Certificates feature in more and more Server 2003 locations: smart card login, EFS, and IPSec, to name
but three. In fact, certificates are just part of a larger PKI (Public Key Infrastructure)
topic.
When you receive data you want to be sure that the sender is who they say
they are. You also want to be reassured that the packets have not been read or tampered with en route.
Certificate Services are designed for this scenario, where you need secure authentication and encryption.
The principle of encryption is to change plain text into cipher text during
transport and then decode back to readable text at the other end.
Unlike Kerberos, where only one key is involved, Certificate Services encrypt and
decrypt using a public and private key pair.
The private key is kept with your user profile, but you can easily check the
certificate corresponding to your public key by:
1) Viewing your Active Directory certificates by adding a snap-in to your MMC: Start, Run MMC, File (Menu), Add Snap-in, Add, Certificates.
2) Alternatively, checking Internet Explorer: Tools, Internet Options, Content, Certificates.
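A scripted equivalent of the two checks above, as an added example that is not part of the original page. It assumes PowerShell with its built-in Cert: provider is installed (the page does not mention PowerShell); the function names and the `$warnDays` threshold are illustrative.

```powershell
# Added example (not from the original page): list the current user's personal
# certificates, the same store the Certificates snap-in and Internet Explorer show.
# Assumption: PowerShell with its built-in Cert: provider is installed.
$warnDays = 30          # illustrative threshold for "expiring soon"
$now      = Get-Date

function Get-CertStatus($cert) {
    # Compare the validity window against the current local time
    if ($cert.NotAfter  -lt $now) { return 'EXPIRED' }
    if ($cert.NotBefore -gt $now) { return 'Not yet valid' }
    if ($cert.NotAfter  -lt $now.AddDays($warnDays)) { return 'Expiring soon' }
    return 'Valid'
}

function Get-CertPurposes($cert) {
    # Collect Enhanced Key Usage entries (for example smart card logon or EFS)
    $names = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.FriendlyName) { $names += $oid.FriendlyName } else { $names += $oid.Value }
            }
        }
    }
    if ($names.Count -eq 0) { return '(no Enhanced Key Usage extension)' }
    return ($names -join ', ')
}

# HasPrivateKey shows whether the matching private key is present in this profile
Get-ChildItem Cert:\CurrentUser\My |
    Select-Object Subject, Issuer, NotAfter, HasPrivateKey,
        @{ Name = 'SelfIssued'; Expression = { $_.Subject -eq $_.Issuer } },
        @{ Name = 'Status';     Expression = { Get-CertStatus $_ } },
        @{ Name = 'Purposes';   Expression = { Get-CertPurposes $_ } } |
    Format-List
```

SelfIssued marks certificates whose subject and issuer are identical, meaning no separate authority vouches for them.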
Also, once you have installed Certificate Services on Windows Server 2003, clients can apply for
certificates through their browsers, for example http://dealer/certsrv; substitute
your server name for dealer, but type certsrv as shown. Troubleshooting:
check IIS has started. I once found the port had been set to port 90
instead of 80.
Network security is complex. As an MCT trainer, I can thoroughly recommend
TrainSignal because they provide practical hands-on training. In particular, I like the way TrainSignal cover all learning methods: instructor-led, video and of course text material. You can either take one module, for example
Network Security, or go for a combination of modules.
Think of certificate authorities as you would driving licence authorities. You
can get a government driving licence with a picture and issue number, or you can go
to the fairground and get a 'Mickey Mouse' licence.
To decide which model is best for you, consider these two questions:
1) Will you authorize your own root server, or will you be a subordinate of a respected certificate authority like Verisign?
2) Will you use Active Directory, or is your certificate server so important that it should be secured offline in a locked office?
Certificate Services is installed through Add or Remove Programs \ Windows Components, and just like
other services such as DHCP or IAS, you configure Certificate Services through the
Administrative Tools.
Personally, I prefer to add a Snap-In to the MMC; using this technique
you can also add a snap-in to examine the User and Computer Certificates.
Check out the Templates to gauge the breadth of purposes for which you can deploy
certificates.