Because it uses industry-standard X.509v3 certificate formats and open interfaces, Windows 2000 Certificate Services interoperates with many products and technologies that support the use of public key cryptography and public key infrastructure (PKI).
PKI standards for the Internet are still evolving as this is being written. However, Certificate Services has been designed to adhere to existing PKI interoperability standards established by the Internet Engineering Task Force (IETF). The IETF working group charged with defining the basis for an interoperable PKI is PKIX. For more information on PKIX, see the PKIX Web page (http://www.ietf.org/html.charters/pkix-charter.html). The Web page also has a link to RFC 2459, "Internet Public Key Infrastructure X.509 Certificate and CRL Profile, Part 1," which is the specification for the basic architecture of PKI. (Web addresses can change, so you may be unable to connect to some of the Web sites mentioned here.)
Public Key Cryptography Standards (PKCS) is a set of de facto cryptographic message standards developed and maintained by RSA Laboratories. (For more information, see the RSA Laboratories Web page at http://www.rsa.com/rsalabs/html/standards.html.)
PKCS provides a basic but well-understood framework for interoperability. The standards most relevant to PKI, and the ones used by Certificate Services, are PKCS #7, Cryptographic Message Syntax Standard, and PKCS #10, Certification Request Syntax Standard.
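To make the PKCS #10 exchange concrete, the following added example (not part of the Windows 2000 documentation) builds a certification request and then performs the checks a CA makes before issuing: it verifies the request's own signature, which proves the requester holds the matching private key, and applies a simple name policy. It assumes the third-party Python "cryptography" package; the host names and the allowed-suffix policy are constructed for illustration.

```python
# Added example (not from the Windows 2000 documentation): create a PKCS #10
# certification request and validate it the way a CA would before issuing.
# Assumes the third-party "cryptography" package is installed.
from typing import List

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def build_request(common_name: str, dns_names: List[str]) -> bytes:
    """Return a DER-encoded PKCS #10 request signed by a fresh RSA key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        # Requested extensions travel inside the PKCS #10 attributes field.
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names]),
            critical=False,
        )
    )
    csr = builder.sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.DER)


def check_request(der: bytes, allowed_suffix: str) -> dict:
    """CA-side validation: proof of possession plus a name policy check."""
    csr = x509.load_der_x509_csr(der)
    result = {"signature_ok": csr.is_signature_valid, "subject": None,
              "dns": [], "names_ok": False}
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    result["subject"] = cn[0].value if cn else None
    try:
        san = csr.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        result["dns"] = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        pass
    # Every name the requester asks for must fall under the CA's namespace.
    names = ([result["subject"]] if result["subject"] else []) + result["dns"]
    result["names_ok"] = bool(names) and all(
        n.endswith(allowed_suffix) for n in names)
    return result
```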
On a corporate intranet or on the Internet, Web servers, such as those using Microsoft Internet Information Services (IIS), can perform client authentication for secure communications using certificates generated by Certificate Services. Certificate Services can also generate server certificates used by IIS and other Web servers to provide server authentication to assure clients that they are communicating with the intended entity.
For more information about IIS and certificates, see Certificates and Internet Information Services (http://localhost/iishelp/iis/htm/core/iicerts.htm).
Certificate Services can be used to issue certificates to Web browsers that support client authentication, such as Microsoft Internet Explorer 3.0 or later.
The programmability of Certificate Services makes it possible to publish certificates to any directory that is compliant with Lightweight Directory Access Protocol (LDAP). LDAP is a subset of the X.500 DAP standard for directory services. Compliance with LDAP enables Certificate Services to operate with policy tools and other third-party applications that support LDAP directory services.
Windows 2000 enables you to map certificates to Windows 2000 users and groups. This mapping is automatic when the certificate is issued by an enterprise certification authority (CA). You can then use standard Windows 2000 administrative tools, such as security permission sets, to implement Internet and intranet security requirements that take advantage of the relationship between Windows 2000 domain users and the certificates issued to them.
For more information about mapping certificates in Windows 2000, see Mapping certificates to user accounts.
Microsoft Exchange 5.5 SP1 Key Management Server (KMS) and Exchange 5.5 SP3 KMS can use Windows 2000 Certificate Services to issue certificates when you install the Exchange policy module on the Windows 2000 CA. (This replaces the stand-alone policy.) The Exchange 5.5 KMS policy module is listed as a "Legacy" policy module in the Certificate Services console. See the documentation for your version of Microsoft Exchange for detailed information about how to use the KMS with this version of Certificate Services.
For detailed information about interoperability of other products with Windows 2000 Certificate Services, see: