Centralized User PKI Trust Management
Windows 2003 provides three ways to centrally control a PKI user's trust anchors. You can manage trust anchors by using GPO settings, the NTAuth AD store, or the Windows Update service.

The two GPOs that let you control a user's trust anchors are the Trusted Root Certification Authorities GPO and the Enterprise Trust GPO. Both GPOs are located in the Computer Configuration, Windows Settings, Security Settings, Public Key Policies GPO container. The GPO settings are automatically downloaded to PKI clients as part of the Group Policy application process on the Windows client.

The Trusted Root Certification Authorities container is used to distribute trustworthy Enterprise CA certificates to PKI users. The CA entries in this container have unlimited trust (as long as the certificates haven't expired).

The Enterprise Trust container contains a set of certificate trust lists (CTLs), which are signed lists of CA certificates. The certificates are considered trust anchors only if the CTL is signed by using a private key whose public key certificate has been issued by another trust anchor. Administrators can limit how long the CTL entries are valid and for which applications they are valid. To do so, open the Group Policy Object snap-in, navigate to the User Configuration\Security Settings\Public Key Policies\Enterprise Trust container, right-click it, and select New, Certificate Trust List to open the Certificate Trust List Wizard, which Figure 4 shows.

The NTAuth AD store is a special trust anchor store. It holds the CA certificates of all Windows 2003 Enterprise CAs and CAs that are trusted to issue Windows smart card logon certificates or certificates that contain a client authentication EKU or application policy (e.g., for use with Secure Sockets Layer—SSL—client authentication or RAS and VPN authentication). The NTAuth trust anchor certificates are downloaded to every PKI client as part of the Windows autoenrollment event. An autoenrollment event occurs when a user logs on, when an administrator uses the Gpupdate utility to manually refresh the local GPOs, or during an automatic Group Policy refresh (which occurs every 90 minutes by default). The NTAuth certificates are stored in the cACertificate attribute of the NTAuth Certificates object that's in CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>.
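Because every CA in the NTAuth store is trusted to issue smart card logon and client authentication certificates, an administrator should know exactly which CAs are in it. The following PowerShell is an added example, not part of the article: it reads the cACertificate attribute of the NTAuth object from the Configuration partition and lists each CA with its thumbprint and expiry. It assumes a domain-joined host with read access to the Configuration naming context (the object's distinguished name in AD is written CN=NTAuthCertificates).

```powershell
# Added example: audit the CA certificates held in the AD NTAuth store.
# Assumes a domain-joined machine that can read the Configuration partition.
function Get-NTAuthCertificates {
    # Locate the forest's Configuration naming context via RootDSE.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext
    $ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"

    # cACertificate is multi-valued; each value is a DER-encoded certificate.
    $now = Get-Date
    foreach ($raw in @($ntAuth.Properties["cACertificate"])) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt $now)
            # A CA that is in NTAuth but not in the local Trusted Root store
            # is worth a second look, since NTAuth entries are downloaded to
            # every PKI client at autoenrollment time.
            InLocalRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                              Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
        }
    }
}

# List every NTAuth CA; sort expired or unexpected entries to the top for review.
Get-NTAuthCertificates | Sort-Object Expired, InLocalRoot -Descending | Format-Table -AutoSize
```

Compare the output against the list of CAs your organization intentionally permits to issue smart card logon certificates; any entry not on that list should be investigated and, if unwarranted, removed from the store.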

The third centralized user PKI trust management solution is the Root Certificate Update Service, which is a Windows Update extension. This service provides a dynamic CA certificate distribution mechanism that can replace the preloaded CA certificates. You install the required client-side software through the Windows 2003 and XP Update Root Certificate component in the Control Panel Add/Remove Programs applet's Add/Remove Windows Components option.

The Root Certificate Update Service uses a special CTL, called the Windows Update CTL, to automatically download CA certificates when the Windows 2003 or XP client-side certificate-validation software checks the appropriate Windows Update download location. The service downloads new root CA certificates to the Third-Party Certification Authorities container in the machine and user certificate stores. Organizations that want to use this feature to distribute their CA certificate must subscribe to the Microsoft Root Certificate Program. More information about this program is available from the Microsoft TechNet site at http://www.microsoft.com/technet/security/news/rootcert.mspx.

Flexible PKI Trust Definition
Trust is a fundamental concept of PKI. The enhanced trust features of Windows 2003 PKI simplify PKI user-side trust management and enable PKI users to make some trust decisions on their own. Every PKI user should have some understanding of how he or she can make basic PKI trust decisions.
