Stand-alone certification authority in Windows Server

Each administrator will sooner or later faces the need to provide the secure exchange of information over the Internet, external and internal networks, as well as authentication of each party involved in the exchange of information. Public key infrastructure (PKI) and Windows Certificate Services allows realizing it.

PKI allows using digital certificates to verify the authenticity of the owner and helps reliably and effectively protect traffic transmitted over open communication networks, as well as to use certificates to authenticate users. The basis of PKI is the certificate authority, which is responsible for issuing and revoking certificates, and provides verification of their authenticity.

For what it may be necessary to put into practice? Digital certificates allow the use of encryption on the application layer (SSL / TLS) to protect web pages, e-mail, terminal services, etc., registration on the domain by using smart card, authentication of virtual private network users (VPN), data encryption on hard disk (EFS), and in some cases to avoid the use of passwords.

To create a certification authority, we need a server running Windows Server, which can be either a dedicated or combine the role of the CA with other roles. However, it should be remembered that after the deployment of the CA, you cannot change the computer name and its membership in the domain (workgroup).

Certification Authority (CA) can be of two types: enterprise CAs and isolated (standalone) CA, consider their distinctive features:

Enterprise CA

• Requires ActiveDirectory
• Automatic confirmation of certificate
• Automatic deployment of certificates
• The ability to request certificates through the Web-based interface, the query wizard and automated deployment

Isolated (stand-alone) CA

• Does not require ActiveDirectory
• Manual confirmation of certificate
• Lack of automated deployment capabilities
• Request certificates only through the Web-based interface