Issuing and Revoking Certificates

Certificate authorities are responsible for issuing and revoking certificates for users, computers, devices, and even other CAs. Before a certificate can be issued, a request must be generated. Once a certificate has been issued to a requestor, an administrator can revoke it at any time. The following section looks at the certificate enrollment process, the different methods for generating a certificate request, and how certificates can be revoked.

Certificate Enrollment

The first step in obtaining a certificate is to submit a certificate request. This process is referred to as certificate enrollment.

The following steps outline the basic process that occurs during certificate enrollment:

  1. Before a request for a certificate can be generated, the requestor generates or is assigned a public and private key pair.

  2. The requestor must gather the information required by the CA to verify its identity and issue a certificate.

  3. The requestor sends the information to the CA along with its public key.

  4. The CA verifies the information based on its policy rules to determine whether a certificate should be issued.

  5. The CA creates a digital statement containing the requestor's information and signs it using its private key.

  6. The certificate is sent to the requestor and loaded onto the requestor's computer.

There are several ways in which a certificate request can be generated. These include:

  • Certificate Request wizard enrollment

  • Web-based enrollment

  • Automated enrollment

If an enterprise CA is available, the Certificate Request wizard can be used to generate a certificate request. The wizard can be found within the Certificates snap-in. Administrators can use the snap-in to manage their user account, computer account, or local services. Regular users can use the snap-in to manage their own account certificates. When requesting a certificate, you must choose the appropriate certificate template. The ACLs for the templates determine which users and computers can enroll for the different certificates.

Clients can also enroll for a certificate using the Certificate Services Enrollment pages. The Certificate Enrollment Web Pages are installed on the computer running Certificate Services (although the pages can be added to other systems). As shown in Figure 9.12, the enrollment page is accessible from the following URL: http://server_name/certsrv/default.asp.

Figure 9.12. Using Web-based certificate enrollment.

If you have to support browsers other than Internet Explorer for Web-based enrollment, you must change the authentication method on the CertSrv virtual directory to Basic Authentication.


Because standalone CAs do not use Active Directory, certificate enrollment must be performed using the Certificate Services Enrollment pages.


The third option is to use automated enrollment, which relies on Windows 2000 Group Policy. When automated enrollment is configured, the specified certificates are automatically issued to all computers and users within the scope of the policy. Again, this enrollment method is supported only when an enterprise CA is available. Automated enrollment is discussed further in the following section.

Using Public Key Group Policy

One of the benefits of configuring the Public Key Group Policy is that you can automate the enrollment of computer certificates. You can use the Group Policy snap-in to configure a Public Key Policy for sites, domains, organizational units, and local computers.

To configure automated certificate enrollment, follow these steps:

  1. From the Start menu, click Run. Type mmc and click OK.

  2. Click Console and click Add/Remove Snap-in. Click Add and select Group Policy. Click Add.

  3. Click Finish. Click Close.

  4. Navigate to the Computer Configuration container, expand Security Settings, and click Public Key Policy, as shown in Figure 9.13.

    Figure 9.13. Public Key Group Policy.

  5. Right-click Automatic Certificate Request, point to New, and click Automatic Certificate Request. This launches the Automatic Certificate Request Setup Wizard. Click Next.

  6. Select the certificate type and click Next. For a certificate based on a template to be issued, the computer must have the Enroll permission for that template.

  7. Select the CAs that can process the requests. Click Next.

  8. Click Finish.

Once the automatic certificate request has been created, certificates of the selected types are issued the next time a computer within the scope of the policy restarts or logs on to the domain.

Revoking Certificates

One of the tasks associated with managing certificates is revoking them. At some point you may find it necessary to revoke an issued certificate. For example, if an employee leaves an organization, his or her certificate must be revoked.

Once a certificate is marked as revoked, it is moved to the Certificate Revocation List (CRL). (You learn more about the CRL in a moment.) The revoked certificate appears on the CRL the next time the list is published. All revoked certificates appear on the list so that other entities can check whether a certificate is still valid. An administrator can use the Certificate Authority snap-in to revoke a certificate.

To revoke a certificate, follow these steps:

  1. Click Start, point to Programs, Administrative Tools, and click Certificate Authority.

  2. Expand the Certificate Authority and click the Issued Certificates container.

  3. Right-click the appropriate certificate, point to All Tasks, and click Revoke Certificate.

  4. As shown in Figure 9.14, the Certificate Revocation box appears. Select the reason for revoking the certificate and click Yes.

    Figure 9.14. Revoking a certificate.

  5. The certificate should now appear in the Revoked Certificates container.

Before you revoke a certificate, keep in mind that once it is revoked it cannot be made valid again. The user must be issued a new certificate to replace the revoked one.

When you revoke a certificate, you must specify a reason code. If the revocation is questionable, meaning there is a chance that the certificate may need to be reinstated, select the reason code Certificate Hold. This is the only reason code that allows you to unrevoke the certificate.

Certificate Revocation List

Periodically, Windows 2000 Certificate Services publishes a Certificate Revocation List (CRL). This list is used to inform other entities which certificates have been revoked and are therefore no longer valid.

The CRL is automatically published once every week, although an administrator can configure a different interval. For example, if you expect a high number of certificate revocations per week, you may want to shorten the publication interval so that the CRL is published more frequently. This can be done through the Certificate Authority snap-in by right-clicking the Revoked Certificates folder and choosing Properties. In the resulting Properties dialog box, you can adjust the CRL publication interval (see Figure 9.15).

Figure 9.15. Configuring the CRL publication interval.

Although the CRL is published by default once a week, you can publish a CRL manually if you revoke a certificate between publication intervals and need to notify other entities of the change immediately. To do so, right-click the Revoked Certificates folder within the Certificate Authority snap-in, point to All Tasks, and click Publish. The CRL is published to the <systemroot>\system32\CertSrv\CertEnroll folder, as well as to Active Directory if the CRL is published by an Enterprise CA. Manually publishing a CRL does not interfere with the regular publication interval.
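The enrollment steps listed earlier (a requestor generating a key pair and a signed request, the CA checking that request and signing a certificate with its own private key) and the revocation flow of this section (publishing a CRL that records a reason code, then checking a certificate against it) are shown end to end in the following added example, written in Ruby with its bundled OpenSSL binding; it is not code from the book or from Windows 2000 Certificate Services. The CA name, the requestor name, the serial numbers and the validity periods are constructed, and the reason code 6 is the RFC 5280 value for Certificate Hold.

```ruby
require 'openssl'

CERTIFICATE_HOLD = 6 # RFC 5280 CRLReason "certificateHold": the only code a revocation can be undone from

# Self-signed CA (constructed name) permitted to sign both certificates and CRLs.
def new_ca
  key, ca = OpenSSL::PKey::RSA.new(2048), OpenSSL::X509::Certificate.new
  ca.version, ca.serial, ca.public_key = 2, 1, key.public_key
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse('/CN=Example Enterprise CA')
  ca.not_before, ca.not_after = Time.now - 3600, Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  [ca.sign(key, 'SHA256'), key]
end

# Enrollment steps 1-3: the requestor generates a key pair and a request signed with its private key.
def new_request(cn)
  key, req = OpenSSL::PKey::RSA.new(2048), OpenSSL::X509::Request.new
  req.version, req.subject, req.public_key = 0, OpenSSL::X509::Name.parse("/CN=#{cn}"), key.public_key
  [req.sign(key, 'SHA256'), key]
end

# Steps 4-6: the CA's checks start with proof of possession; it then signs the certificate with its own key.
def issue(ca, ca_key, req, serial)
  raise 'request is not signed by the key it carries' unless req.verify(req.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.subject, cert.issuer = 2, serial, req.subject, ca.subject
  cert.not_before, cert.not_after, cert.public_key = Time.now - 3600, Time.now + 86_400, req.public_key
  cert.sign(ca_key, 'SHA256')
end

# Signs a CRL listing one revoked serial with its reason code; next_update mirrors the weekly default.
def publish_crl(ca, ca_key, serial, reason)
  revoked = OpenSSL::X509::Revoked.new
  revoked.serial, revoked.time = serial, Time.now
  revoked.add_extension(OpenSSL::X509::Extension.new('CRLReason', OpenSSL::ASN1::Enumerated.new(reason).to_der))
  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer, crl.last_update, crl.next_update = 1, ca.subject, Time.now, Time.now + 7 * 86_400
  crl.add_revoked(revoked)
  crl.sign(ca_key, 'SHA256')
end

# Relying party: trust the CRL only if the CA signed it; returns the reason code, or nil if serial is not listed.
def revocation_reason(crl, ca, serial)
  raise 'CRL signature does not verify against the CA' unless crl.verify(ca.public_key)
  entry = crl.revoked.find { |r| r.serial == serial } or return nil
  ext = entry.extensions.find { |e| e.oid == 'CRLReason' }
  ext ? OpenSSL::ASN1.decode(ext.value_der).value.to_i : 0 # missing extension reads as 0, "unspecified"
end
```

A request whose subject is altered after signing fails the proof-of-possession check in `issue`, and a CRL signed by any key other than the CA's is rejected by `revocation_reason` before its entries are consulted.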

To provide a higher level of security and ensure that the root CA is not compromised, you can configure it as an offline CA, meaning that it is disconnected from the network. To do so, the server that will become the offline root CA must be running IIS and must be a member server within an Active Directory domain. Once the new root CA is installed, the default location of the Certificate Revocation List must be changed to a location on the network that is accessible to users.

Windows 2000 Network Infrastructure Exam Cram 2 (Exam 70-216)
ISBN: 078972863X
Year: 2005
Pages: 167
