Chapter 18. Managing a Public Key Infrastructure
Remember the old neighborhood? The shade trees where you played tag with your friends. The secret path to school where you could ditch your siblings. The grandmotherly lady who would give you fresh caramel apples on Halloween. Have you ever gone back? Are there bars on the windows and pit bulls in the backyards and LoJack stickers in the car windows?
That's the situation on the Internet nowadays. The once-friendly confines of virtual academia have deteriorated into a scary place where it's always midnight and somebody shot out the streetlights. You need a way to shield your data from bad guys and to ensure the integrity of your communications.
A set of technologies has evolved over the last decade that addresses the need for privacy and protection. Collectively, these technologies are called Public Key Infrastructure, or PKI. Windows Server 2003 includes support for the most popular of the current crop of PKI protocols. These services underlie a variety of features such as the Encrypting File System (EFS), IP Security (IPSec), Transport Layer Security (TLS), code signing, and smart cards.
Deploying PKI services can be dauntingly complex. Part of this is due to the nature of cryptography, but much of the complexity has come about because major elements of the technology were designed by disparate vendors and committees with independent and often conflicting agendas.
Take heart, though. If you can hack through the jargon and map out the concepts, the actual implementation of a Windows Server 2003 PKI takes very little effort. The real work lies in the planning. If you work for a small or medium-sized organization where you and a select group of your colleagues are the sole IT decision makers, this chapter will give you the necessary information to plan and implement a Windows Server 2003 PKI.
On the other hand, if you want to deploy a PKI in a large organization with a Byzantine decision structure, prepare yourself for an arduous couple of years filled with studies, product comparisons, requests for proposals, vendor presentations, white papers, and dozens of meetings with skeptical colleagues and confused managers. This chapter will at least give you a basis for starting the process and for evaluating Microsoft's contribution to the technology.
You'll need a working familiarity with these major PKI elements:

Cryptographic basics. This includes the encryption and hashing technologies used to protect data and validate a sender's identity.

Public key elements. There are a variety of technologies for generating and using public/private key pairs. Windows Server 2003 supports the most widely accepted methods. You need to know how they work to a sufficient extent to make sure you implement them correctly.

Certificates. The core of a PKI is the secure exchange and storage of certificates. You'll need to understand the mechanisms used by Windows clients to request, validate, and store certificates.

Certification Authorities. Any PKI entity is capable of generating public/private key pairs. The secret to making those keys a trustworthy medium for data exchange is to validate them with a Certification Authority, or CA. This chapter shows you how to establish a Windows Server 2003 CA hierarchy.

Certificate enrollment and revocation. After you have your CA servers in place, you need to know how clients obtain certificates from them. Windows Server 2003 makes this as transparent as possible, but there are still places where administrative intervention is necessary.

Command-line tools. Finally, you can streamline your operations by using command-line utilities in the Support Tools and Resource Kit for managing and troubleshooting your PKI.