Chapter 13, Implementing Certificate Services
Chapter 13, Lesson 1
Introducing Certificates
1. Introduction
A. Many Windows 2000 security mechanisms rely on encryption to
prevent unauthorized users or processes from reading confidential data.
|1| B. Encrypting and decrypting data requires a key, which is a set
of instructions describing how the data is encoded.
1. One system uses a key to encrypt data,
and another system uses a key to decrypt it.
2. When different computers perform the
encryption and decryption processes, an exchange of keys is necessary for
communication to occur.
|2| C. Digital certificates are a method of packaging encryption keys
and other information for transmission over a network.
1. Many Windows 2000 programs and services use
certificates to provide security, including
a. The Kerberos authentication protocol
b. The Internet Protocol security (IPsec)
extensions
c. The encrypting file system (EFS)
d. Internet Information Services (IIS)
2. Understanding Encryption Keys
A. Encryption is a mechanism for encoding data by substituting one
string of characters for another string of characters.
B. One of the simplest types of encryption is called a letter
transposition code, in which each letter in the alphabet is replaced by another
letter.
1. For example, the letter a might be
replaced by the letter p, the letter b by the letter m, the letter c by the
letter h, and so on.
a. In encrypted form, a simple message such
as “hello world” might appear as “ftggl slngo.”
2. To understand the encrypted message’s
contents, the recipient must have the list of letter transpositions used to
create the code.
a. This list is the key for this particular
form of encryption.
3. A code this simple is actually easy to
break without the key, but the concept is the same in more complex encryption
schemes.
a. The recipient must be furnished with the
key to decrypt the message.
4. The problem with this type of encryption
is that the exchange of keys is a point of vulnerability.
a. If the key is intercepted or stolen by an
unauthorized person, the code is compromised. For this reason, this type of
encryption is called secret key encryption.
C. Secret key encryption can be a highly secure method of
communication, as long as there is an absolutely secure means for distributing
and storing the keys.
1. Government agencies that use this type of
encryption to secure their communications distribute CD-ROMs full of
prearranged encryption keys to their correspondents well in advance of sending
the communication.
a. These keys are stored securely and are
used only to encrypt and decrypt messages.
2. Because the keys are never transmitted
over the medium used to send a message, the communications system remains
secure.
D. Using secret key encryption on a data network requires the keys
to be transmitted over the network at some time, which compromises the whole
system.
|3| 1. Windows 2000, therefore, uses a different
type of encryption, which is based on the public key infrastructure (PKI).
2. For every code in the PKI there are two separate encryption keys: a public key and a private key.
a. Public keys are freely available to anyone
and can be transmitted over the network.
b. Private keys are held only by one person
or system and are never transmitted over the network.
E. The basic concept of the PKI is that one key encrypts data and
the other decrypts it.
1. The encryption key cannot decrypt the
data that it has encrypted.
a. For example, if Mike wants to send a
private message to Shelly, he obtains Shelly’s public key, uses it to encrypt
the message, and then transmits it to Shelly over the network.
b. To read the message, Shelly must use her
private key to decrypt it.
c. Because no one else has the private key,
no one else can read the message.
d. Because the public key cannot decrypt the
data that it has encrypted, potential intruders intercepting the public key on
the way to Mike’s computer gain nothing except the means to encrypt their own
messages.
2. The public and private keys can also work
in the opposite direction.
a. Shelly can encrypt a message using her
private key and send it to Mike, who then decrypts it using Shelly’s public
key.
b. This does not prevent other users from
reading the message because anyone can obtain Shelly’s public key.
(1) However, it does prove that Shelly sent the
message because any message that can be decrypted using her public key must
have been encrypted with her private key.
F. By using public and private keys, the PKI provides the
following security services:
|4| 1. Encryption. Encryption is the
protection of data through cryptographic encoding.
a. To send data in encrypted form, a system
uses the intended recipient’s public key to encode the data.
b. Once the data is encoded, only the
recipient’s private key can decrypt the data and render it readable.
(1) As long as the private key remains private,
anyone with access to the recipient’s public key can encrypt data, but only the
recipient can decrypt it.
|5| 2. Signing. Encrypting data using a
private key allows anyone with the corresponding public key to read the data.
a. This does not provide any protection for
the data (because anyone can obtain the public key), but the fact that the
public key can decrypt the data verifies that the private key was used to
encrypt it.
b. Because only the holder of the private key
can encrypt data so that it is readable with the public key, this confirms that
the data originated from the reputed source.
|6| 3. Authentication. It is possible to use
public and private keys to verify the identity of another user or computer.
a. One method is to encrypt a challenge
message using a system’s public key and then transmit it.
b. If the receiving system can read the
message and reply to it, this indicates that it has the private key and is
therefore the intended recipient of the message.
|7| 4. Verification. To ensure that data is
not modified while en route to its destination, the transmitting system runs
the data through a hash algorithm that creates a string (called a hash) that is
unique to the data sample.
a. The system then encrypts the data, along
with the hash, using its private key.
b. The receiving system decrypts the data
using the sender’s public key and then performs the same hash computation.
c. If the hash string included in the
message is the same as the one generated by the recipient, the data is verified
as not having changed.
|8| 5. Nonrepudiation. In addition to verifying
the source of a message, encrypting it with a private key can also serve as
legal proof of a document’s source, much as a signature on a paper document
does.
a. This prevents a person from denying that
he or she sent the message at a later time.
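The five services above can be exercised in a few lines of Go. The program below is an added example, not code from the lesson or from Windows 2000; it uses RSA from the Go standard library, the names Mike and Shelly follow the lesson's own example, and the messages are constructed. It shows encryption to a public key that only the matching private key can undo, signing and verifying (the hash-then-sign step of F.4, which modern libraries expose as a separate signature operation rather than as "encrypting with the private key"), and the challenge in F.3, issued with a fresh random nonce so that a captured answer cannot be replayed later.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is a PKI participant holding a private key; Public() is the part
// that may travel over the network. Names follow the lesson's example.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

func NewParty(name string) *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, priv: k}
}

func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Encrypt (F.1): anyone holding the recipient's public key can encode data.
// OAEP is the padding modern RSA encryption uses.
func Encrypt(to *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
}

// Decrypt succeeds only with the matching private key; any other key
// yields an error rather than the plaintext.
func (p *Party) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

// Sign (F.2 and F.4 together): hash the data, then sign the hash with the
// private key. The signature travels with the data.
func (p *Party) Sign(data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, h[:], nil)
}

// Verify recomputes the hash and checks the signature with the public key.
// It is false if the data was altered or a different private key signed it.
func Verify(from *rsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return rsa.VerifyPSS(from, crypto.SHA256, h[:], sig, nil) == nil
}

// Authenticate (F.3): the verifier encrypts a random nonce with the
// claimant's public key; only the holder of the private key can return it.
// A fresh nonce per run means an old answer cannot be replayed.
func Authenticate(claimant *Party, claimedKey *rsa.PublicKey) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	challenge, err := Encrypt(claimedKey, nonce)
	if err != nil {
		return false
	}
	answer, err := claimant.Decrypt(challenge)
	return err == nil && bytes.Equal(answer, nonce)
}

func main() {
	mike, shelly := NewParty("Mike"), NewParty("Shelly")

	ct, _ := Encrypt(shelly.Public(), []byte("private message")) // constructed message
	pt, _ := shelly.Decrypt(ct)
	_, err := mike.Decrypt(ct)
	fmt.Printf("Shelly reads %q; Mike's key fails: %v\n", pt, err != nil)

	data := []byte("signed by Shelly")
	sig, _ := shelly.Sign(data)
	fmt.Println("valid:", Verify(shelly.Public(), data, sig),
		"tampered:", Verify(shelly.Public(), []byte("signed by Shelly!"), sig))
	fmt.Println("Shelly authenticates:", Authenticate(shelly, shelly.Public()),
		"Mike as Shelly:", Authenticate(mike, shelly.Public()))
}
```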
3. Understanding Certificates
A. Each PKI user or computer is assigned a public key and a
private key.
1. The private key remains on the computer
and is never transmitted over the network.
2. For the PKI to function properly, there
must be a means of distributing public keys in a controlled and verified
manner.
a. The entire system would be compromised if
you could not be certain that the public key you have been given for a
particular user is genuine.
|9| B. Digital certificates are the mechanisms used to distribute
public keys over the network.
C. A digital certificate is a document that attests to the binding
of a public key to an entity.
1. The main purpose of a certificate is to
generate confidence that the public key contained in the certificate actually
belongs to the entity named in the certificate.
2. A digital certificate consists of the
public key itself, plus a collection of attributes that contains information
about the owner of the public key.
D. Certificates are issued by a certificate authority (CA).
1. A CA is an organization or a program that
is trusted to issue valid certificates for individual users.
2. Some CAs are commercial companies, such
as VeriSign and Thawte, but Windows 2000 Server also includes a CA program of
its own, called Microsoft Certificate Services (MCS).
3. Whether you use a commercial CA or run
your own CA depends on the type of data you are trying to protect.
a. If you want to ensure that the e-mail
traffic for a private company is secure, you can use MCS.
b. A software developer distributing
applications to customers is more likely to use a commercial CA.
E. Certificate contents
1. The format for the certificates used by
Windows 2000 and by most commercial CAs is defined by the X.509 standard.
a. X.509 is published by the
Telecommunication Standardization Sector of the International Telecommunication
Union (ITU-T).
|10| 2. The attributes included in a certificate
vary according to the certificate’s function, but all X.509 certificates
contain at least the following attributes:
a. Version
b. Serial Number
c. Signature Algorithm ID
d. Issuer Name
e. Validity Period
f. Subject (user) Name
g. Subject Public Key Information
h. Issuer Unique Identifier
i. Subject Unique Identifier
j. Extensions
k. Signature on the above fields
|11| F. CA types
1. The PKI supports two types of CAs:
enterprise CAs and stand-alone CAs.
a. An enterprise CA stores its information in
the Active Directory database and issues certificates to users, computers, or
other CAs within the organization.
(1) All users and computers in the domain where
an enterprise CA is installed automatically trust that CA.
b. A stand-alone CA stores its own
information and is used in organizations that issue certificates to users or
computers outside the company.
2. Although enterprise CAs and stand-alone
CAs function similarly, there are some important differences between the two.
a. When an enterprise CA generates a
certificate, it stores it in the Active Directory service, from which any user
on the network can access it.
b. Stand-alone CAs do not publish the
certificates they generate; you are responsible for distributing them to the
users that need them.
3. In an enterprise, the most trusted CA is
called the enterprise root CA.
a. There can be more than one enterprise root
CA in a Windows 2000 domain, but there can be only one enterprise root CA in
any given hierarchy.
b. All other CAs in the hierarchy are called
enterprise subordinate CAs.
4. An organization should set up an
enterprise root CA if the CA will issue certificates to users and computers
within the organization.
a. In large organizations, the enterprise
root CA is used only to issue certificates to subordinate CAs.
b. The subordinate CAs then issue
certificates to users and computers.
c. Isolating the root CA from the end users
in this manner helps to protect it from attempts to compromise its private key.
(1) In fact, for maximum security, some
organizations keep the root CA offline once it has issued certificates to the
subordinate CAs.
5. Despite their name, stand-alone CAs can
also function in a hierarchy.
a. A stand-alone root CA is the top of a CA
trust hierarchy.
(1) The stand-alone root CA requires
administrative privileges on the local server but does not need access to
Active Directory.
(2) As with the enterprise hierarchy, a
stand-alone root CA typically issues certificates only to subordinate CAs.
b. A stand-alone subordinate CA is one that
either operates as a solitary certificate server or exists in a CA hierarchy by
obtaining its certificate from a superior CA, such as a stand-alone root.
|12| G. Creating certificates
1. The process of requesting and generating
a certificate consists of the following basic steps:
a. Generating keys. The applicant generates public and private keys or is
assigned a key pair by some authority in the applicant’s organization.
b. Collecting required information. The applicant collects
whatever information the CA requires to issue a certificate.
c. Requesting the certificate. The applicant sends a
certificate request, consisting of the public key and the additional required
information, to the CA.
d. Verifying the information. The CA uses a policy
module to process the applicant’s certificate request.
(1) A policy module is a set of rules that the
CA uses to determine whether it should approve the request, deny it, or mark it
as pending for later review by a network administrator.
(2) The policy module adds an attribute to the
certificate containing the source of the CA’s own certificate.
(a) This enables users to verify the newly
issued certificate by checking the credentials of the CA that issued it.
e. Creating the certificate. The CA creates a digital
document containing the applicant’s public key and other appropriate
information and signs it using its own private key.
(1) The signed document is the certificate.
(2) The signature of the CA authenticates the
binding of the subject’s name to the subject’s public key and enables anyone
receiving the certificate to verify its source by obtaining the CA’s public
key.
f. Sending or posting the certificate. The CA uses an exit
module to determine how it should make the new certificate available to the
applicant.
2. CAs must themselves be trustworthy if
their certificates are to be trusted.
a. Because anyone can become a CA,
certificates are only as trustworthy as the authority that issues the
underlying keys.
b. For this reason, CAs have their own
certificates, which can be issued by another CA that is higher up in a CA
hierarchy.
c. There can be any number of levels in a CA
hierarchy, but there must eventually be an ultimate authority.
d. The CA at the top of the hierarchy is
called the root certificate authority, and it is the only CA in the hierarchy
that can sign its own certificate.
(1) When you use a single MCS as the CA for a
relatively small organization, there is no hierarchy, and the sole CA is
obviously the root certificate authority.
(2) However, for a large enterprise, you can
create multiple CAs and build a hierarchy of your own, with the first CA
functioning as the root and issuing certificates for the other CAs.
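The attributes in E.2, the hierarchy in F and the request-and-issue steps in G can be seen together in one Go program. It is an added example, not the lesson's own material and not how MCS is implemented; the CA names, the applicant name and the serial numbers are assumptions. It builds a root CA that signs its own certificate, a subordinate CA certified by the root, and an end-entity certificate issued from a PKCS #10 request whose signature the CA checks before issuing; it then prints the X.509 fields of the result and verifies the certification path, which fails as soon as the verifier trusts a different root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: any failure in key or certificate creation aborts.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Validity window for the example: the two-year default the lesson gives
// for a CA's own certificate.
var notBefore = time.Now().Add(-time.Hour)
var notAfter = notBefore.Add(2 * 365 * 24 * time.Hour)

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// caTemplate holds the attributes of a CA certificate. IsCA together with
// BasicConstraintsValid is the extension that marks the holder as an issuer.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // assumed name
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl with the parent's private key (the "creating the
// certificate" step). When parent is tmpl itself the result is self-signed,
// which only the root of a hierarchy may do.
func issue(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// Hierarchy is the root -> subordinate -> end-entity chain.
type Hierarchy struct{ Root, Sub, Leaf *x509.Certificate }

// BuildHierarchy follows the lesson's steps: the applicant generates a key
// pair, sends a PKCS #10 request carrying its public key, the CA checks the
// request, then creates a certificate and signs it with its own private key.
func BuildHierarchy() *Hierarchy {
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()
	rootT := caTemplate("Contoso Root CA", 1)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	sub := issue(caTemplate("Contoso Issuing CA", 2), root, &subKey.PublicKey, rootKey)

	// Applicant side: the request is signed with the applicant's private
	// key, proving it holds the key that matches the enclosed public key.
	csrDER := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "mike@contoso.example"}}, leafKey))

	// CA side: the policy step validates the request before anything is issued.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      csr.Subject,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}, sub, csr.PublicKey, subKey)
	return &Hierarchy{Root: root, Sub: sub, Leaf: leaf}
}

// VerifyChain is what the Certification Path tab displays: the leaf is
// trusted only if each signature leads back to a root the verifier trusts.
// It returns the number of certificates in the path (3 for leaf, sub, root).
func VerifyChain(leaf, sub, root *x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// Fields prints the X.509 attributes the lesson lists, as the Details tab would show them.
func Fields(c *x509.Certificate) {
	fmt.Printf("Version %d  Serial %d  SigAlg %s\nIssuer %s\nValid %s to %s\nSubject %s  PubKey %s\nExtensions %d  Signature %d bytes\n",
		c.Version, c.SerialNumber, c.SignatureAlgorithm, c.Issuer,
		c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"),
		c.Subject, c.PublicKeyAlgorithm, len(c.Extensions), len(c.Signature))
}

func main() {
	h := BuildHierarchy()
	Fields(h.Leaf)
	n, err := VerifyChain(h.Leaf, h.Sub, h.Root)
	fmt.Println("chain length:", n, "error:", err)
	other := BuildHierarchy() // a second root that nobody has chosen to trust
	_, err = VerifyChain(h.Leaf, h.Sub, other.Root)
	fmt.Println("untrusted root:", err)
}
```

Two checks do the real work: CheckSignature on the request rejects a request whose enclosed public key does not match the key that signed it, and Verify on the leaf rejects any path that does not end at a root in the trusted set, however many subordinate CAs lie in between.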
H. Certificate templates
1. When a CA generates a certificate, it
uses a certificate template to determine what attributes it should include and
what values it should provide for the essential attributes.
a. The template used to create the
certificate depends on the certificate’s function.
2. Windows 2000 provides many certificate
templates with MCS.
Chapter 13, Lesson 2
Installing and Configuring Microsoft Certificate Services
1. Preparing to Install MCS
A. Before you install MCS, you must decide what type of CA you
want to install, enterprise or stand-alone, because you cannot change the type
after the installation is completed.
1. You must also decide whether to install a
root CA or a subordinate CA.
2. The first CA you install must be a root,
but after that you can decide whether to create additional root CAs or
subordinate CAs.
B. Before you can install an enterprise root CA or enterprise
subordinate CA, you must have Active Directory installed on your network and a
Domain Name System (DNS) server available that supports SRV resource records.
1. An enterprise CA can run on either a
domain controller or a member server.
C. You should also decide what cryptographic service providers
(CSPs) you want to use with MCS.
1. A CSP is a library of cryptographic
information that provides a programming interface called the CryptoAPI.
2. Applications can make calls to the
CryptoAPI to request encryption services.
3. The CSPs you elect to use with the
CryptoAPI determine how data is encrypted on the system.
4. When installing MCS, you can choose a CSP
from a set of CSPs included in Windows 2000, or you can install additional CSPs
from third parties.
|13| 2. Protecting a CA
A. CAs are high-value resources, and you should take steps to
protect them. You should consider
1. Physical protection. Because CAs represent
highly trusted entities within an enterprise, they should be protected from
tampering.
2. Key management. The CA’s private key
provides the basis for trust in the certification process and should be secured
from tampering.
a. Cryptographic hardware modules (accessible
to MCS through a CryptoAPI CSP) can provide tamper-resistant key storage and
isolate the cryptographic operations from other software running on the server.
3. Restoration. Loss of a CA—because of
hardware failure, for example—can create a number of administrative and
operational problems and prevent revocation of existing certificates.
a. MCS supports backup of a CA instance so it
can be restored later.
3. Installing Certificate Services
A. To install MCS:
1. Click Start, point to Settings, and then
select Control Panel.
2. Double-click the Add/Remove Programs icon
to display the Add/Remove Programs dialog box.
3. Click Add/Remove Windows Components to
start the Windows Components Wizard.
4. In the Components list on the Windows
Components page, select the Certificate Services check box, and then click
Next.
a. The wizard displays a Microsoft
Certificate Services message box stating that you cannot rename the computer
and you cannot join it to or remove it from a domain after you have installed
MCS.
5. Click Yes to proceed to the Certification
Authority Type page.
6. Select the type of CA you want to install
(enterprise or stand-alone, root or subordinate).
a. Select the Advanced Options check box if
you want to view or modify the CSPs used by the CA.
(1) Click Next to proceed to the Public And
Private Key Pair page, and then proceed to step 7.
b. If you did not select the Advanced Options
check box, click Next to proceed to the CA Identifying Information page. Skip
to step 8.
7. On the Public And Private Key Pair page,
select the CSP that MCS will use to encrypt data and the hash algorithm used to
create digital signatures.
a. The default settings provide sufficient
protection and interoperability for most environments.
b. Click Next to proceed to the CA
Identifying Information page.
8. On the CA Identifying Information page,
type the name you want to assign to the CA in the CA Name field.
a. You should also supply additional information
about the CA and the organization running it, particularly an e-mail address
where applicants can send certificate requests.
(1) When you create a root CA, the MCS
installation process creates a self-signed certificate for the CA itself.
(2) When you create a subordinate CA, you can
generate a certificate request and submit it to a root CA or another
subordinate CA.
(3) A certificate must be obtained from another
CA before a subordinate CA can become operational.
b. In the Valid For selector, specify the
length of time that the CA’s own certificate remains operational.
(1) The default value is two years.
c. Click Next to proceed to the Data Storage
Location page.
9. Click Next to use the default locations
for the certificate database and the certificate database log.
a. Click Next to continue to the Configuring
Components page.
(1) If IIS is running on the computer, a
Microsoft Certificate Services message box appears, informing you that the
wizard must stop IIS before proceeding with the installation.
(2) Click OK to stop the services and continue.
10. When the Completing The Windows Components
Wizard page appears, click Finish to complete the installation.
11. Click Close to close the Add/Remove
Programs dialog box.
4. Configuring a CA
|14| A. When you launch the Certification Authority console, you see an interface like that
on Slide 14, with an icon representing your CA and the following five folders
beneath it.
1. Revoked Certificates. Contains all the
certificates that the CA has revoked. Certificates added to this folder remain
there permanently.
2. Issued Certificates. Contains a list of all
the certificates the CA has issued. Use this list to view the certificates or
revoke them.
3. Pending Requests. On a stand-alone CA,
this folder contains a list of the certificate requests that have been assigned
a pending status while they wait for an administrator to approve or deny them.
a. Enterprise CAs always process requests
automatically, so this folder on an enterprise CA is always empty.
4. Failed Requests. Contains a list of the
certificate requests that have been denied, either automatically by the CA
itself or manually by an administrator.
5. Policy Settings. Contains a list of the
certificate templates that the CA can use to create different types of certificates.
B. As with most Microsoft Management Console (MMC) consoles, the
primary interface you use to configure the CA service is its Properties dialog
box, which contains the following tabs:
1. General tab
a. The General tab displays information about
the CA.
b. Clicking View Certificate displays the
Certificate dialog box.
(1) This dialog box represents the CA’s own
certificate, issued by the CA itself in the case of a root CA and issued by
another CA in the case of a subordinate.
|15| 2. Policy Module tab
a. In the Policy Module tab, you can select
the policy module that the CA uses to decide whether to issue a certificate to
an applicant.
b. In most cases, Windows 2000 CAs use the
Enterprise And Stand-Alone Policy Module included with the operating
system.
c. If you have written your own policy
module or purchased one from a third party, you can click Select to open the
Set Active Policy Module dialog box, where you can select the module you want
to use.
d. Clicking the Configure button opens a
Properties dialog box that you can use to configure the selected policy module.
|16| (1) In the Default Action tab, you specify how
the CA should react when it receives a valid request for a certificate.
(a) In an enterprise CA, the Always Issue The
Certificate option is the default and the only available option.
(b) In a stand-alone CA, you can configure the
policy module to always issue the certificate or to set the request’s status to
“pending” until an administrator reviews the application and manually issues
the certificate.
|17| (2) In the X.509 Extensions tab, you can
specify additional paths to the locations where certificate revocation lists
(CRLs) are stored and where users can access the CA’s own certificate, which is
called the Authority Information Access (AIA) location.
(a) By default, MCS uses URLs with Hypertext
Transfer Protocol (HTTP) and Lightweight Directory Access Protocol (LDAP)
references, but you can also add file system URLs to the lists.
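The CRL and AIA locations set in this tab end up as extensions in every certificate the CA issues, and a relying party uses them to fetch the revocation list and the CA's own certificate. The Go program below is added here as an example; it is not part of the lesson and not how MCS is implemented. It issues two certificates carrying constructed placeholder URLs, publishes a CRL that revokes one of them, and performs the check a relying party does: verify the CRL's signature against the issuer, confirm it is still current, then look up the serial number. The CA name, subject names, URLs and serial numbers are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder locations in the style MCS publishes: a relying
// party fetches the CRL from crlURL and the CA's own certificate from aiaURL.
const (
	crlURL = "http://ca.contoso.example/CertEnroll/Contoso%20Root%20CA.crl"
	aiaURL = "http://ca.contoso.example/CertEnroll/Contoso%20Root%20CA.crt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA bundles the issuing certificate with the private key that signs both
// certificates and revocation lists (hence KeyUsageCRLSign below).
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func NewCA() *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Contoso Root CA"}, // assumed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(2 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return &CA{Cert: must(x509.ParseCertificate(der)), key: key}
}

// Issue writes the CRL distribution point and AIA locations into each
// certificate it creates, which is what the X.509 Extensions tab configures.
func (ca *CA) Issue(cn string, serial int64) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{crlURL},
		IssuingCertificateURL: []string{aiaURL},
	}
	der := must(x509.CreateCertificate(rand.Reader, t, ca.Cert, &key.PublicKey, ca.key))
	return must(x509.ParseCertificate(der))
}

// PublishCRL signs the list of revoked serial numbers. A revoked
// certificate stays listed (the Revoked Certificates folder is permanent),
// so each CRL carries every revocation still in effect.
func (ca *CA) PublishCRL(number int64, revoked []*x509.Certificate) []byte {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		RevokedCertificates: entries,
		Number:              big.NewInt(number),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(7 * 24 * time.Hour),
	}, ca.Cert, ca.key))
}

// IsRevoked is the relying party's check: confirm the CRL was signed by
// the issuer and is still current, then look for the serial number. A CRL
// that fails either check is unusable, so the result is an error, not "not revoked".
func IsRevoked(cert, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %s", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca := NewCA()
	good, bad := ca.Issue("alice@contoso.example", 10), ca.Issue("bob@contoso.example", 11)
	crl := ca.PublishCRL(1, []*x509.Certificate{bad})
	fmt.Println(bad.CRLDistributionPoints, bad.IssuingCertificateURL)
	fmt.Println(IsRevoked(good, ca.Cert, crl)) // false <nil>
	fmt.Println(IsRevoked(bad, ca.Cert, crl))  // true <nil>
}
```

The order of the checks matters: a CRL whose signature does not verify, or whose NextUpdate has passed, says nothing about the certificate, so the function reports an error instead of silently treating the certificate as valid.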
|18| 3. Exit Module tab
a. In the Exit Module tab, you can perform
the same basic functions as in the Policy Module tab.
b. The Add and Remove buttons enable you to
select the exit modules used by the CA.
c. Clicking Configure opens a Properties
dialog box, in which you can specify where the CA should publish the
certificates that it creates: in the Active Directory database or in the
computer’s file system.
|19| 4. Storage tab
a. The Storage tab is primarily
informational, displaying the folders where you elected to store the
certificate database and the request log.
b. When you create a stand-alone CA on a
computer with access to Active Directory, the Active Directory check box is
activated, enabling you to store the CA data in the Active Directory database
instead of the specified paths.
|20| 5. Security tab
a. The Security tab lets you control who has
access to the CA.
b. The standard permissions enable you to
specify who can manage the CA, who can enroll with (request certificates from)
the CA, and who can read the certificates issued by the CA.
c. By clicking Advanced, you can set more
granular permissions.
5. Backing Up and Restoring a CA
A. When a network relies on locally issued
certificates for its security, the CA data becomes a critically important resource
that must be protected against loss or damage.
|21| 1. Because the MCS database is perpetually
in an open state when the service is running, it is not possible to back it up
using a standard application, such as the Windows 2000 Backup program, without
help.
2. The Certification Authority console
includes a backup mechanism that you can use to work around this limitation.
a. The Backup CA function of the
Certification Authority console does not actually create an offline backup of
the CA’s data; it only copies the data to another folder.
b. Making this copy requires the CA service
to be shut down momentarily and then restarted.
c. After the copy of the CA data is made,
you can back it up to tape or another medium in the normal manner.
B. To back up a CA:
1. Click Start, and then select
Certification Authority from the Administrative Tools program group to open the
Certification Authority console.
2. Select the icon for the CA and then, from
the Action menu, point to All Tasks and select Backup CA to start the
Certification Authority Backup Wizard.
3. Click Next to bypass the Welcome page and
proceed to the Items To Back Up page.
4. Select the check boxes next to the items
you want to back up.
a. Selecting the Perform Incremental Backup
check box causes the wizard to back up everything that has changed since the
last backup.
5. In the Back Up To This Location box, type
the path to the destination folder where you want to store the backup copy of
the CA database, or click Browse to select a folder. Click Next to proceed to
the next page.
a. If you selected the Private Key And CA
Certificate check box on the Items To Back Up page, clicking Next takes you to
the Select A Password page. Proceed to step 6.
b. If you did not select this check box, the
wizard proceeds to the Completing The Certification Authority Backup Wizard
page. Skip to step 7.
6. Type the password you want to use to
secure the CA’s private key and certificate in the Password box, and then type
the password again in the Confirm Password box.
a. Click Next to proceed to the Completing
The Certification Authority Backup Wizard page.
7. Click Finish to close the wizard and
perform the backup.
a. When the wizard performs the backup, it
creates a folder called DataBase in the destination folder you specified in the
wizard.
(1) This folder contains the CA database and
all the other information being backed up, except for the CA’s private key and
certificate (if selected), which are saved to a file in the destination
directory that has the CA’s name, with a .p12 extension.
8. Use a standard backup program, such as
Windows 2000 Backup, to copy the destination folder you specified to an offline
medium, such as a magnetic tape drive.
C. To restore the CA database:
1. Use your backup program to restore the
destination folder to your hard disk from the tape or other medium you used to
back it up.
2. Click Start, and then select
Certification Authority from the Administrative Tools program group to open the
Certification Authority console.
3. Select the icon for the CA and then, from
the Action menu, point to All Tasks and select Restore CA to start the
Certification Authority Restore Wizard.
4. Click Next to bypass the Welcome page and
proceed to the Items To Restore page.
5. In the Items To Restore page, do the
following:
a. Select the check boxes next to the items
you want to restore.
b. In the Restore From This Location text
box, type the path to the destination folder you just restored from tape, or
click Browse to select a folder. Click Next to proceed to the next page.
(1) If you selected the Private Key And CA
Certificate check box on the Items To Restore page, clicking Next takes you to
the Provide Password page. Proceed to step 6.
(2) If you did not select this check box, the
wizard proceeds to the Completing The Certification Authority Restore Wizard
page. Skip to step 7.
6. In the Provide Password page, type the
password you used to secure the CA’s private key and certificate during the
backup.
a. Click Next to proceed to the Completing
The Certification Authority Restore Wizard page.
7. Click Finish to close the wizard and
perform the restore.
Chapter 13, Lesson 3
Managing Certificates
1. Certificate Enrollment
A. The process by which a user obtains a
digital certificate is called certificate enrollment.
1. The PKI supports certificate enrollment
to MCS enterprise CAs, stand-alone CAs, or third-party commercial CAs.
2. The support for certificate enrollment is
implemented in a transport-independent manner.
a. Support is based on use of
industry-standard messages, such as public key cryptography standards (PKCS)
#10 certificate request messages and PKCS #7 responses, which contain the
resulting certificate or certificate chain.
3. The PKI supports multiple enrollment
methods, including Web-based enrollment, an enrollment wizard, and
policy-driven autoenrollment that occurs as part of a user’s logon processing.
B. Certificates snap-in enrollment
1. MCS supports client certificate enrollment
using an MMC snap-in called Certificates that is included with all versions of
Windows 2000.
2. With the Certificates snap-in, you can
view and manage all the information in your certificates store, as well as
request new certificates from a CA by using the Certificate Request Wizard.
C. Web-based enrollment
1. The Web-based enrollment process begins
with a client submitting a certificate request and ends with the installation
of the certificate in the client application.
2. When you install MCS, you are actually
installing two separate software modules—the Certificate Services CA and the
Certificate Services Web Enrollment Support module.
|22| a. The Web Enrollment module is a Web site
that is added to the computer’s IIS installation, which provides forms-based
access to the CA.
b. The Certificate Services enrollment
interface is accessible at the following URL: http://servername/certsrv/default.asp.
D. Automated enrollment
1. You can use the Automatic Certificate
Request Setup Wizard to configure autoenrollment for computer certificates.
2. Autoenrollment is not available for user
certificates and does not function unless an enterprise CA is online to process
certificate requests.
3. You can configure autoenrollment for
Computer, Domain Controller, and IPsec certificates.
4. When you configure autoenrollment, the
specified certificate types are issued automatically to
a. All computers that are within the scope of
the group policy
b. All computers that have the Enroll permission
for that certificate type
5. Autoenrollment certificates are issued
the next time the computer logs on to the network.
a. This mechanism is not a replacement for
the enterprise CA issuing policy but is integrated with it.
6. The CA service receives a set of
certificate types as part of its policy object.
a. The Enterprise Policy Module uses these certificate types to define the
types of certificates the CA is allowed to issue.
b. The CA rejects requests for certificates
that do not match these criteria.
2. Creating the Certificates Console
A. Windows 2000 does not have a shortcut to a Certificates console
by default, so you must create one by using the following procedure:
1. Click Start, and then select Run to open
the Run dialog box.
2. Type mmc in the Open text box, and then click OK to open a blank MMC console.
3. Select Add/Remove Snap-In from the
Console menu to display the Add/Remove Snap-In dialog box.
4. Click Add to open the Add Standalone
Snap-In dialog box.
5. Select Certificates from the Available
Standalone Snap-Ins list, and then click Add to open a Certificates Snap-In
dialog box.
6. Click one of the option buttons to
specify whether you want the console to manage certificates for your user
account, the service account, or the computer account. Click Finish.
7. Click Close to close the Add Standalone
Snap-In dialog box.
8. Click OK to close the Add/Remove Snap-In
dialog box.
3. Using the Certificates Console
A. You use the Certificates console to manage the database of
certificates, called the certificate store, that Windows 2000 creates for every
user and computer account.
|23| 1. After you have added the certificate
snap-in to an MMC console, you see the interface shown on Slide 23.
2. Under the Certificates—Current User node, the following folders appear:
a. Personal. Contains a Certificates folder holding all the certificates that have been issued to your user account or that you have imported.
b. Trusted Root Certification Authorities. Contains a Certificates folder holding a list of the commercial root CAs that your user account is configured to trust.
c. Enterprise Trust. Contains certificate trust lists (CTLs). A CTL is a list of self-signed certificates issued by other root CAs that the PKI administrator has decided are trustworthy.
d. Intermediate Certification Authorities. Contains a Certificates folder and a Certificate Revocation List folder, which hold certificates and CRLs issued by other CAs.
e. Active Directory User Object. Contains certificates associated with your user object that are published in the Active Directory database.
f. REQUEST. Contains pending or rejected certificate requests.
B. Viewing certificates
|24| 1. To view any of the certificates in your
store, you double-click it or select it in the Certificates console, and then
select Open from the Action menu to display a Certificate dialog box.
2. The General tab in the Certificate dialog
box displays basic information about the certificate, such as its uses, the
name of the CA that issued it, and the dates during which it is valid.
|25| 3. Selecting the Details tab displays a
complete list of the certificate’s attributes, including the CSP and hash
algorithm used to create the certificate and the locations of the issuing CA’s
CRL distribution point and AIA path.
4. Selecting the Certification Path tab
displays the hierarchical path of the certificate’s authorities up to its
ultimate root CA.
|26| 5. Every certificate also has a Properties dialog box, which you
can open by selecting the certificate and selecting Properties from the Action
menu.
a. In this dialog box you can supply a
friendly name and descriptive information for the certificate.
b. More important, you can modify the
purposes for which the certificate can be used.
(1) You can enable or disable all the
certificate’s functions, or you can enable or disable the certificate’s
individual functions by clicking Enable Only The Following Purposes.
C. To request a certificate:
1. Open the Certificates snap-in.
2. Select the Personal folder, point to All
Tasks in the Action menu, and then select Request New Certificate to open the
Certificate Request Wizard.
3. Click Next to bypass the Welcome page and
display the Certificate Template page.
4. In the Certificate Templates list, select
the template that you want the CA to use to create the certificate, and then
select the Advanced Options check box.
a. Click Next to proceed to the Cryptographic
Service Provider page.
5. In the Cryptographic Service Providers
list, select the CSP you want the CA to use to create the certificate, and then
click Next to proceed to the Certification Authority page.
6. If you want a CA other than the one
specified in the CA box to receive the certificate request, click Browse to
open a Select Certification Authority dialog box, where you can select one of
the other CAs on your network.
a. Click Next to proceed to the Certificate
Friendly Name And Description page.
7. Type the name you want to assign to the
certificate in the Friendly Name text box, and then enter any descriptive text
you want in the Description text box.
a. Click Next to proceed to the Completing
The Certificate Request Wizard page.
8. Click Finish to close the wizard and
submit a certificate request to the CA.
a. A Certificate Request Wizard message box
appears.
(1) If you sent the request to an enterprise
CA, the message box typically states that the request was successful, and it
provides buttons enabling you to view the certificate or install it on your
computer.
(2) If you sent the request to a subordinate
CA, the request is typically flagged as pending, and no response is forthcoming
until an administrator approves or denies it.
4. Revoking Certificates
A. You can revoke certificates for many reasons; the two most common are the following:
1. The user to whom the certificate was
issued has left the organization.
2. The user’s private key was compromised.
B. Once a certificate is revoked, you cannot restore it.
C. To revoke a certificate:
1. Click Start, and then select
Certification Authority from the Administrative Tools program group to open the
Certification Authority console.
2. In the scope pane, select the Issued
Certificates folder under the CA that issued the certificate you want to
revoke.
3. In the detail pane, select the
certificate you want to revoke.
4. Point to All Tasks in the Action menu,
and then select Revoke Certificate to open the Certificate Revocation dialog
box.
5. Select a reason for revoking the
certificate in the Reason Code drop-down list (if desired), and then click Yes
to revoke the certificate.
D. When you revoke a certificate, its serial number is automatically
added to the CRL maintained by the CA.
1. Regular publication of the CRL ensures
that certificates that have been revoked cannot be used to access confidential
resources.
|27| a. The CA
publishes its CRL according to a schedule that you can define by selecting the
Revoked Certificates folder in the Certification Authority console and
selecting Properties from the Action menu to display the Revoked Certificates
Properties dialog box.
b. The Revoked Certificates Properties dialog
box lets you
(1) View the time that the next publication of
the CRL is to occur
(2) Modify the publication interval from its
default value of one week
2. The locations where the CA publishes the CRL (called CRL distribution points, or CDPs) are specified in the X.509 Extensions tab of the CA policy module's Properties dialog box.
3. In addition to scheduling the publication
of the CRL, you can also publish it immediately by selecting the Revoked
Certificates folder, pointing to All Tasks in the Action menu, and then
selecting Publish.
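The publication schedule above matters because a relying party checks revocation against the copy of the CRL it holds, so a revocation is invisible to clients until the next CRL is published. The following model, added here and not part of the course text, shows a CA that records revocations immediately but hands them out only in scheduled or manually published CRLs, plus a relying-party check; the CA name, serial number and dates are constructed, and the reason codes are the CRLReason values from RFC 5280 that sit behind the Reason Code list.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# CRLReason codes from RFC 5280, the values behind the Reason Code list.
REASON_CODES = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
                3: "affiliationChanged", 4: "superseded",
                5: "cessationOfOperation", 6: "certificateHold"}

@dataclass
class RevokedEntry:
    serial: int
    revoked_at: datetime
    reason: int = 0

@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: dict = field(default_factory=dict)   # serial -> RevokedEntry

class CA:
    """Records revocations at once but hands them out only in published CRLs."""
    def __init__(self, name, publish_interval=timedelta(days=7)):  # default: one week
        self.name, self.interval, self._revoked = name, publish_interval, {}
    def revoke(self, serial, when, reason=0):
        self._revoked[serial] = RevokedEntry(serial, when, reason)
    def publish_crl(self, now):
        # Scheduled or manual (All Tasks > Publish) publication: a snapshot of the
        # revocation database, valid until the next scheduled publication.
        return CRL(self.name, now, now + self.interval, dict(self._revoked))

def check_status(serial, issuer, crl, now):
    """Relying-party check: 'good', 'revoked:<reason>' or 'crl-stale'."""
    if crl.issuer != issuer or now > crl.next_update:
        return "crl-stale"      # a certificate that cannot be checked is not accepted
    entry = crl.entries.get(serial)
    if entry is None:
        return "good"
    return "revoked:" + REASON_CODES.get(entry.reason, "unspecified")

def demo():
    t0, ca = datetime(2024, 1, 1), CA("Constructed Issuing CA")   # constructed values
    weekly = ca.publish_crl(t0)
    ca.revoke(0x1234, t0 + timedelta(days=1), reason=1)          # private key compromised
    gap = check_status(0x1234, ca.name, weekly, t0 + timedelta(days=2))  # still accepted
    manual = ca.publish_crl(t0 + timedelta(days=1))              # immediate publication
    closed = check_status(0x1234, ca.name, manual, t0 + timedelta(days=2))
    stale = check_status(0x1234, ca.name, weekly, t0 + timedelta(days=8))  # past nextUpdate
    return gap, closed, stale
```

The first result shows the exposure window a one-week interval leaves after a key compromise; publishing immediately closes it, and a client still holding the old CRL past its nextUpdate must treat the certificate as unverifiable rather than good.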
5. Removing EFS Recovery Keys
A. The Windows 2000 encrypting file system (EFS) protects files
stored on NTFS file system drives by encrypting them using a key belonging to
their owners.
1. The owners can read the contents of their
files, but other users cannot.
B. EFS actually encrypts the key more than once: once for the owner and once for each recovery agent.
1. In addition to the owner, the Administrator user (on the local machine) or the Domain Administrator user (in a domain) is designated as an EFS recovery agent.
a. The recovery agent can decrypt EFS-encrypted files belonging to other users when their owners are unable or unavailable to decrypt them.
2. Administrators can also designate other
users as EFS recovery agents by adding them to a group policy object (GPO).
3. For EFS to function, there must be at
least one recovery agent, in addition to the owner, with access to the
encrypted files.
4. Deleting the EFS recovery keys in a GPO
disables EFS within the scope of that GPO.
C. To remove the EFS recovery keys:
1. Open a GPO for a local computer, domain,
site, or organizational unit.
2. Expand your way down the scope pane to
the Computer Configuration/Windows Settings/Security Settings/Public Key
Policies node.
3. Select the Encrypted Data Recovery Agents
folder, and then select Delete Policy from the Action menu.
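How the owner and the recovery agent each get independent access to the same file key, and why EFS refuses to work with no recovery agent in scope, as an added Python model that is not part of the course text. Each principal's key wraps its own copy of the per-file encryption key (EFS calls the owner's copy the DDF and the recovery agents' copies the DRF); the HMAC-based toy wrap stands in for the RSA public-key encryption EFS really performs with each principal's certificate, and the principal names and keys are constructed.

```python
import hashlib, hmac, os

def wrap(fek: bytes, principal_key: bytes) -> bytes:
    # Toy key wrap for the example: XOR the FEK with an HMAC-derived keystream.
    # EFS itself wraps the FEK with the RSA public key from each principal's
    # certificate; the structure (one wrapped copy per principal) is the point.
    stream = hmac.new(principal_key, b"fek-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(fek, stream))

unwrap = wrap   # XOR with the same keystream reverses the wrap

class EncryptedFile:
    def __init__(self, owner: str, owner_key: bytes, recovery_agents: dict):
        # Policy rule from the text: with no recovery agent in scope, EFS is disabled.
        if not recovery_agents:
            raise PermissionError("EFS disabled: no recovery agent in the GPO")
        fek = os.urandom(32)                       # random per-file encryption key
        # DDF: the FEK wrapped for the owner. DRF: the FEK wrapped once per agent.
        self.ddf = {owner: wrap(fek, owner_key)}
        self.drf = {name: wrap(fek, key) for name, key in recovery_agents.items()}
        # Only the wrapped copies are kept; the plaintext FEK is discarded here.

    def recover_fek(self, principal: str, principal_key: bytes) -> bytes:
        blob = self.ddf.get(principal) or self.drf.get(principal)
        if blob is None:
            raise PermissionError(f"{principal} holds no wrapped copy of the FEK")
        return unwrap(blob, principal_key)

def demo():
    alice_key, admin_key, other_key = (os.urandom(32) for _ in range(3))  # constructed
    f = EncryptedFile("alice", alice_key, {"Administrator": admin_key})
    by_owner = f.recover_fek("alice", alice_key)
    by_agent = f.recover_fek("Administrator", admin_key)   # no owner key needed
    agent_matches_owner = by_owner == by_agent
    wrong_key_fails = f.recover_fek("Administrator", other_key) != by_owner
    try:
        f.recover_fek("bob", other_key)
        unlisted_blocked = False
    except PermissionError:
        unlisted_blocked = True
    try:
        EncryptedFile("alice", alice_key, {})      # no agents: GPO recovery keys deleted
        efs_without_agent = True
    except PermissionError:
        efs_without_agent = False
    return agent_matches_owner, wrong_key_fails, unlisted_blocked, efs_without_agent
```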