Windows Server 2003’s implementation of PKI offers several options and configuration features that enhance both the security of the data and communication, but also user functionality and ease-of-use.

As in real life, Certificates aren’t just granted for anything and everything. Instead, they are usually requested or granted with a specific purpose in mind: File Recovery, EFS, Client/Server Authentication, Secure Email, etc. These ‘purposeful’ certificates are generated as Certificate Templates. They allow a single user account to possess multiple certificates that certify/authorize various and sundry activities. A user account may have one certificate that allows for local file encryption, and another that allows access to a web server. Just like multiple identification cards, the appropriate certificates are used when the circumstances dictate its use. Certificates are stored within a user’s profile, which allows for computer and system roaming to occur, which is an added level of flexibility that would otherwise be unavailable.

From a server perspective, certificate authorities come in two basic flavors: Standalone, and Enterprise. When the Certificate Authority (CA)is being installed and enabled on a server, the administrator has the option to choose between these two types. Instead of being two different flavors of Certificates, as you might consider Standalone and Domain flavors of DFS, it’s best to consider Standalone and Enterprise CA as different animals altogether, because while the infrastructure may be similar, the results are quite different.