
use only one CA for all PKI functions. However, for larger groups, Microsoft outlines a three-tier hierarchical structure starting at the top with a root CA, moving downward to a mid-level CA, and finally an issuing-level CA. Both the mid-level CA and the issuing-level CA are known as subordinate CAs.

EXAM WARNING

Although there are certain advantages to using both external and internal CAs when planning an organization's PKI, you should know that it is possible for a Windows Server 2003 root CA to trust an external root CA, but it is nearly impossible to get the external root CA to trust yours. The reason is that external CAs are established and highly visible, and therefore easily verifiable to the outside world. Your internal CA is most definitely not. To prove your identity to the external authority, you must jump through a most rigorous set of hoops, and you must also justify the business need for such a relationship. If you go to Microsoft's home Web site at www.microsoft.com and search for the words CA cross trust, you will find a white paper entitled Public Key Interoperability. This is a good place to start learning more about this complex topic.

Root CAs

When you first set up an internal PKI, no CA exists. The first CA created is known as the root CA, and it can be used to issue certificates to users or to other CAs. As mentioned earlier, in a large organization there is usually a hierarchy in which the root CA is not the only certification authority. In this case, the sole purpose of the root CA is to issue certificates to other CAs to establish their authority.

The question then becomes: who issues the root CA a certificate? The answer is that a root CA issues its own certificate (this is called a self-signed certificate). A self-signed certificate proves nothing on its own; what makes the root trustworthy is that every computer in the organization is explicitly configured to trust it, by placing the root certificate in the Trusted Root Certification Authorities store (for domain members this is typically done through Group Policy or Active Directory publication). Security is not compromised for two reasons. First, you will implement only one root CA in your organization, so there is exactly one trust anchor to distribute and protect, and second, configuring a root CA requires administrative rights on the server. The root CA should be kept highly secured because it has so much authority; in a hierarchy this usually means keeping the root CA offline, disconnected from the network, and bringing it up only to issue or renew subordinate CA certificates and to publish its certificate revocation list.

Subordinate CAs

Any certification authority that is established after the root CA is a subordinate CA. Subordinate CAs gain their authority by requesting a certificate from either the root CA or a higher-level subordinate CA. After the subordinate CA receives the certificate, it can control CA policies and/or issue certificates itself, depending on your PKI structure and policies. Technically, what confers that authority is the basic constraints extension in the subordinate's certificate marking it as a CA; a relying party accepts a certificate the subordinate issues only if it can build a chain from that certificate, through the subordinate's certificate, up to a root it already trusts.
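The three-tier hierarchy described in the preceding two sections (a self-signed root, a mid-level CA, and an issuing CA that serves end users), built and checked with the OpenSSL command-line tool rather than with Microsoft Certificate Services. This is an added example, not code from the book; the CA names, validity periods, file names and the choice of the openssl command are assumptions made for illustration, and the chain-building logic it exercises is the same whichever product issues the certificates. The last two checks show why a self-signed root is safe (trust comes from the relying party's anchor, not from the signature) and why only a certificate marked as a CA can confer authority on what it signs.

```shell
#!/bin/sh
# Added example (not from the book): a three-tier CA hierarchy built with OpenSSL.
# CA names, validity periods and file names are illustrative assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions that make a certificate a CA certificate: basicConstraints CA:TRUE
# plus keyCertSign. This is what lets a subordinate sign certificates of its own.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
# Extensions for an end-entity (user or computer) certificate: explicitly not a CA.
cat > ee.ext <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

# new_csr NAME SUBJECT: generate a key pair and a certificate request for NAME.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
}

# issue NAME ISSUER EXTFILE DAYS: the ISSUER CA signs NAME's request.
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days "$4" -extfile "$3" >/dev/null 2>&1
}

build_hierarchy() {
  # Root: nobody is above it, so it signs its own request (self-signed certificate).
  new_csr root "/CN=Example Root CA"
  openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 3650 \
    -extfile ca.ext >/dev/null 2>&1
  # Mid-level CA and issuing CA: each obtains its certificate from the CA above it.
  new_csr policy "/CN=Example Policy CA";   issue policy root ca.ext 1825
  new_csr issuing "/CN=Example Issuing CA"; issue issuing policy ca.ext 730
  # End-entity certificate for a user, issued by the issuing CA only.
  new_csr alice "/CN=alice@example.test";   issue alice issuing ee.ext 365
  # Relying parties need the subordinate CA certificates to build the chain.
  cat policy.crt issuing.crt > chain.pem
  # An unrelated self-signed root, standing in for another organization's CA.
  new_csr other "/CN=Other Root CA"
  openssl x509 -req -in other.csr -signkey other.key -out other.crt -days 3650 \
    -extfile ca.ext >/dev/null 2>&1
  # A certificate "issued" with alice's end-entity key; alice's cert is CA:FALSE.
  new_csr rogue "/CN=rogue"; issue rogue alice ee.ext 30
  cat chain.pem alice.crt > chain_plus_alice.pem
}

# chain_status ANCHOR UNTRUSTED LEAF: echoes OK or FAIL.
# Only ANCHOR is trusted; UNTRUSTED (or "none") holds certificates that may be
# used to build the chain but are not themselves trusted.
chain_status() {
  if [ "$2" = none ]; then untrusted=""; else untrusted="-untrusted $2"; fi
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" $untrusted "$3" \
       >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

build_hierarchy
echo "root as trust anchor, full chain:       $(chain_status root.crt chain.pem alice.crt)"
echo "root as anchor, subordinate CAs missing: $(chain_status root.crt none alice.crt)"
echo "foreign root as trust anchor:            $(chain_status other.crt chain.pem alice.crt)"
echo "issued under a CA:FALSE certificate:     $(chain_status root.crt chain_plus_alice.pem rogue.crt)"
```

Only the first check succeeds. Without the subordinate CA certificates the chain cannot be built even though the root is trusted, which is why Windows publishes subordinate certificates to the Intermediate Certification Authorities store; with a different self-signed root as anchor the same chain is rejected, showing that self-signing carries no authority by itself; and a certificate signed by a key whose certificate is CA:FALSE is rejected regardless of how well it chains.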

TEST DAY TIP

Remember that if a root or subordinate CA is lost (e.g., the server's hard drive is damaged and there is no backup), every CA subordinate to it is affected: the lost CA can no longer renew their certificates or publish its certificate revocation list, and once that CRL expires, clients that check revocation will reject every certificate chaining through it. Always keep current backups of your CAs, including their private keys. Worse still is the scenario in which a CA's private key is obtained by an attacker, who can then issue certificates that every computer trusting that CA will accept. If the CA in question is your root CA, your entire PKI is compromised; because the root's trust rests on its presence in every client's trust store rather than on any signature, recovery means removing it from those stores and rebuilding the hierarchy.

How Microsoft Certificate Services Works

The Windows Server 2003 PKI does many things behind the scenes. Thanks in part to autoenrollment (discussed later in this chapter) and certificate stores (places where certificates are kept after their creation), some PKI-enabled features such as EFS work with no user intervention at all. Others, such as IPSec, require significantly less work than would be required without an advanced operating system. Even though a majority of the PKI is handled by Windows Server 2003, it is still instructive to have an overview of how certificate services work.