Installing a Certification Authority

Infineon Security Platform

Infineon Security Platform Solution

A Certification Authority (CA) is a service that issues the certificates needed to run a public key infrastructure (PKI). These certificates are usually issued to requesters based on a set of established criteria. A CA vouches for the validity of the binding between the subject’s public key and the subject’s identity information that is stored in the certificates it issues. A CA could be an external commercial CA, or it could be a CA run by your company. (Since a CA is an important point of trust in an organization, most organizations would choose to have their own CA.)

The Windows 2000 public key infrastructure assumes a hierarchical CA model that is characterized by its scalability, ease of administration, and support for certificates issued by third-party commercial CAs.

Windows 2000 supports two types of CA services: enterprise and stand-alone. The primary difference between the two CA services lies in the manner in which they issue certificates. A stand-alone CA issues certificates without authenticating the requester and usually requires a CA administrator to approve requests based on some additional information.

An enterprise CA requires the existence of a Windows 2000 domain and authenticates the requester based on his or her domain logon information. Further, an enterprise CA uses certificate templates to distinguish between different types of certificates that are based on intended use. Users may obtain different types of certificates based on their access rights within a domain and the purpose for which they want to use the certificates.

You should install an enterprise CA if you intend to issue certificates only to users or computers inside an organization that is part of a Windows 2000 domain. You should install a stand-alone CA if you will be issuing certificates to users or computers that are outside of a Windows 2000 domain.

Note: An enterprise CA has a special policy module that enforces how certificates are processed and issued. The policy information used by this policy module is stored in a CA object in Active Directory. Therefore, you must have a fully functional Active Directory and DNS server before you set up an enterprise CA.

Refer to Microsoft TechNet for instructions on how to install a CA for your domain.

The next step in setting up a PKI is to change the User Certificate Template to enable the use of the Cryptographic Service Providers delivered with the Security Platform Solution.

©Infineon Technologies AG