Windows 2008 PKI Combat 3: Certificate Services

The delegate Enrollment Agent feature allows you to define exactly what a registered agent can do and what not to do. It allows you to delegate a temporary smart card registration to someone, like a receptionist, in case a user throws his or her smart card home.

The next added feature is called the Network Device Registration service, or SCEP, which is integrated into the local installation. This is a simple feature that allows users to register their credentials with a normal Windows installation.

Manageability is an important function and it has been greatly improved. For example, performance counters have been added to Certificate Services, allowing the PKI administrator to more easily monitor the performance of the entire organization's CAs.

Certificate Services Ease of administration Demo

Windows reliability and Performance Monitor are an MMC that provides tools for analyzing system performance. This tool provides a way to monitor and document the performance of many aspects of Windows Server 2008.

The default monitor displays the current processor usage. It's not needed in our demo. To add a performance monitor, we click the Add Counter button in the toolbar. The list of available counters displays all available counters in the operating system. Today we are going to focus on Certificate Services.

By expanding the CA you will see a list of available options. These options will give us a better understanding of those configuration options that are best for a particular environment. We will add request processing time as our CA counter. As shown in Figure 24.

We are able to monitor our OCSP configuration and we will monitor request processing time for this service. As shown in Figure 25.