3.2 Certificate Services Functionality
Section of this document provides examples that illustrate the interaction of some of the protocols in two sample configurations.
Familiarity with public key infrastructure (PKI) concepts such as asymmetric and symmetric cryptography, digital certificate concepts, and cryptographic key exchange are required for a complete understanding of this specification. In addition, a comprehensive understanding of the x.509 standard, as specified in [X509], is required for a complete understanding of the protocol and its usage. Certificate concepts are as specified in [X509].
A certificate authority (CA) is an entity (individual, department, company, or organization) that issues digital certificates to verify the identity of users, applications, or organizations.
Before issuing a digital certificate to someone, the certificate authority (CA) must verify the user's identity according to a strictly established policy. This verification can involve face-to-face communication, examination of a driver's license with a photograph, or another method of establishing a user's identity. When the user's identity has been verified, the certificate is issued to the user. This certificate can then be presented by the user to digitally identify himself or herself during network transactions.
CAs can be trusted third parties such as the private companies VeriSign, CyberTrust, and Nortel Networks; or any organization can establish its own CAs using the certificate services functionality in Microsoft Windows® Server operating system. CAs can be stand-alone authorities with their own self-signed certificates (that is, they validate their own identity as a root CA), or they can be part of a hierarchy in which each CA is certified by the trusted CA above it (up to a root CA, which must always be self-certified).
To ensure that digital certificates work as an identification scheme, both client and server programs must trust the CA. When a client program presents a certificate to a server program, the server program must be able to validate that the certificate was issued by a valid and trusted CA. Certificate authorities also maintain a certificate revocation list (CRL) for revoked certificates. Certificates issued by CAs expire after a specified period of time.
CAs are necessary for the functioning of public key infrastructure (PKI), which is essential to the widespread acceptance and success of any public key cryptography system. Windows Server® 2008 operating system,Windows Server® 2003 operating system and Microsoft Windows® 2000 Server operating system can use standard X.509 digital certificates to authenticate connections across unsecured networks such as the Internet and to provide single sign-on by using smart card authentication systems.