Windows Server 2003 : Creating and Managing Digital Certificates - Managing Certificates

9/11/2012 2:04:00 AM
Once you have completed your PKI design and installed your CAs, the next step in deploying PKI to consider is the ongoing management of your CAs and their certificates. This includes administering certificate enrollment, managing the certificates themselves, and publishing certificate revocation lists.

Understanding Certificate Enrollment and Renewal

The actual process by which CAs issue certificates to clients varies depending on the types of CAs you have installed. If you have installed enterprise CAs, you can use autoenrollment, in which the CA receives certificate requests from clients, evaluates them, and automatically determines whether to issue the certificate or deny the request. If you have installed stand-alone CAs, you cannot use autoenrollment, so you must arrange for an administrator to monitor the CA (using the Certification Authority console) for incoming requests and to make decisions about whether to issue or deny the requests.

Using Autoenrollment

Autoenrollment enables clients to automatically request and receive certificates from a CA, with no manual intervention from administrators. To use autoenrollment, you must have domain controllers running Windows Server 2003, an enterprise CA running on Windows Server 2003, and clients running Microsoft Windows XP Professional. You control the autoenrollment process by using a combination of Group Policy settings and certificate templates.

By default, Group Policy Objects (GPOs) contain settings that enable autoenrollment for all user and computer objects in a domain. You configure these settings by opening the Autoenrollment Settings policy, located in the Windows Settings\Security Settings\Public Key Policies folder in both the Computer Configuration and User Configuration nodes in the Group Policy Object Editor. In the Autoenrollment Settings Properties dialog box (shown in Figure 1), you can disable autoenrollment entirely for the objects receiving these GPO settings. You can also enable the objects to renew and update their certificates automatically.

Figure 1. The Autoenrollment Settings Properties dialog box

The other mechanism you can use to control autoenrollment is built into the certificate templates that define the properties of specific certificate types. To manage certificate templates, you use the Certificate Templates snap-in, as shown in Figure 2. Using this tool, you can specify the validity and renewal periods of specific certificate types and choose cryptographic service providers for them. Using the Security tab for a particular template, you can also specify which users and groups are allowed to request certificates using that template.

Figure 2. The Certificate Templates snap-in

When a client requests a particular type of certificate, the CA checks the properties of the client’s Active Directory object to determine whether the client has the permissions needed to receive the certificate. If the client has the appropriate permissions, the CA issues the certificate automatically.

Using Manual Enrollment

Stand-alone CAs cannot use autoenrollment, so when a stand-alone CA receives a certificate request from a client, it stores the request in a queue until an administrator decides whether to issue the certificate. To monitor and process incoming requests, administrators use the Certification Authority console, as shown in Figure 3.

Figure 3. The Certification Authority console

In the Certification Authority console, incoming certificate enrollment requests appear in the Pending Requests folder. After evaluating the information in each request, an administrator can choose to issue or deny each request. Administrators can also view the properties of issued certificates and revoke certificates as needed.

Manually Requesting Certificates

In some cases, the process of requesting a certificate and receiving it from a CA is invisible to both the client and the administrator. Certain applications might request certificates and receive them in the background, and then proceed to function in the normal manner. In other cases, however, users must explicitly request certificates, using one of the tools that Windows Server 2003 provides.

Using the Certificates Snap-in

The Certificates snap-in (shown in Figure 4) is a tool you can use to view and manage the certificates of a specific user or computer. The snap-in’s main display consists of folders that contain categories for all the certificates accessible to the designated user or computer. If your organization uses enterprise CAs, the Certificates snap-in also enables you to request and renew certificates using the Certificate Request Wizard and Certificate Renewal Wizard

Figure 4. The Certificates snap-in

Off the Record

The Certificates snap-in is limited to use with enterprise CAs because the snap-in reads certificate information for the user or computer from Active Directory, and clients of stand-alone CAs are not expected to have access to Active Directory resources.

Using Web Enrollment

When you install Certificate Services on a computer running Windows Server 2003, you have the option of installing the Certificate Services Web Enrollment Support module as well. To function properly, this module requires you to have IIS installed on the computer first, along with support for ASP. Selecting this module during the Certificate Services installation creates a series of Web pages on the computer running the CA (shown in Figure 5); these pages enable users to submit requests for particular types of certificates.

Figure 5. The Microsoft Certificate Services Web Enrollment Support interface


You can also install the Certificate Services Web Enrollment Support module on a server running Windows Server 2003 that is not a CA, enabling you to integrate this module into existing Web servers.

The Web Enrollment Support interface is intended to give internal or external network users access to stand-alone CAs. Because stand-alone servers do not use certificate templates, the requests submitted by clients must include all the necessary information about the certificates being requested and about the users of the certificates. When clients request certificates using the Web Enrollment Support interface, they can select from a list of predefined certificate types or create an advanced certificate request in which they specify all the required information in a Web-based form. (See Figure 6.)

Figure 6. The Web Enrollment Support interface’s Advanced Certificate Request page

Off the Record

The Web Enrollment Support interface can generate requests for most certificate types, but it cannot generate requests for certificates that are exclusive to enterprise CAs, such as smart card logon certificates.

Revoking Certificates

Several conditions can prompt an administrator to revoke a certificate. If a private key is compromised, an unauthorized user has gained access to the CA, or the administrator wants to issue a certificate using different parameters (such as longer keys), she or he must revoke the certificates that are no longer usable. A CA maintains a CRL, which it publishes to clients on a regular basis. Enterprise CAs publish their CRLs in the Active Directory database, so clients can access them using the standard Active Directory communication protocol, called Lightweight Directory Access Protocol (LDAP). A stand-alone CA stores its CRL as a file on the server’s local drive, so clients must access it using an Internet communications protocol, such as Hypertext Transfer Protocol (HTTP) or File Transfer Protocol File Transfer Protocol (FTP).

Every certificate contains the path to the CA’s distribution point for CRLs. You can modify this path in the Certification Authority console by displaying the Properties dialog box for the CA, and then clicking the Extensions tab. (See Figure 7.) However, if you plan to modify a CA’s CRL distribution point, you must do so before it issues certificates. When an application authenticates a client using a certificate, it checks the CRL distribution point specified in the certificate to make sure the certificate has not been revoked. If the CRL is not at its specified distribution point, the application rejects the certificate.

Figure 7. The Extensions tab in a CA’s Properties dialog box

By selecting the Revoked Certificates folder in the Certification Authority console and then displaying its Properties dialog box (shown in Figure 8), you can specify how often the CA should publish a new CRL, and also configure the CA to publish delta CRLs. A delta CRL is a list of all certificates revoked since the last CRL publication. In organizations with large numbers of certificates, using delta CRLs instead of base CRLs can save a great deal of network bandwidth. For example, rather than publishing a base CRL every week, you can choose to publish delta CRLs weekly and publish the base CRLs monthly.

Figure 8. The Revoked Certificates Properties dialog box

Practice: Requesting a Certificate

In this practice, you use the Web Enrollment Support interface to request a certificate from the CA . Then you instruct the CA to issue the certificate and use the Web Enrollment Support interface to retrieve it. Finally, you view the contents of the certificate using the Certificates snap-in.

Exercise 1: Requesting a Certificate

In this exercise, you access the CA by using the Web Enrollment Support interface and request a certificate from the CA.

Log on to Server02 as Administrator.

Click Start, and then click Internet Explorer. A Microsoft Internet Explorer window appears.

In the Address text box, type http://localhost/certsrv and press ENTER. The Microsoft Certificate Services Web page appears.

Click Request A Certificate. The Request A Certificate page appears.

Click Advanced Certificate Request. The Advanced Certificate Request page appears.

Click Create And Submit A Request To This CA. The Advanced Certificate Request form appears.

In the Name text box, type Lorrin Smith-Bates.

In the Type Of Certificate Needed drop-down list, select IPSec Certificate.

In the CSP drop-down list, select Microsoft Strong Cryptographic Provider.

In the Key Size text box, type 2048, and then click Submit at the bottom of the form.

A Potential Scripting Violation message box appears, prompting you to confirm your request. Click Yes.

An Internet Explorer message box might appear to inform you that others might intercept information sent over the Internet. Click Yes to continue.

The Certificate Pending page appears, informing you that your request has been submitted to the CA.

Leave Internet Explorer running.

Exercise 2: Issuing a Certificate

In this exercise, you use the Certification Authority console to issue the certificate you requested in the first exercise.

Click Start, point to Administrative Tools, and then click Certification Authority. The Certification Authority console appears.

Expand the Issuing icon in the scope pane, and then click the Pending Requests folder.

The request you generated in the first exercise appears in the details pane.

Right-click the request and, from the shortcut menu, point to All Tasks, and then select Issue. The request disappears from the folder.

Click the Issued Certificates folder. Notice that the request you just approved now appears in the Issued Certificates list.

Close the Certification Authority console.

Exercise 3: Retrieving a Certificate

In this exercise, you use the Web Enrollment Support interface to retrieve the certificate you just issued.

Return to the Internet Explorer window.

In the Address text box, type http://localhost/certsrv and then press ENTER. The Microsoft Certificate Services Web page appears.

Click View The Status Of A Pending Certificate Request. The View The Status Of A Pending Certificate Request page appears.

Click IPSec Certificate. The Certificate Issued page appears, stating that the certificate you requested was issued to you.

Click Install This Certificate. A Potential Scripting Violation message box appears, prompting you to confirm the installation of the certificate.

Click Yes. The Certificate Installed page appears.

Close Internet Explorer.

Exercise 4: Viewing a Certificate

In this exercise, you use the Certificates snap-in to view the certificate you just installed.

Click Start, and then click Run. The Run dialog box appears.

In the Open text box, type mmc and then click OK. The Console1 window appears.

From the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.

Click Add. The Add Standalone Snap-in dialog box appears.

In the Available Standalone Snap-ins list, select Certificates.

Click Add. The Certificates Snap-in dialog box appears.

Click Finish to accept the default My User Account option, and then click Close. The Certificates—Current User snap-in appears in the Add/Remove Snap-in dialog box.

Click OK. A Certificates—Current User entry appears in the Console Root window.

Expand the Certificates—Current User icon, expand the Personal folder, and then click the Certificates subfolder. The certificate issued to Lorrin Smith-Bates appears in the details pane.

Double-click the Lorrin Smith-Bates certificate. A Certificate dialog box appears.

Click the Details tab.

Notice that the Public Key entry detail shows the 2048-bit key length you specified in your request and the Enhanced Key Usage detail indicates that the certificate is to be used for IP Security.

Click OK to close the Certificate dialog box.

Close the Console1 window.

If a Microsoft Management Console message box appears, click No to save the console settings.
  •  Windows Server 2003 : Creating and Managing Digital Certificates - Designing a Public Key Infrastructure
  •  Windows Server 2003 : Creating and Managing Digital Certificates - Introducing Certificates
  •  Laptop For All Budgets (Part 2) - Notebooks, Ultrabooks
  •  Laptop For All Budgets (Part 1)
  •  Windows Tips & Tricks (August 2012) – Part 2 - Manage Your Google Docs Offline with gExplore
  •  Windows Tips & Tricks (August 2012) – Part 1 - Wake Your PC with a Smartphone or Tablet
  •  Windows 8's Unexpected Features (Part 3)
  •  Windows 8's Unexpected Features (Part 2)
  •  Windows 8's Unexpected Features (Part 1)
  •  Windows Server 2008 R2 and Windows 7 : Deploying DirectAccess (part 3) - Installing and configuring DirectAccess and network location server
  •  Windows Server 2008 R2 and Windows 7 : Deploying DirectAccess (part 2) - Creating a certificate revocation list (CRL) distribution point on the DirectAccess server
  •  Windows Server 2008 R2 and Windows 7 : Deploying DirectAccess (part 1) - Creating a certificate template for computer autoenrollment
  •  Windows Server 2008 R2 and Windows 7 : Planning to Deploy Directaccess
  •  Iwork Pro : Export Strength
  •  Is It Time To Ditch Windows Search? (Part 4) - Power tools,Search for files over Wi-Fi, Search your PC from your mobile phone
  •  Is It Time To Ditch Windows Search? (Part 3) - Search across the LAN
  •  Is It Time To Ditch Windows Search? (Part 2) - Search within files
  •  Is It Time To Ditch Windows Search? (Part 1) - Simple filename searches
  •  In Search Of The Perfect Mid-Tower (Part 4) - Thermaltake Level 10 GTS
  •  In Search Of The Perfect Mid-Tower (Part 3) - Corsair Obsidian 550D, NZXT Phantom 410 Gunmetal Edition
    Top 10
    Smartphone HTC Desire C - Yet Shrunken Down
    Audioengine W3 Wireless DAC Review
    KWA 150 SE – The Most Expensive Amplifier Of ModWright
    Olive 06HD Player For Audiophiles
    Pioneer HTIB Surround Sound Systems With Prices Ranging From $360
    Windows Vista : Scripting and Automation - Command Prompt Scripting (part 3)
    Windows Vista : Scripting and Automation - Command Prompt Scripting (part 2)
    Windows Vista : Scripting and Automation - Command Prompt Scripting (part 1) - DOS Commands, Batch Files
    Windows Vista : Scripting and Automation - Wacky Script Ideas
    Windows 7 : Programming Drivers for the User Mode Driver Framework - Required Driver Functionality, UMDF Sample Drivers
    Most View
    Exploiting SQL Injection : Automating SQL Injection Exploitation
    iPhone 3D Programming : Adding Textures to ModelViewer (part 1) - Enhancing IResourceManager
    Windows Server 2008 : DHCP/WINS/Domain Controllers - Enhancing DHCP Reliability
    Windows Phone 7 Development : Understanding Trial and Full Modes (part 3) - Simulating Application Trial and Full Modes
    iPhone Application Development : Getting the User’s Attention - Generating Alerts
    In Search Of The Perfect Mid-Tower (Part 1) - Antec Eleven Hundred, Silverstone Temjin Tj04-E
    Case Modding: simple case modding techniques
    Preparing Your Windows 8 PC : Connecting to Wireless Networks
    Server-Side Browser Detection and Content Delivery : Mobile Detection (part 4) - Device Libraries
    Logitech S715i iPhone - iPod Dock
    Lenovo ThinkCentre Edge 91z - Centre Of Thought
    Windows Server 2003 : Using Backup - Planning for Failure, Handling Backup and Restore Problems, Third-Party Backup Utilities
    Oloneo HDRengine
    iPhone Application Development : Building a Multi-View Tab Bar Application (part 1)
    Becoming an Excel Programmer : Navigate Samples and Help
    Strip HTML of Tags
    Handling Mobile User Input (part 3) - Building the UFO 2 Example
    Windows Server 2008 : Domain Name System and IPv6 - Other DNS Components
    Windows Vista : Make Your Hardware Perform (part 1) - Get Glass
    Moving a Dynamic Disk to a New System