In an earlier article, I showed you how to build a fully-functional two-tier PKI environment. At the end of that piece, I left you with the most basic deployment. In a second article, I showed you how to set up certificate templates. I will use this article to show you how to perform the most common day-to-day operations: requesting certificates from a Windows Certification Authority.

I used “SSL” in the title because most people associate that label with certificates. For the rest of the article, I will use the more apt “PKI” label.

The PKI Certificate Request and Issuance Process

Fundamentally, the process of requesting and issuing PKI certificates does not depend on any particular vendor technology.

1. A public and private key pair is generated to represent the identity.
2. A “Certificate Signing Request” (CSR) is generated using the public key and some information about the identity.
3. The certification authority uses information from the CSR, its own public key, authorization information, and a “signature” generated by its private key to issue a certificate.

The particulars of these steps vary among implementations. You might have some experience generating CSRs to send to third-party signers. You might also have some experience using web or MMC interfaces. All the real magic happens during the signing process, though. Implementations also vary on that, but they all create essentially the same final product.

I want you to focus on the issuance portion. You do not need to know in-depth details unless you intend to become a security expert. However, you do need to understand that certificate issuance follows a process. Sometimes, an issuer might automate that process. You may have encountered one while signing up for a commercial web certificate. Let’s Encrypt provides a high degree of automation. At the other end, “Extended Validation” certificates require a higher level of interaction. At the most extreme, one commercial issuer used to require face-to-face contact before issuing a certificate. Regardless of the degree, every authority defines and follows a process that determines whether or not it will issue.

In your own environment, you can utilize varying levels of automation. More automation means more convenience, but also greater chances for abuse. Less automation requires greater user and administrative effort but might increase security. I lean toward more automation, myself, but will help you to find your own suitable solutions. I am a devoted fan of auto-enrollment for certificates.
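The request and issuance steps described above, run end to end with the `openssl` command line. This is an added example, not from the original article, which targets a Windows Certification Authority. The self-signed `demo-ca` root and the subject `web01.example.test` are constructed placeholders.

```shell
#!/bin/sh
# Added example: the request/issuance steps with the openssl CLI.
# "demo-ca" and "web01.example.test" are constructed placeholders.

pki_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1

        # Stand-in CA (assumption: a self-signed root, not a Windows CA).
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj "/CN=demo-ca" -days 30 2>/dev/null || exit 1

        # Step 1: requester generates a key pair; the private key stays local.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out id.key 2>/dev/null || exit 1

        # Step 2: the CSR holds the public key and identity, signed by id.key.
        openssl req -new -key id.key -subj "/CN=web01.example.test" \
            -out id.csr || exit 1

        # CA side: confirm the CSR's self-signature before issuing.
        openssl req -in id.csr -noout -verify 2>&1 | grep -q "verify OK" || exit 1

        # Step 3: the CA signs a certificate for the CSR's subject and key.
        openssl x509 -req -in id.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 30 -out id.crt 2>/dev/null || exit 1

        # The certificate must chain to the CA...
        openssl verify -CAfile ca.crt id.crt >/dev/null 2>&1 || exit 1

        # ...and carry exactly the public key that was in the CSR.
        csr_pub=$(openssl req -in id.csr -noout -pubkey) || exit 1
        crt_pub=$(openssl x509 -in id.crt -noout -pubkey) || exit 1
        [ "$csr_pub" = "$crt_pub" ] || exit 1
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

pki_demo && echo "certificate issued and verified"
```

Only `id.csr` crosses from requester to CA in this flow; `id.key` is never sent, which is why the CA checks the CSR's self-signature as proof that the requester holds the matching private key.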