Microsoft Exchange 2000 Server Administrator's Companion
Now that you understand the Windows 2000 public-key infrastructure and are familiar with how Certificate Services works, you need to learn how to install and manage the Certificate Authority snap-in. You can use this Microsoft Management Console snap-in to manage one or more CAs. For more information on how to create a customized snap-in, see Chapter 8.
MORE INFO
To learn how to install and manage root and subordinate certificate authorities see Microsoft Windows 2000 Server Administrator's Companion by Charlie Russel and Sharon Crawford (Microsoft Press, 2000).
Installing and Configuring Certificate Services
If you do not include Certificate Services as an optional component during the installation of Windows 2000, you can install it at any time by selecting the Certificate Services component in Add/Remove Programs (Figure 21-2). Immediately upon selecting Certificate Services, you're presented with a message box indicating that once Certificate Services is installed, you can't rename this server or move it from the domain.
Figure 21-2. Selecting Certificate Services in Add/Remove Programs.
On the Certification Authority Type selection screen (Figure 21-3), you're given the chance to choose the type of CA server you want to install. The default is an enterprise root CA. Select the appropriate type for your installation.
Figure 21-3. Certification Authority Type selection screen.
If you want to configure advanced options for the public and private keys, select the Advanced Options check box and then click Next. The screen shown in Figure 21-4 appears. Table 21-5 covers the choices you're given in this screen.
Figure 21-4. Setting advanced options for public and private key pairs.
NOTE
Installing an enterprise CA requires Active Directory services, so the CA computer must already be joined to the Windows 2000 domain.
Enter the CA identifying information, as illustrated in Figure 21-5, and then click Next. Table 21-6 describes the fields on this screen. The wizard then generates the cryptographic key.
Table 21-5. Advanced options for public and private key pairs
Option | Description |
---|---|
CSP | Select the cryptographic service provider to be used to generate the public key and private key set for the CA certificate. The default CSP is the Microsoft Enhanced Cryptographic Provider. |
Hash Algorithms | The default is SHA-1, which provides the strongest cryptographic security. |
Key Length | The default key length is 512 bits for the Base Cryptographic Provider and 1024 bits for the Enhanced Cryptographic Provider. The minimum key length is 384 bits, and the maximum is 16,384 bits. Generally, the longer the key, the longer the safe lifetime of the private key. |
Use Existing Keys | Allows you to choose an existing private key from the list. The existing private key is used for the CA. You might need to use this option to restore a failed CA. |
Use The Associated Certificate | Enables the selection of the certificate that is associated with the existing private key that is used for the CA. You might need to use this option to restore a failed CA. |
Import | Gives you the ability to import a private key that is not in the Use Existing Keys list. For example, you might import a private key from an archive for a failed CA. |
View Certificate | Displays the certificate associated with the private key in the Use Existing Keys list. |
Figure 21-5. Entering CA identifying information.
Table 21-6. Fields on the CA Identifying Information screen
Field | Value |
---|---|
CA Name, Organization, Organizational Unit, City, State Or Province, Country/Region, and E-Mail | This information is used to uniquely identify the CA. It is included in the Subject field of the CA certificate. Windows 2000 uses the CA name to identify the CA, so each CA name must be unique. All other information can be the same if needed across CAs within your organization. Others can view the Subject field to identify the CA or to find out how to contact the CA. |
CA Description | This is an optional field. |
Valid For | Enter the duration of the certificate's lifetime for the root CA certificate, and then select either Years, Months, or Weeks. The default is 2 years. This option is not available for subordinate CAs, since their lifetime is determined by the root CA. |
Expires | Lists the expiration date for the root CA certificate, which corresponds to the certificate lifetime in Validity Duration. |
After the key is generated, Setup needs to know where to put the database. Enter the appropriate path. As Figure 21-6 shows, you can also select the Store Configuration Information In A Shared Folder check box. This option creates a folder that makes information about CAs available to users. It is useful only if you are installing a stand-alone CA and do not have Active Directory.
Figure 21-6. Specifying data storage locations.
When you click Next, you see a message box indicating that IIS services must be stopped. Just click OK, and the wizard will configure the components. When it is finished, you are done installing Certificate Services. A shortcut to the Certification Authority snap-in appears in the Administrative Tools menu. Figure 21-7 illustrates the basic Certification Authority snap-in.
Figure 21-7. Certification Authority snap-in.
Installing Web Enrollment Support
By default, when Windows 2000 Certificate Services is installed, Web enrollment support is installed on the same server (Figure 21-8). You can also choose to install the Web enrollment form on another Windows 2000-based computer. You might do so if the traffic volume for Certificate Services is high and you need to spread the enrollment traffic load over more than one server.
Figure 21-8. Web enrollment home page.
The default location for the Web enrollment pages is <drive:>\%windir%\System32\Certsrv, where <drive:> is the letter of the disk drive on which the pages are installed. To install the Web enrollment pages on a server other than the one housing Certificate Services, start the Add/Remove Programs tool in Control Panel and select Certificate Services, as though you were installing it. Then, however, click Details and clear the Certificate Services check box (Figure 21-9). Verify that the Certificate Services Web Enrollment Support check box is selected, and then click OK. Follow the wizard to completion.
Figure 21-9. Installing Web enrollment support on a separate server.
Using the Web Enrollment Pages
Users can access the Web enrollment pages via the URL http://servername/certsrv. On the welcome screen, the user has several options. The Retrieve The CA Certificate Or Certificate Revocation List option retrieves the CA's certificate or the most current CRL. When the user selects this option and then clicks Next, a screen appears allowing the user to establish a trust for all the certificates of the CA on the local computer. This task involves installing the certification path for the CA's certificate in the certificate store of the local computer (Figure 21-10). Selecting this option will be most useful when you need to trust a subordinate CA but do not have the certificate of the root CA in your local certificate store.
More often, users will be coming to this Web site to obtain a new user certificate. To begin the process, a user selects the Request A Certificate radio button and clicks Next. On the next page that appears (Figure 21-11), the user can either request a basic certificate or select Advanced Request to obtain more than a basic certificate. For information on the advanced options, see the next section, "Making an Advanced Request."
Figure 21-10. Retrieving the CA's certificate.
Figure 21-11. Requesting a new certificate.
To request a new basic user certificate, the user selects the User Certificate Request radio button and then clicks Next. The User Certificate-Identifying Information page appears. Here the user is asked to enter any additional identifying information that the CA might need to generate the certificate. If no more information is needed, a message indicates this fact (Figure 21-12). In either case, the user can submit the request from this page.
Figure 21-12. Message indicating system is ready to submit a certificate request.
Once the user clicks Submit, the certificate is generated. The next support page gives the user the opportunity to install the certificate (Figure 21-13).
Figure 21-13. Message indicating system is ready to install the certificate.
Clicking the Install This Certificate link installs the certificate on the local computer. The certificate is available only to the user for whom the certificate was generated. If other users log on to the computer, they will not be able to use this certificate. The final enrollment page then appears, indicating that the certificate has been installed properly. To verify that the certificate has been created, open the Certification Authority snap-in and select the Issued Certificates folder. The user's certificate will appear in the details pane (Figure 21-14).
Figure 21-14. Verifying that a user certificate has been created.
To verify that the user certificate has been installed, open the Microsoft Outlook 2000 client, choose Options from the Tools menu, and then click on the Security tab (Figure 21-15). In the Certificates And Algorithms area, you will see that the certificate is installed, both for signing and encryption. The hash algorithm and encryption algorithm can be changed, but not the certificate itself.
Figure 21-15. Verifying that a user certificate has been installed.
A user can specify a different certificate by clicking the Choose button and making a selection from the choices presented (Figure 21-16). While the list may look like multiple copies of the same certificate, it is not. Each listing is a different, unique certificate, even if it is visually identical to the other certificates listed.
Figure 21-16. Choosing a certificate for personal use.
Making an Advanced Request
The Advanced Request option allows the user to specify additional options while making a certificate request. Figure 21-17 shows the three types of requests available. The first choice, Submit A Certificate Request To This CA Using A Form, walks the user through an advanced form. Table 21-7 outlines the options available on this form. You can use this advanced form to request any certificate types supported by the enterprise CA. The second choice, Submit A Certificate Request Using A Base64 Encoded PKCS #10 File Or A Renewal Request Using A Base64 Encoded PKCS #7 File, allows the user to submit a certificate request using a file rather than a form. The file must already exist in Base64 form, in either PKCS #10 or PKCS #7 format. The last choice, Request A Certificate For A Smart Card On Behalf Of Another User Using The Smart Card Enrollment Station, allows an administrator to create a certificate for a smart card user that can then be installed onto the physical card.
Figure 21-17. Types of advanced certificate requests.
Table 21-7. Options on the advanced certificate request form
Option | How to Use |
---|---|
Identifying Information (stand-alone CAs only) | Enter the identifying information that is to appear in the certificate, including name, company, department, city, state, and country/region. Enterprise CAs obtain this information from Active Directory. This information is placed in the Subject field of the certificate when it is issued. |
Intended Purpose (stand-alone CAs only) | Choose the intended purpose of the certificate. |
Certificate Template (enterprise CAs only) | Select the template to be used when the certificate is generated. |
CSP | Choose a CSP. The default is the Microsoft Base Cryptographic Provider or the Microsoft Enhanced Cryptographic Provider, depending on whether the certificate is exportable. |
Key Usage | Select the basic purpose of the certificate: Exchange, Signature, or Both. Exchange means that the key can be used only for symmetric key exchange. Signature means the key is used only for digital signing. The default is Both. |
Key Size | Enter a key length from 384 bits to 1024 bits. Minimum recommended key length is 512 bits. When used just for a signature, the maximum length is 16,384 bits. Note that key generation for large signing keys can take a very long time. |
Create New Key Set | Leave this option selected (the default) to create a new public and private key for the issued certificate. To enter the container name, click Select The Container Name. |
Use Existing Key Set | Select this option to generate a certificate that uses an existing key set instead of generating a new one. |
Enable Strong Private Key Protection | Select this option to have the system prompt the user for permission before it performs cryptographic operations with the user's private key. |
Mark Keys As Exportable | Select this option to enable the private key to be exported. Private keys that are used for digital signing cannot be enabled for export. |
Use Local Machine Store | You must be an administrator to use this option because it stores a certificate to be issued in the HKEY_LOCAL_MACHINE subtree of the local machine. The default location for storing certificates is the user's personal certificate store. |
Hash Algorithm | Choose the algorithm to use for this certificate. The default is SHA-1. |
Save Request To A PKCS #10 File | Select this option to save the request to a file rather than submitting it to the CA. You'll need to enter a filename as well. This option is handy when you want to submit the request file to the CA at a future date. |
Attributes | Enter additional attributes for the requested certificate. Consult the Microsoft Platform Software Development Kit for more information about these attributes. |
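The Base64 PKCS #10 file accepted by the second advanced request option has a fixed DER layout, so an administrator can read back the subject and key length and check them against the Key Size guidance in Table 21-7 before the file is submitted to the CA. The Python below is an added example, not code from the book or from Certificate Services; it assumes an RSA request, builds its own constructed sample request (a fake modulus and a placeholder signature that is never verified), and treats the BEGIN/END armor lines as optional.

```python
import base64

OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}  # X.500 attribute types
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"                               # rsaEncryption
def tlv(tag, body):                               # minimal DER encoder, used only for the sample
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body
der_int = lambda v: tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # spare byte keeps sign clear
def read_tlv(buf, pos=0):                         # one DER element -> (tag, value bytes, next position)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long-form length uses the next n & 0x7F bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def children(body):                               # (tag, value) elements of a SEQUENCE/SET body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def inspect_pkcs10(b64_text, minimum_bits=512):
    """Subject, RSA key length and whether it meets the recommended 512-bit minimum of Table 21-7."""
    raw = base64.b64decode("".join(l for l in b64_text.splitlines() if not l.startswith("-----")))
    tag, csr, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is this really a Base64 PKCS #10 file?")
    _ver, name, spki = [v for _, v in children(children(csr)[0][1])[:3]]  # CertificationRequestInfo
    subject = {}
    for _, rdn in children(name):                 # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)
            subject[OIDS.get(oid, oid.hex())] = text.decode()
    alg, pubkey = [v for _, v in children(spki)]  # SubjectPublicKeyInfo: AlgorithmIdentifier, BIT STRING
    if children(alg)[0][1] != RSA_OID:
        raise ValueError("only RSA requests are inspected here")
    rsa_key = children(pubkey[1:])[0][1]          # pubkey[0] is the BIT STRING unused-bits byte
    bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()   # modulus length in bits
    return {"subject": subject, "key_bits": bits, "acceptable": bits >= minimum_bits}

def build_sample_request(cn, org, key_bits):
    """Constructed test data: an RSA-shaped PKCS #10 body with a placeholder (unverified) signature."""
    atv = lambda oid, s: tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, s.encode())))
    name = tlv(0x30, atv(b"\x55\x04\x03", cn) + atv(b"\x55\x04\x0a", org))
    modulus = (1 << (key_bits - 1)) | 1           # not a real key, only the right length
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00")
               + tlv(0x03, b"\x00" + tlv(0x30, der_int(modulus) + der_int(65537))))
    info = tlv(0x30, der_int(0) + name + spki + tlv(0xA0, b""))
    sig_alg = tlv(0x30, tlv(0x06, RSA_OID[:-1] + b"\x05") + b"\x05\x00")   # sha1WithRSAEncryption
    csr = tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" * 17))              # dummy signature bytes
    return "-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(csr).decode() + "-----END NEW CERTIFICATE REQUEST-----"
```

Running `inspect_pkcs10(build_sample_request("Exchange User", "Contoso", 1024))` reports the subject, a 1024-bit key and acceptable=True; a 384-bit request, the smallest the form allows, is reported as not acceptable.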
Viewing Information About Certificates
You can view specific information about certificates by navigating to the Issued Certificates folder in the Certificate Authority and then opening an individual certificate. To open a certificate, right-click it and then choose Open. Figure 21-18 shows the General tab of the property sheet for a user certificate. This tab lists the purpose of the certificate, the issuer, the issuee, and the dates the certificate is valid. If you compare the information for a user certificate with the information for a domain controller certificate (Figure 21-19), you'll notice that the purposes are very different. Remember that the purpose of a certificate is derived from its template.
The Issuer Statement button is dimmed in Figures 21-18 and 21-19 because in this case the issuing CA does not provide a statement. If the issuing CA for a given certificate does provide a statement, you can click this button to read additional information about the certificate from the issuing CA's Web site.
Figure 21-18. General tab of the property sheet for a user certificate.
Figure 21-19. General tab of the property sheet for a domain controller certificate.
The Details tab shows the information that the certificate contains. When you select an item in the Field column, the contents of that field are revealed in the Value column. Figure 21-20 shows the Public Key field selected; the Value column indicates that it is a 1024-bit key.
Figure 21-20. Details tab of a certificate's property sheet.
The Certification Path tab (Figure 21-21) shows the trust status of the certificate. If there is a problem with either the certificate or the path, a warning will appear in this tab, with information that explains the problem.
Figure 21-21. Certification Path tab of a certificate's property sheet.
On the client side, you can use Outlook 2000 to edit certain certificate properties. With the certificate open, click the Edit Properties button at the bottom of the certificate's property sheet to see the sheet shown in Figure 21-22. Here you can change the friendly name and description for the certificate. You can also restrict the purposes for which the certificate can be used. By default, all of the purposes are enabled, but you can manually disable certain purposes or disable all purposes, which would make the certificate invalid.
Figure 21-22. Editing certificate properties in Outlook 2000.
MORE INFO
To learn how to export certificates and private keys, or to learn more about how to back up and restore CAs, consult the Windows 2000 Server Distributed System Guide, part of the Microsoft Windows 2000 Server Resource Kit (Microsoft Press, 2000).