Historical Content Alert

This is historical content for the Windows 2000 product and is presented for informative purposes only. All content on this page is copyrighted and owned by Microsoft.

Certificate Services overview

Certificate Services provides customizable services for issuing and managing certificates used in software security systems employing public key technologies. For background information about public key cryptography and the benefits of having a public key infrastructure (PKI), see Public key infrastructure.

You can use Certificate Services in Windows 2000 to create a certification authority (CA) which will receive certificate requests, verify the information in the request and the identity of the requester, issue certificates, revoke certificates, and publish a certificate revocation list (CRL).

For more information about CAs, see Certification authorities.

Certificate Services can also be used to:

  • Enroll users for certificates from the CA using the Web or the Certificates snap-in, depending upon the policy used by the CA.
  • Use certificate templates to help simplify the choices a certificate requester has to make when requesting a certificate, depending upon the policy used by the CA.
  • Take advantage of Active Directory for publishing trusted root certificates, publishing issued certificates, and publishing CRLs.
  • Implement the ability to log on to a Windows domain using a smart card.

Policy modules

A policy module in Certificate Services is like a set of instructions or rules that a CA uses when processing certificate requests, issuing certificates, revoking certificates, and publishing CRLs.

When you install Certificate Services, you have the choice of using one of two different CA policies, each of which causes the CA to have different characteristics and behavior. You choose the policy you want to use, based on how you need the CA to behave, given its role in your public key infrastructure. (Note that these policies have nothing to do with Windows 2000 Group Policy.) The two Certificate Services policies included with Windows 2000 are referred to as enterprise policy and stand-alone policy.

In this documentation, a CA using the enterprise policy will be referred to as an enterprise CA. A CA using the stand-alone policy will be referred to as a stand-alone CA. You select the policy a CA will use when you install Certificate Services.

Additionally, you can set up a stand-alone CA and then replace the stand-alone policy with your own custom policy module. For more information about policy modules, see Policy and exit modules. For information about creating custom policy modules for Certificate Services, see the Microsoft Platform Software Development Kit.

Processing certificate requests

A user can request certificates from an enterprise or stand-alone CA using a Web browser such as Internet Explorer 3.0 or later or Netscape Navigator 3.0 or later. In addition, a user can use the Certificates snap-in to request a certificate from an enterprise CA. (At the programming level, every certificate request is submitted to the CA by remote procedure call (RPC) or through DCOM.)

Typically, when a user initiates a certificate request, a cryptographic service provider (CSP) on the user's computer generates a public key and private key pair for the user. The public key is sent to the CA together with the identifying information the CA requires; the private key never leaves the user's computer. If the identifying information meets the CA's criteria for granting a request, the CA generates the certificate, which is retrieved by the client application and stored locally. For more information about certificates, see Understanding Certificates.
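The request flow just described, together with the policy-module and revocation roles covered earlier on this page, as a worked example added here. It is not Microsoft's code and does not use the Windows CryptoAPI: Go's standard crypto/x509 package stands in for both the CSP and Certificate Services. ClientRequest plays the requester's CSP (key pair generation and a PKCS#10 request carrying the public key and identifying information), Process is the CA's request handling with a PolicyModule function as the pluggable policy, and Revoke, PublishCRL and IsRevoked cover revocation and CRL publication. The Decision type, EnterprisePolicy, StandalonePolicy, the directory map that stands in for an Active Directory lookup, and all subject names and e-mail addresses are assumptions constructed for this example, not Windows 2000 interfaces or behaviour.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Decision is a policy module's verdict (modelled for this example, not a Windows API).
type Decision string

const Deny, Issue, Pending Decision = "deny", "issue", "pending"

// PolicyModule is the pluggable rule set the CA consults before it signs anything.
type PolicyModule func(csr *x509.CertificateRequest) Decision

// EnterprisePolicy auto-issues for known directory accounts; the map stands in
// for the Active Directory lookup (constructed data). Unknown names are denied.
func EnterprisePolicy(directory map[string]bool) PolicyModule {
	return func(csr *x509.CertificateRequest) Decision {
		if directory[csr.Subject.CommonName] {
			return Issue
		}
		return Deny
	}
}

// StandalonePolicy has no directory to consult, so every request waits for an
// administrator's decision (assumed behaviour for this example).
func StandalonePolicy(*x509.CertificateRequest) Decision { return Pending }

// CA holds the issuing key and certificate, the policy module, a serial counter
// and the revoked serials that feed the CRL.
type CA struct {
	Cert           *x509.Certificate
	key            *rsa.PrivateKey
	policy         PolicyModule
	serial, crlNum int64
	revoked        []pkix.RevokedCertificate
}

// must keeps the example short: a crypto/x509 failure in setup is a bug, so panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA generates the CA key pair and a self-signed root certificate.
func NewCA(policy PolicyModule) *CA {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{1, 2, 3, 4}, // CreateRevocationList requires one on the issuer
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Cert: must(x509.ParseCertificate(der)), key: key, policy: policy, serial: 1}
}

// ClientRequest plays the requester's CSP: generate a key pair, then send the
// public key with identifying information to the CA as a PKCS#10 request.
func ClientRequest(commonName, email string) (*rsa.PrivateKey, []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}, EmailAddresses: []string{email}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
}

// Process is the CA side: parse the request, verify proof of possession, consult
// the policy module, and sign a certificate only when the verdict is Issue.
func (ca *CA) Process(csrDER []byte) (*x509.Certificate, Decision) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil { // malformed, or not signed with the matching private key
		return nil, Deny
	}
	if d := ca.policy(csr); d != Issue {
		return nil, d
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: csr.Subject, EmailAddresses: csr.EmailAddresses,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key))
	return must(x509.ParseCertificate(der)), Issue
}

// Revoke records a serial number; PublishCRL signs the current list as a DER CRL.
func (ca *CA) Revoke(cert *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
}

func (ca *CA) PublishCRL() []byte {
	ca.crlNum++
	tmpl := &x509.RevocationList{Number: big.NewInt(ca.crlNum), ThisUpdate: time.Now(),
		NextUpdate: time.Now().AddDate(0, 0, 7), RevokedCertificates: ca.revoked}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key))
}

// IsRevoked is the relying-party check: refuse the CRL outright unless the CA's
// signature on it verifies, then look for the certificate's serial number.
func IsRevoked(crlDER []byte, caCert, cert *x509.Certificate) bool {
	crl := must(x509.ParseRevocationList(crlDER))
	must(0, crl.CheckSignatureFrom(caCert))
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

func main() {
	ca := NewCA(EnterprisePolicy(map[string]bool{"alice": true}))
	_, csr := ClientRequest("alice", "alice@example.com")
	cert, d := ca.Process(csr)
	fmt.Println("verdict:", d, "subject:", cert.Subject.CommonName)
	ca.Revoke(cert)
	fmt.Println("revoked after CRL publication:", IsRevoked(ca.PublishCRL(), ca.Cert, cert))
}
```

Run it with go run. Two properties of the design are worth noting: the CA checks the request's own signature before consulting the policy, so a certificate is only ever issued to someone who actually holds the private key; and the relying party in IsRevoked verifies the CA's signature on the CRL before reading it, which is what lets a CRL be trusted even when it is fetched from a location such as a directory or Web share that is itself untrusted.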

Security considerations for CAs

CAs are valuable resources, and you should provide them with a high degree of protection. Specific actions that should be considered include:

  • Physical protection. Since CAs represent highly trusted entities within an enterprise, you should protect them from tampering to a degree that matches the value of the certification made by the CA. Physical isolation of the CA server, in a facility accessible only to security administrators, can dramatically reduce the possibility of such attacks.
  • Restoration. A CA might be lost if there is a hardware failure. This can create a number of administrative and operational problems, and can prevent revocation of existing certificates. Certificate Services supports the backup of a CA so that it can be restored at a later time. This is an important part of the overall CA management process.
  • Key management. The CA's keys are its most valuable asset, because the private key provides the basis for trust in the certification process. Dedicated cryptographic hardware modules can provide tamper-resistant key storage and isolate the cryptographic operations from other software running on the server. This reduces the likelihood of a CA key being compromised. Certificate Services supports cryptographic service providers (CSPs) from other sources, but the documentation included with Windows 2000 is specific to the software CSPs that are included with Windows 2000. If you use a CSP from another source, you should confirm with the vendor that the CSP can work with Certificate Services. You will also need supplementary documentation from the vendor to explain how to operate Certificate Services with their CSP.

Customizing Certificate Services

Certificate Services includes programmable interfaces so that developers can create support for additional transports, policies, and certificate properties and formats. Refer to the Microsoft Platform Software Development Kit for information about customizing Certificate Services.

For more information about Certificate Services, see Understanding Certificate Services.