Class E (Windows PKI)

Class E certificates are issued by a Microsoft Active Directory integrated CA. The class E certificate clients are internal computer systems that are integrated into the Active Directory of the Federal Administration (INTRA).
Computer systems outside these UNIX forests or workgroup computers can also obtain a certificate from this CA by means of manual enrolment, as long as these machines do not have a public trust. The templates provided for this purpose are listed under system certificates. The signature algorithm used is sha256/RSA. The FDFA operates its own issuing CA in its forest.

Class E certificates are mainly part of the systems that use them. They cannot be individually requested as standard, and this option is only available with Atlantica (see Virtual Windows servers factsheet).

• Forms and documents library

  In the forms and documents library, you will find all publicly available forms and documents for class E.

Lifecycle

Purchase

The certificate request is implicitly included in the order to create or change an account or to add a computer system to a Windows Active Directory domain of the Federal Administration (Forests INTRA and DFA).

The functionality of the Microsoft Enterprise PKI, which provides the option of automatic registration and issuing (auto-enrolment), is used as the basis for the issuing process. Authorisations on the defined certificate templates as well as group memberships and GPOs (Group Policy Object) are used to determine in detail which users and computer systems should receive a corresponding certificate.

Only the web server SSL certificates and ConfigMgr OS Deployment must be requested individually by the server administrator by means of an electronic request for naming reasons.

A procedure with manual enrolment is provided for obtaining system certificates for machines outside the forest, UNIX server or workgroup server listed below. However, these machines must not have a Public Trust. These certificates are only issued by the CA SwissGovernment-E-Intra01.

Realisation and implementation

The issuance and management of class E PKI certificates are based on a two-tier hierarchical infrastructure:

The task of the first-level Root CA Swiss Government E-Root01 is to validate the certificates of the second-level certification authorities.

The issuing CAs:

• SwissGovernment-E-Intra01 for the INTRA forest
• SwissGovernment-E-EDA01 for the FDFA forest

at the second level generate, validate, publish and manage the certificates of the certificate owners.

Machine certificates

• System certificates

  For certificates with (EKU): client authentication, server authentication and client/server authentication, 3 certificate templates are provided for each authentication:

  • auto:               auto-enrolment of certificates;
  • ManAPP:        manual enrolment of certificates with manager approval;
  • noManAPP:   manual enrolment of certificates without manager approval

  Instructions for manual enrolment of class E system certificates are available via the link at the bottom of the page.
  There is also an overview of the possible class E system certificates.

• Kerberos authentication (domain controller)

  These certificates allow a domain controller to authenticate itself to other computers and users. They are primarily used for smart card logon in the Active Directory domain.

• SSL web server (not publicly trusted)

  You can find this information under Class C certificates – Standard.

• Workstation authentification

  You can find this information under Class C certificates – Standard.

• ConfigMgr OS deployment

  You can find this information under Class C certificates – Standard.

• NPS network policy server

  You can find this information under Class C certificates – Standard.

• Remote desktop computer

  The keys and the certificates issued under this certificate policy allow a TLS 1.0 security level, which thus permits the verification of the identity of the server with the remote desktop session host and the encryption of the communication between the remote desktop session host and the client.

• ArmasuisseTBA

  The keys and certificates issued under this certificate policy enable Windows and Office products to be activated in specific environments using token-based activation [TBA].

• DC IPSec

  The keys and certificates issued under this certificate policy allow the backup data of domain controllers to be transmitted over encrypted network connections.

User certificates

• Code signing

  The keys and certificates issued under this certificate policy allow binaries to be signed. This ensures that unauthorised software is prevented from being installed.

• DC basic EFS

  The keys and certificates issued under this certificate policy are used to encrypt backups of selected domain controllers.

• DC EFS recovery agent

  The keys and certificates issued under this certificate policy are used to decrypt backups of selected domain controllers in case of emergency.