta CRLs can be issued by the CA
- Cross-Certification certificates are recognized, but cannot be issued by the CA
- Auditing can be enabled for specific CA and Certificate management tasks
- Permissions can be assigned for role separation, but role separation cannot be enforced
- Certificate Services cannot be clustered for fault tolerance
Important: Small Business Server is the equivalent of a Windows Server 2003, Standard Edition server. This means that the restrictions on Certificate Services for Standard Edition are also relevant to Certificate Services on Small Business Server.
Enterprise Edition
An enterprise CA running on Windows Server 2003, Enterprise Edition has the following functionality:
- Certificates based on version 1 certificate templates can be issued to users, computers, and network devices
- Certificates based on version 2 certificate templates can be issued to users, computers, and network devices
- Key archival, which requires version 2 certificate templates, can be implemented for encryption certificates or for certificates that combine signing and encryption
- Autoenrollment is supported for computer certificates.
- Autoenrollment of version 1 certificate templates is possible for computer accounts through the Automatic Certificate Request Settings (ACRS) Group Policy setting
- Autoenrollment of version 2 certificate templates is possible for computer accounts through a combination of permissions and Group Policy settings
- Autoenrollment of version 2 certificate templates is possible for user accounts through a combination of permissions and Group Policy settings
- Both base CRLs and delta CRLs can be issued by the CA
- Cross-Certification certificates are recognized by the CA
- Cross-Certification certificates can be defined by using version 2 certificate templates and issued by the CA.
- Auditing can be enabled for specific CA and Certificate management tasks
- Permissions can be assigned for role separation
- Role separation can be enforced. If a user holds two or more of the following roles, they are blocked from all Certificate Services management: CA Administrator, Certificate Manager, Auditor, Backup Operator
- Certificate Services cannot be clustered for fault tolerance
Data Center Edition
An enterprise CA running on Windows Server 2003, Data Center Edition has the same functionality as an enterprise CA running on Enterprise Edition, with the following exception: Certificate Services can be clustered for fault tolerance. Of course, not many of us have the funds available to purchase two Data Center licenses.
So When Do I Use Each Server Type?
At my customers, I will typically use a combination of Standard Edition and Enterprise Edition.
- Standard Edition is used for all offline CA computers: Root CAs and Policy CAs.
- Enterprise Edition is used for all online CAs. The online CAs can take advantage of the Enterprise Edition feature set for Certificate Services, allowing more options for security and deployment.
- For demonstrations at conferences such as Tech Ed, I will typically use Enterprise Edition for all CAs in the CA hierarchy, as it makes it easier to use differencing disks in Virtual PC.
HTH,
Brian
Posted by at April 30, 2005 10:08 AM
Comments
Hello,
I am trying to write a tool that will export automatically all
certificates from an offline Certificate Authority to PKCS#7.
I have...
* set up a certificate authority
* created a template with certtmpl.msc that doesn't publish the certificate
in Active Directory (unchecked checkbox in "General")
* autoenrolled a certificate successfully. When I open Certificate
Authority, I can see it there when I run certsrv.msc, so I know it is
somewhere inside, but...
* although MSDN suggests that the certificates should be in enterprise
store, NTAuth, I can't see them when I browse certificate stores either with regedit or certmgr.msc, where the certificates really are. In fact, I couldn't find them with regedit in any part of the tree.
(Needless to say that) I failed when I was trying to evaluate the
certificate stores as documented in CryptoAPI documentation.
I have also tried filemon and regmon from sysinternals.com, but I still
couldn't identify the source.
I also didn't really find any hint or suitable sample in CAPICOM.
Please please please!!! What do I have to do in order to get the issued
certificates from the CA the programmatic way, not by clicking?
Thank you very much in advance!
Posted by: Daria Morgendorffer at April 29, 2006 02:40 AM
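The commenter's question, getting issued certificates out of the CA database without clicking through certsrv.msc, is a common auditing task as well: knowing which templates a CA has actually issued from is the first step in reviewing its configuration. The following PowerShell is an added example, not code from the post or from Microsoft; it queries the CA database through the ICertView COM interface (ProgID CertificateAuthority.View), keeps only rows whose disposition is "issued", writes each certificate out as a DER .cer file and returns a per-template inventory. The CA configuration string and output folder are placeholders you would replace with your own.

```powershell
function Export-IssuedCertificates {
    param(
        [string]$CAConfig = 'CA01\Contoso Issuing CA',  # placeholder "Server\CA name"
        [string]$OutputFolder = 'C:\ca-export'          # placeholder output path
    )
    # Constants from certview.h
    $CVRC_COLUMN_SCHEMA = 0    # resolve column names against the table schema
    $CVR_SEEK_EQ        = 1    # restriction operator: equals
    $CVR_SORT_NONE      = 0
    $CV_OUT_BASE64      = 1    # GetValue format: base64, no PEM header
    $DB_DISP_ISSUED     = 20   # Request.Disposition value for issued certificates

    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $view = New-Object -ComObject CertificateAuthority.View   # ICertView2
    $view.OpenConnection($CAConfig)

    # Keep only issued rows; pending, denied and failed requests are skipped
    $dispCol = $view.GetColumnIndex($CVRC_COLUMN_SCHEMA, 'Request.Disposition')
    $view.SetRestriction($dispCol, $CVR_SEEK_EQ, $CVR_SORT_NONE, $DB_DISP_ISSUED)

    # Ask the CA database for just the columns we need
    $columns = 'RequestID', 'CertificateTemplate', 'NotAfter', 'RawCertificate'
    $view.SetResultColumnCount($columns.Count)
    foreach ($name in $columns) {
        $view.SetResultColumn($view.GetColumnIndex($CVRC_COLUMN_SCHEMA, $name))
    }

    $rows = $view.OpenView()
    $exported = @()
    while ($rows.Next() -ne -1) {          # Next() returns -1 after the last row
        $record = @{}
        $cols = $rows.EnumCertViewColumn()
        while ($cols.Next() -ne -1) {
            $record[$cols.GetName()] = $cols.GetValue($CV_OUT_BASE64)
        }
        # RawCertificate arrives base64-encoded; decode to DER and write a .cer
        $der  = [Convert]::FromBase64String($record['RawCertificate'])
        $path = Join-Path $OutputFolder ('request-{0}.cer' -f $record['RequestID'])
        [IO.File]::WriteAllBytes($path, $der)
        # CertificateTemplate holds a name for version 1 templates, an OID for version 2
        $exported += New-Object PSObject -Property @{
            RequestID = $record['RequestID']
            Template  = $record['CertificateTemplate']
            NotAfter  = $record['NotAfter']
            File      = $path
        }
    }
    return $exported
}

# Per-template counts make unexpected issuance easy to spot in a review
Export-IssuedCertificates | Group-Object Template | Select-Object Name, Count
```

The account running the script needs at least Read permission on the CA; the same query can be reproduced from the command line with certutil -view -restrict "Disposition=20".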