Once you start issuing certificates, or clients request that you issue them, management of certificates becomes an important issue. In this lesson, you learn how to manage certificates, revoke a certificate, and implement an Encrypting File System (EFS) recovery policy.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
When a certificate is marked as revoked, it is moved to the Revoked Certificates folder. The revoked certificate appears on the CRL the next time it is published. Certificates revoked with the reason code Certificate Hold can be unrevoked, left on Certificate Hold until they expire, or have their revocation reason code changed. This is the only reason code that allows you to change the status of a revoked certificate. It is useful if the status of the certificate is questionable, and is meant to provide some flexibility to the CA administrator.
In the details pane, examine the certificate request by noting the values for requester name, requester e-mail address, and any other fields that you consider critical information for issuing the certificate.
Failed certificate requests should occur only when a member of the Cert Publishers or Administrators groups denies a certificate request.
When a certificate is presented to an entity as a means of identifying the certificate holder (the subject of the certificate), it is useful only if the entity receiving the certificate trusts the issuing CA. Certificates are issued under the following processes:
Certificate authorities publish CRLs containing certificates that have been revoked by the CA. The certificate holder's private key may become compromised, or false information may be used to apply for the certificate. CRLs provide a way of withdrawing a certificate after it has been issued. CRLs are made available for downloading or online viewing by client applications.
To verify a certificate, all that is necessary is the public key of the CA and a check against the revocation list published by that CA. Certificates and CAs reduce the public-key distribution problem of verifying and trusting one (or more) public keys per individual. Instead, only the CA's public key must be trusted and verified, and then that can be relied on to allow verification of other certificates.
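The verification rule above, worked through in Go's standard crypto/x509 package as an added example (it is not part of the lesson and not Windows 2000 tooling): a throw-away CA issues three certificates and publishes a CRL, and Check accepts a certificate only after the CA's public key verifies both the certificate's signature and the CRL's, reporting a Certificate Hold entry separately because that is the one reason code the CA can later lift. The function names (Check, NewTestPKI, must), the serial numbers and the revocation reasons are assumptions; every certificate is constructed inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// RFC 5280 CRL reason codes used here; certificateHold (6) is the only one a CA can undo later.
const reasonKeyCompromise, reasonCertificateHold = 1, 6

// Check does what the lesson describes: verify the issuer signature with the CA public key,
// then look the serial number up on the CA's CRL (whose own signature must also be the CA's).
func Check(ca *x509.Certificate, crl *x509.RevocationList, leaf *x509.Certificate) string {
	if leaf.CheckSignatureFrom(ca) != nil || crl.CheckSignatureFrom(ca) != nil {
		return "untrusted" // not issued by this CA, or the CRL is not this CA's
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) != 0 {
			continue
		}
		if e.ReasonCode == reasonCertificateHold {
			return "on-hold" // refuse for now, but the CA may still unrevoke it
		}
		return "revoked" // terminal reason code: the entry stays on the CRL until the certificate expires
	}
	return "valid"
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// NewTestPKI (constructed data) builds a CA, issues serials 2, 3 and 4, and publishes a CRL placing 2 on hold and revoking 3.
func NewTestPKI() (ca *x509.Certificate, crl *x509.RevocationList, leaves []*x509.Certificate) {
	now, key := time.Now(), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key))))
	for _, n := range []int64{2, 3, 4} {
		userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // each subject has its own key pair
		t := &x509.Certificate{SerialNumber: big.NewInt(n), Subject: pkix.Name{CommonName: "user"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
		leaves = append(leaves, must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, ca, &userKey.PublicKey, key)))))
	}
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(2), RevocationTime: now, ReasonCode: reasonCertificateHold},
			{SerialNumber: big.NewInt(3), RevocationTime: now, ReasonCode: reasonKeyCompromise}}}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key))))
	return ca, crl, leaves
}
```

Calling Check on the three certificates from NewTestPKI yields on-hold, revoked and valid in that order, and a certificate checked against a different CA's public key is reported as untrusted before the CRL is consulted.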
In this practice, you will revoke the certificate you obtained when completing the Practice in Lesson 2.
Notice that the certificate has been revoked, as illustrated in Figure 15.5.
Figure 15.5 Certificate Authority revoked certificates
Data recovery is available for the EFS as a part of the overall security policy for the system. For example, if you should ever lose your file encryption certificate and associated private key (through disk failure or any other reason), data recovery is available through the person who is the designated recovery agent. Or, in a business environment, an organization can recover data encrypted by an employee after the employee leaves.
EFS recovery policy specifies the data recovery agent accounts that are used within the scope of the policy. EFS requires an encrypted data recovery agent policy before it can be used, and it uses a default recovery agent account (the Administrator) if none has been chosen. In a domain, only members of the Domain Admins group can designate another account as the recovery agent account. In a small business or home environment where there are no domains, the computer's local Administrator account is the default recovery agent account. Only the Administrator account can change local recovery policy for a computer.
A recovery agent account is used to restore data for all computers covered by the policy. If a user's private key is lost, a file protected by that key can be backed up, and the backup sent by means of secure e-mail to a recovery agent administrator. The administrator restores the backup copy, opens it to read the file, copies the file in plaintext, and returns the plaintext file to the user using secure e-mail again.
As an alternative, the administrator can go to the computer that has the encrypted file, import his or her recovery agent certificate and private key, and perform the recovery there. However, this might not be safe and is not recommended because of the sensitivity of the recovery key—the administrator cannot afford to leave the recovery key on another computer.
In this practice, you change the recovery policy for the local computer. Before changing the recovery policy in any way, you should first back up the recovery keys to a floppy disk. In a domain, a default recovery policy is implemented for the domain when the first domain controller is set up. The domain administrator is issued the self-signed certificate, which designates the domain administrator as the recovery agent. To change the default recovery policy for a domain, log on to the first domain controller as an administrator.
NOTE
To complete this practice, you must have the appropriate permissions to request the certificate and the CA must be configured to issue this type of certificate.
Figure 15.6 Group Policy for EFS recovery
You can manage certificates using the Certificate Authority snap-in for the Microsoft Management Console (MMC). Certificates revoked with the reason code Certificate Hold can be unrevoked. They can also be left on Certificate Hold until they expire or have their revocation reason code changed. Data recovery is available for the EFS as a part of the overall security policy for the system.