Certificate Server

Microsoft Certificate Server is a general-purpose, highly customizable server application for managing the issuance, revocation, and renewal of digital certificates. Digital certificates are used for public-key cryptography applications such as server and client authentication under the Secure Sockets Layer (SSL) or Private Communication Technology (PCT) protocols. With Certificate Server, organizations can perform authentication in an Internet, intranet, or extranet environment through the use of these certificates.

Certificate Server is primarily for Web applications that require authentication and secure communication by using SSL. However, it is also applicable to other certificate-based applications such as Secure Multipurpose Internet Mail Extensions (S/MIME), the Secure Electronic Transaction (SET) protocol, and Authenticode. Certificate Server can issue certificates for both clients and servers in the X.509 version 3 format.

Installing Certificate Server

Installation of Certificate Server is accomplished by using the Windows NT 4.0 Option Pack. The total disk space requirement for Certificate Server is just 11.8 MB; in fact, 9.9 MB of that space is occupied by the Certificate Server online documentation. The minimum hardware requirements for Certificate Server are the same as those for IIS 4.0. The installation is a wizard-driven process that takes only a couple of minutes to complete. During installation, you'll be prompted either to create a root certificate for the certificate authority being created or to create a certificate request file that you can use to obtain a certificate from another CA. How you respond to this prompt depends on whether you want Certificate Server to be the root CA at the top of the CA hierarchy or a nonroot (subordinate) CA that participates in an already established CA hierarchy.

After you have completed the installation of Certificate Server, you will need to either reboot your machine or manually start the Certificate Authority service. For a manual start, choose Start|Settings|Control Panel and then choose Services. You should then select the Certificate Authority service from the list in the Services dialog box and select Start, as shown in Figure 23-1.

Figure 23-1. The Certificate Authority service in the Services dialog box in the Windows NT 4.0 Control Panel.

Certificate Server Architecture

Certificate Server has a server engine and database as well as other modules that communicate with the server engine to perform various tasks. External applications, such as those written in Microsoft Visual Basic, Microsoft Visual C++, Microsoft Visual J++, and Visual InterDev (Active Server Pages), can interact with the server engine via COM interfaces. The other modules in the architecture are the administration tools, the policy module, extension handlers, intermediaries, and exit modules, as shown in Figure 23-2.

Figure 23-2. The Certificate Server architecture, showing the server engine and the server database modules.

Some of the interfaces available in Certificate Server are shown in Table 23-1. This will be of interest later on as we start writing ASP code within Visual InterDev 6.0 to programmatically access Certificate Server functionality.

Table 23-1. Interfaces imported and exported by the server engine of Certificate Server.

Interface            Description
ICertConfig          Used by clients to get information about a server
ICertRequest         Used to send a request to the server and get the result of the request
ICertAdmin           Used by administration programs to manage requests, certificates, and revocation
ICertServerPolicy    Used by the policy module to get and set certificate and request properties
ICertServerExit      Used by exit modules to get and set certificate and request properties
ICertExit            Exported by exit modules; used by the server engine to deliver finished certificates and revocation information
ICertPolicy          Exported by the policy module; used by the server engine to check requests and get properties for certificates
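
The following ASP page is an added example (not code from the book) of driving the ICertConfig and ICertRequest interfaces from Visual InterDev: it locates the default CA, submits a PKCS #10 request posted by the enrollment form, and acts on the disposition the server engine returns. The ProgIDs, method names, and disposition and flag constants are taken from the Certificate Server COM API and are not on the page; the form field name CertRequest is assumed.

```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Disposition codes returned by ICertRequest.Submit (from the Certificate
' Server COM API; assumed, not shown on the page)
Const CR_DISP_INCOMPLETE         = 0
Const CR_DISP_ERROR              = 1
Const CR_DISP_DENIED             = 2
Const CR_DISP_ISSUED             = 3
Const CR_DISP_ISSUED_OUT_OF_BAND = 4
Const CR_DISP_UNDER_SUBMISSION   = 5
' Encoding flags: base64 with -----BEGIN/END----- header lines
Const CR_IN_BASE64HEADER  = 0
Const CR_OUT_BASE64HEADER = 0
Const CC_DEFAULTCONFIG    = 0

Dim objConfig, objRequest, strConfig, strPKCS10, lngDisp

' ICertConfig: find the default server ("server\CA name") for this machine.
Set objConfig = Server.CreateObject("CertificateAuthority.Config")
strConfig = objConfig.GetConfig(CC_DEFAULTCONFIG)

' The PKCS #10 request is posted by the browser-side enrollment form
' (field name CertRequest is assumed). Reject empty submissions early.
strPKCS10 = Request.Form("CertRequest")
If Len(Trim(strPKCS10)) = 0 Then
    Response.Write "No certificate request was supplied."
    Response.End
End If

' ICertRequest: hand the request to the server engine. The policy module,
' not this page, decides whether it is issued, denied, or queued.
Set objRequest = Server.CreateObject("CertificateAuthority.Request")
lngDisp = objRequest.Submit(CR_IN_BASE64HEADER, strPKCS10, "", strConfig)

Select Case lngDisp
    Case CR_DISP_ISSUED
        ' Certificate was written to the server log; return it to the client.
        Response.Write "<pre>" & objRequest.GetCertificate(CR_OUT_BASE64HEADER) & "</pre>"
    Case CR_DISP_UNDER_SUBMISSION
        ' Parked in the server queue for an administrator to approve or deny.
        Response.Write "Request " & objRequest.GetRequestId() & " is pending approval."
    Case CR_DISP_DENIED
        Response.Write "Denied by policy: " & Server.HTMLEncode(objRequest.GetDispositionMessage())
    Case Else
        ' Encode server text before echoing it into the page.
        Response.Write "Request failed (disposition " & lngDisp & "): " & _
                       Server.HTMLEncode(objRequest.GetDispositionMessage())
End Select
%>
```

Requests the policy module leaves under submission show up in the Certificate Administration Queue Utility described below, where an administrator resolves them.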

To work with Certificate Server, you access it via the browser. You can get to the administration tools at http://localhost/certsrv. Figure 23-3 shows the main administration page for Certificate Server.

Figure 23-3. The main administration page for Certificate Server.

Here you can access four different items: the Certificate Administration Log Utility, the Certificate Administration Queue Utility, the Certificate Enrollment Tools, and the Certificate Server Documentation. Interestingly enough, many of these utilities are written in Active Server Pages. The database used to store certificate information is a Microsoft Access database named certsrv.mdb. As you can see in Figure 23-2, the server database is divided into two parts: the server queue and the server log. The server queue maintains a list of all certificate requests, and the server log maintains copies of all issued certificates. The certificate enrollment page has several links for installing CA certificates, processing certificate requests, and requesting client authentication certificates for Microsoft Internet Explorer and Netscape Navigator.

Installing a CA Certificate into Your Browser

A CA certificate is the digital certificate that authenticates the certificate authority that you are using. It's essentially the ID card for the CA. For your browser to enter into a dialog with a CA, the CA's certificate needs to be installed into your browser.

To install a CA certificate into your browser, you can either install a certificate from a third-party CA such as VeriSign or install the root CA certificate that has been generated for you by Certificate Server.

To install a root CA certificate into the Internet Explorer 4.0 browser from Certificate Server, follow these steps:

  1. Make sure that Certificate Server is installed and has been configured as a root CA.
  2. Go into the main administration page of Certificate Server at http://localhost/certsrv, and click the Certificate Enrollment Tools hyperlink.
  3. Select the Install Certificate Authority Certificates option.
  4. Select the certificate that you have generated from Certificate Server by clicking the appropriate hyperlink, as shown in Figure 23-4.
  5. In the File Download dialog box, choose Open This File From Its Current Location and click OK.
  6. Click OK in the New Site Certificate dialog box.

Within Internet Explorer 4.0, you can check that the CA certificate has been installed correctly by choosing Internet Options from the View menu and then selecting the Content tab. Next click the Authorities button in the Certificates group box. You'll now be presented with a list of CAs whose certificates have been installed into your browser. From here you have the ability either to view the details of the certificate or to delete the certificate.

Figure 23-4. The Certificate Authority Certificate List page. This page allows you to install a CA certificate into your browser.

Programming Microsoft Visual InterDev 6.0
ISBN: 1572318147
Year: 2005
Pages: 143