Microsoft PKI has been improved in many ways in Windows Server 2008 and has gained many features. The first of these is certificate lifecycle management, especially the automatic enrollment of computer and user certificates. In Windows Server 2008, certificate lifecycle management is further enhanced by the new certificate roaming feature, which we will describe later.
A common practice for developers is to link the PKI infrastructure with the company's business applications. A good example is a company that wants to integrate smart cards or strong identity into its own software. The new certificate enrollment API allows this functionality to be integrated more smoothly.
On the server side, usability enhancements are reflected in the management and deployment of Certificate Services. Certificate revocation has also been significantly enhanced, especially with regard to revocation checking.
Example Environment
Here is an example to illustrate:
We use a server named Sea-dc-01, which is both a domain controller and a DNS server, and we will demonstrate how to install the Active Directory Certificate Services role on it. As shown in Figure 1:
Demonstrate a PKI in Windows Server 2008
Windows Server 2008 contains the Add Roles Wizard. The Add Roles Wizard is used not only to install roles but also to configure them: the key configuration tasks that must be performed to make a role work correctly are part of the wizard. All settings that appear in the Add Roles Wizard are secure by default and come with sensible defaults for IT professionals.
Our first step is to open Server Manager, which displays details for all the different roles. Currently, the Active Directory Domain Services and DNS Server roles are configured. What we are going to add today is Certificate Services. First we need to add the IIS role.
As a best practice, we should always assign a strong password to the administrator account, set up a static IP address, and ensure that the operating system has the latest security updates applied.
We will select Active Directory Certificate Services, as shown in Figure 2. The wizard then shows steps tailored to the roles we want to add.