Certificate Services provides customizable services for issuing and managing certificates used in software security systems employing public key technologies. For background information about public key cryptography and the benefits of having a public key infrastructure (PKI), see Public key infrastructure.
You can use Certificate Services in Windows 2000 to create a certification authority (CA) which will receive certificate requests, verify the information in the request and the identity of the requester, issue certificates, revoke certificates, and publish a certificate revocation list (CRL).
For more information about CAs, see Certification authorities.
Certificate Services can also be used to:
A policy module in Certificate Services is like a set of instructions or rules that a CA uses when processing certificate requests, issuing certificates, revoking certificates, and publishing CRLs.
When you install Certificate Services, you have the choice of using one of two different CA policies, each of which causes the CA to have different characteristics and behavior. You choose the policy you want to use, based on how you need the CA to behave, given its role in your public key infrastructure. (Note that these policies have nothing to do with Windows 2000 Group Policy.) The two Certificate Services policies included with Windows 2000 are referred to as enterprise policy and stand-alone policy.
In this documentation, a CA using the enterprise policy will be referred to as an enterprise CA. A CA using the stand-alone policy will be referred to as a stand-alone CA. You select the policy a CA will use when you install Certificate Services.
Additionally, you can set up a stand-alone CA and then replace the stand-alone policy with your own custom policy module. For more information about policy modules, see Policy and exit modules. For information about creating custom policy modules for Certificate Services, see the Microsoft Platform Software Development Kit.
A user can request certificates from an enterprise or stand-alone CA using Internet Explorer 3.0 or later, or another browser such as Netscape Navigator 3.0 or later. In addition, a user can use the Certificates snap-in to request a certificate from an enterprise CA. (At the program level, all certificate requests are submitted to a CA through a remote procedure call (RPC) or through DCOM.)
Typically, when a user initiates a certificate request, a cryptographic service provider (CSP) on the user's computer generates a public key and private key pair for the user. The user's public key is sent to the CA together with the required identifying information. If the user's identifying information meets the CA's criteria for granting a request, the CA generates the certificate, which is retrieved by the client application and stored locally. For more information about certificates, see Understanding Certificates.
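The request flow just described (client-side key pair, public key plus identifying information sent to the CA, a policy decision, then issuance) and the revoke-and-publish-CRL duties listed earlier for a CA, as an added example written for this page using Go's standard library; it is not Windows Certificate Services code or Microsoft code. The CA type, the functions NewCA, NewRequest, Issue, PublishCRL and IsRevoked, the names "Example Root CA", "alice" and "Example Corp", and the organization rule that stands in for a policy module are all constructed for the example; a real policy module applies the CA's own criteria.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy certification authority (constructed for this example): its signing
// key and its own certificate. must panics on setup errors (key generation, DER
// encoding) so that the example stays short.
type CA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA creates a self-signed root whose key may sign certificates and CRLs.
func NewCA(name string) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true, // also makes Go derive the subject key identifier the CRL needs
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{key: key, cert: must(x509.ParseCertificate(der))}
}

// NewRequest plays the client's CSP: the key pair is generated locally, and only the
// public key and identifying information go to the CA, in a PKCS#10 request signed
// with the new private key.
func NewRequest(commonName, org string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csr := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: commonName, Organization: []string{org}},
	}, key))
	return key, csr
}

// Issue is the CA's policy step: confirm the request was signed by the key it carries
// (the requester really holds the private key), apply a hypothetical rule to the
// identifying information, then sign a short-lived certificate.
func (ca *CA) Issue(csrDER []byte, allowedOrg string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request not signed by the presented key: %w", err)
	}
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != allowedOrg {
		return nil, fmt.Errorf("policy: organization %v not permitted", csr.Subject.Organization)
	}
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), // unpredictable serial
		Subject:      csr.Subject,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)))
}

// PublishCRL signs a CRL, valid for one hour, listing the serials of the revoked certificates.
func (ca *CA) PublishCRL(revoked ...*x509.Certificate) []byte {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(time.Now().UnixNano()),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: entries, // pre-Go 1.21 field name; newer releases still honour it
	}, ca.cert, ca.key))
}

// IsRevoked is the relying party's check: trust the CRL only if this CA signed it and it
// is still current, then look for the certificate's serial in it.
func (ca *CA) IsRevoked(cert *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca.cert); err != nil {
		return false, fmt.Errorf("CRL not issued by this CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %v; fetch a fresh one first", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca := NewCA("Example Root CA")
	_, csr := NewRequest("alice", "Example Corp")
	cert := must(ca.Issue(csr, "Example Corp"))
	fmt.Println(ca.IsRevoked(cert, ca.PublishCRL()))     // false <nil>
	fmt.Println(ca.IsRevoked(cert, ca.PublishCRL(cert))) // true <nil>
}
```

Two design points carry over to any real CA. First, the private key never leaves the requester; the CA only ever sees the public key, and the signature on the request is what proves the requester holds the matching private key, so a request with a damaged or forged signature is refused before any policy is consulted. Second, a CRL is only as good as its signature and its freshness: the relying side verifies that the CA that issued the certificate also signed the list and that NextUpdate has not passed, and refuses to treat a stale or foreign list as proof that nothing was revoked.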
CAs are valuable resources, and you should provide them with a high degree of protection. Specific actions that should be considered include:
Certificate Services includes programmable interfaces so that developers can create support for additional transports, policies, and certificate properties and formats. Refer to the Microsoft Platform Software Development Kit for information about customizing Certificate Services.
For more information about Certificate Services, see Understanding Certificate Services.