Microsoft Certificate Server is a general-purpose, highly customizable server application for managing the issuance, revocation, and renewal of digital certificates. Digital certificates are used for public-key cryptography applications such as server and client authentication under the Secure Sockets Layer (SSL) or Private Communication Technology (PCT) protocols. With Certificate Server, organizations can perform authentication in an Internet, intranet, or extranet environment through the use of these certificates.
Certificate Server is primarily for Web applications that require authentication and secure communication by using SSL. However, it is also applicable to other certificate-based applications such as Secure/Multipurpose Internet Mail Extensions (S/MIME), the Secure Electronic Transaction (SET) protocol, and Authenticode. Certificate Server can issue certificates for both clients and servers in the X.509 version 3 format.
Installation of Certificate Server is accomplished by using the Windows NT 4.0 Option Pack. The total disk space requirement for Certificate Server is just 11.8 MB, and 9.9 MB of that space is occupied by the Certificate Server online documentation. The minimum hardware requirements for Certificate Server are the same as those for IIS 4.0. The installation is a wizard-driven process that takes only a couple of minutes to complete. During installation, you'll be prompted either to create a root certificate for the certificate authority being created or to create a certificate request file that you can use to obtain a certificate from another CA. How you respond to this prompt should be based upon whether you want Certificate Server to be the root CA at the top of the CA hierarchy or you want it to be a nonroot CA that participates in an already established CA hierarchy.
After you have completed the installation of Certificate Server, you will need to either reboot your machine or manually start the Certificate Authority service. For a manual start, choose Start|Settings|Control Panel and then choose Services. You should then select the Certificate Authority service from the list in the Services dialog box and select Start, as shown in Figure 23-1.
Figure 23-1. The Certificate Authority service in the Services dialog box in the Windows NT 4.0 Control Panel.
Certificate Server has a server engine and database as well as other modules that communicate with the server engine to perform various tasks. External applications, such as those written in Microsoft Visual Basic, Microsoft Visual C++, Microsoft Visual J++, and Visual InterDev (Active Server Pages), can interact with the server engine via COM interfaces. The other modules in the architecture include administration tools, policy module, extension handlers, intermediary, and exit modules, as shown in Figure 23-2.
Figure 23-2. The Certificate Server architecture, showing the server engine and the server database modules.
Some of the interfaces available in Certificate Server are shown in Table 23-1. This will be of interest later on as we start writing ASP code within Visual InterDev 6.0 to programmatically access Certificate Server functionality.
Table 23-1. Interfaces imported and exported by the server engine of Certificate Server.
| Interface | Description |
|---|---|
| ICertConfig | Used by clients to get information about a server |
| ICertRequest | Used to send a request to the server and get the result of the request |
| ICertAdmin | Used by administration programs to manage requests, certificates, and revocation |
| ICertServerPolicy | Used by the policy module to get and set certificate and request properties |
| ICertServerExit | Used by exit modules to get and set certificate and request properties |
| ICertExit | Exported by exit modules; used by the server engine to deliver finished certificates and revocation information |
| ICertPolicy | Exported by the policy module; used by the server engine to check requests and get properties for certificates |
To work with Certificate Server, you access it via the browser. You can get to the administration tools at http://localhost/certsrv. Figure 23-3 shows the main administration page for Certificate Server.
Figure 23-3. The main administration page for Certificate Server.
Here you can access four different items: the Certificate Administration Log Utility, the Certificate Administration Queue Utility, the Certificate Enrollment Tools, and the Certificate Server Documentation. Interestingly enough, many of these utilities are written in Active Server Pages. The database used to store certificate information is a Microsoft Access database named certsrv.mdb. As you can see in Figure 23-2, the server database is divided into two parts: the server queue and the server log. The server queue maintains a list of all certificate requests, and the server log maintains copies of all issued certificates. The certificate enrollment page has several links for installing CA certificates, processing certificate requests, and requesting client authentication certificates for Microsoft Internet Explorer and Netscape Navigator.
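To show how the ICertConfig and ICertRequest interfaces from Table 23-1 and the server queue/server log split described above fit together from ASP, here is an added example (not from the book and not one of the product's own enrollment pages) that submits a PKCS #10 request and handles each disposition the server engine can return. The ProgIDs, the constant values, and the form field name CertRequest are assumptions taken from the Certificate Server SDK rather than from this chapter.

```asp
<% Option Explicit
' Added example, not the book's code. Submits a base64 PKCS #10 request to
' Certificate Server through ICertRequest and reacts to each disposition.
' Assumed: ProgIDs and constant values below match the Certificate Server SDK.
Const CC_DEFAULTCONFIG         = 0      ' ICertConfig: default CA on this machine
Const CR_IN_BASE64HEADER       = 0      ' request is base64 with BEGIN/END lines
Const CR_IN_PKCS10             = &H100  ' request format is PKCS #10
Const CR_OUT_BASE64HEADER      = 0      ' return certificate as base64 with header lines
Const CR_DISP_DENIED           = 2      ' policy module rejected the request
Const CR_DISP_ISSUED           = 3      ' certificate issued and written to the server log
Const CR_DISP_UNDER_SUBMISSION = 5      ' parked in the server queue for an administrator

Dim strRequest, objConfig, strConfig, objRequest, lngDisp

' The caller posts the PKCS #10 text in a form field named CertRequest (assumed name).
strRequest = Request.Form("CertRequest")
If Len(strRequest) = 0 Then
    Response.Write "No certificate request was supplied."
    Response.End
End If

' ICertConfig identifies the CA to talk to as "<server>\<CA name>".
Set objConfig = Server.CreateObject("CertificateAuthority.Config")
strConfig = objConfig.GetConfig(CC_DEFAULTCONFIG)

' ICertRequest hands the request to the server engine; the policy module decides.
Set objRequest = Server.CreateObject("CertificateAuthority.Request")
lngDisp = objRequest.Submit(CR_IN_BASE64HEADER Or CR_IN_PKCS10, strRequest, "", strConfig)

Select Case lngDisp
    Case CR_DISP_ISSUED
        ' Return the finished certificate; the server log keeps its own copy.
        Response.ContentType = "text/plain"
        Response.Write objRequest.GetCertificate(CR_OUT_BASE64HEADER)
    Case CR_DISP_UNDER_SUBMISSION
        ' Pending: this request id is what shows up in the Queue Utility.
        Response.Write "Request " & objRequest.GetRequestId() & _
                       " is waiting in the server queue for an administrator."
    Case CR_DISP_DENIED
        Response.Write "Request denied: " & _
                       Server.HTMLEncode(objRequest.GetDispositionMessage())
    Case Else
        ' Anything else is an error path worth logging rather than silently ignoring.
        Response.Write "Unexpected disposition " & lngDisp & ": " & _
                       Server.HTMLEncode(objRequest.GetDispositionMessage())
End Select
%>
```

The pending branch is the one to watch operationally: a request in that state sits in certsrv.mdb until someone approves or denies it through the Certificate Administration Queue Utility.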
A CA certificate is the digital certificate that authenticates the certificate authority that you are using. It's essentially the ID card for the CA. For your browser to enter into a dialog with a CA, the CA's certificate needs to be installed into your browser.
To install a CA certificate into your browser, you can either install a certificate from a third-party CA such as VeriSign or install the root CA certificate that has been generated for you by Certificate Server.
To install a root CA certificate into the Internet Explorer 4.0 browser from Certificate Server, follow these steps:
Within Internet Explorer 4.0, you can check that the CA certificate has been installed correctly by choosing Internet Options from the View menu and then selecting the Content tab. Next click the Authorities button in the Certificates group box. You'll now be presented with a list of CAs whose certificates have been installed into your browser. From here you have the ability either to view the details of the certificate or to delete the certificate.
Figure 23-4. The Certificate Authority Certificate List page. This page allows you to install a CA certificate into your browser.