A lot of my customer site visits are for upgrading a customer’s PKI from Windows Server 2003 to Windows Server 2008 R2. I am going to cover the steps for upgrading a PKI in future postings in this series. However, before getting into the upgrade process, it is important to know why you may in fact want to upgrade.
A very general argument I make for upgrades of any sort is the following:
More specifically you will be interested in what new features and functionality are provided in Windows Server 2008 Certificate Services. So, let’s spend some time discovering the changes in features and functionality of Certificate Services.
Prior to Windows Server 2008 R2, you needed an enterprise SKU of the server OS to support Version 2 certificate templates. Version 2 certificate templates are required for features such as autoenrollment and key archival. Additionally, Version 2 certificate templates allow you to change many aspects of the template's configuration, whereas Version 1 templates only allow you to modify the security settings of the template.
Prior to Windows Server 2008 R2, a Certification Authority could only be used by clients (users, machines) in the same forest. This meant that if you had several forests and wanted to use functionality like autoenrollment in each forest, you needed an Issuing Certification Authority in each forest. This new feature in Windows Server 2008 R2 allows a single certification authority to provide certificates for clients in all of your forests. This has the potential to decrease not only administrative costs, but hardware costs as well.
The UI for managing certificate templates now gives the administrator the ability to specify the validity period of a certificate in hours, as seen below:
Also, for high-volume CAs such as those used to support NAP or 802.1x, a certificate template can be configured so that the resulting certificate is not stored in the CA database. Those same certificate templates can also be configured not to include revocation information in the issued certificate. See screenshot below:
Some applications require specific permissions to be configured on the private key of a certificate stored in, for example, the computer store. The UI now allows you to configure those private key permissions in the certificate template itself. The private key of the resulting certificate stored on the machine will carry the permissions configured on the template.
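The template settings discussed above (schema version, autoenrollment, key archival, and validity period) can be inventoried straight from the Configuration partition before you plan the upgrade. This is an added PowerShell example, not code from the original post; it assumes the ActiveDirectory module is installed and the account running it can read the Public Key Services container.

```powershell
# Added example (not from the original post): inventory the certificate
# templates published in the forest. Reports the template schema version
# (1 = V1, 2 = V2, 3 = V3), whether autoenrollment and key archival are set,
# and the validity period decoded to hours. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Flag values defined in MS-CRTD for the template attributes
$CT_FLAG_AUTO_ENROLLMENT              = 0x20   # bit in msPKI-Enrollment-Flag
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x1    # bit in msPKI-Private-Key-Flag

function Get-TemplateValidityHours {
    param([byte[]]$ExpirationPeriod)
    # pKIExpirationPeriod is a little-endian Int64 holding a NEGATIVE count of
    # 100-nanosecond intervals; negating it yields a .NET tick count.
    if (-not $ExpirationPeriod) { return $null }
    $ticks = [BitConverter]::ToInt64($ExpirationPeriod, 0)
    return [math]::Round(([TimeSpan]::FromTicks(-$ticks)).TotalHours, 2)
}

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$report = Get-ADObject -SearchBase $templateContainer `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version','msPKI-Enrollment-Flag',
                'msPKI-Private-Key-Flag','pKIExpirationPeriod' |
    ForEach-Object {
        [PSCustomObject]@{
            Template      = $_.Name
            SchemaVersion = $_.'msPKI-Template-Schema-Version'
            AutoEnroll    = [bool]($_.'msPKI-Enrollment-Flag'  -band $CT_FLAG_AUTO_ENROLLMENT)
            KeyArchival   = [bool]($_.'msPKI-Private-Key-Flag' -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL)
            ValidityHours = Get-TemplateValidityHours $_.pKIExpirationPeriod
        }
    }

# As the post notes, autoenrollment and key archival need Version 2 templates;
# a template below version 2 showing either flag is worth a closer look.
$report | Sort-Object SchemaVersion, Template | Format-Table -AutoSize
```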
The key new feature in Windows Server 2008 R2 is Web Services. Two additional role services have been added to Certificate Services: Certificate Enrollment Web Service and Certificate Enrollment Proxy Web Service.
Rob has an excellent post on the ASKDS blog that covers Certificate Enrollment Web Services.
So there were also a number of features added to Windows Server 2008 (Release 1, if you will). At a high level these included the following:
As well as a number of other features that can be found here.
I briefly covered many of the new features in Certificate Services for Windows Server 2008 R2. I also covered reasons for potentially upgrading your PKI to Windows Server 2008 R2. In future postings in this series I will cover the steps for upgrading a Windows Server 2003 PKI to Windows Server 2008 R2.
Man, this is very timely. We're just getting ready to move our Win 2003 PKI to Win 2008 R2. Looking forward eagerly to your follow-up posts.