subject: Designing The Certificate Enrollment Process

Creating CA hierarchies is only the first step in the design of certificate services for an enterprise. You must also design the process of certificate enrollment and certificate distribution. Certificate enrollment is the process used to obtain a certificate. You can design enrollment to happen via user request or to be automatic. There are two parts to the enrollment process that you must consider during design: first, who can make a request and how it is made, and second, whether the request will be approved. Certificate distribution is the process of getting the certificate to the device from which it will be used. Windows Server 2003 can distribute many certificates across the network to the computers on which they will be used. You can also export a certificate to a file, transport it where it needs to go, and manually install it on the device.
After this lesson, you will be able to
Explain the certificate enrollment process.
Explain the considerations for designing certificate enrollment.
Design the certificate enrollment and distribution policy.
Configure enrollment and certificate distribution for the offline root CA.
Estimated lesson time: 90 minutes
How the Certificate Enrollment Process Works
Before you begin your design, you must understand how the certificate enrollment process works. The enrollment process consists of two main steps: request and approval or denial. The process varies depending on the type of certificate, the type of CA and its configuration, and whether it is automatic or manual. Typical certificate enrollment processes include:
The CA enrollment process
The manual end-user enrollment process
The automatic end-user enrollment process
The following sections describe these processes in detail.
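To make the request-then-approve-or-deny flow concrete, here is an added example (not code from the lesson or from Windows Server 2003) that models the three enrollment paths above in plain Python: a policy check on who may request which template, automatic issuance for templates configured to auto-enroll, a pending queue for manual enrollment that only a designated approver can act on, and export of an issued certificate for distribution by file. The templates, group names, approver name and key strings are constructed for the demo; the Certificate record is a stand-in for a real X.509 certificate.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from enum import Enum


class Outcome(Enum):
    ISSUED = "issued"    # issued at once (automatic enrollment)
    PENDING = "pending"  # waiting for an administrator (manual enrollment)
    DENIED = "denied"    # refused by policy or by an administrator


@dataclass(frozen=True)
class Template:
    """Hypothetical template: who may request it, and whether it auto-enrolls."""
    name: str
    allowed_groups: frozenset[str]
    auto_enroll: bool


@dataclass(frozen=True)
class EnrollmentRequest:
    requester: str
    groups: frozenset[str]
    template: str
    authenticated: bool  # request arrived with valid domain authentication
    public_key: str      # stand-in for the key in the request (constructed)

    @property
    def request_id(self) -> str:
        raw = f"{self.requester}|{self.template}|{self.public_key}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    template: str
    public_key: str

    def export(self) -> bytes:
        """Serialize for transport to the device where it will be installed."""
        return json.dumps(asdict(self), sort_keys=True).encode()


class CertificateAuthority:
    def __init__(self, templates: list[Template], approvers: set[str]) -> None:
        self.templates = {t.name: t for t in templates}
        self.approvers = set(approvers)
        self.pending: dict[str, EnrollmentRequest] = {}
        self.issued: list[Certificate] = []
        self.audit: list[str] = []  # every decision is recorded for review
        self._next_serial = 1

    def submit(self, req: EnrollmentRequest) -> tuple[Outcome, str | None]:
        """Part one of enrollment: who is asking, and for what. Returns the
        outcome plus a serial (issued) or request id (pending)."""
        tmpl = self.templates.get(req.template)
        if not req.authenticated:
            return self._deny(req, "unauthenticated requester")
        if tmpl is None:
            return self._deny(req, f"unknown template {req.template!r}")
        if not (req.groups & tmpl.allowed_groups):
            return self._deny(req, "requester not permitted for template")
        if tmpl.auto_enroll:
            return Outcome.ISSUED, str(self._issue(req).serial)
        self.pending[req.request_id] = req
        self.audit.append(f"PENDING {req.request_id} {req.requester} {req.template}")
        return Outcome.PENDING, req.request_id

    def approve(self, request_id: str, approver: str) -> Certificate:
        """Part two for manual enrollment: an authorized administrator decides."""
        if approver not in self.approvers:
            raise PermissionError(f"{approver} may not approve requests")
        return self._issue(self.pending.pop(request_id), by=approver)

    def deny(self, request_id: str, approver: str, reason: str) -> None:
        if approver not in self.approvers:
            raise PermissionError(f"{approver} may not deny requests")
        self._deny(self.pending.pop(request_id), f"{reason} (by {approver})")

    def _issue(self, req: EnrollmentRequest, by: str = "auto") -> Certificate:
        cert = Certificate(self._next_serial, req.requester, req.template, req.public_key)
        self._next_serial += 1
        self.issued.append(cert)
        self.audit.append(f"ISSUED serial={cert.serial} {req.requester} {req.template} by={by}")
        return cert

    def _deny(self, req: EnrollmentRequest, reason: str) -> tuple[Outcome, None]:
        self.audit.append(f"DENIED {req.request_id} {req.requester} {req.template}: {reason}")
        return Outcome.DENIED, None


def build_demo_ca() -> CertificateAuthority:
    # Constructed policy: users auto-enroll; server certificates need an approver.
    return CertificateAuthority(
        [Template("User", frozenset({"Domain Users"}), auto_enroll=True),
         Template("WebServer", frozenset({"Web Admins"}), auto_enroll=False)],
        approvers={"ca-admin"})


def demo() -> dict[str, str]:
    ca, results = build_demo_ca(), {}
    results["auto"] = ca.submit(EnrollmentRequest("alice", frozenset({"Domain Users"}), "User", True, "KEY-A"))[0].value
    outcome, rid = ca.submit(EnrollmentRequest("bob", frozenset({"Web Admins"}), "WebServer", True, "KEY-B"))
    results["manual_submit"] = outcome.value
    results["manual_serial"] = str(ca.approve(rid, "ca-admin").serial)
    results["wrong_group"] = ca.submit(EnrollmentRequest("carol", frozenset({"Domain Users"}), "WebServer", True, "KEY-C"))[0].value
    results["unauthenticated"] = ca.submit(EnrollmentRequest("dave", frozenset({"Domain Users"}), "User", False, "KEY-D"))[0].value
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two design questions from the lesson map onto two places in the code: `submit` answers "who can request, and how" (authentication plus the template's allowed groups), while `auto_enroll` versus the pending queue answers "whether the request will be approved" automatically or by a person. The audit list is the piece a defender cares about most: every issuance and denial, including who approved a manual request, is recorded so enrollment decisions can be reviewed later.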
Windows Server 2003 authenticates users and applications using either the Kerberos version 5 or NTLM protocol. The Kerberos version 5 protocol is the default protocol for computers running Windows Server 2003. If any computer involved in a transaction does not support Kerberos version 5, the NTLM protocol is used.
When using the Kerberos version 5 protocol, the client requests a ticket from a domain controller in its account domain for presentation to the server in the trusting domain. This ticket is issued by an intermediary trusted by the client and the server. The client presents this trusted ticket to the server in the trusting domain for authentication.
When a client tries to access resources on a server in another domain using NTLM authentication, the server containing the resource must contact a domain controller in the client's account domain to verify the account credentials. A trust relationship can also be created with any MIT version 5 Kerberos realm.