Security experts generally agree that certificate-based authentication and encryption is far superior to password-based security. Windows operating systems have used certificates of various kinds to secure data communications for years. It was with the introduction of Windows XP and Windows Server 2003 that Microsoft began to support many types of smart card certificates. A Windows Server 2003 Certificate Authority could deliver smart card certificates through the use of Enrollment Agents—individuals who have been empowered by an enrollment agent certificate to obtain smartcard certificates for users. A user would meet an enrollment agent in person and submit identification in order to receive a smart card.
Certificate templates on a Certificate Server determine the validity period, encryption strength, and other properties of certificates issued from the template. Windows 2000 used version 1 certificates, Windows XP and Server 2003 used version 2 certificates and Windows Server 2008 and Vista/Windows 7 can use version 3 certificates. Version 3 certificates support stronger encryption by using Suite B algorithms including ECC (elliptic curve cryptography). Server 2008 Certificate Authorities support OCSP (online certificate status protocol), a new way for clients to check to see if a certificate is revoked. Instead of parsing a CRL (certificate revocation list) a client can use OCSP to contact an Online Responder, a webserver-based agent to quickly obtain a certificate’s revocation status. This method is more efficient, and busy environments can be serviced by responder arrays for high capacity and high availability. Online Responders must be authorized by a new Version 3 certificate that attests to the Responders accuracy.
Windows Server 2008 R2 Certification Authority Servers have additional new capabilities such as the ability to do cross-forest enrollments, even cross-forest autoenrollements using Group Policy. Enrollment is the process of requesting and receiving digital certificates from a Certificate Authority. Autoenrollment automates the certificate request using a group policy. Other improvements include a Kerberos certificate that identifies the Domain Controller to the client during Kerberos based authentication. Check out some of the new features at: