Windows Tip Sheet

Digital Certificates for Everyone

Even a simple PKI can be useful and secure.

Everyone knows how useful digital certificates can be. One common use is to issue digital certificates to employees for use in signing and encrypting e-mail, and many organizations are deploying internal certification authorities (CAs) to support that purpose.

But what if your organization isn't? Without a full public key infrastructure (PKI), e-mail certificates are impractical because they're too expensive to buy, and some organizations simply don't want signed or encrypted e-mail anyway. Not having a CA does, however, mean that some other useful Windows features become unavailable. For example, with a code-signing certificate you can more easily implement Software Restriction Policies and secure scripting, helping to prevent unauthorized software from running on your network.

Deploying an entire PKI just to issue a couple of code-signing certificates is overkill, though. Or is it? A PKI doesn't have to be complicated to be both useful and secure. For example, take a standalone (non-domain member) Win2003 box (even an older desktop-class machine will do; you're not looking for blazing performance). Install Certificate Services as a standalone root CA. Disconnect the server from the network. When you need a certificate, just boot up the machine and issue one to yourself; turn the machine off when you're finished and store it in a secure place. Keeping the machine off the network helps ensure that your new CA's root key isn't compromised in any way, which keeps your issued certificates more trustworthy. You'll get some of the benefits of having a full PKI—such as issuing certificates for enterprise-level tasks like code signing—without a full PKI deployment or the resources that one can require.
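One way to put that offline-root workflow into practice, as an added example that is not from the original column: it assumes a standalone CA named OfflineRootCA on a host named OFFLINECA, a workstation user requesting the certificate, a hypothetical RequestId of 3, and that request and certificate files travel to and from the powered-off CA on removable media, since the CA never touches the network.

```powershell
# --- Workstation (online): build a code-signing request for the offline CA ---
# certreq INF format; OID 1.3.6.1.5.5.7.3.3 is the Code Signing enhanced key usage.
@'
[NewRequest]
Subject = "CN=Script Signing, O=Example Corp"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3
'@ | Set-Content -Path .\codesign.inf -Encoding ASCII
certreq -new .\codesign.inf .\codesign.req      # private key is generated into CurrentUser\My

# --- Offline CA (booted, still disconnected; codesign.req arrives on removable media) ---
# A standalone CA holds every request as pending until an administrator approves it.
certreq -submit -config "OFFLINECA\OfflineRootCA" .\codesign.req   # prints the RequestId
certutil -resubmit 3                                                # approve RequestId 3 (assumed)
certreq -retrieve -config "OFFLINECA\OfflineRootCA" 3 .\codesign.cer
certutil -ca.cert .\root.cer                                        # export the root certificate
# Shut the CA down and lock it away; carry codesign.cer and root.cer back to the workstation.

# --- Workstation(s), run elevated: trust the root, bind the cert, sign, enforce ---
certreq -accept .\codesign.cer                      # joins the cert to the waiting private key
certutil -addstore Root .\root.cer                  # machine-wide trust in the offline root only
certutil -addstore TrustedPublisher .\codesign.cer  # lets AllSigned run these scripts unprompted
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
Set-AuthenticodeSignature -FilePath .\Deploy.ps1 -Certificate $cert
Get-AuthenticodeSignature -FilePath .\Deploy.ps1 | Select-Object Status, SignerCertificate
Set-ExecutionPolicy AllSigned -Scope LocalMachine   # unsigned or tampered scripts now refuse to run
```

Only the exported root certificate is distributed to workstations; the CA's private key never leaves the powered-off machine, which is the whole point of the arrangement.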

Cool Gadget
Anthology Solutions' Yellow Machine
The Yellow Machine from Anthology Solutions has a built-in 8-port LAN switch and WAN gateway.
Coolest gadget ever: The Yellow Machine from Anthology Solutions. It’s a shoebox-sized device running embedded Linux on an ASIC (which reduces power requirements) containing up to 1.6TB—yes, TB—of storage. It’s a killer network-attached storage (NAS) device, fast enough to stream movies and big enough to store hundreds of ‘em, or the Accounting department’s files, whichever is more important.


About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at
