A Microsoft PKI Quick Guide – Part 1: Planning

If you would like to read the other articles in this series please go to:

In this four part series we’ll give you a quick overview on how to design, install and troubleshoot a PKI (Public Key Infrastructure) based on Microsoft Certificate Services in Windows Server 2003. We’ll show you some of the common pitfalls and best practices in building and operating a Microsoft based PKI, where we focus on the essentials in building a correct and flexible PKI from the beginning.

Why you need a PKI

Some years back, everybody was talking about the year 2000 as the year of the PKI. Many believed that the mainstream market was finally ready to take advantage of all the goodies a PKI could offer. However as you probably guessed, certificates and PKIs never really took off. It simply wasn’t sexy enough for management to digest and the technical staff (who at the time where the only ones that could see the value in a PKI) was not very good at selling the business case to management. However as time has progressed, PKI has once again become one of the hottest topics in both large and medium size businesses, although this time there is a much less ambitious and more realistic approach to certificate usage and PKIs among IT administrators and business decision makers. The shift in the security landscape, where security and improvements in Internet and mobile communication technologies have become a business enabler for many companies, means that certificates and PKIs are more ready for the mainstream business market now, than it has ever been.

So what’s the big deal with a PKI you may ask and why should you care? Well basically it all comes down to certificate management. You see, certificates are everywhere you look today and often they’re used without you ever worrying about their existence. Some of the most common scenarios where certificates are used are (in no particular order):

  • Disk and file encryption (certificates are used to protect the symmetric crypto key)
  • Multifactor authentication such as smart cards
  • IPSec
  • Digital signature
  • RADIUS and 802.1x authentication
  • Wireless networks
  • NAP (Network Access Control) and NAQ (Network Access Quarantine) for compliance
  • Code and driver signing
  • SSL/TLS for protecting HTTP based traffic

As you can see, certificates are used in many places, and its main purpose is added security to your IT infrastructure/solutions. But if you also look at our list above, then you can probably imagine that this also means that you may have to administer a lot of certificates, depending on what features you want to take advantage of in your infrastructure and how you decide to implement them. This is where a PKI can be of help. A PKI is simply a way to centrally administer the issuing, renewing and revocation of certificates and build your own path of trust. The certificates and the PKI we will cover in this article series are X.509 v3 based, which means that we can do some pretty nifty stuff with the certificate usage, which we’ll take a closer look at in part 2 of this article series.

Before we move on, I would like to make a disclaimer in terms of what we will cover in this article series. The intentions of this article series is to give you a quick overview on the most important areas, so that you, with very little effort, can get a PKI foundation up-and-running in no time, and which is both scalable and manageable. However building a PKI can be a big project and if you’re a very security conscious IT administrator where things such as role delegation and FIPS-140 compliance is important to you, then you may want to take a closer look at the links we have provided at the end of this article. With these things in mind, let’s get straight to the point and get started with the planning phase.

Planning a PKI

OK, I admit that by introducing a planning phase in our first article, we aren’t exactly being technical right away which you may have hoped for. But nonetheless, the planning part is very important and we’ll show you how to get the planning done with the least amount of effort, by showing you what areas you should focus on. The most common mistake companies makes when they install Microsoft Certificate Services (and thereby establish a PKI) is that they ignore the planning part, and thus end up spending a lot more both in terms of resources and money once they realize that they may have overlooked some important issues when they went into the Add/Remove Windows Components menu on their Windows 2000 or Windows 2003 based server and put a checkmark in front of the Certificate Services components.

The areas you should consider during the planning of your future PKI are:

  • Check if your security policy is updated and ready for a PKI
  • Create one or more certificate policies
  • Create a certificate practice statement

Let’s take a closer look into each of the above areas

Check if your security policy is updated and ready for a PKI

Brian Komar who is the author of the excellent book “Microsoft Windows Server 2003 PKI and Certificate Security” (see link at the end of this article) and who has written several Microsoft whitepapers and given sessions on various Microsoft PKI subjects, often states that “A PKI enforces your organization’s security policies” which in my opinion pretty much says it all. Make sure that you have a security policy in your company that addresses your company’s business and IT strategy. Then align this strategy with the applications and security services that will depend on certificates. Since a security policy needs to be approved by management or even the board members (after all, these people are responsible for your company’s business strategy), you’ll basically have a green light to move on with your PKI implementation. Should you be unfortunate enough, in that your company doesn’t have a corporate security policy, then consider looking at the following URL’s for inspiration and samples on various security policies including various corporate security policy samples based on the ISO 17799 standard.

The SANS Security Policy Project
RFC 2196, “Site Security Handbook”
Open Directory Project – Security policy samples

Create one or more Certificate Policies

I admit it. Policies are not the most exciting stuff in the world, but nonetheless, they’re still very important. And if you want to avoid all the legal issues with respect to your PKI, you better consider having a Certificate Policy (CP) in place. The certificate policy describes how and who will issue and distribute certificates to a subject (i.e. subjects being users, computers, devices etc.). This can be a daunting task even though it’s very important, but don’t worry. Just follow the steps below and you’ll be well on your way to creating your certificate policy for your PKI.

  1. Glance through the RFC 3647 which you can find here
  2. Then take a look at how a great certificate policy should look like, although this policy is probably more detailed than what you may need.
    The X.509 Certificate Policy for the United States Department of Defense (DoD)

Create a Certificate Practice Statement

We’re almost done with the planning part, but we still need to create a Certificate Practice Statement (CPS). The CPS is very similar to the Certificate Policy, except that it focuses on the security of a Certificate Authority (CA) during operations and the management of the certificates issued by the CA. A CPS is usually much shorter than the Security Policy and contains information on who’s liable in case the certificate is unable to adequately protect whatever it is supposed to protect. An example could be a secure SSL/TLS connection, when a customer is entering their credit card number. Other areas that (as a minimum) should be included in a CPS are how validation, renewal and revocation are handled by the CA responsible for issuing the certificates. You can look at a CPS as an agreement between the user of the certificate and the company which is responsible for the issuing CA. And as you may have guessed, we also have some great samples for a CPS, which may seem familiar to you.

  1. Just like with the Certificate Policy earlier, you can glance through the RFC 3647 for CPS info as well, which you can find here
  2. And for inspiration, take a look at VeriSign’s CDP here

Unlike the Certificate Policy, a CPS should always be made publically available so that a user of the certificates always has access to the CPS. In every certificate your CA issues, there should be a link that points to the location where the CPS is published. We’ll take a closer look at it in the last two articles.

A final word

We have given you a quick overview on some of the most important issues to take note of during the planning phase of building a Microsoft based PKI, however it is important that you look at the information in this article from a critical point of view if you want to build a PKI in a high security environment. Remember that this article series serves as a quick guide to help you get a great Microsoft based PKI up-and-running in a very short time. If you want all the cool and gory details in terms of planning, design and installation, then you should take a closer look at all the excellent resources below. In the next article we’ll take a closer look at the different design and installation options you have, based on best practices.

External resources

All the excellent Microsoft PKI articles are collected in one place which you can find on the Microsoft PKI Web Portal

Want to see how Microsoft does PKI, then check out the IT Showcase -Deploying PKI Inside Microsoft

And this is a great book – Microsoft Windows Server 2003 PKI and Certificate Security


If you would like to read the other articles in this series please go to:


About The Author

1 thought on “A Microsoft PKI Quick Guide – Part 1: Planning”

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top