An important step in designing and implementing a public key infrastructure (PKI) is determining the groups or users who will manage it. To facilitate secure administration of Certificate Services, both the Windows Server 2003 Certificate Services and Windows Server 2008 Active Directory Certificate Services (AD CS) support Common Criteria role separation. Common Criteria role separation requires that PKI management be configured so that no single person has full control, thereby protecting an organization against a “malicious PKI administrator.”

There are other roles that must be considered when designing and implementing your organization’s PKI in addition to the roles defined in the Common Criteria protection profile. ...