Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure

Applies To: Windows Server 2003 with SP1

Note

To download a copy of this document, see https://go.microsoft.com/fwlink/?LinkId=119655.

By David B. Cross and Carsten B. Kinder, Microsoft Corporation

In This White Paper

About This Document

Overview of the PKI Design Process

Integration Into Existing Environments

Windows Server 2003 PKI and Dependencies

Deployment Planning

Creating Certificate Policies and Certificate Practice Statements

Example Scenario for Contoso

Stand-alone Offline Intermediate CA (IntermediateCA1)

Stand-alone Offline Intermediate CA (CorporateSub2CA)

Online Enterprise Issuing CAs (CorporateEnt1CA)

Certification Authority Maintenance

Appendix A: Directory Objects

Contents of \\Localhost\CertConfig and \\Localhost\CertEnroll

Relationship of the Configuration Container and Certificate Store

Default CA Certificate and CRL Storage

Mapping Custom Object Identifiers to Friendly Names

CAPolicy.inf Syntax

CRL Distribution Point Replacement Token

CRL Publishing Properties

AIA Publishing Properties

Sample Script to Configure CorporateRootCA

Sample Script to Configure IntermediateCA

Sample Script to Configure the EnterpriseSubCA

Appendix B: Parameters for a Three-Tier CA Topology

Appendix C: Additional Information