Obtaining, Installing, and Managing Digital Certificates


Before you can take advantage of e-mail security features, you need to obtain and install a personal e-mail certificate. In this section you'll learn more about the registration process associated with requesting a certificate, how certificates are installed, and how certificate-related management tasks are accomplished with the Windows Vista Certificates MMC snap-in.

Obtaining and Installing a Personal Digital Certificate

The first step in obtaining your own personal e-mail certificate is to register for one with a CA. Although some CAs charge a yearly fee for this service, it is possible to obtain a certificate for free from a number of different sources.

Thawte is an example of a CA that offers free personal e-mail certificates. These free certificates identify you as a Thawte Freemail Member (rather than by your real name), and include your e-mail address as identification. In other words, no real process is undertaken to verify your true identity. Thawte simply verifies that your e-mail address is valid, and then lists this address in the certificate's Subject field.

Although a free personal certificate will not include your actual name, it does provide the same digital signing and encryption capabilities as paid certificates. In other words, you won't find functionality lacking as a result of going the free route.

The following CAs offer free digital IDs for the purpose of securing e-mail communications:

  • Thawte (http://www.thawte.com/secure-e-mail/personal-e-mail-certificates/index.html)

  • Comodo (http://www.comodogroup.com/products/certificate_services/e-mail_certificate.html)

  • ipsCA (http://www.certs.ipsca.com/Products/SMIME.asp)

  • TC TrustCenter (http://www.trustcenter.de/en/produkte/my_certificate_express.htm)

  • CAcert (http://www.cacert.org)

After you've completed the certificate registration process it can take anywhere from a few minutes to a few days before your certificate is issued and ready to install. This time period depends upon how busy the CA is (issuing free certificates is, understandably, a lower priority for a commercial organization), but also relates to the CA's processes for verifying your identity. In the case of free personal certificates, the validation process is usually completed quite quickly. In the case of paid certificates being issued to military or bank personnel, for example, the validation process might take considerably longer.

The steps associated with obtaining and installing your personal digital certificate will vary from CA to CA. Simply follow the steps outlined on the CA's web site or in the e-mail messages it sends you to complete the process. When installed, use the details provided in the following sections to manage your certificate and send encrypted/digitally signed e-mail messages.

Managing a Personal Digital Certificate

On a Windows Vista system, certificates are managed using the Certificates MMC. This snap-in enables you to import, export, view, and delete certificates as necessary.

Follow these steps to review your new personal e-mail certificate in the Certificates MMC:

  1. Click Start. Type certmgr.msc in the Search box and press Enter.

  2. When the User Account Control dialog box appears, click Continue.

  3. In the MMC window, expand Certificates > Personal > Certificates, as shown in Figure 12-1.

    Figure 12-1: Viewing the contents of your personal certificate store.

  4. Double-click your certificate to view it, as shown in Figure 12-2.

    Figure 12-2: Viewing your personal e-mail certificate.

  5. Click the Details tab to view the settings associated with the certificate (Figure 12-3).

    Figure 12-3: The Details tab for a personal e-mail certificate.

  6. Click OK to close the certificate.

Most users will have very limited interaction with the Certificates MMC. However, this tool is the primary interface via which existing certificates can be imported and exported. If you plan on sending and receiving secured e-mail messages from multiple computers, or if you're planning to upgrade to a new PC, your personal e-mail certificate should come along for the ride. If this certificate (and especially its private key) is not moved to your new system, you will not be able to open existing encrypted files, nor digitally sign new messages.

Even in cases where you do not need to move your personal certificate to a different computer, you should still take the time to export it (along with your private key) for backup purposes.

Follow these steps to export your personal certificate, including your private key:

  1. If necessary, open the Certificates MMC snap-in as outlined previously.

  2. Expand Certificates > Personal > Certificates.

  3. Right-click your certificate, and select All Tasks > Export.

  4. When the Certificate Export Wizard welcome screen appears, click Next.

  5. At the Export Private Key screen, click Yes, export the private key, and click Next.

  6. At the Export File Format screen, ensure that the Export All Extended Properties option is selected as shown in Figure 12-4. Click Next.

    Figure 12-4: Exporting your certificate, including your private key.

  7. At the Password screen, enter and confirm a strong password that will be used to protect your private key. Click Next.

  8. At the File To Export screen, enter an appropriate and recognizable name and folder location to store your certificate, as shown in Figure 12-5. Click Next.

    Figure 12-5: Select a storage location and file name for your exported certificate.

  9. Click Finish. When the Exporting Your Private Exchange Key window appears, click OK.

  10. At the Certificate Export Wizard dialog box, click OK.

  11. As a final step, burn your exported certificate to a CD or removable disk, and store it in a safe place.
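The wizard steps above can also be driven from PowerShell. The following is an added example, not code from the book: it lists the e-mail certificates in the current user's Personal store and backs one up, with its private key, as a password-protected PFX (PKCS #12) file, which is the format the Certificate Export Wizard produces. It uses the .NET X509Store classes directly, so it does not depend on the later PKI module cmdlets; the output path and the choice of the first usable certificate are assumptions.

```powershell
function Get-MailCertificate {
    # Returns Personal-store certificates whose Enhanced Key Usage (OID 2.5.29.37)
    # lists Secure Email (OID 1.3.6.1.5.5.7.3.4), i.e. S/MIME-capable certificates.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' })) {
                $cert
            }
        }
    } finally {
        $store.Close()
    }
}

function Export-MailCertificate {
    param(
        [Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    if (-not $Certificate.HasPrivateKey) {
        # A public-key-only (.cer) export would not restore signing or decryption.
        throw "No private key present for $($Certificate.Subject); nothing usable to back up."
    }
    # Pfx = PKCS #12 with the private key encrypted under the password. If the key was
    # imported as non-exportable, Windows refuses and this throws a CryptographicException.
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes   = $Certificate.Export($pfxType, $Password)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    Get-Item $Path
}

# Usage: review what is in the store, then export the first certificate that has a
# private key. The destination path is an assumed example location.
Get-MailCertificate | Format-Table Subject, NotAfter, HasPrivateKey, Thumbprint -AutoSize
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$mine = Get-MailCertificate | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
Export-MailCertificate -Certificate $mine -Path "$env:USERPROFILE\Documents\mail-cert-backup.pfx" -Password $pfxPassword
```

The resulting .pfx is the file to copy to removable media as the last step describes; the password chosen here is what protects the private key while it sits on that disk.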

Note 

To import your certificate on another computer, open the Certificates MMC on that system, expand Certificates > Personal, right-click the Certificates folder, and select All Tasks > Import. The Certificate Import Wizard walks you through the process of adding your existing personal certificate to the new computer.

Revoking Certificates

Because it is possible for certificates and their private keys to be compromised, lost, or stolen, public key systems include a process to revoke certificates. When an e-mail certificate is revoked, it is no longer considered to be valid for the purpose of digitally signing or encrypting messages.

To revoke a certificate, you typically need to contact the issuing CA to have it added to what is known as a certificate revocation list (CRL). All CAs maintain a list of revoked certificates that can be checked by client e-mail programs to determine a certificate's validity.

To revoke your certificate, log on to the CA's web site using the account you created during the original certificate request process. Find the option that enables you to revoke your certificate, and then follow the instructions to complete the process.

It's important to note that after a certificate is revoked, it is no longer valid and cannot be reinstated. As such, you would need to request and install a replacement certificate, and then send a copy of this new certificate to all users with whom you engage in secure e-mail correspondence.
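The CRL check that e-mail clients perform can be reproduced by hand. The following is an added example, not code from the book: it asks Windows to build the trust chain for a certificate with online revocation checking enabled and reports whether the certificate is revoked, or whether its status could not be determined because the CRL was unreachable. The .cer file path in the usage lines is a placeholder.

```powershell
function Test-MailCertificateRevocation {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online: download the issuer's CRL (a cached copy is used while it is still fresh).
    $chain.ChainPolicy.RevocationMode = 'Online'
    # EntireChain: check the intermediate and root CA certificates as well, not just the leaf.
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $trusted = $chain.Build($Certificate)

    # Collapse the per-element status flags into a single bitmask.
    $flags = 0
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor [int]$s.Status }
    $F = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $unknownMask = [int]$F::RevocationStatusUnknown -bor [int]$F::OfflineRevocation

    New-Object PSObject -Property @{
        Subject           = $Certificate.Subject
        Trusted           = $trusted
        # Listed on a CRL: the certificate must not be used for signing or encryption.
        Revoked           = (($flags -band [int]$F::Revoked) -ne 0)
        # CRL could not be fetched: revocation cannot be ruled out, so do not
        # encrypt to this certificate until the check can be completed.
        RevocationUnknown = (($flags -band $unknownMask) -ne 0)
        Details           = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# Usage: check a correspondent's public certificate (placeholder path) before
# sending them encrypted mail.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\contact.cer'
Test-MailCertificateRevocation -Certificate $cert | Format-List
```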




PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
Year: 2004
Pages: 135
Authors: Dan DiNicolo
