Interoperability in Certificate Services

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By using industry-standard X.509 version 3 certificate formats and open interfaces, Certificate Services interoperates with many products and technologies that use public key cryptography and a public key infrastructure (PKI).

Internet standards

PKI standards for the Internet are still evolving as this is being written. However, Certificate Services has been designed to adhere to the existing PKI interoperability standards established by the Internet Engineering Task Force (IETF). The IETF working group charged with defining the basis for an interoperable PKI is PKIX. For more information on PKIX, see the PKIX Web page. The Web page also has a link to RFC 2459, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile," the original specification of the certificate and CRL profile on which interoperable PKI is built. Note that RFC 2459 has since been superseded, first by RFC 3280 and then by RFC 5280; current implementations follow RFC 5280, but certificates that conform to the older profile remain interoperable.

Public Key Cryptography Standards

There is a set of de facto cryptographic message standards called the Public Key Cryptography Standards (PKCS), which is developed and maintained by RSA Laboratories. (For more information, see the Web page at RSA Laboratories.)

PKCS provides a basic but well-understood framework for interoperability. The standards most relevant to PKI, and the ones Certificate Services uses, are PKCS #7, Cryptographic Message Syntax Standard (the format in which issued certificates and certificate chains are packaged, including the CA's response to a request); PKCS #10, Certification Request Syntax Standard (the format of a certificate request, carrying the public key, the requested subject name and extensions, and a proof-of-possession signature made with the corresponding private key); and PKCS #12, Personal Information Exchange Syntax Standard (a password-protected container for a certificate together with its private key, used to move keys between systems and products).
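The three formats show up in sequence in a typical enrollment against a Windows CA. The following is an added example, not code from the original article: it writes a certreq INF file, generates a PKCS #10 request, submits it to an enterprise CA, and dumps the PKCS #7 response; the host names, the CA configuration string "CA01.corp.example.com\Example Issuing CA" and the file paths are placeholders. It uses only the certreq and certutil tools that ship with Windows, invoked from PowerShell.

```powershell
# Added example (not from the original page). Host names, CA config string and
# paths are placeholders; run on a domain-joined machine with rights to enroll.

# 1. Request parameters. A single-quoted here-string keeps the $ signs literal.
$ReqInf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=web01.corp.example.com, O=Example Corp, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
; Keep the private key non-exportable unless you really need a PKCS #12 copy.
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
; 0xA0 = digitalSignature (0x80) + keyEncipherment (0x20)
KeyUsage = 0xA0
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name: browsers match the host name against dNSName, not the CN.
2.5.29.17 = "{text}"
_continue_ = "dns=web01.corp.example.com&"
'@
Set-Content -Path .\web01.inf -Value $ReqInf -Encoding Ascii

# 2. Generate the key pair in the machine store and emit a PKCS #10 request.
certreq -new .\web01.inf .\web01.req

# Inspect the request before sending it: subject, key size, requested extensions,
# and that the self-signature (proof of possession) verifies.
certutil -dump .\web01.req

# 3. Submit to the CA. The third output file is the full chain as PKCS #7.
certreq -submit -config "CA01.corp.example.com\Example Issuing CA" `
    .\web01.req .\web01.cer .\web01.p7b

# 4. Bind the issued certificate to the private key generated in step 2.
certreq -accept .\web01.cer

# The PKCS #7 bundle carries the end-entity certificate plus the CA chain.
certutil -dump .\web01.p7b

# 5. PKCS #12 export is only possible when the INF set Exportable = TRUE.
# Here it is shown for completeness; with the INF above it fails by design.
# certutil -p 'ExportPassw0rd' -exportPFX My web01.corp.example.com .\web01.pfx
```

The request is self-signed with the new private key, so `certutil -dump` on the .req file is a cheap way to confirm that the key, subject and SAN are what you intended before a CA commits them to a signed certificate.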

Web servers

On a corporate intranet or on the Internet, Web servers such as those running Microsoft Internet Information Services (IIS) can perform client authentication over SSL/TLS using certificates issued by Certificate Services. Certificate Services can also issue the server certificates that IIS and other Web servers present for server authentication, assuring clients that they are communicating with the intended server. In both directions the assurance holds only if the relying party trusts the issuing CA and checks the certificate's validity and revocation status.

Web browsers

Certificate Services can issue certificates used by Web browsers that support client authentication, such as Microsoft Internet Explorer 5.01 or later. Certificate Services also supports Web enrollment, in which a Web browser uses Web pages hosted by the CA to request and retrieve a certificate.

Windows

Windows enables you to map certificates to user and group accounts. For certificates issued by an enterprise certification authority (CA), this mapping is automatic, because the certificate identifies the domain account it was issued to. You can then use standard Windows administrative tools, such as access control lists and security permissions, to enforce Internet and intranet security requirements based on the relationship between domain accounts and the certificates issued to them.

For more information about mapping certificates in Windows, see Mapping certificates to user accounts.
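Certificates from a non-enterprise or third-party CA are not mapped automatically and need an explicit mapping on the account. The following is an added example, not code from the original article: it reads a certificate file, builds the mapping string Windows stores in the user's altSecurityIdentities attribute, and writes it with the ActiveDirectory module. The certificate path and the account name "alice" are placeholders. It also shows why the issuer+subject form the article era relied on is weak, and uses the issuer+serial form that current domain controllers (per Microsoft's KB5014754 hardening, May 2022) require once enforcement is enabled.

```powershell
# Added example (not from the original page). Requires the ActiveDirectory
# module (RSAT) and write access to the target user object. Paths and the
# account name are placeholders.

function ConvertTo-ReverseDN {
    # altSecurityIdentities expects the DN with the root component first, e.g.
    # "CN=Alice, CN=Users, DC=corp, DC=example, DC=com" ->
    # "DC=com,DC=example,DC=corp,CN=Users,CN=Alice".
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name)
    # Format($true) emits one RDN per line and copes with escaped commas in
    # values, which a naive split on ',' would not.
    $rdns = @($Name.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function ConvertTo-ReverseSerial {
    # The <SR> tag takes the certificate serial number as hex in reversed byte order.
    param([string]$SerialHex)
    $bytes = @(for ($i = 0; $i -lt $SerialHex.Length; $i += 2) { $SerialHex.Substring($i, 2) })
    [array]::Reverse($bytes)
    return ($bytes -join '')
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\alice.cer'

$issuer  = ConvertTo-ReverseDN     $cert.IssuerName
$subject = ConvertTo-ReverseDN     $cert.SubjectName
$serial  = ConvertTo-ReverseSerial $cert.SerialNumber

# Weak mapping (issuer + subject): any certificate with this subject from this
# CA matches, so a re-issued or mis-issued certificate with the same name maps
# silently. Kept here only to show the form; do not store it.
$weakMapping   = "X509:<I>$issuer<S>$subject"

# Strong mapping (issuer + reversed serial): unique to this one certificate.
$strongMapping = "X509:<I>$issuer<SR>$serial"

Import-Module ActiveDirectory
Set-ADUser -Identity alice -Add @{ altSecurityIdentities = $strongMapping }

# Verify what is actually stored on the account.
Get-ADUser -Identity alice -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

Because the strong form is tied to one serial number, the mapping has to be refreshed whenever the certificate is renewed; that is the price of not matching on a name that the CA could issue again.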

Note