WindowsPKI 操作指南.docx (Windows PKI Operations Guide)
- Document number: 29947978
- Upload date: 2023-08-03
- Format: DOCX
- Pages: 80
- Size: 338.35 KB
Windows PKI Operations Guide
Windows Server 2003 PKI Operations Guide
Microsoft Corporation
Author:
David B. Cross and Ayman Al Rashed
Abstract
How to configure and operate a Windows certification authority, with operational scenarios, custom configuration information, sample commands, and best practices.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
This document provides a guide for administrators on how to configure and operate a Windows certification authority. Various operational scenarios, custom configuration information, sample commands, and best practices are provided.
Windows Server 2003 provides a flexible and low-TCO solution for deploying a public key infrastructure. Due to the complexity of customer environments and various organization requirements, a Windows Server 2003 certification authority (CA) may require configuration changes. This white paper provides operational best practices and configuration walkthroughs for some of the more common scenarios. It is not intended to cover the entire scope of all operational scenarios and configuration parameters possible with the Windows Server 2003 CA.
Basic Administrative Tasks
For day-to-day tasks, it is usually preferable to create a standard procedure. A procedure is usually organization-dependent, because the processes and people differ from organization to organization. There are, however, common practices employed by most organizations when doing the common day-to-day administrative tasks.
Adding Certificate Templates to a CA
A certificate template profiles certificates based on their intended use. When requesting a certificate from a Microsoft certification authority (CA), depending on their access rights, the certificate requester will be able to select from a variety of certificate types that are based on certificate templates, such as User and Basic EFS. The certificate template saves users from low-level, technical decisions about the type of certificate that they need. Instead, they can rely on the judgment of their administrators and use the template name that indicates the purpose of the certificate. If none of the preset certificate templates meets your needs, you can create new certificate templates and customize them for a variety of different uses.
Note
In addition to assigning the correct permissions for enrollment on a certificate template in Active Directory, you also need to add the template to the list of certificate templates the CA can issue if you want your users to start enrolling for this template.
Note
Only Windows Server 2003 and Windows 2000 Enterprise CAs can issue certificates based on certificate templates; stand-alone CAs cannot use certificate templates.
Note
You need to be a member of Enterprise Admins or Domain Admins, or you need to have enough permissions to write to the Certificate Templates container in Active Directory.
To change the permissions on a certificate template for user enrollment
1. Right-click the Certificate Templates node in the Certification Authority snap-in and select Manage.
2. Double-click a certificate template.
3. On the Security tab, check the Allow boxes for the Read and Enroll permissions.
To add a certificate template to a CA
1. Right-click the Certificate Templates node in the Certification Authority snap-in, and on the New submenu, select Certificate Template to Issue.
2. Select the appropriate template and click OK.
Note
You need to be a CA Administrator to add templates to the CA.
Delegating Administration of Certificate Templates
Although most of the CA-related tasks are achieved through the administration of the CA itself, certain tasks are controlled through Active Directory, such as administration of Certificate Templates.
To delegate the administration of Certificate Templates
1. Right-click the Certificate Templates node in the Certification Authority snap-in and select Manage.
2. Double-click a certificate template.
3. On the Security tab, check the Allow boxes for the Read and Write permissions.
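The three procedures above (enrollment permissions, publishing the template on the CA, and delegating template administration) are all driven from the same two objects: the template in the Configuration partition of Active Directory and the CA's list of issuable templates. The following script is an added example, not part of the original guide, that performs them from the command line with dsacls.exe and certutil.exe. It assumes a forest root of DC=contoso,DC=com, a CA named contoso-ISSUING-CA on host CA01, a template whose common name is ContosoWebServer, an enrollment group CONTOSO\Web Servers and a delegated administration group CONTOSO\PKI Template Admins; all of these are placeholders. The same certutil and dsacls invocations work unchanged from a cmd prompt on Windows Server 2003, where dsacls comes from the Support Tools.

```powershell
# Added example (not from the original guide). All names below are assumptions.
$ConfigDN   = "CN=Configuration,DC=contoso,DC=com"
$TemplateCN = "ContosoWebServer"
$TemplateDN = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigDN"
$CAConfig   = "CA01.contoso.com\contoso-ISSUING-CA"

function Assert-Success([string]$Step) {
    # dsacls and certutil are external commands; stop instead of silently continuing.
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

# 1. Enrollment permission on the template object: Generic Read (GR) plus the
#    Enroll control-access right (CA;Enroll). This is the AD side of
#    "To change the permissions on a certificate template for user enrollment".
dsacls $TemplateDN /G "CONTOSO\Web Servers:GR"
Assert-Success "grant Read on $TemplateCN"
dsacls $TemplateDN /G "CONTOSO\Web Servers:CA;Enroll"
Assert-Success "grant Enroll on $TemplateCN"

# 2. Delegation: Read + Write (GRGW) on the template object lets the group edit this
#    template without being Enterprise Admins or Domain Admins
#    ("To delegate the administration of Certificate Templates").
dsacls $TemplateDN /G "CONTOSO\PKI Template Admins:GRGW"
Assert-Success "delegate administration of $TemplateCN"

# 3. Publish the template on the CA so that clients can actually enroll.
#    This step requires the CA Administrator role on the CA, not AD rights.
certutil -config $CAConfig -SetCATemplates +$TemplateCN
Assert-Success "publish $TemplateCN on $CAConfig"

# 4. Verify: the CA's issuable-template list must now contain the template.
#    certutil -CATemplates prints one "Name: DisplayName -- access" line per template.
$issuable = certutil -config $CAConfig -CATemplates
Assert-Success "list CA templates"
$pattern  = "^" + [regex]::Escape($TemplateCN) + ":"
if (-not ($issuable | Where-Object { $_ -match $pattern })) {
    throw "$TemplateCN is not in the issuable template list of $CAConfig"
}
"$TemplateCN is published on $CAConfig and enrollable by CONTOSO\Web Servers"
```

Run the dsacls steps as an account that can write to the Certificate Templates container and the certutil steps as a CA Administrator; with role separation these are normally different people, which is why the script checks the exit code after each step rather than at the end.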
Issuing Certificates
There are some questions you need to answer and document before issuing a certain certificate. These questions are more relevant to how the certificate is issued from an operational side rather than a technical side.
1. Does my organization currently employ a Certificate Practice Statement (CPS) for this CA?
If it does, did the requester meet all the requirements for enrollment?
2. Are there special requirements for the person issuing the certificate (such as being an Officer) that I must fulfill as an administrator?
3. Are there any documented operational procedures for my organization that I must follow when issuing certificates (such as backup)?
4. Are there any special attributes that must be included in the certificate that are not included in the request (such as Certificate Policy)?
When these questions are answered, and all the requirements are fulfilled, issue the certificate by logging on as a user with Certificate Manager (CA Officer) permissions:
1. Select the Pending Requests node in the Certification Authority snap-in.
2. Right-click the request, then select Issue on the All Tasks submenu.
If one of the requirements is not met, you can either ensure that the requirements are met (such as making the user supply more authentication information) and then issue the certificate, or you can deny the request.
To deny the request
1. Select the Pending Requests node in the Certification Authority snap-in.
2. Right-click the request, then select Deny on the All Tasks submenu.
In either case, make sure you document your actions and the answers to all four questions.
Important
The policy module will always re-process requests that are pended, and if template, configuration, or user group information has changed after the request was originally submitted, the policy module will re-evaluate the request on the new information only.
Note
To re-submit a failed request and issue it, a user must have both the CA Officer and CA Admin permissions on the CA. Obviously, this capability will not be possible when role separation is enabled on the CA.
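The following script is an added example, not part of the original guide, that performs the issue-or-deny decision above from the command line and forces the operator to record the answers to all four questions before the CA is touched. It assumes a CA config string of CA01.contoso.com\contoso-ISSUING-CA and a log path under C:\PKI\Logs; the request ID and the answers in the usage lines are constructed to show the shape of the record, not a real decision. Disposition 9 is the CA database value for a pending request; certutil -resubmit issues a pending request and certutil -deny denies it, both requiring the Certificate Manager (CA Officer) role. Export-Csv -Append requires Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original guide). CA name and paths are assumptions.
$CAConfig = "CA01.contoso.com\contoso-ISSUING-CA"
$LogPath  = "C:\PKI\Logs\request-decisions.csv"

function Get-PendingRequest {
    # Disposition 9 = request is pending in the CA database.
    certutil -config $CAConfig -view -restrict "Disposition=9" `
        -out "RequestID,RequesterName,CertificateTemplate,SubmittedWhen"
}

function Test-RoleSeparation {
    # RoleSeparationEnabled is only present in the CA registry when it has been set;
    # a non-zero exit code therefore means "not enabled".
    $out = certutil -config $CAConfig -getreg CA\RoleSeparationEnabled 2>&1
    if ($LASTEXITCODE -ne 0) { return $false }
    return [bool]($out | Where-Object { $_ -match "RoleSeparationEnabled.*=\s*1\b" })
}

function Resolve-PendingRequest {
    param(
        [Parameter(Mandatory)][int]$RequestId,
        [Parameter(Mandatory)][ValidateSet("Issue","Deny")][string]$Action,
        [Parameter(Mandatory)][hashtable]$Answers   # the four checklist questions
    )
    $questions = "CPSRequirementsMet","OfficerRequirementsMet","ProceduresFollowed","ExtraAttributesNeeded"
    # Refuse to act unless every question has a documented answer.
    foreach ($q in $questions) {
        if (-not $Answers.ContainsKey($q) -or [string]::IsNullOrWhiteSpace($Answers[$q])) {
            throw "Question '$q' must be answered and documented before acting on request $RequestId"
        }
    }
    # A "no" on the CPS or officer question blocks issuance; either fix it or deny.
    if ($Action -eq "Issue" -and ($Answers.CPSRequirementsMet -ne "yes" -or $Answers.OfficerRequirementsMet -ne "yes")) {
        throw "Requirements not met for request $RequestId; fix them or use -Action Deny"
    }
    # Extra attributes cannot be added from this path; the request must be re-submitted with them.
    if ($Action -eq "Issue" -and $Answers.ExtraAttributesNeeded -ne "no") {
        throw "Request $RequestId needs attributes not in the request; have it re-submitted"
    }
    $verb = if ($Action -eq "Issue") { "-resubmit" } else { "-deny" }
    certutil -config $CAConfig $verb $RequestId
    if ($LASTEXITCODE -ne 0) { throw "certutil $verb failed for request $RequestId (exit $LASTEXITCODE)" }

    # Audit record: who did what, when, and the four answers, as the guide asks.
    [pscustomobject]@{
        Time                   = (Get-Date).ToString("o")
        Operator               = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        RequestId              = $RequestId
        Action                 = $Action
        RoleSeparationEnabled  = Test-RoleSeparation
        CPSRequirementsMet     = $Answers.CPSRequirementsMet
        OfficerRequirementsMet = $Answers.OfficerRequirementsMet
        ProceduresFollowed     = $Answers.ProceduresFollowed
        ExtraAttributesNeeded  = $Answers.ExtraAttributesNeeded
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Usage with constructed answers: list what is waiting, then decide on one request.
Get-PendingRequest
Resolve-PendingRequest -RequestId 1042 -Action Issue -Answers @{
    CPSRequirementsMet     = "yes"
    OfficerRequirementsMet = "yes"
    ProceduresFollowed     = "yes, CA database backed up before issuance"
    ExtraAttributesNeeded  = "no"
}
```

The role-separation flag is logged rather than enforced because, as the note above says, the CA itself refuses the combined Officer-plus-Admin operations once it is enabled; the log entry simply makes that state part of the record for the auditor.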
Revoking Certificates
Although certificates are usually used to enhance the trust in an organization, removing the trust from a certain certificate is sometimes required. Before you revoke a certificate, make sure you answer and document the following questions:
1. What is the reason for revoking this certificate?
2. Who requested the revocation of this certificate?
3. Will I ever need this certificate again (such as for verification of signatures or decryption of messages)?
If yes, what is the need (that is, verification of signatures, decryption of messages, normal usage)?
4. Are there special requirements for the person revoking the certificate (such as being an Officer) that I must fulfill as an administrator?
5. Are there any documented operational procedures for my organization that I must follow when revoking certificates (such as backup)?
When all of these questions are answered, and all the requirements are fulfilled, revoke the certificate.
To revoke the certificate
1. Select the Issued Certificates node in the Certification Authority snap-in.
2. Right-click the certificate and select Revoke Certificate on the All Tasks submenu.
3. Choose the correct reason for revocation and click Yes.
Make sure you document your actions and the answers to all five questions.
Note
If you answered yes to question 3, and the need will be full or normal usage, make sure you choose Certificate Hold as the reason. This is the only reason that allows a revoked certificate to be unrevoked later; every other reason is permanent.
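The following script is an added example, not part of the original guide, that performs the revocation above from the command line, enforces the Certificate Hold rule from the note, and also covers the unrevoke step that the next procedure describes. It assumes a CA config string of CA01.contoso.com\contoso-ISSUING-CA and a log path under C:\PKI\Logs; the serial number in the usage lines is constructed. certutil -revoke takes the serial number and a CRL reason code (0 Unspecified, 1 Key Compromise, 2 CA Compromise, 3 Affiliation Changed, 4 Superseded, 5 Cessation of Operation, 6 Certificate Hold) and accepts the word Unrevoke to lift a hold; the CA rejects Unrevoke for a certificate that is not on hold, which the script surfaces through certutil's exit code. Export-Csv -Append requires Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original guide). CA name, paths and serial are assumptions.
$CAConfig = "CA01.contoso.com\contoso-ISSUING-CA"
$LogPath  = "C:\PKI\Logs\revocations.csv"

# Reason values as certutil -revoke accepts them. Numeric codes are the CRL reason
# codes; "Unrevoke" is certutil's keyword for lifting a Certificate Hold.
$ReasonArg = @{
    Unspecified          = 0
    KeyCompromise        = 1
    CACompromise         = 2
    AffiliationChanged   = 3
    Superseded           = 4
    CessationOfOperation = 5
    CertificateHold      = 6
    Unrevoke             = "Unrevoke"
}

function Get-CertDisposition([string]$SerialNumber) {
    # CA database row for this certificate: Disposition 20 = issued, 21 = revoked.
    certutil -config $CAConfig -view -restrict "SerialNumber=$SerialNumber" `
        -out "RequestID,Disposition,RevokedReason,RevokedWhen"
}

function Set-CertRevocation {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,
        [Parameter(Mandatory)][ValidateSet("Unspecified","KeyCompromise","CACompromise","AffiliationChanged",
                                           "Superseded","CessationOfOperation","CertificateHold","Unrevoke")]
        [string]$ReasonName,
        [Parameter(Mandatory)][string]$RequestedBy,   # question 2 of the checklist
        [Parameter(Mandatory)][bool]$NeededAgain      # question 3 of the checklist
    )
    # Guide rule: if the certificate may be needed again for normal use, only
    # Certificate Hold keeps the option to unrevoke. Every other reason is permanent.
    if ($NeededAgain -and $ReasonName -notin "CertificateHold","Unrevoke") {
        throw "Certificate $SerialNumber may be needed again; use CertificateHold, no other reason can be undone"
    }
    # Key or CA compromise must never be downgraded to a hold "just in case".
    if (-not $NeededAgain -and $ReasonName -eq "CertificateHold") {
        throw "Certificate $SerialNumber is not needed again; choose a permanent reason instead of CertificateHold"
    }

    certutil -config $CAConfig -revoke $SerialNumber $ReasonArg[$ReasonName]
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke $ReasonName failed for $SerialNumber (exit $LASTEXITCODE)" }

    # Relying parties only see the change once a CRL carrying it is published.
    certutil -config $CAConfig -CRL
    if ($LASTEXITCODE -ne 0) { throw "CRL publication failed after revoking $SerialNumber (exit $LASTEXITCODE)" }

    # Audit record covering the checklist questions, as the guide asks.
    [pscustomobject]@{
        Time         = (Get-Date).ToString("o")
        Operator     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        SerialNumber = $SerialNumber
        Reason       = $ReasonName
        RequestedBy  = $RequestedBy
        NeededAgain  = $NeededAgain
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Usage with a constructed serial number: put the certificate on hold, confirm the
# database now shows it revoked (Disposition 21), and later lift the hold.
$serial = "6100000012ab34cd56ef78900000000012"
Set-CertRevocation -SerialNumber $serial -ReasonName CertificateHold -RequestedBy "helpdesk ticket 4711" -NeededAgain $true
Get-CertDisposition $serial
Set-CertRevocation -SerialNumber $serial -ReasonName Unrevoke -RequestedBy "helpdesk ticket 4711" -NeededAgain $true
Get-CertDisposition $serial
```

A certificate that was revoked for Key Compromise cannot be brought back with Unrevoke, which is why the function refuses a permanent reason when the answer to question 3 is yes; the opposite guard stops an operator from using Certificate Hold as a soft option for a certificate whose key is known to be compromised.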
If you revoke a certificate with the reason Certificate Hold, and you decide later that you want to unrevoke the certificate, you need to answer and document the following questions:
1. Why am I unrevoking this certificate?
2. Who requested this task?
3. Are there special requirements for the person unrevoking the certificate (such as being an Officer) that I must fulfill as an administrator?
4. Are there any documented operational procedures for my organization that I must follow when unrevoking certificates (such as backup)?
5. Does my organization currently employ a Certificate Practice Statement (CPS) for this CA, and if it does, did the requester meet a