Windows Certificate Support

Windows has built-in support for certificates in the following ways:

  • Every computer running Windows 2000, Windows XP, or Windows Server 2003 has the ability to store computer and user certificates and manage them using the Certificates snap-in, subject to Windows security and permissions.

  • Windows 2000 Server and Windows Server 2003 include Certificate Services, which allows a Windows server computer to act as a CA.

Managing Certificates with the Certificates Snap-In

To manage the set of certificates for users, computers, or services installed on a Windows computer, you use the Certificates snap-in. Users and administrators can use the Certificates snap-in to request new certificates from enterprise CAs. In addition, users can find, view, import, and export certificates from within certificate stores. In most cases, users do not have to personally manage their certificates and their certificate stores. Administrators, policy settings, and programs that use certificates typically manage certificates.

Administrators are the primary users of the Certificates snap-in, and as such they are able to perform a wide variety of certificate management tasks in their personal certificate store as well as the certificate stores for any computer or service that they have the right to administer.

There is no prebuilt console file for the Certificates snap-in that is available in the Administrative Tools folder. You must manually build a console that contains the Certificates snap-in and then save the console configuration as a console file for future use.

More Info
For more information about managing consoles and console files in Windows, see Windows help for the Microsoft Management Console (MMC).

To manage certificates for your user account

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the Console menu, click File, click Add/Remove Snap-In, and then click Add.

  3. Under Snap-In in the Add Standalone Snap-In window, double-click Certificates, and then

    • If you are logged on as an administrator, click My User Account, and then click Finish.

    • If you are logged on as a user, Certificates automatically loads.

  4. Click Close.

    Certificates - Current User appears on the list of selected snap-ins for the new console.

  5. If you have no more snap-ins to add to the console, click OK.

  6. To save this console, click File on the Console menu and then click Save.

  7. In the Save As window, type the filename for the console file and click Save.

Figure 6-6 shows the Certificates snap-in for a user account.

Figure 6-6. The Certificates snap-in for a user account.

To manage certificates for a computer

  1. Log on to the computer using an account that has administrator privileges for that computer.

  2. Click Start, click Run, type mmc, and then click OK.

  3. On the Console menu, click File, click Add/Remove Snap-In, and then click Add.

  4. Under Snap-In in the Add Standalone Snap-In window, double-click Certificates, click Computer Account in the Certificates Snap-In window, and then click Next.

  5. Do one of the following:

    • To manage certificates for the local computer, click Local Computer and then click Finish.

    • To manage certificates for a remote computer, click Another Computer and type the name of the computer, or click Browse to select the computer name and then click Finish.

  6. Click Close.

    Certificates (Local Computer) or Certificates (ComputerName) appears on the list of selected snap-ins for the new console.

  7. If you have no more snap-ins to add to the console, click OK.

  8. To save this console, on the Console menu, click File and then click Save.

  9. In the Save As window, type the filename for the console file and click Save.

Figure 6-7 shows the Certificates snap-in for a computer.

Figure 6-7. The Certificates snap-in for a computer.

Windows stores a certificate locally on the computer or device that requested it or, in the case of a user, on the computer or device that the user used to request it. The storage location, which is called the certificate store, often has numerous certificates, possibly issued from a number of different CAs.

Using the Certificates snap-in, you can display the certificate store for a user, a computer, or a service according to the purpose for which the certificates were issued or by using their logical storage categories. When you display certificates according to their storage categories, you can also choose to display the physical stores, showing the certificate storage hierarchy.

If you have the user rights to do so, you can import or export certificates from any of the folders in the certificate store.

Certificate Store Inheritance

If you place a root CA certificate into the computer's trusted root certification authorities store or enterprise trust store, any user of the computer will see that certificate in their own user trusted root certification authorities store or enterprise trust store, even though the root certificate is actually in the computer's store. Essentially, users will trust any CA that their computer trusts.

Certificate store inheritance does not work the other way around: certificates in the user's trusted root certification authorities store and enterprise trust store are not inherited by the computer.
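The store browsing and inheritance behaviour described above can be checked from the command line as well as from the snap-in. The following script is an added example, not part of the book; it assumes Windows PowerShell with the Cert: drive provider (a later feature than the Windows 2000/XP systems the chapter covers) and uses the system store names My (Personal), Root (Trusted Root Certification Authorities), CA (Intermediate Certification Authorities) and Trust (Enterprise Trust). The Get-StoreInventory and Get-UserOnlyRoots function names are this example's own.

```powershell
# Added example (not from the book): inventory the user and computer certificate
# stores, flag expired certificates, and list the trust anchors a user has that
# the computer does not. Assumes the PowerShell Cert: provider is available.

function Get-StoreInventory {
    param(
        [Parameter(Mandatory)][ValidateSet('CurrentUser','LocalMachine')][string]$Location,
        # Personal, Trusted Root CAs, Intermediate CAs, Enterprise Trust
        [string[]]$StoreNames = @('My','Root','CA','Trust')
    )
    foreach ($name in $StoreNames) {
        $path = "Cert:\$Location\$name"
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | ForEach-Object {
            [pscustomobject]@{
                Location   = $Location
                Store      = $name
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt (Get-Date))
                HasKey     = $_.HasPrivateKey      # private key present in this profile's key store
                Thumbprint = $_.Thumbprint
            }
        }
    }
}

# The user's logical Root store already includes every root the computer trusts
# (store inheritance), so whatever remains after removing the machine's roots was
# added at the user level and is what an administrator should review.
function Get-UserOnlyRoots {
    $machine = @(Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint)
    Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $machine -notcontains $_.Thumbprint }
}

# Personal and trust stores for the current user
Get-StoreInventory -Location CurrentUser |
    Format-Table Store, Subject, NotAfter, Expired, HasKey -AutoSize

# Expired certificates in the computer's stores (requires rights to read them)
Get-StoreInventory -Location LocalMachine | Where-Object Expired |
    Format-Table Store, Subject, NotAfter -AutoSize

# Roots trusted by this user but not by the computer
Get-UserOnlyRoots | Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

The last report is the practical consequence of inheritance running only from computer to user: a root that appears there was installed into the user's own registry-backed store, so it affects only that account and will not show up when an administrator audits the computer's store.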

Certificate Services

Certificate Services provides customizable services for issuing and managing certificates used in software security systems employing public key technologies. You can use Certificate Services in Windows 2000 Server and Windows Server 2003 to create a CA that will receive certificate requests, verify the information in the request and the identity of the requester, issue certificates, revoke certificates, and publish CRLs.

Certificate Services can also be used to do the following:

  • Enroll users for certificates from the CA using the Web or the Certificates snap-in, or transparently through autoenrollment.

  • Use certificate templates to help simplify the choices a certificate requester has to make when requesting a certificate, depending upon the policy used by the CA.

  • Take advantage of Active Directory for publishing trusted root certificates, publishing issued certificates, and publishing CRLs.

  • Implement the ability to log on to a Windows operating system domain using a smart card.

If your organization is using Certificate Services, the CA is one of two types:

  • Enterprise CA

    An enterprise CA depends upon Active Directory being present. An enterprise CA offers different types of certificates to a requester based on the certificates it is configured to issue as well as the security permissions of the requester. An enterprise CA uses information available in Active Directory to help verify the requester's identity. An enterprise CA publishes its CRL to Active Directory as well as to a shared directory. You can use the Certificate Request wizard within the Certificates snap-in, CA Web pages (Web enrollment), and autoenrollment to request certificates from an enterprise CA.

  • Standalone CA

    A standalone CA is less automated for a user than an enterprise CA because it does not require or depend on the use of Active Directory. Standalone certification authorities that do not use Active Directory generally have to request that the certificate requester provide more complete identifying information. A standalone CA makes its CRL available from a shared folder, or from Active Directory if it is available. By default, users can request certificates from a standalone CA only through Web enrollment.
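The difference between the two CA types shows up directly in how a request is built and submitted. The script below is an added example, not from the book or from Certificate Services itself; it drives the standard certreq.exe and certutil.exe tools from PowerShell. The CA configuration string, subject name and template name are placeholders to replace with your own values, and the request is written to a temporary folder chosen by the example.

```powershell
# Added example (not from the book): request a certificate from an enterprise CA
# (template-driven, issued immediately when the requester has Enroll permission)
# or from a standalone CA (full subject supplied, request normally left pending
# for an administrator), then verify the issued certificate and its CRL.
param(
    [ValidateSet('Enterprise','Standalone')][string]$CAType = 'Enterprise',
    [string]$CAConfig = 'CAHOST.example.local\Example CA',       # "host\CA name" (placeholder)
    [string]$Subject  = 'CN=host1.example.local,O=Example,C=US', # placeholder subject
    [string]$Template = 'WebServer'                              # enterprise template name (placeholder)
)

$work = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'issued.cer'

# Request definition. A standalone CA has no templates and relies on the subject
# information in the request; an enterprise CA takes the template as an attribute
# and fills in most fields from Active Directory and the template itself.
$inf_text = @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
"@
if ($CAType -eq 'Enterprise') {
    $inf_text += "`r`n[RequestAttributes]`r`nCertificateTemplate = $Template`r`n"
}
Set-Content -Path $inf -Value $inf_text -Encoding ASCII

# Generate the key pair in the computer's key store and write a PKCS#10 request.
certreq.exe -new $inf $req

# Submit to the CA. A standalone CA usually answers "Taken Under Submission" and
# prints a RequestId; the certificate is collected later with "certreq -retrieve".
certreq.exe -submit -config $CAConfig $req $cer

if (Test-Path $cer) {
    # Install the issued certificate and bind it to the private key created above.
    certreq.exe -accept $cer
    # Build the chain and fetch the CRL from the distribution point the CA
    # published (Active Directory, shared folder or HTTP), which confirms that
    # revocation checking will work for clients that receive this certificate.
    certutil.exe -verify -urlfetch $cer
} else {
    Write-Host "Request is pending. After approval run:"
    Write-Host "  certreq -retrieve -config `"$CAConfig`" <RequestId> $cer"
}
```

Running the same script with -CAType Standalone produces a request without a template attribute, which is the form a standalone CA expects; the certutil verification step at the end is the same for both CA types and is the quickest way to confirm that the CRL location the CA advertises is actually reachable.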



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies