Exam 70-124: Objective 5.3: Advanced Certificate Management Issues

After going through all of the previous material, there might still be some advanced issues that you find yourself dealing with at one time or another when working with Certificate Services. These issues are described in the following paragraphs.

Exam 70-124: Objective 5.3.1: Publishing Certificates in Active Directory

By default, all certificates issued by an Enterprise CA are published to Active Directory. If for some reason you need to change where certificates are published, you can do so by modifying the certificate-publishing behavior of the CA, as outlined in Exercise 4.13.

Exercise 4.13: Selecting the Publication Location for New Certificates

  1. Click Start | Programs | Administrative Tools.

  2. Open Certification Authority.

  3. Right-click on your CA and select Properties from the context menu.

  4. Switch to the Exit Module tab, select the Exit Module you want to configure, and click Configure. This opens the Properties page shown in Figure 4.44.

    Figure 4.44: Selecting the Publication Location for New Certificates

  5. Click OK twice after making your selections.

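Exercise 4.13 changes the exit module through the GUI; a practitioner usually also wants to confirm what the CA is actually configured to do and that issued certificates really landed in the directory. The following PowerShell script is an added example, not code from the study guide: it reads the default exit module's PublishCertFlags value from the CertSvc registry configuration on the CA and decodes it, then lists the certificates stored in a user's userCertificate attribute. The flag values are taken from certexit.h as I recall them (EXITPUB_FILE = 0x1, EXITPUB_ACTIVEDIRECTORY = 0x2, EXITPUB_REMOVEOLDCERTS = 0x10); confirm them against the SDK header for your Windows version. The account name jdoe is a constructed placeholder.

```powershell
# Added example (not from the study guide): audit where the CA's default exit
# module publishes issued certificates, then verify that a given user's
# certificates appear in Active Directory.
# Assumes: run on the Enterprise CA by a CA administrator, in a domain where
# Active Directory publication is in use.

# Exit-module publication flags (values as recalled from certexit.h; verify).
$ExitPubFile            = 0x1   # EXITPUB_FILE: write issued certs to a file
$ExitPubActiveDirectory = 0x2   # EXITPUB_ACTIVEDIRECTORY: publish to AD
$ExitPubRemoveOldCerts  = 0x10  # EXITPUB_REMOVEOLDCERTS: remove superseded certs

function Get-CAPublishFlags {
    # Reads PublishCertFlags for the active CA from the CertSvc registry key
    # and reports each publication option as a boolean.
    $config = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $config -Name Active).Active
    $exit   = Join-Path $config "$caName\ExitModules\CertificateAuthority_MicrosoftDefault.Exit"
    $flags  = (Get-ItemProperty -Path $exit -Name PublishCertFlags).PublishCertFlags
    [pscustomobject]@{
        CA               = $caName
        PublishCertFlags = ('0x{0:X}' -f $flags)
        PublishesToFile  = [bool]($flags -band $ExitPubFile)
        PublishesToAD    = [bool]($flags -band $ExitPubActiveDirectory)
        RemovesOldCerts  = [bool]($flags -band $ExitPubRemoveOldCerts)
    }
}

function Get-PublishedUserCertificates {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Locates the user with an ADSI search (no RSAT module required) and
    # decodes every certificate held in its userCertificate attribute.
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.Add('userCertificate') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found in Active Directory." }
    foreach ($raw in $result.Properties['usercertificate']) {
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList (,[byte[]]$raw)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Usage: show the CA's publication settings, then the certificates AD holds
# for the (constructed) account jdoe.
Get-CAPublishFlags | Format-List
Get-PublishedUserCertificates -SamAccountName 'jdoe' | Format-Table -AutoSize
```

If PublishesToAD is true but a freshly issued certificate is missing from the user's userCertificate attribute, the usual causes are that the CA's computer account lacks write permission on that attribute, or that the certificate template's subject name does not map to a directory object; the exit module only publishes when it can resolve the requester in the directory.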

Exam 70-124: Objective 5.3.3: Recovering Key Management Server Issued Keys

The Exchange Key Management Server (KMS) makes native use of the Windows 2000 Server Certificate Services, and thus needs no additional CA to perform its duties. The Windows 2000 CAs take care of all certificate issuance and revocation for users enrolled in Advanced Security through KMS, as well as maintaining the CRL and CTL. KMS is flexible and can use any Enterprise CA in an organization in the event that the first CA contacted is busy or unavailable. If your Enterprise CA is set up as a subordinate to a trusted third-party CA, such as one provided by VeriSign or Thawte, e-mail users can send messages both inside and outside of the organization using their digital certificates for signing and encryption of the e-mail messages.

KMS actually creates two sets of key pairs when a user is enrolled for Advanced Security:

  • The first pair is created by the KMS, and utilized for message encryption.

  • The second pair is created by Outlook, and used for digitally signing messages.

The public key created by the KMS is kept in Active Directory and used for decrypting and authenticating incoming messages. The private key created by KMS is kept in an encrypted database maintained by the KMS itself and is only available to its authorized user (the user holding the certificate used to create the key pair). As such, a user may need to recover this private key from time to time. This happens most often when a computer fails or is replaced, thus wiping out the settings that the user had previously configured in Outlook for secure e-mail messaging.

Fortunately, the KMS provides an extremely easy mechanism for recovering lost KMS keys. Exercise 4.14 presents the process for recovering a KMS key and assumes that you have KMS configured and in operation on your network. If not, and you would like to read more about using KMS in Exchange 2000, see the article "Key Management Service in Exchange 2000 Server" located at http://msexchange.org/tutorials/Key_Management_Service_In_Exchange_2000_Server.html.

Exercise 4.14: Recovering a Lost KMS Key

  1. Click Start | Programs | Microsoft Exchange | System Manager. This opens the Exchange System Manager (ESM).

  2. Expand the organizational node and select the Advanced Security node within it. In the right pane of the window, right-click Key Manager and select All Tasks | Recover Keys from the context menu, as shown in Figure 4.45.

    Figure 4.45: The Exchange System Manager

  3. Enter your KMS administrative password (not the same as your KMS startup password or your regular Windows network password) as shown in Figure 4.46 and click OK.

    Figure 4.46: Entering the KMS Administrative Password

  4. Select the method of locating users as shown in Figure 4.47. Click OK to continue.


    Figure 4.47: Selecting the User Selection Method

  5. Select the users you need to recover KMS keys for, and click Recover when you have added them all to the right side of the window, as shown in Figure 4.48.

    Figure 4.48: Selecting Users for Recovery

  6. Click OK to acknowledge the completion of key recovery.

  7. Click Close to complete the recovery process.

  8. Figure 4.49 shows the results of the recovery process—the user is now able to configure e-mail security from within Outlook.

    Figure 4.49: Configuring for E-mail Security


Exam 70-124: Objective 5.3.2: Windows XP Auto-enrollment

One of the new features in Certificate Services in Windows XP and Windows .NET Server 2003 is the concept of auto-enrollment of new certificates and approved renewals. Auto-enrollment is based on a combination of Group Policy settings and Version 2 Certificate template properties, which require Windows XP and Windows .NET Server. This combination provides for Windows XP Professional clients to automatically enroll users with new and newly renewed certificates at every Group Policy refresh (computer startup, user login event, or during a configured Group Policy refresh event).

By providing a means to automatically issue approved certificates and enable PKI-based applications such as EFS, Secure Sockets Layer (SSL), and smart cards, auto-enrollment can greatly reduce the workload incurred in managing a large PKI environment. Certificates are still requested through standard means (via the Microsoft Management Console [MMC] or by using Web Enrollment), but are now automatically installed when the certificate request has been approved and issued. Thus, the user or administrator is no longer required to perform this time-consuming step.

Auto-enrollment is managed via Group Policy and the new Certificate Templates snap-in. For more background information on auto-enrollment, see "Certificate Autoenrollment in Windows XP," located at www.microsoft.com/technet/prodtechnol/winxppro/maintain/certenrl.asp. Exercise 4.15 walks you through the basic configuration of auto-enrollment. This can be done on a local Windows XP machine via Local Group Policy or on a Windows .NET Server 2003 using Active Directory Users and Computers to edit Group Policy.

Exercise 4.15: Configuring Auto-enrollment

  1. If you are working locally on a Windows XP Professional computer, skip to step 5.

  2. On your Windows .NET Server 2003, open the Active Directory Users and Computers console.

  3. Right-click the site, domain, or Organizational Unit (OU) that you want to configure Group Policy for and click Properties.

  4. Click the Group Policy tab. Select a Group Policy Object to edit and click the Edit button. Skip to step 9 to continue this procedure.

  5. On a local Windows XP computer, click Start | Run. Enter MMC into the Run box and click OK.

  6. From the blank MMC console, click the File menu and then click Add/Remove Snap-in.

  7. In the Add/Remove Snap-in dialog box, click Add.

  8. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add. Select Local Computer and click Finish.

  9. To configure user settings for auto-enrollment, expand the following nodes: User Configuration | Windows Settings | Security Settings | Public Key Policies (see Figure 4.50).

    Figure 4.50: Locating the Auto-enrollment Setting

  10. Right-click the Autoenrollment Settings object and select Properties from the context menu (see Figure 4.51).

    Figure 4.51: Configuring the Auto-enrollment Settings Object

  11. If you want to automatically enroll certificates, ensure that the Enroll certificates automatically radio button is selected. If you want to further automate certificate processing and provide for automatic renewal, removal, and cleanup of certificates in Active Directory, you should also consider selecting the two checkboxes. When you have configured user auto-enrollment to your satisfaction, click OK to close the Properties window.

  12. If you want to configure auto-enrollment of computer certificates, you can do it from the same location within the Computer Configuration node, as shown in Figure 4.52.

    Figure 4.52: Configuring Computer Auto-enrollment

  13. Close any open Group Policy windows.

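The radio button and two checkboxes in Exercise 4.15 are written by Group Policy into a single AEPolicy registry value, one under the computer policy hive and one under the user policy hive. The following PowerShell script is an added example, not code from the study guide: it reads the AEPolicy value that has actually been applied to the local Windows client for both scopes and decodes the options, so you can confirm that the GPO reached the machine before waiting for the next refresh. The bit meanings (0x1 enable, 0x2 renew/update pending/remove revoked, 0x4 update template-based certificates, 0x8000 explicitly disabled) are as documented for certificate autoenrollment policy; verify them for your OS version. The certutil -pulse call is Microsoft's own switch for firing an enrollment pass on demand.

```powershell
# Added example (not from the study guide): audit the auto-enrollment policy
# applied to this client for the computer and user scopes, and optionally
# trigger an enrollment pass without waiting for a Group Policy refresh.
# Assumes the AEPolicy bit layout documented for certificate autoenrollment.

$AEEnable         = 0x1     # Enroll certificates automatically
$AERenewManage    = 0x2     # Renew expired, update pending, remove revoked
$AEUpdateTemplate = 0x4     # Update certificates that use certificate templates
$AEDisabled       = 0x8000  # "Do not enroll certificates automatically"

function Get-AutoEnrollmentPolicy {
    # Returns one object per scope describing the effective AEPolicy value.
    # A missing key means no auto-enrollment policy has been applied yet.
    $scopes = @(
        @{ Name = 'Computer'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' },
        @{ Name = 'User';     Key = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' }
    )
    foreach ($scope in $scopes) {
        $value = $null
        if (Test-Path $scope.Key) {
            $value = (Get-ItemProperty -Path $scope.Key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        }
        if ($null -eq $value) {
            [pscustomobject]@{
                Scope = $scope.Name; AEPolicy = '(not configured)'
                Enabled = $null; RenewAndCleanup = $null; UpdateTemplates = $null
            }
            continue
        }
        [pscustomobject]@{
            Scope           = $scope.Name
            AEPolicy        = ('0x{0:X}' -f $value)
            # The disabled bit overrides the enable bit.
            Enabled         = (($value -band $AEDisabled) -eq 0) -and (($value -band $AEEnable) -ne 0)
            RenewAndCleanup = [bool]($value -band $AERenewManage)
            UpdateTemplates = [bool]($value -band $AEUpdateTemplate)
        }
    }
}

function Invoke-AutoEnrollmentPass {
    # certutil -pulse fires the auto-enrollment task immediately; without
    # -user it acts on the machine store, with -user on the current user's.
    certutil -pulse
    certutil -user -pulse
}

# Usage: report the applied policy, then kick off an enrollment pass.
Get-AutoEnrollmentPolicy | Format-Table -AutoSize
Invoke-AutoEnrollmentPass
```

Run the audit after gpupdate on a client in the targeted OU; if both scopes report "(not configured)", the GPO has not been applied and the problem is in policy scoping or replication rather than in Certificate Services.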

MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162