An Enterprise CA issues certificates according to certificate templates that
are stored in Active Directory; the template defines the certificate's
purposes, key options and who may enroll. Stand-alone CAs do not use templates.

When Certificate Services is installed as an Enterprise Certificate Authority
(CA), certificate information is automatically published to objects in
Active Directory. Certificates from a stand-alone CA can also be published in
Active Directory, but an administrator must do this manually.

For web-based certificate requests:
	http://domain/certsrv/

A revoked certificate cannot be reinstated unless it was revoked with the
reason Certificate Hold; every other reason code is permanent. The subject
must instead be issued a new certificate by an administrator with Issue and
Manage Certificates permission on the CA (a Domain Administrator by default).

Certificate Services issues standard X.509 version 3 certificates.

An Enterprise CA in a Windows 2000 domain running Active Directory is
necessary for clients to request certificates with the Certificate Request
Wizard in the Certificates MMC snap-in; stand-alone CAs only take requests
through the web pages or certreq.

You cannot export a certificate's private key unless you use the PKCS #12
(.pfx / .p12) format when exporting; DER, Base64 and PKCS #7 exports carry
only the public certificate. The PFX file is password protected, and the
export is possible only if the key was marked exportable when it was
generated.

A Cryptographic Service Provider (CSP) is the software or hardware module
that performs the cryptographic functions (key generation, signing,
encryption) and holds the private keys on behalf of the CA or client.

You can revoke a certificate in two ways:
	1. CA console: Issued Certificates, right-click the certificate, All
	   Tasks, Revoke Certificate, then choose a reason code.
	2. c:\>certutil -revoke <SerialNumber> [Reason]
	   Reason is a CRLReason code: 0 Unspecified, 1 KeyCompromise,
	   2 CACompromise, 3 AffiliationChanged, 4 Superseded,
	   5 CessationOfOperation, 6 CertificateHold.
Clients do not see the revocation until a new CRL is published and their
cached copy of the old CRL expires.

The certificate database records all requests, issued certificates and
revocations handled by the Certificate Authority (CA). It is a transactional
(Jet/ESE) database, so it consists of the database file (<CAName>.edb) plus
transaction log and checkpoint files (edb*.log, edb.chk). The database and
log files are stored in \WINNT\system32\CertLog\ by default.

Automatic enrollment with Group Policy (Automatic Certificate Request
Settings) requires at least one Enterprise CA online to function. In
Windows 2000 it applies to computer certificates only.

When upgrading an NT4 CA to a Windows 2000 CA, to keep using the policy
module from the NT4 CA, use the regsvr32.exe utility to register the policy
module DLL file, then select that policy module in the CA console.

Stand-alone CAs publish certificate revocation lists (CRLs) to
\WINNT\system32\certsrv\certenroll\. An Enterprise CA publishes the CRL to
Active Directory as well as to that folder.

If a CA is compromised, its CA certificate must be revoked (by the parent
CA) and withdrawn from every trust store. When you revoke a CA's certificate,
that CA and its subordinate CAs become invalid, along with every certificate
they issued. A root CA's self-signed certificate cannot be meaningfully
revoked by the CA itself; for a root the only remedy is removing it from the
Trusted Root CA stores.

To repair a CA after a security breach:
	1. Revoke the certificate of the CA (at its parent CA).
	2. Publish a new CRL containing the revoked CA certificate.
	3. Remove the compromised CA from the Trusted Root CA stores and CTLs.
	4. Inform the affected users of the compromise.
	5. Repair the cause of the compromise, then bring the CA back online
	   with a new CA key pair and certificate; do not reuse the old key.
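The following PowerShell is an added example for these notes, not content from
the original page or from Microsoft: it strings together the certutil
revocation method above and the first three steps of the CA-repair list. It
assumes it runs on the CA as a CA administrator with a current certutil (the
-view, -dump and -delstore verbs are newer than Windows 2000's tool); the
subject names, CA names and the CertEnroll path are placeholders, and the
output-parsing regex assumes certutil's usual "Serial Number:" line format.

```powershell
# Added example, not from the original notes. Assumes: run on the CA as a CA
# administrator; modern certutil; placeholder names below.

# CRLReason codes (RFC 5280) in the form certutil -revoke expects.
$CrlReason = @{
    Unspecified = 0; KeyCompromise = 1; CACompromise = 2; AffiliationChanged = 3
    Superseded  = 4; CessationOfOperation = 5; CertificateHold = 6
}

function Get-IssuedSerial {
    # Look up the serial number of one issued certificate (Disposition 20) by CN.
    param([string]$CommonName)
    $rows = certutil -view -restrict "Disposition=20,CommonName=$CommonName" -out SerialNumber
    $m = @($rows | Select-String 'Serial Number:\s*"?([0-9A-Fa-f]+)"?')
    if ($m.Count -eq 0) { throw "no issued certificate with CN=$CommonName" }
    if ($m.Count -gt 1) { throw "several issued certificates match CN=$CommonName; choose the serial by hand" }
    return $m[0].Matches[0].Groups[1].Value
}

function Revoke-AndPublish {
    # Revoke one certificate, publish a CRL at once and verify the CRL lists it.
    param([string]$Serial, [int]$Reason = $CrlReason.Unspecified)
    certutil -revoke $Serial $Reason | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed for $Serial" }
    # Only a CertificateHold (6) revocation can be undone later; all others are final.
    certutil -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -CRL failed' }
    # Newest base CRL in the default publication folder (delta CRLs end in "+.crl").
    $crlDir = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
    $crl = Get-ChildItem $crlDir -Filter *.crl |
        Where-Object { $_.Name -notmatch '\+\.crl$' } |
        Sort-Object LastWriteTime | Select-Object -Last 1
    if (-not (certutil -dump $crl.FullName | Select-String -SimpleMatch $Serial)) {
        throw "serial $Serial is not listed in $($crl.Name)"
    }
    Write-Host "revoked $Serial (reason $Reason); listed in $($crl.Name)"
}

function Remove-CaTrust {
    # Step 3 of the repair list, for the local machine only: drop the CA
    # certificate from the given store (Root for a root CA, CA for a subordinate).
    # Doing this on every domain member is a Group Policy job, not shown here.
    param([string]$CaName, [ValidateSet('Root', 'CA')][string]$Store = 'Root')
    certutil -delstore $Store $CaName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not remove '$CaName' from the $Store store" }
}

# --- Usage with placeholder names ---
# A user's key leaked: revoke that one certificate and publish the CRL.
$serial = Get-IssuedSerial -CommonName 'alice.example.com'
Revoke-AndPublish -Serial $serial -Reason $CrlReason.KeyCompromise

# A subordinate CA was compromised: run this on its parent CA (steps 1 and 2) ...
$subCa = Get-IssuedSerial -CommonName 'Example Issuing CA'
Revoke-AndPublish -Serial $subCa -Reason $CrlReason.CACompromise
# ... and then withdraw trust on each machine (step 3).
Remove-CaTrust -CaName 'Example Issuing CA' -Store 'CA'

# A root CA was compromised: its self-signed certificate cannot usefully be
# revoked, so trust is withdrawn instead.
Remove-CaTrust -CaName 'Example Root CA' -Store 'Root'
```

The verification step matters more than it looks: certutil -revoke only changes
the database row, and relying parties keep honoring the certificate until a
CRL that lists it reaches them, so checking the freshly published CRL for the
serial is the cheapest confirmation that the revocation is actually visible.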

In order to renew a CA's certificate, Certificate Services must not be
running. From the CA console select the Renew CA Certificate task; it stops
the service for you and asks whether to generate a new key pair (choose a
new key pair when the old key may have been exposed or has reached the end
of its lifetime).

To publish certificates in Active Directory, the CA's computer account must
be a member of the "Cert Publishers" group. Installing an Enterprise CA adds
it automatically; if publication to user objects fails, check this
membership first.

A computer cannot be renamed, or joined to or removed from a domain, after
Certificate Services is installed, because the CA name and its certificate
are tied to the machine. You must remove Certificate Services to perform
any of these actions.

If revocation checking from a Netscape 4.0 client is not working, enable
ASP-based revocation checking on the CA (ASP must be enabled in IIS first):
	c:\>certutil -setreg Policy\RevocationType +AspEnable
then restart Certificate Services (net stop certsvc, net start certsvc) for
the setting to take effect.


Certificate File Formats: