Lesson 3: Managing Certificates
Once you have completed your PKI design and installed your CAs, the next step in deploying PKI to consider is the ongoing management of your CAs and their certificates. This includes administering certificate enrollment, managing the certificates themselves, and publishing certificate revocation lists.
After this lesson, you will be able to
■ Control auto-enrollment in enterprise CAs
■ Submit certificate requests to a CA using the Certificates console or the pages created by the Certificate Services Web Enrollment Support interface
■ Publish certificate revocation lists
Estimated lesson time: 30 minutes
Understanding Certificate Enrollment and Renewal
The actual process by which CAs issue certificates to clients varies, depending on the types of CAs you have installed. If you have installed enterprise CAs, you can use auto-enrollment, in which the CA receives certificate requests from clients, evaluates them, and automatically determines whether to issue the certificate or deny the request. If you have installed stand-alone CAs, you cannot use auto-enrollment, so you must arrange for an administrator to monitor the CA (using the Certification Authority console) for incoming requests and to make decisions about whether to issue or deny the requests.
Exam Tip: Be sure to understand the circumstances in which clients use auto-enrollment and manual enrollment, and to be familiar with the Microsoft Management Console (MMC) snap-ins used to manage certificates and certification authorities.
Using Auto-Enrollment
Auto-enrollment enables clients to automatically request and receive certificates from a CA with no manual intervention from administrators. To use auto-enrollment, you must have domain controllers running Windows Server 2003, an enterprise CA running on Windows Server 2003, and clients running Microsoft Windows XP Professional. You control the auto-enrollment process using a combination of group policy settings and certificate templates.
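The following PowerShell script is an added example, not text or code from the training kit; it turns the two enrollment paths described above into commands an administrator can run. The first function reads the auto-enrollment policy that Group Policy writes to the registry on a domain member, so you can confirm whether a client is actually in auto-enrollment mode; the remaining functions cover the stand-alone CA case, where requests wait in the pending queue until an administrator issues or denies them. The registry path and the certutil.exe verbs are real, but the meaning this example assigns to the individual AEPolicy bits is an assumption of the example, and the CA-side functions assume they are run on the CA server with administrative rights.

```powershell
# Added example (not from the lesson). Requires certutil.exe (ships with
# Certificate Services) for the CA-side functions.

# --- Client side: report the auto-enrollment policy applied by Group Policy ---
function Get-AutoEnrollmentPolicy {
    param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')

    # Computer policy lands under HKLM, user policy under HKCU.
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"

    if (-not (Test-Path $key)) {
        # No value present: the policy has not been applied to this scope yet.
        return New-Object PSObject -Property @{
            Scope = $Scope; Configured = $false; Enabled = $null; Flags = $null
        }
    }

    $item  = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    $flags = $item.AEPolicy
    if ($null -eq $flags) {
        return New-Object PSObject -Property @{
            Scope = $Scope; Configured = $false; Enabled = $null; Flags = $null
        }
    }

    # Bit meanings below are this example's assumption:
    #   0x8000 = auto-enrollment disabled ("Do not enroll certificates automatically")
    #   0x1    = renew expired, update pending, remove revoked certificates
    #   0x2    = update certificates that use certificate templates
    New-Object PSObject -Property @{
        Scope                 = $Scope
        Configured            = $true
        Enabled               = -not [bool]($flags -band 0x8000)
        RenewAndRemoveRevoked = [bool]($flags -band 0x1)
        UpdateTemplates       = [bool]($flags -band 0x2)
        Flags                 = ('0x{0:X}' -f $flags)
    }
}

# --- CA side (stand-alone CA): work the pending-request queue ---
function Get-PendingCertificateRequest {
    # certutil -view queries the CA database; Disposition=9 selects requests
    # that are still waiting for an administrator's decision.
    & certutil.exe -view -restrict "Disposition=9" -out "RequestID,RequesterName,SubmittedWhen"
}

function Approve-CertificateRequest {
    param([Parameter(Mandatory = $true)][int]$RequestId)
    # Issues the pending request with the given ID.
    & certutil.exe -resubmit $RequestId
}

function Deny-CertificateRequest {
    param([Parameter(Mandatory = $true)][int]$RequestId)
    # Denies the pending request with the given ID.
    & certutil.exe -deny $RequestId
}

# Usage, on a domain member:
#   Get-AutoEnrollmentPolicy -Scope Machine
#   Get-AutoEnrollmentPolicy -Scope User
# Usage, on a stand-alone CA after reviewing a request:
#   Get-PendingCertificateRequest
#   Approve-CertificateRequest -RequestId 7
#   Deny-CertificateRequest -RequestId 8
```

Run the policy check on a client after `gpupdate` to confirm that the GPO setting described in this lesson has actually reached the machine; on a stand-alone CA, review the requester name and submission time returned by the pending-queue query before issuing a request, since that manual decision is the only evaluation such a CA performs.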
By default, Group Policy Objects (GPOs) contain settings that enable auto-enrollment for all user and computer objects in a domain. You configure these settings by opening