Generate certificates for your extranet users
Perusing Microsoft's Web documentation about its Certificate Services can lead to much confusion about how you should configure this powerful product. When you consider Certificate Services' capability to integrate with other applications and services such as Active Directory (AD), Microsoft Exchange Server, Web applications, and Windows applications you can see why people are confused.
Let's look at using Certificate Services to solve one problem: Suppose you want to use Certificate Services on a Windows 2000 machine to create a Certificate Authority (CA) and generate certificates that your extranet users can use to access your Web site. You also want to use client certificates rather than set up a separate account for each user. This scenario takes advantage of only a fraction of Certificate Services' power, but it can demonstrate the core features of generating and managing certificates.
Getting Started
One of the most interesting aspects of security and Web applications related to Microsoft Internet Information Services (IIS) 5.0 is the use of certificates that map to user accounts. When you're using any type of certificate to identify a user, you must either purchase certificates from a public CA or create a CA and issue your own certificates. The latter method is useful in several situations:
- You need to issue certificates to employees for internal use only.
- Your extranet is accessible by a group of users who aren't employees and don't have accounts in your domain.
- Certificates are necessary for some other use in your applications.
- You need to issue certificates for test purposes.
A CA that you set up can issue certificates, but no external CA vouches for those certificates. As a result, certificates that you issue would be of little value for certifying a user to an entity outside your organization. However, in this scenario you want to use the certificates only internally, so you and your systems can trust the CA (because your organization is the CA).
Before you install Certificate Services, you need to answer a couple of questions. First, do you want Certificate Services to integrate with AD? In our scenario, the answer is no: You need to generate certificates only for external use. External extranet users, not AD users, will be using the certificates, so AD doesn't really matter. Therefore, you can install Certificate Services either on a server that's part of the AD domain or on a server that isn't.
Second, will the server on which you're installing Certificate Services be the root CA? The root CA becomes the basis for all your certificates. As a best practice, a root CA should never issue end-user certificates. Ideally, you should set up a dedicated root CA that only issues root certificates. This approach isolates the root CA from all other certificates and traffic. Because you need to use the certificates to identify users only to your own organization, your Certificate Services server can be the root CA.
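The two ideas above, that your own systems trust your CA while outside parties have no reason to, and that IIS can map a client certificate to a user account, can be shown end to end in code. The following Go program is an added example, not code from this article or from Microsoft's Certificate Services: it stands up a private root CA, lets that root issue client certificates directly (the shortcut the article accepts for an extranet-only CA), and then performs the equivalent of an IIS one-to-one certificate mapping, accepting a certificate only if it chains to that root and has an entry in the account table. The CA name, the user e-mail addresses, and the `accounts` mapping table are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PrivateCA is a constructed stand-in for the Certificate Services root CA in
// the article: it holds the root certificate and key and issues client
// certificates directly, as the article allows for an extranet-only CA.
type PrivateCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
	next int64 // next serial number to issue
}

// NewPrivateCA creates a self-signed root CA certificate.
func NewPrivateCA(name string) (*PrivateCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &PrivateCA{Cert: cert, key: key, next: 2}, nil
}

// IssueClientCert issues a client-authentication certificate whose subject
// identifies the extranet user by e-mail address.
func (ca *PrivateCA) IssueClientCert(email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(ca.next),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.next++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MapClientCert mirrors an IIS one-to-one certificate mapping: the presented
// certificate is accepted only if it chains to our own root (a certificate from
// any other CA, public or private, fails here), and only if an account is bound
// to its e-mail address. accounts is the constructed mapping table.
func MapClientCert(root *x509.Certificate, accounts map[string]string, cert *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("certificate not issued by our CA: %w", err)
	}
	if len(cert.EmailAddresses) == 0 {
		return "", errors.New("certificate carries no e-mail address to map")
	}
	acct, ok := accounts[cert.EmailAddresses[0]]
	if !ok {
		return "", errors.New("no account mapped to this certificate")
	}
	return acct, nil
}

func main() {
	ca, err := NewPrivateCA("Example Extranet Root CA") // constructed CA name
	if err != nil {
		panic(err)
	}
	accounts := map[string]string{"alice@partner.example": "EXTRANET\\alice"} // constructed
	cert, err := ca.IssueClientCert("alice@partner.example")
	if err != nil {
		panic(err)
	}
	acct, err := MapClientCert(ca.Cert, accounts, cert)
	fmt.Println(acct, err) // prints "EXTRANET\alice <nil>"
}
```

The check in `MapClientCert` is the whole point of running your own CA for an extranet: a certificate issued by anyone else, including a well-known public CA, is rejected before the account lookup ever happens, and a certificate your CA issued to a user who has no mapping entry is rejected too. In IIS 5.0 the mapping table itself is configured in the Web site's Directory Security settings rather than in code.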
You can use Certificate Services to set up a CA in a few minutes. You'll need your Win2K Server CD-ROM or access to the installation files on your hard disk or network. You'll also need the Win2K Service Pack 2 (SP2) or SP1 CD-ROM or the network location. To set up the CA, you must install IIS 5.0 on the server. Finally, plan your CA server's name carefully: You won't be able to rename the CA server after installation.