|
Last Updated: June 10, 2005 Windows Public Key Infrastructure and CertificatesOverviewThe following Windows Certificate Authority (CA) servers provide support for Public Key services in the UMROOT Windows forest. The first server is a "root CA" server, and the second server is a subordinate, "issuing CA" server. The single role of the root CA is to authorize other CA's in the forest. The role of subordinate CA servers is to issue certificates to authorized requesters within the U-M Windows forest. In Windows, the Public Key Infrastructure (PKI) is integrated with the Active Directory, so most Windows services requiring certificates will use Active Directory to locate the available CA's. Sometimes a list pops up listing all available CA's. Be sure to choose the "UM Windows UMROOT Issuing CA" for certificate requests, rather than the "UM Windows root CA".
Windows Certificates vs third-party CertificatesPlease note that certificates issued by these CA's are not designed for
applications external to the U-M Windows forest, since the UM Windows root
CA is not recognized as being authoritative by commercial
Certificate Authorities. A web server that provides SSL based service is a
common example of a service that would require an certificate issued by a
trusted commercial CA, since most modern web browsers will verify certificates
issued by the major commercial CA's, but will not recognize a certificate issued
by the Windows UMROOT forest CA unless the computer running the browser is a
member of the forest. In general, if the audience for a certificate
includes principals outside of the Windows UMROOT forest, a third-party
commercial certificate is more appropriate than one generated by the Windows
UMROOT forest Certificate Authority. Public CA Certificate and CRL InformationThe following public web site provides access to CRL (Certificate Revocation List) and AIA (Authority Information Access) data for the UMROOT forest CA's. This CRL and AIA information is also published in Active Directory. Some PKI clients do not have access to Active Directory, but can use this secondary distrubution point. http://certinfo.adsroot.itcs.umich.edu:33066/certinfo Specific files of interest follow:
Requesting a CertificateWindows "authenticated users" may use the following web page to:
https://pki02.adsroot.itcs.umich.edu/certsrv/ If the type of certificate you are requesting is not available via the listed
web page, please contact your Windows domain administrators, or
w2k-support@umich.edu. Certificate Types and AvailabilityThe following table provides a list of potential certificate types supported by the Windows CA servers. The "Availability" column lists groups allowed to enroll for a particular certificate type. To extend the availability of certificates across the forest, we have adapted a security group naming convention to facilitate customized certificate enrollment scenarios. Enrollment for selected certificate types is controlled by membership in a universal security group with the following naming convention:
For example: forest-cert-user-enroll; forest-cert-workstation-autoenroll Domain administrators may create security groups that can be added to these top-level universal groups, permitting authorized principals across the forest to request designated certificate types. The suggested format for domain-level security groups is similar to the one listed above, with the word "forest" replaced by the applicable domain. By following this strategy, domain administrators only have to create a single security group per certificate type, and can control the availability of certificate types within their domain without further requests to the Windows PKI administrators.
For example: lsa-cert-user-enroll; bus-cert-workstation-autoenroll Domain administrators should
submit requests for extended certificate enrollment capabilities to
w2k-support@umich.edu.
|
