Windows Server 2003 : Creating and Managing Digital Certificates - Introducing Certificates

9/11/2012 1:57:22 AM
As an increasing number of important business transactions are performed digitally, the issue of security for network communications has become vitally important. Digital transactions both within an organization and between organizations require protection from a variety of threats, including message interception, identity spoofing, and message repudiation. To provide this protection, Windows Server 2003 includes the components needed to create a PKI.

Introducing the Public Key Infrastructure

A public key infrastructure is a collection of software components and operational policies that govern the distribution and use of public and private keys through the use of digital certificates. To protect data transmitted over a network, computers use various types of encryption to encode messages and create digital signatures that verify their authenticity. For one computer to encrypt a message and another computer to decrypt it, both must possess a key.

Understanding Secret Key Encryption

Encryption is essentially a system in which one character is substituted for another. If you create a key specifying that the letter A should be replaced by Q, the letter B by O, the letter C by T, and so forth, any message you encode using that key can be decoded by anyone else who has that key. This is called secret key encryption because you must protect the key from compromise. For computer transactions, this simple type of encryption is all but useless because there is usually no practical way to distribute the secret key to all recipients. After all, if the object is to send an encrypted message to a recipient over the network, it would hardly be appropriate to first send the secret encryption key in an unsecured message.

For encryption on a data network to be both possible and practical, computers typically use a form of public key encryption. In public key encryption, every user has two keys, a public key and a private key. As the names imply, the public key is freely available to anyone, while the private key is carefully secured and never transmitted over the network. The way the system works is that data encrypted with the public key can be decrypted only with the private key, and conversely, data encrypted with the private key can be decrypted only by using the public key. The protection of the private key is what guarantees the security of messages encrypted using this system.

Encrypting Data

If someone wants to send you a message and make sure no one but you can read it, that person must obtain your public key and use it to encrypt the message. The person can then transmit the message to you over the network, secure in the knowledge that only you possess the private key needed to decrypt it. Even if an intruder were to intercept the message during transmission, it would still be in its encrypted form and therefore impenetrable. Once you receive the message and decrypt it using your private key, you could reply to it by using the other party’s own public key to encrypt your response, which only that person can decrypt using the private key.

Digitally Signing Data

If you want to send someone a message and have them be absolutely sure it came from you, you can digitally sign it by using your private key to encrypt all or part of the data. Anyone receiving the message can then decrypt the encoded data using your public key. The fact that your public key successfully decrypted the message proves that you sent it, because only your private key could have encrypted it. This process not only prevents other users from impersonating you by sending messages in your name, it also provides the recipient with proof that you sent the message so that you cannot repudiate it later.


It is usually not practical to encrypt an entire message for the purpose of digitally signing it. Instead, most PKI systems create a hash from the message and then encrypt the hash using the private key. A hash is a digital summary of the message created by removing redundant bits according to a specialized hashing algorithm.

Verifying Data

When you want to be certain the message you are sending to a recipient is not modified en route, you can use a hashing algorithm to create a hash from the message, and then encrypt both the message and the hash using your private key. When the message arrives at its destination, the recipient’s computer decrypts the message using your public key, and then uses the same hashing algorithm to create a hash from the incoming message. If the hash included with the message matches the hash calculated by the receiving system, the message is verified as being unchanged since its transmission.

Using Certificates

For public key encryption to be a reliable form of communication, there has to be a verifiable mechanism for the distribution of public keys. Otherwise, an imposter could distribute a public key using another person’s name and receive encrypted messages intended for that person, which the imposter could decrypt using the corresponding private key. To distribute public keys, Windows Server 2003 and most other systems supporting a PKI use digital certificates. A digital certificate is a document that verifiably associates a public key with a particular person or organization.

Understanding Certificate Contents

A digital certificate contains the public key for a particular entity, such as a user or an organization, plus information about the entity and about the certification authority (CA) that issued the certificate. The Telecommunication Standardization Sector of the International Telecommunication Union (ITU-T) has published a standard called X.509 (03/00), “The Directory: Public-key and Attribute Certificate Frameworks,” which defines the format of the certificates used by most PKI systems, including Windows Server 2003. In addition to the public key, every digital certificate contains these attributes:

  • Version Identifies the version of the X.509 standard used to format the certificate

  • Serial number A value assigned by the CA that uniquely identifies the certificate

  • Signature algorithm identifier Specifies the algorithm the CA used to calculate the certificate’s digital signature

  • Issuer name Specifies the name of the entity that issued the certificate

  • Validity period Specifies the period during which the certificate is valid

  • Subject name Specifies the name of the entity for which the certificate is issued

Most certificates also contain other attributes, which are specific to the intended functions of the certificates.

To use public key encryption, you must obtain a certificate from an administrative entity called a certification authority (CA). A CA can be a third-party company that is trusted to verify the identities of all parties involved in a digital transaction, or it can be a piece of software on a computer running Windows Server 2003 or another operating system. The type of CA you use for your organization depends on who is involved in the secure transactions.

Obtaining a certificate from a CA can be a manual process, with the user explicitly requesting that a CA issue a certificate, or an automatic one, with an application requesting and obtaining a certificate in the background as part of its normal function. No matter how the process occurs, the CA issues a public key and a private key as a matched pair. The private key is stored on the user’s computer in encrypted form, and the public key is issued as part of a certificate. The certificate is essentially a carrier for the public key and related information and, as such, facilitates the distribution of the key to the people who need it.

Using Internal and External CAs

For a certificate to be useful in securing a digital transaction, it must be issued by an authority that both parties to the transaction trust to verify each other’s identity. When you are designing your own PKI for your network, you can deploy your own certification authorities, use a third-party CA, or use both. Your choice typically depends on whether the parties involved in the transaction work for the same company or different ones.

If you want to ensure that internal communications in your organization are secure, you would be best served by installing your own CAs. Windows Server 2003 includes Certificate Services, a service that functions as a CA. All the users in your organization can usually trust a CA run by the company to verify other users’ identities. However, if your organization engages in digital transactions with other companies, an internal CA is typically not useful because the other companies are not going to trust your own CA to verify your identity.

For securing external transactions, the best practice is to obtain certificates from a neutral third-party organization that functions as a commercial certification authority. Companies such as Thawte and VeriSign, Inc., are examples of commercial CAs that are trusted throughout the IT industry.

Real World: Using Certificates

For a Windows operating system user, one of the most common occasions for encountering certificates occurs when you download software from the Internet and Microsoft Internet Explorer displays a dialog box, like the one in the following illustration, that prompts you to confirm that you want to install the software. This dialog box specifies the manufacturer of the software and indicates whether the download includes a certificate that verifies the source of the download.

If a certificate is included, it contains the software manufacturer’s public key, which your computer uses to decrypt the download’s digital signature. If decryption is successful, you know that the software you downloaded was digitally signed using the private key corresponding to the public key in the certificate. As long as you trust the authority that issued the certificate to verify the software manufacturer’s identity, you know that the download came from the manufacturer and was not tampered with en route.

Understanding PKI Functions

With a Windows Server 2003 PKI in place, network administrators can perform the following tasks:

  • Publish certificates Certificate Services can create certificates and publish them on a Web site or in Active Directory, where clients—such as users, computers, and applications—can retrieve them.

  • Enroll clients Enrollment is the term used to describe the process by which a client requests and receives a certificate from a certification authority. When a client requests a certificate, the CA (or the CA administrator) verifies the client’s identity and then issues a certificate in the client’s name.

  • Use certificates Once a client requests and receives a certificate, the client can use it to secure its communications in various ways, depending on the capabilities of the certificate and the functions for which it was issued.

  • Renew certificates Certificates are typically valid for a finite period. At the end of that period, the client must either renew the certificate with the CA or stop using it.

  • Revoke certificates When a CA administrator explicitly revokes a certificate, the CA adds it to a certificate revocation list (CRL). The CA publishes this list at regular intervals to inform the other systems on the network of certificates that they should no longer honor.

Practice: Viewing a Certificate

In this practice, you install the Macromedia Shockwave Player software on a computer running Windows Server 2003. During the installation procedure, you can display the certificate that verifies the identity of the software’s publisher.

Log on to Windows Server 2003 as Administrator.

Click Start, point to All Programs, and then click Internet Explorer. A Microsoft Internet Explorer window appears.

From the Tools menu, select Internet Options and then click the Security tab.

For the Internet zone, move the Security Level For This Zone slider to Medium, and then click OK.

Changing the Security Level prevents the Internet Explorer Enhanced Security Configuration feature from blocking access to the Certificate Services Web page.

In the Address text box, type and then press ENTER. The Macromedia Shockwave Player Download Center page appears.

Click the Install Now button. The Security Warning dialog box appears.

This dialog box specifies that you are about to install the Shockwave Player software and states that the computer has confirmed the authenticity of the publisher.

Click the Macromedia, Inc., hyperlink. The Certificate dialog box appears with the General tab active.

Notice that the software uses a certificate supplied by VeriSign, which provides assurance that the software comes from the specified publisher and has not been modified.

Click the Details tab.

This tab displays a list of all the certificate’s attributes.

Click OK to close the Certificate dialog box, and then click Yes in the Security Warning dialog box. The software installation proceeds.

Close Internet Explorer after the installation completes.
  •  Laptop For All Budgets (Part 2) - Notebooks, Ultrabooks
  •  Laptop For All Budgets (Part 1)
  •  Windows Tips & Tricks (August 2012) – Part 2 - Manage Your Google Docs Offline with gExplore
  •  Windows Tips & Tricks (August 2012) – Part 1 - Wake Your PC with a Smartphone or Tablet
  •  Windows 8's Unexpected Features (Part 3)
  •  Windows 8's Unexpected Features (Part 2)
  •  Windows 8's Unexpected Features (Part 1)
  •  Windows Server 2008 R2 and Windows 7 : Deploying DirectAccess (part 3) - Installing and configuring DirectAccess and network location server
  •  Windows Server 2008 R2 and Windows 7 : Deploying DirectAccess (part 2) - Creating a certificate revocation list (CRL) distribution point on the DirectAccess server
  •  Windows Server 2008 R2 and Windows 7 : Deploying DirectAccess (part 1) - Creating a certificate template for computer autoenrollment
  •  Windows Server 2008 R2 and Windows 7 : Planning to Deploy Directaccess
  •  Iwork Pro : Export Strength
  •  Is It Time To Ditch Windows Search? (Part 4) - Power tools,Search for files over Wi-Fi, Search your PC from your mobile phone
  •  Is It Time To Ditch Windows Search? (Part 3) - Search across the LAN
  •  Is It Time To Ditch Windows Search? (Part 2) - Search within files
  •  Is It Time To Ditch Windows Search? (Part 1) - Simple filename searches
  •  In Search Of The Perfect Mid-Tower (Part 4) - Thermaltake Level 10 GTS
  •  In Search Of The Perfect Mid-Tower (Part 3) - Corsair Obsidian 550D, NZXT Phantom 410 Gunmetal Edition
  •  In Search Of The Perfect Mid-Tower (Part 2) - Corsair Vengeance C70, MSI Ravager
  •  In Search Of The Perfect Mid-Tower (Part 1) - Antec Eleven Hundred, Silverstone Temjin Tj04-E
    Top 10
    Letter Of The Month – November 2012 (Part 2)
    Letter Of The Month – November 2012 (Part 1)
    Mac App Store Sandboxing Nightmare
    iStopMotion 3
    That’s Online Entertainment (Part 3)
    That’s Online Entertainment (Part 2)
    That’s Online Entertainment (Part 1)
    How to Buy…A TV TUNER (Part 2)
    How to Buy…A TV TUNER (Part 1)
    Philips E-Line 273E3LH LED Monitor - Big-Screen-Entertainment
    Most View
    How to beat 2012’s web threats (Part 3)
    Samsung LED Monitor With 170 Degree Viewing Angle
    Windows Vista : Deploying Applications - Injecting in a Disk Image
    Windows Server 2008 : Domain Name System and IPv6 - Secure DNS with DNSSEC
    Hands-On Preview: Pentax K-01- Stylish new compact system camera from Pentax
    Transact-SQL in SQL Server 2008 : Sparse Columns
    WCF Services : Data Contract - Equivalence
    AMD Radeon HD 7970 - The World's Fastest Single-GPU (Part 1)
    Tube amplifier for headphone review
    Server-Side Browser Detection and Content Delivery : Mobile Detection (part 4) - Device Libraries
    Sharepoint 2010 : Business Connectivity Services Deployment Types (part 3) - Configure Indexing & Performing a Search
    System Center Configuration Manager 2007 : Architecture Design Planning - Device Management Planning
    Thunderbolt Arrives!
    Windows Phone 7 Development : Understanding Trial and Full Modes (part 2) - Using the Marketplace APIs
    Publishing ASP.NET Web Applications : MSDeploy Publish
    Using SQL Server 2005 Integration Services : Extensibility (part 4) - Custom Connection Managers
    ASP.NET AJAX : Partial Refreshes (part 2) - Handling Errors
    Exchange Server 2010 server roles (part 1) - Mailbox Server role
    Computer Expert Advice (May 2012) – Part 1
    Windows Server 2008 R2 Active Directory Domain Services Primer : Examining AD DS’s Structure