Windows Server 2003 CA configuration (i)

Source: Internet
Author: User

CA: A Certificate Authority, also known as a certification authority or certification center, is a trusted third-party entity in a PKI. It is responsible for certificate management tasks such as certificate issuance, revocation, update, and renewal, as well as CRL publishing and event logging. First, the principal issues a certificate request. Typically the principal generates the key pair, although sometimes the CA performs this function. The principal then submits the certificate request, which contains its public key, to the CA for approval. After receiving the certificate request, the CA must verify the identity of the applicant. Once the identity is verified, the CA can accept the application, sign it, and generate a valid certificate. Finally, the CA distributes the certificate so that the applicant can use it.

CRL: The Certificate Revocation List is the list of certificates that have been revoked by the CA.
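The request, issuance and revocation steps described above, as an added Go example (not part of the original article and not Windows Certificate Services code). It uses Go's standard `crypto/x509` package in place of a Windows CA; the names `Example Root CA` and `web01.example.test` and the serial numbers are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short; production code should return errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// lifecycle runs request -> issuance -> revocation -> CRL on constructed sample names.
func lifecycle() (issued, listedInCRL bool) {
	now := time.Now()
	// Root CA: generates its own key and issues its own (self-signed) CA certificate.
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// Principal: generates a key pair and submits a request containing the public key.
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	reqTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "web01.example.test"}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, reqTmpl, key))))
	// CA: the request signature proves key possession; identity checks stay out of band.
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, csr.PublicKey, caKey))))
	issued = leaf.CheckSignatureFrom(caCert) == nil
	// CA: revokes the certificate and publishes a signed CRL listing its serial number.
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, rl, caCert, caKey))))
	e := crl.RevokedCertificates
	return issued, crl.CheckSignatureFrom(caCert) == nil && len(e) == 1 && e[0].SerialNumber.Cmp(leaf.SerialNumber) == 0
}

func main() { fmt.Println(lifecycle()) }
```

The private key never leaves the principal in this flow: the CA only sees the public key inside the signed request.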

Windows supports four types of CA

Enterprise root CA: This is the top-level CA in the certificate hierarchy, and it requires AD. The enterprise root CA issues its own CA certificate and uses Group Policy to publish that certificate to the Trusted Root Certification Authorities store of all servers and workstations in the domain. It typically does not issue user and computer certificates directly, but it is the basis of the certification hierarchy.

Enterprise subordinate CA: An enterprise subordinate CA must obtain its CA certificate from another CA (the parent CA), and it requires AD. Use an enterprise subordinate CA when you want to use AD, certificate templates, and smart cards to log on to computers running Windows XP and Windows Server 2003.

Stand-alone root CA: A stand-alone root CA is the top-level CA in a certificate hierarchy. It can be a member of a domain or not, so it does not require AD. If AD is available, however, it is used for publishing certificates and certificate revocation lists. Because a stand-alone root CA does not require AD, it is easy to disconnect it from the network and place it in a secure area, which is useful when creating a secure offline root CA.

Stand-alone subordinate CA: A stand-alone subordinate CA must obtain its CA certificate from another CA (the parent CA). It can be a member of a domain or not, so it does not require AD. If AD is available, however, it is used for publishing certificates and certificate revocation lists.

The following steps deploy two CAs:

One is a stand-alone root CA, and the other is a stand-alone subordinate CA.

Installing a stand-alone root CA

Select the application server and Certificate Services.
