Public Key Infrastructure at Microsoft – 2008 R2 Edition
Microsoft IT has released an updated version of the “Public Key Infrastructure at Microsoft” whitepaper found at http://www.microsoft.com/download/en/details.aspx?id=27581 or here Public Key Infrastructure at Microsoft 1750_PKI_TWP
The update deals with changes to the Microsoft internal PKI structure as part of the Windows Server 2008 R2 migration. There are many good “lessons learned and best practicess” outlined by Microsoft IT as a result of the migration/upgrade process that was performed.
Some of my favorites are the way they use CRL Overlap to provide higher availablity of CRLs and the simplified two tier structure together with Cross Forest Enrollment and the discussions about virtualisation of CAs
Some of the highlighted features in the document are:
Windows Server 2008:
- Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis
- Enhanced performance monitoring with the addition of new performance counters
- Scalable, high-speed revocation status response services that combine CRLs and integrated Online Responder services
- Support for Cryptography Next Generation (CNG) to enable the use of Suite B algorithms
- Enhanced service monitoring with the introduction of the Windows Server 2008 AD CS Management Pack for Microsoft Operations Manager 2005
- More detailed server administration with restricted certificate managers
- Failover cluster support
Windows Server 2008 R2:
- Cross-forest enrollment capability that allows for consolidation of existing hardware
- Databaseless CA feature to avoid storing unnecessary certificate records
- Best Practice Analyzer for improved configuration practices
- Web-based certificate enrollment protocol to allow enrollment over the Internet
