Managing the Public-Key Infrastructure


Now that you understand the Windows Server 2003 public-key infrastructure and are familiar with how Certificate Services works, you need to learn how to install and manage the Certification Authority snap-in. You can use this Microsoft Management Console snap-in to manage one or more CAs. For more information about how to create a customized snap-in, see Chapter 8, “Managing Exchange Server 2003.”

Installing and Configuring Certificate Services

If you do not include Certificate Services as an optional component during the installation of Windows Server 2003, you can install it at any time by selecting the Certificate Services component in Add/Remove Programs (Figure 25-2). Immediately upon selecting Certificate Services, you’re presented with a message box indicating that once Certificate Services is installed, you can’t rename this server or change its domain membership, because the CA’s name and its Active Directory objects are tied to both.

click to expand
Figure 25-2: Selecting Certificate Services in Add/Remove Programs.

On the CA Type selection page (Figure 25-3), you’re given the chance to choose the type of CA server you want to install. The default is an enterprise root CA. Select the appropriate type for your installation.

click to expand
Figure 25-3: CA Type selection page.

If you want to configure advanced options for the public and private keys, select the Use Custom Settings To Generate The Key Pair And CA Certificate check box and then click Next. The page shown in Figure 25-4 appears. Table 25-4 describes the choices you’re given in this screen.

click to expand
Figure 25-4: Setting advanced options for public and private key pairs.

Note

Installing an enterprise CA requires Active Directory services, so the CA computer must already be joined to the Windows Server 2003 domain.

Table 25-4: Advanced options for public and private key pairs

Option

Description

CSP

Select the Cryptographic Service Provider (CSP) to be used to generate the public key and private key set for the CA certificate. The default CSP is the Microsoft Strong Cryptographic Provider.

Hash Algorithms

The default is SHA-1, the strongest of the hash algorithms the default CSP offers (the others are MD2, MD4, and MD5). Treat it as the best option available to this CSP at the time of writing rather than a long-term choice: practical collision attacks against SHA-1 have since been demonstrated, and current browsers and operating systems reject SHA-1 (and MD5) certificate signatures. The algorithm chosen here is recorded in the CA’s configuration and used to sign every certificate and CRL the CA issues.

Allow This CSP To Interact With The Desktop

Select this check box only if the CSP needs to display a dialog box, for example to prompt for the PIN or passphrase of a smart card or hardware security module that protects the CA’s private key. Certificate Services runs as a service, and services cannot interact with the desktop of the logged-on user unless this option is set; without it, a hardware CSP that needs operator input will fail or hang during key operations. For the software CSPs leave it cleared, because allowing a service to interact with the desktop widens its exposure.

Key Length

The default key length is 2048 bits for the Strong Cryptographic Provider and 1024 bits for the Basic Cryptographic Provider. The wizard accepts key lengths from 512 bits to 4096 bits. Generally, the longer the key, the longer the safe lifetime of the private key. Do not choose fewer than 2048 bits for any CA: 512-bit RSA keys can be factored with modest resources, and 1024-bit keys are no longer accepted by current software. A root CA, whose key must remain trustworthy for the longest time, warrants 4096 bits.

Use Existing Keys

Allows you to choose an existing private key from the list. The existing private key is used for the CA. You might need to use this option to restore a failed CA.

Use The Certificate Associated With This Key

Enables the selection of the certificate that is associated with the existing private key that is used for the CA. You might need to use this option to restore a failed CA.

Import

Gives you the ability to import a private key that is not in the Use Existing Keys list. For example, you might import a private key from an archive for a failed CA.

View Certificate

Displays the certificate associated with the private key in the Use Existing Keys list.
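The choices in Table 25-4 can be checked after the fact. The script below is an added example by the editor, not code from the book or from Microsoft: it uses the certutil.exe that ships with Windows Server 2003 to export the CA’s own certificate and the CA’s CSP settings, then inspects the key length and signature hash with the .NET X509Certificate2 class. The CA configuration string, the output path, and the thresholds (2048 bits, no MD2/MD4/MD5/SHA-1 signatures) are the editor’s assumptions.

```powershell
# Added example (editor's, not from the book): audit the key-pair choices of an installed CA.
# Assumes certutil.exe is on the path. $CaConfig is a placeholder; leave it blank on the CA itself.
param(
    [string]$CaConfig = "",                  # e.g. "ca01.contoso.com\Contoso Root CA"
    [string]$OutFile  = "$env:TEMP\ca.cer"   # where the CA certificate is exported
)

$minKeyBits = 2048                                          # editor's threshold
$weakHashes = @('md2RSA', 'md4RSA', 'md5RSA', 'sha1RSA')    # friendly names as .NET reports them

# 1. Export the CA's own certificate (DER) with certutil.
if ($CaConfig) { & certutil.exe -config $CaConfig -ca.cert $OutFile | Out-Null }
else           { & certutil.exe -ca.cert $OutFile | Out-Null }
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed (exit code $LASTEXITCODE)" }

# 2. Load it and read the fields that correspond to the CSP, Key Length and Hash Algorithm options.
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
$keyBits = $cert.PublicKey.Key.KeySize
$sigAlg  = $cert.SignatureAlgorithm.FriendlyName

"CA subject        : $($cert.Subject)"
"Key length (bits) : $keyBits"
"Signature hash    : $sigAlg"
"Valid until       : $($cert.NotAfter)"

$findings = @()
if ($keyBits -lt $minKeyBits) {
    $findings += "CA key is $keyBits bits; CA keys should be at least $minKeyBits bits"
}
if ($weakHashes -contains $sigAlg) {
    $findings += "CA certificate is signed with $sigAlg; MD5 and SHA-1 are no longer collision-resistant"
}

# 3. The hash the CA uses to sign the certificates it issues is a registry setting under
#    CertSvc\Configuration\<CA>\CSP, separate from the algorithm in the CA's own certificate.
"`nCA CSP registry settings (HashAlgorithm is an ALG_ID: 0x8003 = MD5, 0x8004 = SHA-1):"
if ($CaConfig) { & certutil.exe -config $CaConfig -getreg 'ca\csp' }
else           { & certutil.exe -getreg 'ca\csp' }

if ($findings.Count -eq 0) { "`nNo findings." }
else { "`nFindings:"; $findings | ForEach-Object { " - $_" } }
```

Run it as a .ps1 on the CA (or pass -CaConfig from an administrative workstation that has certutil). A root CA signed with a weak hash cannot simply be re-signed; the fix is to renew the CA certificate with a new key pair after the CSP settings have been changed, so this check belongs in planning rather than after the CA has issued certificates.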

Enter the CA identifying information, as illustrated in Figure 25-5, and then click Next.

click to expand
Figure 25-5: Entering CA identifying information.

You’ll see a quick screen indicating that the key pair is being generated. It will appear for fewer than 2 seconds in most cases. After the key is generated, Setup needs to know where to put the database. Enter the appropriate path. As Figure 25-6 shows, you can also select the Store Configuration Information In A Shared Folder check box. This option creates a folder that makes information about CAs available to users. It is useful only if you are installing a standalone CA and do not have Active Directory.

click to expand
Figure 25-6: Specifying data storage locations.

When you click Next, you see a message box indicating that Microsoft Internet Information Services (IIS) services must be stopped. Just click OK, and the wizard will configure the components. When it is done, you are finished installing Certificate Services. A shortcut to the Certification Authority snap-in appears in the Administrative Tools menu. Figure 25-7 illustrates the basic Certification Authority snap-in.

click to expand
Figure 25-7: Certification Authority snap-in.

Installing Web Enrollment Support

By default, when Windows Server 2003 Certificate Services is installed on a server that already runs IIS, Web enrollment support is installed on the same server (Figure 25-8). You can also choose to install the Web enrollment pages on another Windows Server 2003–based computer. You might do so if the traffic volume for Certificate Services is high and you need to spread the enrollment traffic load over more than one server, or if you do not want IIS running on the CA itself.

click to expand
Figure 25-8: Web enrollment home page.

The default location for the Web enrollment pages is %windir%\System32\CertSrv. To install the Web enrollment pages on a server other than the one housing Certificate Services, start the Add/Remove Programs tool in Control Panel and select Certificate Services, as though you were installing it. Then click Details and clear the Certificate Services CA check box (Figure 25-9). Verify that the Certificate Services Web Enrollment Support check box is selected, and then click OK. Follow the wizard to completion. The separate server must already be running IIS with Active Server Pages enabled, because the enrollment pages are ASP pages, and you will be asked for the name of the CA they should talk to.

click to expand
Figure 25-9: Installing Web enrollment support on a separate server.

Using the Web Enrollment Pages

Users can access the Web enrollment pages via the default URL http://servername/certsrv. The welcome page offers several options. Clicking Download A CA Certificate, Certificate Chain, Or CRL takes you to a page from which you can retrieve the CA’s certificate, the whole certification chain, or the most current CRL. The same page lets you establish trust for the CA certificate chain, which installs the certification chain for the CA’s certificate in the certificate store of the local computer (Figure 25-10). This option is most useful when you need to trust a subordinate CA but do not have the certificate of the root CA in your local certificate store. Because the default URL is plain HTTP, configure IIS to require SSL on the CertSrv virtual directory so that requests and issued certificates are not submitted and retrieved in the clear.

click to expand
Figure 25-10: Retrieving the CA’s certificate.

More often, you will use this Web site to obtain a new user certificate. To begin the process, click the Request A Certificate link. On the next page that appears (Figure 25-11), you can either request a user certificate or submit an advanced certificate request. For information about the advanced options, see the next section, “Making an Advanced Request.”

click to expand
Figure 25-11: Requesting a new certificate.

To request a new basic user certificate, click the User Certificate link. The User Certificate - Identifying Information page appears (Figure 25-12). Here you are informed that no more information is needed for the CA to generate a certificate. Clicking the Submit button initiates the certificate generation process. Clicking the More Options link allows you to specify the cryptographic service provider and the request format for the certificate. In most circumstances, you will want to click the Submit button; the More Options area is only for advanced users.

click to expand
Figure 25-12: Message indicating system is ready to submit a certificate request.

After you click Submit, the certificate is generated. Click Yes or OK when the two message boxes appear to finish the submission request. The next page gives you the opportunity to install the certificate (Figure 25-13).

click to expand
Figure 25-13: Message indicating system is ready to install the certificate.

Clicking the Install This Certificate link installs the certificate on the local computer. The certificate is available only to the user for whom the certificate was generated. If other users log on to the computer, they will not be able to use this certificate. The final enrollment page then appears, indicating that the certificate has been installed properly. To verify that the certificate has been created, open the Certification Authority snap-in and open the Issued Certificates folder. The user’s certificate is displayed in the details pane (Figure 25-14).

click to expand
Figure 25-14: Verifying that a user certificate has been created.

You can also verify that the user certificate has been installed by opening the Microsoft Outlook 2003 client, choosing Options from the Tools menu, and then clicking on the Security tab (Figure 25-15). In the Encrypted area, click the Settings button to reveal the Change Security Settings screen (Figure 25-16).

click to expand
Figure 25-15: Verifying that a user certificate has been installed.

click to expand
Figure 25-16: Change Security Settings screen.

Click the Choose button for both the signing and encryption certificate to show that the certificate is installed in Outlook. Select OK in the Select Certificate window to assign the certificate that was just created to the Outlook client (Figure 25-17). Figure 25-18 illustrates how the certificates appear in the Security tab after being selected. The hash algorithm and encryption algorithm can be changed, but not the certificate itself.

click to expand
Figure 25-17: Selecting the Users Certificate for assignment in the Outlook client.

click to expand
Figure 25-18: The Users Certificate assigned to the Outlook client for both encryption and signing.

If different certificates are installed, you can specify a particular certificate by clicking the Choose button and making a selection (Figure 25-19). Although the items in the list look like multiple copies of the same certificate, they are not. Each item is a unique certificate.

click to expand
Figure 25-19: Choosing a certificate for personal use.

Making an Advanced Request

The Advanced Request option allows you to specify additional options while making a certificate request. Figure 25-20 shows the three types of requests available. The first choice, Create And Submit A Request To This CA, walks you through an advanced form. You can use this advanced form to request any certificate types supported by the enterprise CA. You’ll also use this form to configure the key, format, and hash options for the certificate request. Generally, only administrators use this form because it is likely to be too complicated for the average user.

click to expand
Figure 25-20: The three options available for an advanced certificate request.

The second choice, Submit A Certificate Request Using A Base-64-Encoded CMC Or PKCS #10 File, Or Submit A Renewal Request By Using A Base-64-Encoded PKCS #7 File, allows you to submit a certificate request using a file rather than a form. The file must already exist in Base-64 encoding: a CMC or PKCS #10 file for a new request, or a PKCS #7 file for a renewal. The key pair is generated wherever the file was created, not by the Web page. You will also need to select which type of certificate is being requested in the Certificate Template section.

The last choice, Request A Certificate For A Smart Card On Behalf Of Another User Using The Smart Card Enrollment Station, allows an administrator to create a certificate for a smart-card user that can then be installed onto the physical card.
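The file-based path of the advanced request is usually driven from the command line rather than from the Web page. The script below is an added example by the editor, not code from the book: it creates the same kind of Base-64-encoded PKCS #10 request the form accepts with certreq.exe, submits it to the CA, and binds the issued certificate to the key. The CA configuration string, the subject, the working directory, and the use of the default User template are placeholders.

```powershell
# Added example (editor's, not from the book): advanced request via a PKCS #10 file with certreq.exe.
# Placeholders: $caConfig (<server>\<CA common name>), the Subject, and the template name "User".
$caConfig = "ca01.contoso.com\Contoso Issuing CA"
$work     = Join-Path $env:TEMP "enroll"
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work "request.inf"
$req = Join-Path $work "request.req"
$cer = Join-Path $work "cert.cer"

# 1. Request parameters: the same choices the advanced form exposes
#    (CSP, key length, exportability, request format, template).
#    Templates that build the subject from Active Directory (the default User
#    template does) ignore the Subject given here and fill it in from the account.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject        = "CN=Alice Example, OU=Sales, DC=contoso, DC=com"
KeyLength      = 2048
KeySpec        = 1
Exportable     = FALSE
MachineKeySet  = FALSE
ProviderName   = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType   = 1
RequestType    = PKCS10

[RequestAttributes]
CertificateTemplate = User
'@ | Set-Content -Path $inf -Encoding ASCII

# 2. Generate the key pair in the current user's key store and write the Base-64 PKCS #10 request.
& certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

# Sanity check: this is the format the "Base-64-encoded ... PKCS #10 file" option expects.
if (-not (Select-String -Path $req -Pattern 'BEGIN NEW CERTIFICATE REQUEST' -Quiet)) {
    throw "$req is not a Base-64 PKCS #10 request"
}

# 3. Submit it. An enterprise CA answers immediately when the template auto-issues; if the
#    request is held for approval, certreq prints a RequestId to use later with
#    certreq -retrieve -config $caConfig <RequestId> $cer
& certreq.exe -submit -config $caConfig $req $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit did not return a certificate; see output above" }

# 4. Bind the issued certificate to the private key generated in step 2, then show what was issued.
& certreq.exe -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }
& certutil.exe -dump $cer
```

Keeping Exportable = FALSE means the private key cannot be copied out of the user’s profile later, which is what you want for signing keys; for an encryption-only certificate that must survive a lost profile, plan key archival on the CA instead of marking the key exportable.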

Viewing Information About Certificates

You can view specific information about certificates by navigating to the Issued Certificates folder in the Certification Authority snap-in and then opening an individual certificate. To open a certificate, right-click it and then choose Open. Figure 25-21 shows the General tab of the property sheet for a user certificate. This tab lists the purpose of the certificate, the issuer, to whom the certificate is issued, and the dates the certificate is valid. If you compare the information for a user certificate with the information for a domain controller certificate (Figure 25-22), you’ll notice that the purposes are very different. Remember that the purpose of a certificate is derived from its template, which sets the Enhanced Key Usage extension in the issued certificate.

click to expand
Figure 25-21: General tab of the property sheet for a user certificate.

click to expand
Figure 25-22: General tab of the property sheet for a domain controller certificate.

The Issuer Statement button is grayed out in Figures 25-21 and 25-22 because in this case, the issuing CA does not provide a statement. If the issuing CA for a given certificate does provide a statement, you can click this button to read additional information about the certificate from the issuing CA’s Web site.

The Details tab shows the information contained in the certificate. When you select an item in the Field column, the contents of that field are revealed in the Value column. Figure 25-23 shows the Public Key field selected. The Value column indicates that it is a 1024-bit key.

click to expand
Figure 25-23: Details tab of a certificate’s property sheet.

The Certification Path tab (Figure 25-24) shows the trust status of the certificate. If there is a problem with either the certificate or the path, a warning will appear in this tab with information explaining the problem.

click to expand
Figure 25-24: Certification Path tab of a certificate’s property sheet.
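The same facts the General, Details, and Certification Path tabs show, and the check suggested earlier that the user’s certificate really was enrolled, can be gathered from the client without opening property sheets. The script below is an added example by the editor, not code from the book: it reads the user’s Personal store through the PowerShell Cert: drive, confirms the private key is present and the Secure Email purpose is set (what Outlook needs), and builds the chain with revocation checking. The issuer name filter is a placeholder.

```powershell
# Added example (editor's, not from the book): inspect the enrolled user certificate from the client.
# $issuerFilter is a placeholder; match it to the CA name used in your environment.
$issuerFilter = 'Contoso'
$secureEmail  = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection, required for S/MIME in Outlook

$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -like "*$issuerFilter*" }
if (-not $certs) { throw "no certificate issued by '$issuerFilter' in the user's Personal store" }

foreach ($cert in $certs) {
    # General and Details tab equivalents.
    "Subject     : $($cert.Subject)"
    "Issuer      : $($cert.Issuer)"
    "Thumbprint  : $($cert.Thumbprint)"
    "Valid       : $($cert.NotBefore) .. $($cert.NotAfter)"
    "Key length  : $($cert.PublicKey.Key.KeySize) bits"
    "Private key : $($cert.HasPrivateKey)"   # False = only the public certificate; cannot sign or decrypt

    # Purposes come from the template (Enhanced Key Usage extension, OID 2.5.29.37).
    $ekuOids = @()
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    "Purposes    : " + ($ekuOids -join ', ')
    if ($ekuOids -notcontains $secureEmail) {
        Write-Warning "certificate lacks the Secure Email purpose; Outlook will not offer it for S/MIME"
    }

    # Certification Path tab equivalent: build the chain up to a trusted root and
    # check each certificate against its CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($cert)
    "Chain valid : $ok"
    foreach ($element in $chain.ChainElements) { "   -> $($element.Certificate.Subject)" }
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("chain problem: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    ""
}
```

A chain that builds in the snap-in on the CA but fails here usually means the client cannot reach the CRL distribution point named in the certificate, or the root certificate has not been installed on the client; the ChainStatus warnings distinguish the two cases.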

On the client side, you can use Outlook 2003 to edit certain certificate properties. With the certificate open, click the Edit Properties button at the bottom of the Details tab of the certificate’s property sheet to see the sheet shown in Figure 25-25. Here you can change the friendly name and description for the certificate. You can also restrict the purposes for which the certificate can be used. By default, all purposes are enabled, but you can manually disable certain purposes or disable all purposes, which makes the certificate unusable. These settings are stored as properties in the local certificate store, not in the certificate itself, so they affect only this user on this computer.

click to expand
Figure 25-25: Editing certificate properties in Outlook 2003.

The Cross-Certificates tab (Figure 25-26) allows you to specify cross-certificates for this certificate. Cross-certificates are special certificates that are used to establish complete or qualified one-way trusts between otherwise unrelated CAs. If your organization has multiple, distributed IT departments, you might not be able to establish a single, trusted root. In this situation, you can implement a network (cross-certification) trust model in which all CAs are self-signed and trust relationships between CAs are based on cross-certificates. Because each cross-certificate extends your trust to everything the other CA issues, prefer qualified cross-certificates that carry name and policy constraints over complete ones.

click to expand
Figure 25-26: Cross-Certificates tab in the certificate properties.




Microsoft Exchange Server 2003 Administrator's Companion
ISBN: 0735619794
Year: 2005
Pages: 254
