Working with Microsoft Certificate Services


Microsoft Certificate Services allows you to issue and revoke digital certificates. You can use these certificates to enable SSL sessions and to authenticate the identity of your intranet, extranet, or Internet Web site.

Understanding Certificate Services

Certificate Services is a Windows service that runs on a designated certificate server. Certificate servers can be configured as one of four types of CAs:

  • Enterprise root CA The certificate server at the root of the hierarchy for a Windows domain. It’s the most trusted CA in the enterprise and must be a member of the Active Directory service and have access to it.

  • Enterprise subordinate CA A certificate server that will be a member of an existing CA hierarchy. It can issue certificates but must obtain its own CA certificate from the enterprise root CA.

  • Stand-alone root CA The certificate server at the root of a non-enterprise hierarchy. It’s the most trusted CA in its hierarchy and doesn’t need access to Active Directory.

  • Stand-alone subordinate CA A certificate server that will be a member of an existing non-enterprise hierarchy. It can issue certificates but must obtain its own CA certificate from the stand-alone root CA in its hierarchy.

Certificate servers don’t have to be dedicated to Certificate Services and can be the same servers you use for Web publishing. However, it’s a good idea to designate specific servers in your domain that will act as certificate servers and to use these servers only for that purpose.

Security Alert

To safeguard the root CA from malicious users, you should create multiple levels in the CA hierarchy. For example, in an enterprise, you’d set up an enterprise root CA and then set up one or more enterprise subordinate CAs. You’d then issue certificates to users and computers only through the subordinate CAs. This safeguard should help ensure that the root CA’s private key can’t be easily compromised.

Once you install Certificate Services on a computer, you’re limited in what you can and can’t do with the computer. Specifically, you can’t do the following:

  • You can’t rename a computer running Certificate Services.

  • You can’t change the domain membership of a computer running Certificate Services.

You manage Certificate Services using a Microsoft Management Console (MMC) snap-in called the Certification Authority snap-in and a Web-based Active Server Pages (ASP) application that can be accessed in a standard Web browser. In the snap-in, you have full control over Certificate Services. The Web-based application, on the other hand, is primarily used to retrieve Certificate Revocation Lists (CRLs), to request certificates, and to check on pending certificates. You can access the Web-based application from the following URL: http://hostname/certsrv.

Figure 8-1 shows the Certification Authority snap-in’s main window. As you can see, five containers are under the root authority. These containers are used as follows:

  • Revoked Certificates Contains all certificates that have been issued and then revoked.

    Figure 8-1: Use the Certification Authority snap-in to manage Certificate Services.

  • Issued Certificates Contains all certificates that have been approved and issued by the Certificate Services administrator.

  • Pending Requests Contains all pending certificate requests for this CA. If you’re an administrator on the certificate server, you can approve requests by right-clicking them and selecting Issue. The default configuration is to process requests automatically, which means that no administrator involvement is required.

  • Failed Requests Contains any declined certificate requests for this CA. If you’re an administrator on the certificate server, you can deny requests by right-clicking them and selecting Deny.

    Note

    The label for the root node of the snap-in is set to the name of the CA. In the example, the CA name is Corporate Root CA.

  • Certificate Templates Contains a set of certificate templates that are configured for different intended purposes. These templates provide basic rules for the various types of certificates. Additional certificate templates can be installed by right-clicking Certificate Templates, selecting New, and then clicking Certificate Template To Issue. (Certificate Templates are available only with enterprise root and subordinate CAs.)

Installing Certificate Services

If the server isn’t running IIS and you want to be able to retrieve CRLs, request certificates, or check on pending certificates through a browser, you must install IIS before installing Certificate Services. To install Certificate Services, complete the following steps:

  1. Log on to the certificate server using an account with Administrator privileges or, if you’re creating an enterprise CA, Enterprise Administrator privileges.

  2. Click Start, choose Control Panel, and then Add Or Remove Programs. This displays the Add Or Remove Programs dialog box.

  3. Start the Windows Components Wizard by clicking Add/Remove Windows Components.

  4. Select the Certificate Services check box. When prompted to confirm the action, click Yes and then click Next.

  5. As shown in Figure 8-2 on the following page, select the CA type. The options are as follows:

    • Enterprise Root CA Establishes the root CA in an Active Directory domain. This option is available only if your server participates in a domain.

    • Enterprise Subordinate CA Establishes a subordinate CA that will be a member of an existing hierarchy. This option also requires connectivity to Active Directory.

    • Stand-Alone Root CA Establishes a stand-alone root CA that doesn’t require connectivity to Active Directory.

    • Stand-Alone Subordinate CA Establishes a subordinate CA that will be a member of an existing hierarchy. The server doesn’t require connectivity to Active Directory.

      Figure 8-2: Choose the type of CA that you want to install.

      Note

      Select the Use Custom Settings… check box if you want to choose the cryptographic service provider (CSP) and hashing algorithms used to generate keys. In most cases, however, the default values are acceptable.

  6. As shown in Figure 8-3, enter the common name for the CA, such as Corporate Root CA, and set the CA certificate’s expiration date. Most CA certificates are valid for at least five years. Click Next.

  7. Specify the storage location for the configuration database and log. By default, the certificate database and log are stored in the %SystemRoot%\System32\CertLog folder. Click Next.

    Figure 8-3: Identify the CA and set an expiration date for the root CA certificate.

    Tip

    If hundreds or thousands of users use your CA, you might want the database and log files to be stored on separate drives. By placing these files on separate drives, you can improve the CA’s performance and responsiveness. In all cases the database and log files should be on NTFS volumes. This ensures that the security permissions can be set to restrict access to these files by user account.

  8. If IIS is running on the certificate server, Windows will need to shut down the related services before continuing. Click Yes when prompted to do this. The Windows Components Wizard begins installing and configuring Certificate Services.

  9. Click Finish to complete the process. If you installed Certificate Services on a computer running IIS, you can configure these services for Web access (see the following section of this chapter).

Accessing Certificate Services in a Browser

When you install Certificate Services on a computer running IIS, the default (or primary) Web site is updated so that you can perform key certificate tasks through a Web browser. These tasks include:

  • Retrieving CRLs

  • Requesting certificates

  • Checking on pending certificates

The structures that make Web-based requests possible are files configured for use in three virtual directories:

  • CertSrv Contains files necessary for Web-based access to Certificate Services and is located in %SystemRoot%\System32\CertSrv by default. This directory is set up as a pooled application called CertSrv.

  • CertControl Contains files necessary for controlling Certificate Services and is located in %SystemRoot%\System32\CertSrv\CertControl by default.

  • CertEnroll Contains files necessary for controlling Certificate Services and is located in %SystemRoot%\System32\CertSrv\CertEnroll by default.

    Tip

    If these directories aren’t available for some reason, you can create virtual directories that map aliases to their physical locations. In a command prompt, type certutil -vroot. The command-line utility Certutil creates the necessary virtual directories for you and maps them to their default locations.

Once you’ve configured Web-based access to Certificate Services, you can access these services by typing http://hostname/certsrv/, where hostname is the Domain Name System (DNS) or NetBIOS name of the host server, such as ca.microsoft.com or CASrvr. Figure 8-4 shows the main page for Certificate Services.

Figure 8-4: Use the Web-based interface to retrieve CA certificates or revocation lists, to request certificates, or to check on pending certificates.

Starting and Stopping Certificate Services

Microsoft Certificate Services runs as a Windows service on the certificate server. You can stop and start this service on a local system by completing the following steps:

  1. Start the Certification Authority snap-in by clicking Certification Authority in Administrative Tools.

  2. Right-click the root node for the CA, and then select All Tasks.

  3. Select Stop Service to stop Certificate Services.

  4. Select Start Service to start Certificate Services.

You can stop and start services on a remote system by completing the following steps:

  1. Start the Certification Authority snap-in by clicking Certification Authority in Administrative Tools, then right-click the Certification Authority node.

  2. From the shortcut menu, select Retarget Certification Authority. This displays the Certification Authority dialog box.

  3. As shown in Figure 8-5, select Another Computer, type the name of the computer to which you want to connect, and then click Finish. You can also type the server’s Internet Protocol (IP) address or fully qualified domain name (FQDN), or click Browse to search for the computer.

    Figure 8-5: You can connect to both local and remote CAs.

  4. In the Certification Authority snap-in, right-click the root node for the CA and then select All Tasks.

  5. Select Stop Service to stop Certificate Services.

  6. Select Start Service to start Certificate Services.

Backing Up and Restoring the CA

If your organization publishes its own CA, you should back up the CA information routinely. Backing up the CA information ensures that you can recover critical CA data, including:

  • CA private key and certificate

  • CA configuration information

  • CA log and pending request queue

You can perform two types of backups:

  • Standard Creates a full copy of the certificate database, logs, and pending request queues.

  • Incremental Creates a partial copy of the certificate database, logs, and pending request queues. This copy contains only the changes since the last standard backup.

In a very large CA implementation, you can perform incremental backups of the database, logs, and queues by selecting Perform Incremental Backups. To use incremental backups, you must do the following:

  1. First perform a standard backup.

  2. Perform successive incremental backups at later dates.

When you use incremental backups, you must also restore incrementally. To do this, complete the following steps:

  1. Stop Certificate Services.

  2. Restore the last standard backup.

  3. Restore each incremental backup in order.

  4. Start Certificate Services.

Creating CA Backups

To back up the CA information on your certificate server, complete the following steps:

  1. Create a folder that Certificate Services can use to store the backup information. This directory must be empty, and you should create it on the local machine where Certificate Services is installed.

  2. Start the Certification Authority snap-in, right-click the root node for the CA, choose All Tasks, and then select Back Up CA. This starts the Certification Authority Backup Wizard.

    Note

    Certificate Services must be running when you back up the CA. If the service isn’t running, you’ll see a prompt asking you if you want to start the service. Click OK.

  3. Click Next and then select the items you want to back up, as shown in Figure 8-6. The options are:

    • Private Key And CA Certificate

    • Certificate Database And Certificate Database Log

      Figure 8-6: Specify the certification items that you want to back up.

  4. If this is an incremental backup, select Perform Incremental Backup. Incremental backups can be performed only when backing up the certificate database and log.

  5. Type the file path to the backup folder in the Back Up To This Location field or click Browse to search for this folder. If you specify a folder that doesn’t exist, you’ll be given the option of creating it.

  6. Click OK or Next. Type and then confirm a password that will be used to protect the private key and CA certificate files.

  7. Click Next and then click Finish. The wizard creates a backup of the selected data.

Recovering CA Information

If you ever need to recover the CA information, you can do this by completing the following steps:

  1. Certificate Services can’t be running when you restore the CA. In the Certification Authority snap-in, right-click the root node for the CA, choose All Tasks, and then select Stop Service.

  2. Right-click the root node a second time, choose All Tasks, and then select Restore CA. This starts the Certification Authority Restore Wizard.

  3. Click Next and then select the items you want to restore, as shown in Figure 8-7. The options are:

    • Private Key And CA Certificate

    • Certificate Database And Certificate Database Log

      Figure 8-7: Specify the certification items that you want to restore from a backup.

  4. Type the file path to the backup folder in the Restore From This Location field or click Browse to search for this folder. You should always restore the last complete backup before restoring any incremental backups.

  5. Click Next. Type the password used to protect the CA files and then click Next again.

  6. Click Finish. The wizard restores the selected data and starts the Certificate Services service.
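The backup and restore procedures above, scripted with certutil as an added example (this is not code from the book): a standard backup, an incremental backup, and the stop / restore-standard / restore-incrementals-in-order / start sequence. It assumes PowerShell running elevated on the CA server itself; the D:\CABackup root and the Full-* / Incr-* folder names are conventions chosen for the example.

```powershell
param(
    [string]$BackupRoot = 'D:\CABackup',   # assumed: a folder on an NTFS volume (see the Tip above)
    [ValidateSet('Full', 'Incremental', 'Restore')]
    [string]$Mode = 'Full'
)

function Invoke-Certutil {
    # Run certutil and stop at the first failure: a restore applied out of order is worse than none.
    param([string[]]$Arguments)
    & certutil.exe @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed (exit code $LASTEXITCODE)" }
}

function New-EmptyBackupFolder {
    # The Backup Wizard requires an empty target folder, so each run gets a fresh timestamped one.
    param([string]$Prefix)
    $path = Join-Path $BackupRoot ('{0}-{1:yyyyMMdd-HHmmss}' -f $Prefix, (Get-Date))
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    return $path
}

switch ($Mode) {
    'Full' {
        # Standard backup: password-protected private key and CA certificate, plus database and log.
        $pw  = Read-Host 'Password to protect the CA private key and certificate'
        $dir = New-EmptyBackupFolder 'Full'
        Invoke-Certutil @('-p', $pw, '-backup', $dir)
        Write-Host "Standard backup written to $dir"
    }
    'Incremental' {
        # Only the database and log can be backed up incrementally, and a standard backup must exist first.
        if (-not (Get-ChildItem $BackupRoot -Directory -Filter 'Full-*')) {
            throw 'Perform a standard backup before the first incremental backup.'
        }
        $dir = New-EmptyBackupFolder 'Incr'
        Invoke-Certutil @('-backupDB', $dir, 'Incremental')
        Write-Host "Incremental backup written to $dir"
    }
    'Restore' {
        # Order from the text: stop the service, restore the last standard backup, then every
        # incremental backup taken after it in chronological order, then start the service.
        $full = Get-ChildItem $BackupRoot -Directory -Filter 'Full-*' | Sort-Object Name | Select-Object -Last 1
        if (-not $full) { throw "No standard backup found under $BackupRoot" }
        $stamp = $full.Name.Substring(5)      # the yyyyMMdd-HHmmss part, comparable as text
        $incs  = Get-ChildItem $BackupRoot -Directory -Filter 'Incr-*' |
                 Where-Object { $_.Name.Substring(5) -gt $stamp } | Sort-Object Name
        $pw = Read-Host 'Password that protects the backed-up CA private key'
        Stop-Service certsvc
        Invoke-Certutil @('-f', '-p', $pw, '-restore', $full.FullName)
        foreach ($inc in $incs) { Invoke-Certutil @('-f', '-restoreDB', $inc.FullName) }
        Start-Service certsvc
        Write-Host "Restored $($full.Name) and $($incs.Count) incremental backup(s)"
    }
}
```

Run it as `.\Backup-CA.ps1 -Mode Full`, `-Mode Incremental`, or `-Mode Restore`; the -f switch lets certutil overwrite the existing key and database during the restore.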

Configuring Certificate Request Processing

Unlike previous versions of Certificate Services, the version shipping with IIS 6 is configured for autoenrollment by default. This means authorized users can request a certificate, and the CA automatically processes the certificate request so that the user can immediately install the certificate.

If you want to view or change the default request processing policy, follow these steps:

  1. Start the Certification Authority snap-in by clicking Certification Authority in Administrative Tools.

  2. Right-click the CA node and then select Properties. This displays the Properties dialog box.

  3. Select the Policy Module tab and then click Properties.

  4. If you want to process requests manually, select Set The Certificate Request Status To Pending. The Administrator Must Explicitly Issue The Certificate.

  5. If you want the CA to automatically process requests, select Follow The Settings In The Certificate Template, If Applicable. Otherwise, Automatically Issue The Certificate.

  6. Click OK twice.

Approving and Declining Pending Certificate Requests

If you’ve configured the CA so that certificates must be manually processed, you’ll find that pending certificate requests are displayed in the Certification Authority snap-in’s Pending Requests container.

You can approve pending requests by completing the following steps:

  1. Start the Certification Authority snap-in by clicking Certification Authority in Administrative Tools.

  2. Select the Pending Requests container. You will see a list of pending requests, if any.

  3. Right-click the request that you want to approve, choose All Tasks, and then select Issue.

  4. Certificate Services generates a certificate based on the request and places this certificate in the Issued Certificates container.

  5. Certificates are valid for one year. After this period they must be renewed.

You can decline pending certificate requests by doing the following:

  1. Start the Certification Authority snap-in by clicking Certification Authority in Administrative Tools.

  2. Select the Pending Requests container. You should see a list of pending requests.

  3. Right-click the request that you want to decline, choose All Tasks, and then select Deny.

  4. When prompted to confirm the action, select Yes.

    Caution

    Denied requests are moved to the Failed Requests container and can’t be restored. The user must resubmit a new request.
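The approve and decline procedures above, as an added example (not code from the book) that reads the Pending Requests queue with certutil and issues or denies a request by ID. It assumes PowerShell on the CA server under a CA administrator account, that 9 is the CA database's Disposition value for a pending request, and the "Row n:" / "Localized Name: value" layout that certutil -view prints.

```powershell
function Get-PendingCertRequest {
    # certutil -view prints one "Row n:" block per request with "Localized Name: value" lines.
    $lines = certutil -view -restrict 'Disposition=9' -out 'RequestID,RequesterName,Request.SubmittedWhen'
    if ($LASTEXITCODE -ne 0) { throw 'certutil -view failed; run this on the CA server' }
    $rows = @(); $current = $null
    foreach ($line in $lines) {
        if ($line -match '^Row \d+:') {
            if ($null -ne $current) { $rows += $current }
            $current = @{}
        } elseif ($null -ne $current -and $line -match '^\s+(.+?):\s+(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim('"')
        }
    }
    if ($null -ne $current) { $rows += $current }
    foreach ($r in $rows) {
        # "Request ID: 0x5 (5)" -> 5
        $id = if ($r['Request ID'] -match '\((\d+)\)') { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            RequestId = $id
            Requester = $r['Requester Name']
            Submitted = $r['Request Submission Date']
        }
    }
}

function Approve-CertRequest {
    # Same effect as All Tasks > Issue: the CA signs the request and files it under Issued Certificates.
    param([Parameter(Mandatory)][int]$RequestId)
    certutil -resubmit $RequestId
    if ($LASTEXITCODE -ne 0) { throw "Could not issue request $RequestId" }
}

function Deny-CertRequest {
    # Same effect as All Tasks > Deny. Denial cannot be undone (see the Caution), so confirm first.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][int]$RequestId)
    if ($PSCmdlet.ShouldProcess("request $RequestId", 'Deny (moves it to Failed Requests; cannot be undone)')) {
        certutil -deny $RequestId
        if ($LASTEXITCODE -ne 0) { throw "Could not deny request $RequestId" }
    }
}

# Review the queue first, then act on individual requests by ID (IDs below are placeholders):
Get-PendingCertRequest | Format-Table -AutoSize
# Approve-CertRequest -RequestId 5
# Deny-CertRequest -RequestId 6
```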

Generating Certificates Manually in the Certification Authority Snap-In

Once you’ve issued a certificate, you can manually create the certificate file that you need to install. To do this, complete the following steps:

  1. Start the Certification Authority snap-in by clicking Certification Authority in Administrative Tools.

  2. Select the Issued Certificates container. You should see a list of certificates issued by this root CA, if any.

  3. Right-click the certificate that you want to generate and select Open. This displays the Certificate dialog box.

  4. Select the Details tab and then select Copy To File. This starts the Certificate Export Wizard. Click Next.

  5. Select the Base-64 Encoded X.509 (.CER) export file format and then click Next.

  6. Specify the name of the file you want to export. Be sure to use .cer as the file extension. Click Browse if you want to use the Save As dialog box to set the file location and name.

  7. Click Next and then click Finish. Click OK after the Certificate Export Wizard confirms that the certificate was successfully exported. You can now install the certificate file as described in the section of this chapter entitled “Processing Pending Requests and Installing Site Certificates.”

Revoking Certificates

Server certificates are valid for one year and can be revoked if necessary. Typically, you revoke a certificate when there’s a change in the site’s status or when the customer for whom you issued the certificate cancels the service subscription. To revoke a certificate, complete the following steps:

  1. Start the Certification Authority snap-in by clicking Certification Authority in Administrative Tools.

  2. Select the Issued Certificates container. You should see a list of issued certificates.

  3. Right-click the certificate that you want to revoke, choose All Tasks, and then select Revoke Certificate. The Certificate Revocation dialog box is displayed.

  4. As shown in Figure 8-8, use the Reason Code drop-down list to specify a reason for the revocation and then click Yes.


    Figure 8-8: In the Certificate Revocation dialog box, specify the reason you’re revoking the certificate.

  5. The CA marks the certificate as revoked and moves it to the Revoked Certificates container.

By default, CAs publish CRLs weekly and CRL changes daily. You can change this setting through the Revoked Certificates Properties dialog box by performing the following steps:

  1. Start the Certification Authority snap-in by clicking Certification Authority in Administrative Tools.

  2. Right-click the Revoked Certificates container, then select Properties and use the CRL Publication Interval fields to set a new interval for publishing the CRL and CRL changes, as shown in Figure 8-9.

    Figure 8-9: Set the schedule for publishing the CRL. By default, the publication interval is a week.

  3. Click OK.
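The revocation and CRL-schedule procedures above, as an added example (not code from the book): revoke an issued certificate by serial number with a reason code, publish the CRL immediately rather than waiting for the scheduled run, and set the weekly CRL / daily CRL-change interval that Figure 8-9 exposes. It assumes PowerShell running elevated on the CA server; the serial number in the usage line is a constructed placeholder.

```powershell
function Revoke-IssuedCertificate {
    # Reason codes as certutil -revoke expects them (the X.509 CRLReason values).
    param(
        [Parameter(Mandatory)][string]$SerialNumber,
        [ValidateSet('Unspecified', 'KeyCompromise', 'CACompromise', 'AffiliationChanged',
                     'Superseded', 'CessationOfOperation', 'CertificateHold')]
        [string]$Reason = 'Unspecified'
    )
    $codes = @{ Unspecified = 0; KeyCompromise = 1; CACompromise = 2; AffiliationChanged = 3;
                Superseded = 4; CessationOfOperation = 5; CertificateHold = 6 }
    certutil -revoke $SerialNumber $codes[$Reason]
    if ($LASTEXITCODE -ne 0) { throw "Revocation of $SerialNumber failed" }
    # Relying parties only learn of the revocation from a CRL that contains it, so publish now
    # instead of waiting up to a week for the scheduled publication.
    certutil -crl
    if ($LASTEXITCODE -ne 0) { throw 'CRL publication failed' }
}

function Set-CrlPublicationInterval {
    # The same settings as the CRL Publication Interval fields in Figure 8-9; the book's
    # defaults (weekly CRL, daily CRL changes) are the parameter defaults here.
    param(
        [int]$Units = 1,
        [ValidateSet('Hours', 'Days', 'Weeks', 'Months', 'Years')][string]$Period = 'Weeks',
        [int]$DeltaUnits = 1,
        [ValidateSet('Hours', 'Days', 'Weeks', 'Months', 'Years')][string]$DeltaPeriod = 'Days'
    )
    certutil -setreg 'CA\CRLPeriodUnits' $Units
    certutil -setreg 'CA\CRLPeriod' $Period
    certutil -setreg 'CA\CRLDeltaPeriodUnits' $DeltaUnits
    certutil -setreg 'CA\CRLDeltaPeriod' $DeltaPeriod
    # The CA reads these registry values when the service starts.
    Restart-Service certsvc
}

# Usage (the serial number is a placeholder, not a real certificate):
# Revoke-IssuedCertificate -SerialNumber '61e0c2f1000000000005' -Reason KeyCompromise
# Set-CrlPublicationInterval -Units 1 -Period Weeks -DeltaUnits 1 -DeltaPeriod Days
```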

Reviewing and Renewing the Root CA Certificate

The root CA certificate is valid for the period that was specified when the certificate was created. To view the expiration date or to review the certificate properties, complete the following steps:

  1. Start the Certification Authority snap-in by clicking Certification Authority in Administrative Tools.

  2. Right-click the root node for the CA and then select Properties. This displays the Root CA Properties dialog box.

  3. Click View Certificate in the General tab.

  4. As shown in Figure 8-10, use the Certificate dialog box to review the root CA certificate’s properties, including the valid from and to dates.

    Figure 8-10: The Certificate dialog box shows the root CA certificate’s properties.

The root CA certificate is usually valid for five years. If you’re approaching the end of the five-year period, you should renew the certificate. You should also renew the root CA certificate if one of the following situations exists:

  • The signing key is compromised.

  • A program requires a new signing key to be used with a new certificate.

  • The current CRL is too big and you want to move some of the information to a new CRL.

To renew the root CA certificate, complete the following steps:

  1. Log on locally to the CA server.

  2. Right-click the root node for the CA, choose All Tasks, and then select Renew CA Certificate.

  3. If prompted to stop Certificate Services, click Yes. Certificate Services can’t be running when you renew the CA. The Renew CA Certificate dialog box shown in Figure 8-11 is displayed.

    Figure 8-11: When you renew the root CA certificate, you can generate new public and private keys. Do this if the key has been compromised or a new key is required.

  4. In the Renew CA Certificate dialog box, select Yes if you want to generate a new public and private key pair. Otherwise, select No.

  5. Click OK. Certificate Services is restarted automatically and a new certificate is issued.
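The review-and-renew procedure above, as an added example (not code from the book): read the root CA certificate's valid-from and valid-to dates with certutil, and renew it when it is close to expiry or, with a new key pair, after a suspected signing-key compromise. It assumes PowerShell running elevated on the CA server; the 180-day threshold is a choice made for this example, not a Certificate Services default.

```powershell
function Get-RootCACertificateInfo {
    # certutil -ca.cert writes the CA's current certificate; read the dates shown in Figure 8-10.
    $tmp = Join-Path $env:TEMP 'current-ca-cert.cer'
    certutil -ca.cert $tmp | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -ca.cert failed; run this on the CA server' }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tmp)
    Remove-Item $tmp
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        ValidFrom  = $cert.NotBefore
        ValidTo    = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

function Invoke-RootCACertificateRenewal {
    # Renew when the certificate is within $RenewWithinDays of expiry, or on demand with a new
    # key pair (the "Yes" choice in Figure 8-11) when the signing key may be compromised.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([switch]$NewKeyPair, [int]$RenewWithinDays = 180)
    $info = Get-RootCACertificateInfo
    if (-not $NewKeyPair -and $info.DaysLeft -gt $RenewWithinDays) {
        Write-Host "$($info.Subject) is valid for $($info.DaysLeft) more days; nothing to do."
        return $info
    }
    # certutil -renewCert generates new keys unless ReuseKeys is given.
    $certutilArgs = @('-renewCert')
    if (-not $NewKeyPair) { $certutilArgs += 'ReuseKeys' }
    if ($PSCmdlet.ShouldProcess($info.Subject, "renew CA certificate (certutil $($certutilArgs -join ' '))")) {
        certutil @certutilArgs
        if ($LASTEXITCODE -ne 0) { throw 'CA certificate renewal failed' }
        return Get-RootCACertificateInfo   # the new certificate, for the change record
    }
}

Get-RootCACertificateInfo | Format-List
# Invoke-RootCACertificateRenewal                 # renew near expiry, keeping the key pair
# Invoke-RootCACertificateRenewal -NewKeyPair     # renew now with fresh keys
```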




Microsoft IIS 6.0 Administrator's Consultant
Year: 2003
Pages: 116
