Working with the Local Certificate Store


You can work with the certificates that are installed for a computer or for a user account. To work with certificates that are installed on a computer, create a new Microsoft Management Console (MMC) console and add the Certificates snap-in, select the Computer Account option in the Certificates snap-in selection box, and then select your own local computer or a remote computer. In a single MMC console, you could add a Certificates snap-in for every server and workstation in your environment and manage all of their certificates from one place. In large environments this is unworkable, but in small environments it can be convenient.

In Figure 25-32, the MMC has both the local computer and the current user Certificates snap-in installed. Notice that under the Certificates - Current User snap-in, you have access to certificates for the following:

Figure 25-32: An MMC that has both the local computer and the current user Certificates snap-in installed.

  • Personal

  • Trusted Root Certification Authorities

  • Enterprise Trust

  • Intermediate Certification Authorities

  • Active Directory User Object

  • Trusted Publishers

  • Untrusted Certificates

  • Third-Party Root Certification Authorities

  • Trusted People

Under each of these folders is a Certificates folder. If you right-click that Certificates folder, you get the import, request, or find options that are appropriate for that certificate type. For example, you can request a new certificate for the user under the Personal/Certificates folder by right-clicking the folder, pointing to All Tasks, and selecting Request New Certificate. But under Trusted Root Certification Authorities, when you right-click the Certificates folder, you can import a certificate but not request a new one: a root certificate is something you decide to trust, not something you ask a CA to issue. Importing into that store makes every chain that ends at the imported certificate trusted for this user or computer, so verify its thumbprint out of band before you do it. Hence, the context menus presented when you right-click each folder indicate the activities that make sense for that store.

There are export, import, and certificate request wizards in this snap-in too. These wizards are designed to help you manage the certificates better and more efficiently. Also, a Find feature (right-click the Certificates object or any top-level folder) will help you find a certificate based on an attribute of that certificate.
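The Find feature, and the import and export wizards, have scripted equivalents. The following PowerShell is an added example and is not code from the book: it walks the same logical stores the snap-in displays (the physical store names such as My and Root map to the console's Personal and Trusted Root Certification Authorities folders), searches by subject, thumbprint, enhanced key usage or expiry, exports a public certificate, and imports a root only after checking its thumbprint. It assumes only the built-in Cert: provider (PowerShell 2.0 or later); the client-authentication OID in the usage line is standard, everything else is illustrative.

```powershell
# Added example, not from the book: a scripted Find over the stores the Certificates
# snap-in displays, plus a public-key export and a thumbprint-checked root import.
$StoreNames = @{
    'My'               = 'Personal'
    'Root'             = 'Trusted Root Certification Authorities'
    'Trust'            = 'Enterprise Trust'
    'CA'               = 'Intermediate Certification Authorities'
    'UserDS'           = 'Active Directory User Object'
    'TrustedPublisher' = 'Trusted Publishers'
    'Disallowed'       = 'Untrusted Certificates'
    'AuthRoot'         = 'Third-Party Root Certification Authorities'
    'TrustedPeople'    = 'Trusted People'
}

function Test-Eku {
    # True if the certificate carries an Enhanced Key Usage extension containing $Oid.
    # A certificate with no EKU extension is valid for any purpose but is not reported,
    # because the snap-in's Find matches on the explicit attribute as well.
    param($Cert, [string]$Oid)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return $false }
    foreach ($eku in $ext.EnhancedKeyUsages) { if ($eku.Value -eq $Oid) { return $true } }
    return $false
}

function Find-Certificate {
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')] [string]$Location = 'CurrentUser',
        [string]$Subject,             # substring of the Subject DN
        [string]$Thumbprint,          # SHA-1 thumbprint, spaces ignored
        [string]$EkuOid,              # e.g. 1.3.6.1.5.5.7.3.2 for Client Authentication
        [int]$ExpiresWithinDays = 0   # 0 disables the expiry filter
    )
    $tp = if ($Thumbprint) { $Thumbprint.Replace(' ', '').ToUpper() } else { $null }
    foreach ($store in $StoreNames.Keys) {
        $path = "Cert:\$Location\$store"
        if (-not (Test-Path $path)) { continue }   # e.g. UserDS is absent under LocalMachine
        Get-ChildItem $path | Where-Object {
            (-not $Subject -or $_.Subject -like "*$Subject*") -and
            (-not $tp -or $_.Thumbprint -eq $tp) -and
            (-not $EkuOid -or (Test-Eku $_ $EkuOid)) -and
            ($ExpiresWithinDays -le 0 -or $_.NotAfter -le (Get-Date).AddDays($ExpiresWithinDays))
        } | Select-Object @{ n = 'Store'; e = { $StoreNames[$store] } }, Subject, Issuer, NotAfter, Thumbprint
    }
}

function Export-PublicCertificate {
    # DER export of the public certificate only; this never writes a private key.
    param($Cert, [string]$Path)
    $der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($Path, $der)
}

function Import-TrustedRoot {
    # Adding to Root trusts every chain that ends at this certificate, so the caller
    # supplies the thumbprint obtained out of band and the import is refused on mismatch.
    param([string]$Path, [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($cert.Thumbprint -ne $ExpectedThumbprint.Replace(' ', '').ToUpper()) {
        throw "Thumbprint mismatch for $Path; refusing to trust it"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
}

# Usage: client-authentication certificates in the user's stores that expire within 30 days.
Find-Certificate -Location CurrentUser -EkuOid '1.3.6.1.5.5.7.3.2' -ExpiresWithinDays 30 |
    Format-Table -AutoSize
```

Import-TrustedRoot needs an elevated session because it writes to the machine Root store; the Find and export functions run as an ordinary user.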

If you right-click the Certificates folder under the Personal folder, you can request a new certificate and launch the Certificate Request Wizard. In three short screens, the wizard generates a key pair locally, submits the request to an enterprise CA, and installs the issued certificate for the user represented by the snap-in. In some ways this is easier than using the Web enrollment forms, though in large organizations the Web enrollment forms can greatly reduce administrative effort by having users request and install their own certificates.
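The same three steps can be scripted with certreq.exe, which ships with Windows Server 2003 and later. The following PowerShell is an added example, not code from the book; the template name UserAutoEnroll and the CA configuration string CA01\Contoso Issuing CA are hypothetical placeholders to replace with your own values (certutil -dump on a domain member lists the real ones).

```powershell
# Added example, not from the book: the Request New Certificate wizard as a certreq script.
# "UserAutoEnroll" and "CA01\Contoso Issuing CA" are placeholders.
$Template = 'UserAutoEnroll'
$CAConfig = 'CA01\Contoso Issuing CA'
$Work     = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Force -Path $Work | Out-Null
$Inf = Join-Path $Work 'request.inf'
$Req = Join-Path $Work 'request.req'
$Cer = Join-Path $Work 'issued.cer'

# Step 1 of the wizard: what to request. The key pair is generated in the user's local key
# container; only the PKCS#10 request leaves the machine. Exportable = FALSE means the
# private key cannot later be pulled out of the CSP. An enterprise CA template that builds
# the subject from Active Directory ignores the Subject line given here.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject       = "CN=$env:USERNAME"
KeyLength     = 2048
KeySpec       = 1
Exportable    = FALSE
MachineKeySet = FALSE
RequestType   = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $Inf -Encoding ASCII

# Step 2: generate the key pair and the request file.
certreq -new $Inf $Req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# Step 3: submit to the enterprise CA. If the template requires certificate manager
# approval, no .cer is written yet; note the RequestId that certreq prints and fetch the
# certificate later with: certreq -retrieve -config $CAConfig <RequestId> $Cer
certreq -submit -config $CAConfig $Req $Cer
if (-not (Test-Path $Cer)) {
    Write-Warning 'Request not issued yet (pending or denied); see the certreq output above.'
    return
}

# Install the issued certificate and bind it to the locally held private key.
certreq -accept $Cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Verify: the certificate now sits in Personal with HasPrivateKey = True.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "CN=$env:USERNAME*" } |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint
```

Because the private key never leaves the requesting machine, the request file and the issued certificate are safe to copy around; the only secret is in the user's key container, which is why Exportable is left at FALSE.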

Using this snap-in, you can also cut, copy, and paste certificates between stores using the context menus. Another feature of this console is autoenrollment. With autoenrollment, requested certificates are issued and installed automatically, so a certificate-by-certificate manual process is avoided.

The way to ensure that a particular certificate is automatically enrolled when the user requests it is to open the Certificate Templates snap-in. You will need to add this snap-in to an existing console or to a new console. After you add Certificate Templates to a console, right-click the User template (it could be any template, but the User template is the one most often configured for autoenrollment) and select Duplicate Template.

Give the template a new name on the General tab (Figure 25-33), configure the validity periods, and then on the Request Handling tab, select the Enroll Subject Without Requiring Any User Input option.

click to expand
Figure 25-33: Configuring a user certificate template to autoenroll a user when the certificate request is issued.

You need to be sure that the Autoenroll permission is applied to the Domain Users security group on the Security tab, together with Read and Enroll (autoenrollment needs all three; Autoenroll alone is not enough), and that the Publish Certificate In Active Directory check box is selected on the General tab (which it is by default). Granting Autoenroll to Domain Users issues a certificate to every user in the domain, so use a narrower group if that is not what you intend. Then publish the template on the CA: in the Certification Authority snap-in, right-click Certificate Templates, point to New, and select Certificate Template To Issue. Users can now obtain that certificate through autoenrollment.

What you should know is that the default Group Policy in a Windows Server 2003 Active Directory domain enables autoenrollment (Figure 25-34). Hence, in most cases autoenrollment will happen in the background at logon and at policy refresh for any published template on which the user holds Read, Enroll, and Autoenroll permissions, regardless of whether users also request certificates manually through the Web enrollment forms or the Certificates snap-in.
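The following PowerShell is an added example, not code from the book, that verifies each piece of the autoenrollment setup described above: that the duplicated template is published on the CA, that its General and Request Handling settings are reflected in the template object in Active Directory, that the group holds the right permissions, that the policy is enabled, and that a certificate actually arrives. The template name UserAutoEnroll, the CA string CA01\Contoso Issuing CA, and the domain DC=contoso,DC=com are hypothetical placeholders. It uses only certutil.exe, dsacls.exe, and gpupdate.exe, all of which are available on Windows Server 2003 and later (dsacls from the Support Tools on 2003).

```powershell
# Added example, not from the book: checks for the autoenrollment procedure.
# "UserAutoEnroll", "CA01\Contoso Issuing CA" and DC=contoso,DC=com are placeholders.
$Template   = 'UserAutoEnroll'
$CAConfig   = 'CA01\Contoso Issuing CA'
$TemplateDN = "CN=$Template,CN=Certificate Templates,CN=Public Key Services," +
              "CN=Services,CN=Configuration,DC=contoso,DC=com"

# 1. Publish the template on the CA (same effect as Certificate Template To Issue in the
#    Certification Authority snap-in), then confirm the CA lists it.
certutil -config $CAConfig -SetCATemplates "+$Template" | Out-Null
$published = certutil -config $CAConfig -CATemplates | Select-String -SimpleMatch $Template
"Published on CA : $([bool]$published)"

# 2. Read msPKI-Enrollment-Flag from the template object in AD and decode the bits the
#    General and Request Handling tabs control (CT_FLAG_PUBLISH_TO_DS 0x8,
#    CT_FLAG_AUTO_ENROLLMENT 0x20, CT_FLAG_USER_INTERACTION_REQUIRED 0x100).
$dump  = certutil -v -dstemplate $Template | Out-String
$flags = 0
if ($dump -match 'msPKI-Enrollment-Flag\s*=\s*0x([0-9a-fA-F]+)') {
    $flags = [Convert]::ToInt32($Matches[1], 16)
} else {
    Write-Warning 'msPKI-Enrollment-Flag not found in certutil output; check the template name'
}
"Publish in AD   : $(($flags -band 0x8)   -ne 0)"
"Autoenrollment  : $(($flags -band 0x20)  -ne 0)"
"No user prompt  : $(($flags -band 0x100) -eq 0)"   # Enroll Subject Without Requiring Any User Input

# 3. ACL on the template: the group needs Read, Enroll and Autoenroll. Expect all three
#    in the Domain Users lines; Autoenroll alone silently does nothing.
dsacls $TemplateDN | Select-String -SimpleMatch 'Domain Users'

# 4. Policy as applied to this user: AEPolicy under the AutoEnrollment policy key.
#    7 = enabled with both check boxes, 0x8000 = disabled, absent = Not Configured.
$pol = Get-ItemProperty 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
           -ErrorAction SilentlyContinue
"User AEPolicy   : $(if ($pol) { '0x{0:X}' -f $pol.AEPolicy } else { 'Not Configured' })"

# 5. Trigger a policy refresh (user autoenrollment runs at logon and on refresh) and look
#    for a certificate issued from the template in the user's Personal store. The
#    Certificate Template Information extension (1.3.6.1.4.1.311.21.7) formats as
#    Template=<name>(<oid>) when the name resolves from AD; otherwise match on the OID.
gpupdate /target:user /force | Out-Null
Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $t = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $t -and ($t.Format($false) -match [regex]::Escape($Template))
} | Select-Object Subject, NotAfter, Thumbprint
```

Steps 1 and 3 need CA administrator and AD rights respectively; steps 2, 4, and 5 run as the user being enrolled, which is the point: run them from the account that is not receiving a certificate and the output tells you which of the four prerequisites is missing.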

Figure 25-34: Group Policy Object on the domain object showing the default setting in Active Directory when Windows Server 2003 is installed.




Microsoft Exchange Server 2003 Administrator's Companion
Microsoft Exchange Server 2003 Administrators Companion (Pro-Administrators Companion)
ISBN: 0735619794
Year: 2005
Pages: 254

flylib.com © 2008-2017.