SG-PKI Class E


Class E certificates (Windows PKI)

Description

Class E certificates are issued by a Microsoft Active Directory integrated CA. The class E certificate clients are internal computer systems that are integrated into the Active Directory of the Federal Administration (INTRA, ADR forests).

Computer systems outside these forests, UNIX systems or workgroup computers can also obtain a certificate from this CA by means of manual enrolment, as long as these machines do not have a public trust. The templates provided for this purpose are listed under system certificates. The signature algorithm used is sha256/RSA. The SFAO and the FDFA each operate their own issuing CA in their forests.

Class E certificates are mainly part of the systems that use them. They cannot be individually requested as standard, and this option is only available with Atlantica (see "Virtual Windows servers" factsheet). 

Function: Machine certificates

  • System certificates
    For certificates with the extended key usages (EKU) client authentication, server authentication and client/server authentication, 3 certificate templates are provided for each authentication type:
    auto:      auto-enrolment of certificates
    ManAPP:    manual enrolment of certificates with manager approval
    noManAPP:  manual enrolment of certificates without manager approval
    Instructions for manual enrolment of class E system certificates are available via the link at the bottom of the page.
    There is also an overview of the possible class E system certificates.
  • Kerberos authentication (domain controller)
    These certificates allow a domain controller to authenticate itself to other computers and users. They are primarily used for smart card logon in the Active Directory domain.
  • SSL web server (not publicly trusted)
    You can find this information under Class C certificates – Standard.
  • Workstation authentication
    You can find this information under Class C certificates – Standard.
  • ConfigMgr OS deployment 
    You can find this information under Class C certificates – Standard.
  • NPS network policy server
    You can find this information under Class C certificates – Standard.
  • Remote desktop computer 
    The keys and the certificates issued under this certificate policy allow a TLS 1.0 security level, which thus permits the verification of the identity of the server with the remote desktop session host and the encryption of the communication between the remote desktop session host and the client.
  • ArmasuisseTBA
    The keys and certificates issued under this certificate policy enable Windows and Office products to be activated in specific environments using token-based activation [TBA].
  • DC IPSec
    The keys and certificates issued under this certificate policy allow the backup data of domain controllers to be transmitted over encrypted network connections.

Function: User certificates

  • Code signing
    The keys and certificates issued under this certificate policy allow binaries to be signed. This prevents unauthorised software from being installed.
  • DC basic EFS
    The keys and certificates issued under this certificate policy are used to encrypt backups of selected domain controllers.
  • DC EFS recovery agent
    The keys and certificates issued under this certificate policy are used to decrypt backups of selected domain controllers in case of emergency.

Grade/quality of certificate issuance

Medium (administrative procedure)

Users

Machines/users

Storage medium certificate

Soft certificate (in machine or user profile)

Condition

None

Purchase

The certificate request is implicitly included in the order to create or change an account or to add a computer system to a Windows Active Directory domain of the Federal Administration (Forests INTRA and DFA).

The functionality of the Microsoft Enterprise PKI, which provides the option of automatic registration and issuing (auto-enrolment), is used as the basis for the issuing process. Authorisations on the defined certificate templates as well as group memberships and GPOs (Group Policy Object) are used to determine in detail which users and computer systems should receive a corresponding certificate.

Only the web server SSL certificates and ConfigMgr OS Deployment certificates must be requested individually by the server administrator by means of an electronic request, for naming reasons.

A procedure with manual enrolment is provided for obtaining system certificates for the machines outside the forest, UNIX servers or workgroup servers listed below. However, these machines must not have a public trust. These certificates are only issued by the CA Admin-CCE-Intra01.

Realisation and implementation

The issuance and management of class E PKI certificates are based on a two-tier hierarchical infrastructure:

The task of the first-level RootCA Admin-CC-Root01 is to validate the certificates of the second-level certification authorities.

The issuing CAs:

  • Admin-CCE-Intra01 for the INTRA forest
  • Admin-CCE-EDA01 for the FDFA forest 
  • Admin-CCE-EFK01 for the SFAO forest
  • Admin-CCE-ADR01 for the ADR forest

at the second level generate, validate, publish and manage the certificates of the certificate owners.
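As an added example (not part of this page or of the service operator's tooling), the following PowerShell inventories the machine certificates on a domain member that were issued by the four class E issuing CAs named above, shows which template and EKUs each one carries, and checks that each chains to the first-level root CA. It assumes the CA common names equal the CA names given on the page and that the script runs locally with read access to the machine certificate store.

```powershell
# Added example, not the operator's own script. Assumptions: CA subject CNs
# match the names on the page; run locally on a Windows machine.
$issuingCAs  = 'Admin-CCE-Intra01','Admin-CCE-EDA01','Admin-CCE-EFK01','Admin-CCE-ADR01'
$rootCA      = 'Admin-CC-Root01'
$templateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Issuer DN looks like "CN=Admin-CCE-Intra01, DC=..." ; keep only the CN.
    $issuerCn = ($cert.Issuer -split ',')[0] -replace '^CN=', ''
    if ($issuingCAs -notcontains $issuerCn) { return }   # not a class E certificate

    # Template that produced the certificate (auto / ManAPP / noManAPP variants).
    $tmplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $template = if ($tmplExt) { ($tmplExt.Format($false) -split ',')[0] } else { 'n/a' }

    # Extended key usages: client/server authentication, code signing, etc.
    $ekus = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join '; '

    # Build the chain with online revocation checking and require the
    # top element to be the class E root described on this page.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid  = $chain.Build($cert)
    $top    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootOk = $top.Subject -like "CN=$rootCA*"
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $issuerCn
        Template = $template
        EKU      = $ekus
        NotAfter = $cert.NotAfter
        ChainOK  = ($valid -and $rootOk)
        Status   = if ($status) { $status } else { 'OK' }
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

A certificate whose ChainOK column is false, or whose issuer CN is not one of the four issuing CAs, does not belong to this hierarchy and should be investigated before it is relied on for authentication.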

Class E certificate permission

Please submit a request for class E certificate permission by creating a ticket containing the following information:

  • Domain (ADR, INTRA, etc.)
  • Group name (e.g. US-intraCA-nonManApp-BIT-BS-BSC-BA)
  • Reference user (user who already has this permission)

Permission for: person or machine (server or client)