Once you have completed your PKI design and installed your CAs, the next step in deploying PKI to consider is the ongoing management of your CAs and their certificates. This includes administering certificate enrollment, managing the certificates themselves, and publishing certificate revocation lists.
Understanding Certificate Enrollment and Renewal
The actual process by which CAs issue certificates to clients varies depending on the types of CAs you have installed. If you have installed enterprise CAs, you can use autoenrollment, in which the CA receives certificate requests from clients, evaluates them, and automatically determines whether to issue the certificate or deny the request. If you have installed stand-alone CAs, you cannot use autoenrollment, so you must arrange for an administrator to monitor the CA (using the Certification Authority console) for incoming requests and to make decisions about whether to issue or deny the requests.
Using Autoenrollment
Autoenrollment enables clients to automatically request and receive certificates from a CA, with no manual intervention from administrators. To use autoenrollment, you must have domain controllers running Windows Server 2003, an enterprise CA running on Windows Server 2003, and clients running Microsoft Windows XP Professional. You control the autoenrollment process by using a combination of Group Policy settings and certificate templates.
By default, Group Policy Objects (GPOs) contain settings that enable autoenrollment for all user and computer objects in a domain. You configure these settings by opening the Autoenrollment Settings policy, located in the Windows Settings\Security Settings\Public Key Policies folder in both the Computer Configuration and User Configuration nodes in the Group Policy Object Editor. In the Autoenrollment Settings Properties dialog box (shown in Figure 1), you can disable autoenrollment entirely for the objects receiving these GPO settings. You can also enable the objects to renew and update their certificates automatically.
The other mechanism you can use to control autoenrollment is built into the certificate templates that define the properties of specific certificate types. To manage certificate templates, you use the Certificate Templates snap-in, as shown in Figure 2. Using this tool, you can specify the validity and renewal periods of specific certificate types and choose cryptographic service providers for them. Using the Security tab for a particular template, you can also specify which users and groups are allowed to request certificates using that template.
When a client requests a particular type of certificate, the CA checks the properties of the client’s Active Directory object to determine whether the client has the permissions needed to receive the certificate. If the client has the appropriate permissions, the CA issues the certificate automatically.
Using Manual Enrollment
Stand-alone CAs cannot use autoenrollment, so when a stand-alone CA receives a certificate request from a client, it stores the request in a queue until an administrator decides whether to issue the certificate. To monitor and process incoming requests, administrators use the Certification Authority console, as shown in Figure 3.
In the Certification Authority console, incoming certificate enrollment requests appear in the Pending Requests folder. After evaluating the information in each request, an administrator can choose to issue or deny each request. Administrators can also view the properties of issued certificates and revoke certificates as needed.
Manually Requesting Certificates
In some cases, the process of requesting a certificate and receiving it from a CA is invisible to both the client and the administrator. Certain applications might request certificates and receive them in the background, and then proceed to function in the normal manner. In other cases, however, users must explicitly request certificates, using one of the tools that Windows Server 2003 provides.
Using the Certificates Snap-in
The Certificates snap-in (shown in Figure 4) is a tool you can use to view and manage the certificates of a specific user or computer. The snap-in’s main display consists of folders that contain categories for all the certificates accessible to the designated user or computer. If your organization uses enterprise CAs, the Certificates snap-in also enables you to request and renew certificates using the Certificate Request Wizard and Certificate Renewal Wizard.
Off the Record
The Certificates snap-in is limited to use with enterprise CAs because the snap-in reads certificate information for the user or computer from Active Directory, and clients of stand-alone CAs are not expected to have access to Active Directory resources.
Using Web Enrollment
When you install Certificate Services on a computer running Windows Server 2003, you have the option of installing the Certificate Services Web Enrollment Support module as well. To function properly, this module requires you to have IIS installed on the computer first, along with support for ASP. Selecting this module during the Certificate Services installation creates a series of Web pages on the computer running the CA (shown in Figure 5); these pages enable users to submit requests for particular types of certificates.
Tip
You can also install the Certificate Services Web Enrollment Support module on a server running Windows Server 2003 that is not a CA, enabling you to integrate this module into existing Web servers.
The Web Enrollment Support interface is intended to give internal or external network users access to stand-alone CAs. Because stand-alone servers do not use certificate templates, the requests submitted by clients must include all the necessary information about the certificates being requested and about the users of the certificates. When clients request certificates using the Web Enrollment Support interface, they can select from a list of predefined certificate types or create an advanced certificate request in which they specify all the required information in a Web-based form. (See Figure 6.)
Off the Record
The Web Enrollment Support interface can generate requests for most certificate types, but it cannot generate requests for certificates that are exclusive to enterprise CAs, such as smart card logon certificates.
Revoking Certificates
Several conditions can prompt an administrator to revoke a certificate. If a private key is compromised, an unauthorized user has gained access to the CA, or the administrator wants to issue a certificate using different parameters (such as longer keys), she or he must revoke the certificates that are no longer usable. A CA maintains a CRL, which it publishes to clients on a regular basis. Enterprise CAs publish their CRLs in the Active Directory database, so clients can access them using the standard Active Directory communication protocol, called Lightweight Directory Access Protocol (LDAP). A stand-alone CA stores its CRL as a file on the server’s local drive, so clients must access it using an Internet communications protocol, such as Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP).
Every certificate contains the path to the CA’s distribution point for CRLs. You can modify this path in the Certification Authority console by displaying the Properties dialog box for the CA, and then clicking the Extensions tab. (See Figure 7.) However, if you plan to modify a CA’s CRL distribution point, you must do so before it issues certificates. When an application authenticates a client using a certificate, it checks the CRL distribution point specified in the certificate to make sure the certificate has not been revoked. If the CRL is not at its specified distribution point, the application rejects the certificate.
By selecting the Revoked Certificates folder in the Certification Authority console and then displaying its Properties dialog box (shown in Figure 8), you can specify how often the CA should publish a new CRL, and also configure the CA to publish delta CRLs. A delta CRL is a list of all certificates revoked since the last CRL publication. In organizations with large numbers of certificates, using delta CRLs instead of base CRLs can save a great deal of network bandwidth. For example, rather than publishing a base CRL every week, you can choose to publish delta CRLs weekly and publish the base CRLs monthly.
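The following PowerShell script is an added example, not material from the training kit or from Microsoft: it models how a relying party combines a monthly base CRL with a weekly delta CRL before deciding whether to trust a certificate, and how it fails closed when no current CRL is available, as the paragraphs above describe. The CRL contents, serial numbers and dates are constructed sample data, and the model requires the delta's Base CRL Number to name the base CRL exactly, the simplest combination RFC 5280 allows.

```powershell
# Added example (not from the training kit): a relying party's view of a base CRL
# plus a delta CRL. All CRL contents below are constructed sample data.

function New-SampleBaseCrl {
    # Complete (base) CRL, published monthly in the scenario above.
    [pscustomobject]@{
        CrlNumber  = 12
        ThisUpdate = (Get-Date '2005-03-01')
        NextUpdate = (Get-Date '2005-04-01')
        # serial number -> CRLReason
        Revoked    = @{ '1A2B' = 'keyCompromise'; '3C4D' = 'certificateHold' }
    }
}

function New-SampleDeltaCrl {
    # Delta CRL, published weekly: only the changes since base CRL number 12.
    [pscustomobject]@{
        CrlNumber     = 15
        BaseCrlNumber = 12                      # Delta CRL Indicator extension
        ThisUpdate    = (Get-Date '2005-03-22')
        NextUpdate    = (Get-Date '2005-03-29')
        # '3C4D' was on hold in the base CRL and has since been released.
        Revoked       = @{ '5E6F' = 'superseded'; '3C4D' = 'removeFromCRL' }
    }
}

function Get-EffectiveRevocations {
    param($Base, $Delta)
    # Start from the base CRL and apply the delta's changes on top of it.
    $merged = $Base.Revoked.Clone()
    if ($null -ne $Delta) {
        foreach ($entry in $Delta.Revoked.GetEnumerator()) {
            if ($entry.Value -eq 'removeFromCRL') { $merged.Remove($entry.Key) }
            else { $merged[$entry.Key] = $entry.Value }
        }
    }
    return $merged
}

function Test-CertificateStatus {
    param([string]$Serial, $Base, $Delta, [datetime]$Now)
    # Fail closed: without a current base CRL the certificate cannot be trusted,
    # the same outcome as a CRL missing from its distribution point.
    if ($null -eq $Base -or $Now -gt $Base.NextUpdate) { return 'undetermined' }
    if ($null -ne $Delta) {
        if ($Now -gt $Delta.NextUpdate) { return 'undetermined' }
        # A delta only extends the base CRL it was built against.
        if ($Delta.BaseCrlNumber -ne $Base.CrlNumber) { return 'undetermined' }
    }
    $revoked = Get-EffectiveRevocations -Base $Base -Delta $Delta
    if ($revoked.ContainsKey($Serial)) { return "revoked ($($revoked[$Serial]))" }
    return 'good'
}

$base  = New-SampleBaseCrl
$delta = New-SampleDeltaCrl
$now   = Get-Date '2005-03-25'
foreach ($serial in '1A2B', '3C4D', '5E6F', '7788') {
    '{0}: {1}' -f $serial, (Test-CertificateStatus -Serial $serial -Base $base -Delta $delta -Now $now)
}
# The same check run after NextUpdate has passed: stale CRLs are not trusted.
Test-CertificateStatus -Serial '7788' -Base $base -Delta $delta -Now (Get-Date '2005-05-01')
```

The bandwidth saving the text describes comes from the delta carrying only the entries that changed since the base was published; the removeFromCRL entry for serial 3C4D shows why the delta must be applied on top of the base rather than simply concatenated, since a certificate released from hold is reinstated only when the delta is processed.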
Practice: Requesting a Certificate
In this practice, you use the Web Enrollment Support interface to request a certificate from the CA. Then you instruct the CA to issue the certificate and use the Web Enrollment Support interface to retrieve it. Finally, you view the contents of the certificate using the Certificates snap-in.
Exercise 1: Requesting a Certificate
In this exercise, you access the CA by using the Web Enrollment Support interface and request a certificate from the CA.
1. Log on to Server02 as Administrator.
2. Click Start, and then click Internet Explorer. A Microsoft Internet Explorer window appears.
3. In the Address text box, type http://localhost/certsrv and press ENTER. The Microsoft Certificate Services Web page appears.
4. Click Request A Certificate. The Request A Certificate page appears.
5. Click Advanced Certificate Request. The Advanced Certificate Request page appears.
6. Click Create And Submit A Request To This CA. The Advanced Certificate Request form appears.
7. In the Name text box, type Lorrin Smith-Bates.
8. In the Type Of Certificate Needed drop-down list, select IPSec Certificate.
9. In the CSP drop-down list, select Microsoft Strong Cryptographic Provider.
10. In the Key Size text box, type 2048, and then click Submit at the bottom of the form.
11. A Potential Scripting Violation message box appears, prompting you to confirm your request. Click Yes.
12. An Internet Explorer message box might appear to inform you that others might intercept information sent over the Internet. Click Yes to continue.
13. The Certificate Pending page appears, informing you that your request has been submitted to the CA.
14. Leave Internet Explorer running.
Exercise 2: Issuing a Certificate
In this exercise, you use the Certification Authority console to issue the certificate you requested in the first exercise.
1. Click Start, point to Administrative Tools, and then click Certification Authority. The Certification Authority console appears.
2. Expand the Issuing icon in the scope pane, and then click the Pending Requests folder.
3. The request you generated in the first exercise appears in the details pane.
4. Right-click the request and, from the shortcut menu, point to All Tasks, and then select Issue. The request disappears from the folder.
5. Click the Issued Certificates folder. Notice that the request you just approved now appears in the Issued Certificates list.
6. Close the Certification Authority console.
Exercise 3: Retrieving a Certificate
In this exercise, you use the Web Enrollment Support interface to retrieve the certificate you just issued.
1. Return to the Internet Explorer window.
2. In the Address text box, type http://localhost/certsrv and then press ENTER. The Microsoft Certificate Services Web page appears.
3. Click View The Status Of A Pending Certificate Request. The View The Status Of A Pending Certificate Request page appears.
4. Click IPSec Certificate. The Certificate Issued page appears, stating that the certificate you requested was issued to you.
5. Click Install This Certificate. A Potential Scripting Violation message box appears, prompting you to confirm the installation of the certificate.
6. Click Yes. The Certificate Installed page appears.
7. Close Internet Explorer.
Exercise 4: Viewing a Certificate
In this exercise, you use the Certificates snap-in to view the certificate you just installed.
1. Click Start, and then click Run. The Run dialog box appears.
2. In the Open text box, type mmc and then click OK. The Console1 window appears.
3. From the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
4. Click Add. The Add Standalone Snap-in dialog box appears.
5. In the Available Standalone Snap-ins list, select Certificates.
6. Click Add. The Certificates Snap-in dialog box appears.
7. Click Finish to accept the default My User Account option, and then click Close. The Certificates—Current User snap-in appears in the Add/Remove Snap-in dialog box.
8. Click OK. A Certificates—Current User entry appears in the Console Root window.
9. Expand the Certificates—Current User icon, expand the Personal folder, and then click the Certificates subfolder. The certificate issued to Lorrin Smith-Bates appears in the details pane.
10. Double-click the Lorrin Smith-Bates certificate. A Certificate dialog box appears.
11. Click the Details tab. Notice that the Public Key entry detail shows the 2048-bit key length you specified in your request and the Enhanced Key Usage detail indicates that the certificate is to be used for IP Security.
12. Click OK to close the Certificate dialog box.
13. Close the Console1 window.
14. If a Microsoft Management Console message box appears, click No to save the console settings.
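The four exercises above, carried out from the command line on Server02 with the certreq.exe and certutil.exe tools that ship with Windows Server 2003: this PowerShell script is an added example and is not part of the training kit. It assumes the CA configuration string Server02\Issuing (the CA named Issuing in Exercise 2, running on Server02), that the IPSec Certificate type maps to the enhanced key usage OID 1.3.6.1.5.5.8.2.2 (IP security IKE intermediate), and that certreq reports the queued request's number on a line beginning "RequestId:". Exercise 2 becomes certutil -resubmit, the same Issue action the Certification Authority console performs on a request in the Pending Requests folder (see Using Manual Enrollment above); -deny is the command-line counterpart of Deny.

```powershell
# Added example (not from the training kit): the practice exercises above, scripted.
# Assumed values: CA config string, the EKU OID behind "IPSec Certificate", and
# the "RequestId:" line in certreq's output.
$caConfig = 'Server02\Issuing'

# Exercise 1: build the same request the Advanced Certificate Request form builds
# (Name -> Subject CN, Key Size 2048, Microsoft Strong Cryptographic Provider).
@'
[NewRequest]
Subject = "CN=Lorrin Smith-Bates"
KeyLength = 2048
ProviderName = "Microsoft Strong Cryptographic Provider"
KeySpec = 1
MachineKeySet = FALSE
Exportable = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.8.2.2
'@ | Set-Content -Path .\ipsec.inf -Encoding Ascii

certreq -new .\ipsec.inf .\ipsec.req

# A stand-alone CA queues the request ("Taken Under Submission") rather than
# issuing it; keep the RequestId so the administrator can act on it.
$submit    = certreq -submit -config $caConfig .\ipsec.req .\ipsec.cer
$requestId = [regex]::Match(($submit -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value

# Exercise 2: the administrator issues the pending request (certutil -deny would reject it).
certutil -config $caConfig -resubmit $requestId

# Exercise 3: retrieve the issued certificate and install it in the user's store.
certreq -retrieve -config $caConfig $requestId .\ipsec.cer
certreq -accept .\ipsec.cer

# Exercise 4: read the key length and enhanced key usage from the
# Certificates - Current User, Personal store (Cert:\CurrentUser\My).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=Lorrin Smith-Bates' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }
[pscustomobject]@{
    Subject   = $cert.Subject
    Issuer    = $cert.Issuer
    KeyBits   = $cert.PublicKey.Key.KeySize
    KeyUsages = ($eku -join ', ')
}
```

Because the request is built from an INF file rather than a template, every property the Advanced Certificate Request form asks for must be stated explicitly, which is exactly the constraint the Using Web Enrollment section describes for stand-alone CAs; the final object is the scripted equivalent of checking the Public Key and Enhanced Key Usage fields on the Details tab.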