Lesson 3: Maintaining Certificate Authorities
CAs don't require much in the way of specific maintenance. The most important administrative tasks in addition to regular backup are the revocation of certificates that should no longer be used and the maintenance of the CRL.
Revoke certificates
View and publish the CRL
Back up the CRL
Restore the CRL
Revoking Certificates
Certificate authorities are designed to issue certificates, but they can also take them back. Certificates are designed to be autonomous: once issued, they contain all the information necessary to validate themselves, so contacting the issuing server is not necessary.
But that doesn't cover the case in which a certificate must be rescinded. There are numerous reasons why a certificate might be obsolete before it expires:
The business activity using the certificate has been discontinued.
The association between the organization and the employee represented by the certificate has changed.
The administrator suspects that the keys have been compromised.
The certificate protocol does not allow for any intrinsic mechanism to rescind a certificate other than expiration. For this reason, the X.509 protocol includes a procedure for listing, by serial number, the certificates that the administrator wants to rescind. This list is called the certificate revocation list (CRL).
In Windows 2000, the CRL is stored in Active Directory for enterprise CAs and as a text file in a shared directory for stand-alone CAs. Because of the potential size of the CRL, it is not published to the Active Directory database or the CRL text file each time that a certificate is revoked. Rather, the CRL expires and is republished on a periodic basis that can be set by the administrator. The default period is one week, which is sufficient for most purposes.
It is up to the service receiving the certificate to check with the issuing CA, when the certificate is presented, to determine whether the certificate has been revoked.
When a particularly important revocation occurs or a large number of certificates have been revoked by administrative action, an administrator can choose to immediately publish the CRL before the normal expiration period.
Issuing Certificates
When a user requests a certificate through Active Directory in an enterprise CA, the certificate is issued by the CA by default. This is automatic because the user's identity is already certified; the user holds a user account in the Active Directory database.
For stand-alone certificates, an administrator must choose to issue each pending certificate request. The administrator must validate the identity of the user and verify that the user issued the request. For example, the administrator might telephone the requestor for verification.
Once the administrator has determined that the request is valid, the administrator can select the certificate in the Pending Requests folder within the CA management console and select Issue. The CA digitally signs the certificate and places it in the Issued Certificates folder so that the user can download it.
The Exchange 2000 Key Management Service (KMS) uses the Windows 2000 Certificate Authority service to automatically generate certificates for Exchange and Outlook users. KMS provides an easy method for recovering lost private keys for users: By right-clicking on the Key Manager and selecting All Tasks, and then clicking Recover Keys, you can select the users who require key recovery. Those users will receive an e-mail from the KMS detailing the steps they need to follow to re-install their private key. More information about KMS is provided with Exchange Server 2000 and the Microsoft Exchange Server 2000 Resource Kit.
Backing Up and Restoring CAs
As with all crucial enterprise data, certificates must be backed up to avoid losing them in the event of a hardware failure. If the CA database is lost, a new CA will have to be established. Existing issued certificates would not be revocable, and certificates previously on the CRL would no longer be listed as revoked.
Routine CA Database Backups
Although the CA management console contains a facility for backing up and restoring the certificate database, your primary mechanism for backing up the CA should be the Windows 2000 Backup tool or your enterprise backup management software. The Certificate Database will be picked up as a part of any normal server backup process and can be retained along with your traditional full system backup.
As long as you perform regular full system backups, there is no need to use the backup and restore mechanism provided by the CA management console for the purpose of restoring a CA. The backup and restore mechanism provided by the CA management console is primarily used to transfer a CA from one server to another.
Backing Up the Certificate Database Using the CA Management Console
The Certificate Authority management console provides a mechanism for backing up the CA's certificate as well as the database of issued, pending, and revoked certificates. You can use the CA Backup Wizard to manually back up the CA database, but there is no mechanism for performing automatic periodic backups.
Treat the CA backup facility as a secondary, manual backup mechanism for such purposes as transferring an existing CA from one server to another or retaining a permanent record of CA certificates.
The CA Backup Wizard is capable of creating full backups or incremental backups. Making incremental backups of the certificate authority, while supported, is not recommended. The problem with incremental backups is that the entire body of backup files from the last full backup through the most recent incremental backup is required to restore the database. The sum total size of all of these backups is no larger than the size of a current full backup. Figure 5-12 provides an example of the contents of a CA Backup folder after a CA backup operation.
Figure 5-12. A CA Backup folder
Incremental backups are used in traditional backups so that many older sets of data can be retained in case a file is lost. But keeping old copies of a CA has no value. Previous backups of a CA do not contain the most recent CRL, so if you had to restore one, you would not know which certificates had been revoked since that backup was made. CA databases are not particularly large. Even very large CAs can be backed up to a file that would be less than a few gigabytes in size. Given the problems that incremental backups can cause and the lack of any real benefit to performing them for a CA, you should always run full backups.
Consider backing up your CA to flash memory, and keeping a single CA backup on your flash memory device. USB flash memory devices are easy to mount in servers and come in sizes up to 1 GB, which is large enough to back up most CAs. Flash memory is the most reliable form of digital storage available.
Practice: Managing CAs
In this practice, you manage CAs by revoking a certificate, verifying the information in a CRL, updating a CRL, and then changing the CRL publication date. You'll finish by backing up and then restoring a CA.
Exercise 1: Revoking a Certificate
In this exercise, you revoke a certificate that is being discontinued.
To revoke a certificate
Click Start, point to Programs, Administrative Tools, and choose Certificate Authority. The Certificate Authority console opens.
In the console, expand Certification Authority, Fabrikam Enterprise Root Certifier, and select Issued Certificates.
In the right pane of the console, right-click the certificate with the Issued Common Name of Fabrikam Web SSL And S/MIME Extranet Certifier, select All Tasks, and then choose Revoke Certificate (Figure 5-13).
Figure 5-13. Revoking a certificate in the Certification Authority console
The Certificate Revocation dialog box appears, as shown in Figure 5-14. In the Reason Code box, select Cease Of Operation, and click Yes. The certificate will disappear from the Issued Certificates list.
Figure 5-14. Selecting a reason for revoking a certificate
Click the Revoked Certificates folder. Note that the certificate now appears in this folder.
Exercise 2: Managing the CRL
This exercise walks you through the procedures for viewing and updating the CRL, and for updating the publication interval.
To view the CRL
Click Start, point to Programs, Administrative Tools, and then click Certificate Authority. The Certificate Authority console opens.
Expand Certification Authority and Fabrikam Enterprise Root Certifier.
Right-click Revoked Certificates and choose Properties. The Revoked Certificates Properties dialog box appears.
Click View Current CRL.
When the Certificate Revocation List dialog box appears, click the Revocation List tab. Verify that the CRL is empty.
Why does the CRL appear to be empty when certificates have been revoked?
Click OK to close the Certificate Revocation List dialog box.
Click OK to close the Revoked Certificates Properties dialog box.
To immediately update the CRL
Right-click Revoked Certificates, point to All Tasks, and choose Publish.
A message box appears informing you that the current CRL is still valid. Click Yes to publish a new CRL.
Repeat the procedure for viewing the CRL to verify that the revoked certificates now appear in it.
To change the CRL publication interval
Click Start, point to Programs, Administrative Tools, and click Certificate Authority.
Expand Certification Authority and Fabrikam Enterprise Root Certifier.
Right-click Revoked Certificates, and select Properties. The Revoked Certificates Properties dialog box appears, as shown in Figure 5-15.
Figure 5-15. The CRL Publication Parameters
For the Publication Interval, type 2 in the box, and select Days from the drop-down list box.
Click OK. The CRL will now be published every two days.
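The following is an added example, not part of the original lesson and not Microsoft code. It models in plain Python the CRL behaviour described under "Revoking Certificates" and observed in Exercise 2: a revocation is recorded in the CA database immediately, but a relying party sees it only once a new CRL is published, whether at the end of the publication interval or by an explicit Publish. The class and function names, the serial number, and the timestamps are constructed for the illustration; the reason codes are the standard X.509 CRLReason values, with "Cease Of Operation" in the console corresponding to cessationOfOperation (5).

```python
"""Toy model of a CA's CRL life cycle (added example, not Microsoft code).

Models the Windows 2000 behaviour described in this lesson: revocations are
stored in the CA database at once, but the published CRL is a snapshot that
only changes when the CRL is republished (scheduled or manual Publish).
Names below are invented for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Standard X.509 CRLReason codes; the console's "Cease Of Operation" is cessationOfOperation.
REASON_CODES = {
    "unspecified": 0,
    "keyCompromise": 1,
    "cACompromise": 2,
    "affiliationChanged": 3,
    "superseded": 4,
    "cessationOfOperation": 5,
    "certificateHold": 6,
}


@dataclass(frozen=True)
class CRL:
    """A published CRL: revoked serials as of this_update, valid until next_update."""
    this_update: datetime
    next_update: datetime
    revoked: Dict[str, Tuple[datetime, int]]  # serial -> (revocation time, reason code)


@dataclass
class CertificateAuthority:
    """Keeps the live revocation database and the last published CRL separately."""
    crl_period: timedelta = timedelta(weeks=1)  # the lesson's default publication interval
    revoked_db: Dict[str, Tuple[datetime, int]] = field(default_factory=dict)
    published_crl: Optional[CRL] = None

    def revoke(self, serial: str, reason: str, when: datetime) -> None:
        """Record the revocation in the database (the Revoked Certificates folder)."""
        self.revoked_db[serial] = (when, REASON_CODES[reason])

    def publish_crl(self, now: datetime) -> CRL:
        """Snapshot the database into a new CRL (scheduled expiry or manual Publish)."""
        self.published_crl = CRL(now, now + self.crl_period, dict(self.revoked_db))
        return self.published_crl

    def maybe_republish(self, now: datetime) -> CRL:
        """Republish only when the current CRL has reached its next_update."""
        if self.published_crl is None or now >= self.published_crl.next_update:
            return self.publish_crl(now)
        return self.published_crl


def check_certificate(serial: str, crl: CRL, now: datetime) -> str:
    """Relying-party decision: 'good', 'revoked', or 'stale-crl' (fail closed)."""
    if now >= crl.next_update:
        return "stale-crl"  # an expired CRL cannot be trusted; fetch a fresh one first
    return "revoked" if serial in crl.revoked else "good"


def walkthrough() -> dict:
    """Replay the lesson's scenario and return the observation at each step."""
    ca = CertificateAuthority()
    t0 = datetime(2001, 1, 1, 9, 0)          # constructed timestamp
    ca.publish_crl(t0)                         # initial weekly CRL, nothing revoked yet
    serial = "61 2f 3a 90"                     # constructed serial number
    ca.revoke(serial, "cessationOfOperation", t0 + timedelta(hours=1))

    # Exercise 2, "To view the CRL": the CRL still looks empty after the revocation
    # because the current CRL has not expired and has not been republished.
    t_view = t0 + timedelta(hours=2)
    before = check_certificate(serial, ca.maybe_republish(t_view), t_view)

    # Exercise 2, "To immediately update the CRL": All Tasks > Publish
    ca.publish_crl(t0 + timedelta(hours=3))
    after = check_certificate(serial, ca.published_crl, t0 + timedelta(hours=4))

    # Exercise 2, "To change the CRL publication interval": two days instead of a week.
    # A relying party holding a CRL past its next_update must fail closed and refresh.
    ca.crl_period = timedelta(days=2)
    ca.publish_crl(t0 + timedelta(days=1))
    stale = check_certificate(serial, ca.published_crl, t0 + timedelta(days=4))

    return {
        "before_publish": before,       # 'good': revocation not yet visible
        "after_publish": after,         # 'revoked'
        "with_expired_crl": stale,      # 'stale-crl'
        "crl_entries": len(ca.published_crl.revoked),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The gap between "before_publish" and "after_publish" is the answer to the question in Exercise 2: the Revoked Certificates folder reflects the database, while the Revocation List tab shows the last published snapshot. The "stale-crl" branch is a design choice for the relying party that the lesson leaves implicit; accepting an expired CRL would silently extend that window.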
Exercise 3: Backing Up a CA
In this exercise, you back up a CA to avoid losing the ability to issue, revoke or renew certificates for the CA.
To back up a CA
Start the Certificate Authority management console.
Right-click Fabrikam Enterprise Root Certifier, point to All Tasks, and choose Backup CA. The Certification Authority Backup Wizard appears.
Click Next. The Items To Back Up page appears, as shown in Figure 5-16.
Figure 5-16. Backing up items using the Certification Authority Backup Wizard
In the Items To Back Up page, select Private Key And CA Certificate, and select Issued Certificate Log And Pending Certificate Request Queue.
Type C:\WINNT\Temp\CABackup in the Back Up To This Location box, and click Next.
A dialog box appears asking if you want to create the directory. Click OK.
Type the same random secure password in both the Password and Confirm Password boxes. Click Next.
Click Finish. A progress bar will appear indicating backup progress. When it disappears, the backup is complete.
In Windows Explorer, browse to C:\WINNT\Temp\CABackup. Notice that a file called Fabrikam Enterprise Root Certifier.p12 exists, along with a folder called Database, as shown in Figure 5-17. The .p12 file is an export of the CA's certificate. The files inside the Database folder are Active Directory backup files containing all the certificates for the CA.
Figure 5-17. A CA Backup certificate and database
Exercise 4: Restoring a CA
In this exercise, you use the Certification Authority Restore Wizard, which is very similar to the Certification Authority Backup Wizard. Using this wizard, you stop the Certificate Services and restore from the files you previously backed up.
To restore a CA
Start the Certificate Authority management console.
Right-click Fabrikam Enterprise Root Certifier, point to All Tasks, and click Restore CA.
A message box appears asking if you want to stop Certificate Services. Click OK.
When the Certification Authority Restore Wizard appears, click Next.
In the Items To Restore page, select Private Key And CA Certificate, and select Issued Certificate Log And Pending Certificate Request Queue.
Click Browse and browse to C:\WINNT\Temp\CABackup, select CABackup, and click OK. Click Next.
The Provide Password page appears. Type the password you entered in the previous exercise, and click Next.
Click Finish to restore the database.
You might see a message box asking for additional incremental files. Click No to indicate that there are no additional files.
You might see a message box asking if you would like to start Certificate Services. If so, click Yes. Otherwise, right-click Fabrikam Enterprise Root Certifier, select All Tasks, and click Start Service.
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
What are the two mechanisms through which a certificate can be rendered invalid?
What are the two methods by which the CRL is published in Windows 2000?
What is the best way to back up a CA?
Lesson Summary
CAs require very little administration. Outside of normal server backup, administrators can choose to independently back up the CA's certificate and the certificate database using the Certificate Authority management console.
Certificates can be revoked by the CA that issued them at any time. Reasons for revoking a certificate include no longer offering the service for which the certificate is required, suspected compromise of the certificate's private keys, or a change in relationship between the issuing organization and the certified entity.
Certificates that have been revoked are listed in the server's CRL, the list of certificate serial numbers that have been revoked. The CRL can be published by any network mechanism. In Windows 2000, the CRL is published in the Active Directory database or in a text file within a shared directory.
All certificate management functions are performed through the Certificate Authority management console.