Lesson 2: Deploying User Certificates

Certificates can be used to bind a user's identity to a public/private key pair for purposes such as logging on to Web sites, securing e-mail, and encrypting files. Windows 2000 supports these functions through the user certificates template, which generates certificates appropriate for each of these purposes for individual users within the domain.

The user certificates deployment methodology is designed for users to request and install their own certificates, primarily because user certificates are stored within the profile of the logged-on user.


After this lesson, you will be able to

  • Deploy user certificates using the Certificates management console

  • Deploy user certificates using the Microsoft Certificate Services Web site

Estimated lesson time: 30 minutes


Deploying Certificates to Users

User certificates allow you to combine numerous functions, such as securing e-mail, encrypting files, and authenticating with extranets, in a single certificate that can be thought of as a user's digital identity. This certificate can perform all functions in Windows 2000 that are specific to a user.

For the purpose of securing e-mail, user certificates are compatible only with Microsoft Outlook. Other e-mail packages require more identity information than a user certificate provides. Certificates can be created for these packages using the S/MIME certificate template on a stand-alone CA.

Allowing Users to Request and Install Certificates

User certificates are digitally signed by the CA when they are requested. The certificates are immediately returned to the requesting user unless you configure the CA to require administrative intervention by modifying its exit policy in the CA Administrative console. This means that users can request and immediately install their own certificates from the enterprise CA by using the Microsoft Certificate Services Web site (CertSrv), shown in Figure 6.8. This Web site is installed by default when a CA is created on a machine where Internet Information Services (IIS) is installed.

Figure 6-8. The Microsoft Certificate Services Web site

If you installed IIS after Certificate Services, the CertSrv virtual directories and files will not be present. Run certutil -vroot from the command prompt to install them.

Certificates are issued automatically only to users who have proven their identity by logging on using an Active Directory account. If you would still like to confirm each certificate before it is issued, you can change the CA's exit policy for the specific template by opening the template's Properties dialog box, selecting Exit Policy, and clearing the option to automatically issue certificates to authenticated users.

To ensure that certificates are issued correctly to a domain user, you must ensure that the domain user has authenticated with the CA through the IIS CertSrv Web site. Because the connection is made through IIS, the CertSrv virtual directory on the Certificate server must be configured to authenticate using domain authentication. Allow integrated Windows authentication only to prevent any other type of authentication from taking place. This will automatically log on users so that the correct credentials are requested. If other types of authentication are allowed, the user's correct credentials might not be passed, and certificate generation might fail or a useless certificate might be generated.

Users can also request certificates using the Certificates snap-in if they have access to the Microsoft Management Console (MMC). However, this method requires more administrative skill and is less familiar to end users than navigating a Web site, and access to the MMC is usually restricted by Group Policy.

An easy way to roll out certificates throughout an enterprise is to send a mass e-mail message to users with an embedded link to their proper CA. Include step-by-step instructions with screen shots showing how to request and install their certificates. You can use the Certification Authority management console to determine which users have successfully completed the steps and which require further assistance.

Automated Deployment of User Certificates

EFS encryption certificates are requested, created, and deployed by the system whenever they are needed to encrypt files in a domain. User or administrator intervention is not required for this specific type of certificate.

User certificates must be deployed to users from within their own user profiles, which means that for the most part, users must request their own certificates. While it is technically possible for administrators to log on as each user and perform the request in an environment that uses roaming profiles, the network and administrative overhead to do this would be prohibitive.

Microsoft does not support any automated means for administrators to bulk deploy user certificates or even to create user certificates on behalf of users.

It is possible to use the Certreq.exe command-prompt utility to create a logon script that can automate the request and retrieval of certificates. Performing this sort of certificate rollout involves considerable capacity planning and programming expertise and is therefore beyond the scope of this book.
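As an added example that is not part of the training kit, the following logon script enrolls the logged-on user for a User certificate with Certreq.exe, the approach the text mentions but does not show. It assumes the certreq -new/-submit/-retrieve/-accept syntax of Windows XP/2003 and later, a placeholder CA configuration string ("host\CA common name"), and that the script runs in the user's own logon context so the key lands in that user's profile; a request the CA holds for administrator approval is picked up at the next logon.

```powershell
# Added example (not from the training kit): per-user logon script that
# enrolls the logged-on user for a User certificate with certreq.exe.
# Assumes certreq's -new/-submit/-retrieve/-accept syntax (Windows XP/2003
# and later) and a placeholder CA config string ("host\CA common name").
$CaConfig    = 'dc01.domain.Fabrikam.com\PLACEHOLDER-CA-NAME'
$TemplateOid = '1.3.6.1.4.1.311.20.2'      # v1 "Certificate Template Name" extension
$Work        = Join-Path $env:APPDATA 'UserEnroll'   # part of the user's profile, so it roams
$Pending     = Join-Path $Work 'pending-requestid.txt'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

function Test-HasUserCert {
    # True if the user's own store already holds a live User certificate with its private key.
    $certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid -and $_.Format($false).Trim() -eq 'User' })
    })
    return $certs.Count -gt 0
}

function Install-IssuedCert([string]$CerFile) {
    # Binds the issued certificate to the key already sitting in CurrentUser\My.
    certreq -accept $CerFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed for $CerFile" }
    Remove-Item $Pending -ErrorAction SilentlyContinue
}

if (Test-HasUserCert) { return }

$Cer = Join-Path $Work 'user.cer'

# A request the CA's exit policy left pending for administrator approval is
# retrieved at this logon instead of submitting a duplicate request.
if (Test-Path $Pending) {
    $id = Get-Content $Pending
    certreq -retrieve -config $CaConfig $id $Cer | Out-Null
    if ($LASTEXITCODE -eq 0 -and (Test-Path $Cer)) { Install-IssuedCert $Cer }
    return
}

$Inf = Join-Path $Work 'user.inf'
$Req = Join-Path $Work 'user.req'
@"
[NewRequest]
Subject = "CN=$env:USERNAME"   ; ignored when the template builds the subject from Active Directory
Exportable = FALSE             ; private key stays non-exportable (see "Moving Certificates")
KeyLength = 2048
MachineKeySet = FALSE          ; key goes into the user's profile store, not the machine store
[RequestAttributes]
CertificateTemplate = User
"@ | Set-Content -Path $Inf -Encoding ASCII

certreq -new $Inf $Req | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

$out = certreq -submit -config $CaConfig $Req $Cer 2>&1 | Out-String
if ($out -match 'RequestId:\s*(\d+)') { $id = $Matches[1] } else { throw "Unexpected certreq output: $out" }

if ($out -match 'pending') {
    Set-Content -Path $Pending -Value $id     # come back for it at the next logon
} else {
    Install-IssuedCert $Cer
}
```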

Manually Creating Certificates

User certificates are designed for deployment by end users rather than by administrators. While it is possible to configure the CertSrv Web site on a CA to request credentials each time a user connects so that an administrator can create certificates for individuals manually, you must take special precautions, such as closing Microsoft Internet Explorer between certificate requests, to ensure that the administrator is working within the correct user's account logon context in the Web session. User certificates created within the wrong user context will be useless.

Internet Explorer will remain logged on using the same user's credentials for as long as it is open. If administrators will be generating certificates for multiple users in a single logon session, you must ensure that you close and reopen Internet Explorer between sessions. You should also configure the CertSrv virtual directory for Basic Authentication so that administrators can log on as each of the various users independently. If integrated authentication is used, every certificate requested will be generated for the user who is logged on to the machine, rather than the user specified in the certificate, so the certificate will be useless.
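As an added example that is not part of the training kit, the following PowerShell script reads the CertSrv virtual directory's authentication setting from the IIS metabase with adsutil.vbs and checks it against the two configurations described above: Integrated Windows authentication only for self-service enrollment, Basic authentication only when an administrator requests certificates for individual users. It assumes adsutil.vbs at its default Inetpub\AdminScripts location, CertSrv under the Default Web Site (metabase path W3SVC/1), and a PowerShell-capable administrative host.

```powershell
# Added example (not from the training kit): check and enforce the CertSrv
# authentication mode through the IIS metabase with adsutil.vbs.
# Assumptions: adsutil.vbs in Inetpub\AdminScripts, CertSrv under W3SVC/1.
$AdsUtil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'
$Path    = 'W3SVC/1/ROOT/CertSrv'

# IIS metabase AuthFlags bits.
$AuthAnonymous = 1
$AuthBasic     = 2
$AuthNTLM      = 4      # Integrated Windows authentication

function Get-CertSrvAuthFlags {
    # adsutil prints a line like:  AuthFlags : (INTEGER) 4
    $out = & cscript.exe //nologo $AdsUtil get "$Path/AuthFlags" | Out-String
    if ($out -match '\(INTEGER\)\s*(\d+)') { return [int]$Matches[1] }
    throw "Could not read AuthFlags at ${Path}: $out"
}

function Test-CertSrvAuth([int]$Flags, [switch]$ManualEnrollment) {
    # Self-service enrollment: Integrated only, so the browsing user's own
    # domain credentials are what the CA sees.
    # Manual creation by an administrator: Basic only, so the administrator can
    # log on as each user in turn (closing Internet Explorer between users).
    $expected = if ($ManualEnrollment) { $AuthBasic } else { $AuthNTLM }
    if ($Flags -band $AuthAnonymous) {
        Write-Warning 'Anonymous access is enabled: requests carry no user identity'
    }
    if ($Flags -eq $expected) { return $true }
    Write-Warning ('AuthFlags is {0}; expected exactly {1}' -f $Flags, $expected)
    return $false
}

function Set-CertSrvAuthFlags([int]$Flags) {
    & cscript.exe //nologo $AdsUtil set "$Path/AuthFlags" $Flags | Out-Null
}

# Enforce the self-service setting from Exercise 1.
if (-not (Test-CertSrvAuth (Get-CertSrvAuthFlags))) { Set-CertSrvAuthFlags $AuthNTLM }
```

Run with -ManualEnrollment in the check (and set $AuthBasic) only for the administrator-driven manual creation case, and switch back to $AuthNTLM afterwards.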

Once created, the certificates have to be exported and then manually imported into each user's profile before they can be used.

Moving Certificates

When users change computers, their certificates must move with them. There are three ways to move certificates between workstations:

  • Back up and restore the operating system on the workstation.

  • Enable roaming profiles.

  • Export certificates on one machine and import them on another.

Backing Up and Restoring the Operating System

Performing a complete backup and restoration of a workstation operating system, while somewhat extreme, successfully moves all aspects of a user's working environment as long as the target machine is sufficiently similar to the source machine for the restore to work. In most cases, full machine backup and restore will work without fail.

Of course, backing up and restoring a full machine is time intensive, administratively complicated, usually unnecessary, and destructive to the configuration of the target machine. It has the advantage of moving encrypted files intact without problems, however, and it may be your first choice if your environment makes use of EFS to encrypt local files.

Using Roaming Profiles

User certificates are stored in a user's profile in a special location referred to as the certificate store. Users in environments that support roaming profiles do not need to be concerned with moving certificates manually because the certificates follow the user wherever they log on.

Enabling roaming profiles is the easiest method of moving certificates and is frequently the only convenient way to move certificates. It also preserves the user's desktop settings and files. Even if the change is temporary and used only to transport a user's certificates and settings, you should convert a user's profile to a roaming profile using the system Control Panel and have the user download the profile to the destination machine by logging on, if possible. You can then convert the roaming profile back to a local profile on the destination machine.

Exporting and Importing Certificates

Certificates can be imported and exported in a variety of formats. The format you use will depend on the application that needs to import it.

PKCS #12 Personal Information Exchange format is required to export Windows 2000 certificates that contain a private key. This certificate format is designed for the transport of private keys that are specific to a certain user. Windows 2000 allows you to export a certificate only if you specified the exportable option under advanced settings when you generated it using the CertSrv Web site or if it is an EFS encryption certificate. PKCS #12 is the only format that can export a private key.

You must specify that a certificate is exportable using advanced settings on the Certificate Services Web site before the certificate is created. Certificates that have not been marked for export cannot be exported. To move certificates that have not been marked for export, you must enable roaming profiles instead.

To export a certificate, open the Certificates management console, right-click the certificate, point to All Tasks, and choose Export. Follow the prompts to create an exported PKCS #12 certificate file that can be imported on another workstation. Figure 6.9 shows the wizard window that appears at the end of the process of exporting a certificate.

Don't weaken your security posture or the privacy of user certificates by marking them as exportable when they are created. Use the roaming profiles feature of the operating system, even if only temporarily, to move personal certificate stores when necessary. If you are moving a certificate store between physically separate facilities, consider using the backup/restore method rather than the import/export method.

Figure 6-9. Exporting a certificate to a file

Practice: Deploying and Moving Certificates

In this practice, you deploy a user certificate for a single user, and then export the certificate for use on another machine. Because user certificates are designed to be deployed by end users rather than by administrators, this process shows you the steps each user needs to perform when requesting certificates.

Exercise 1: Deploying User Certificates Through the Certificates Services Web Site

In this exercise, you establish that Integrated Windows authentication is the only authentication method that is allowed. After defining the authentication method, you request and install a user certificate.

To set Certificate Services Web site authentication

  1. Log on to the domain controller.

  2. Click Start, point to Programs, point to Administrative Tools, and click Internet Services Manager. The Internet Information Services management console appears.

  3. Expand Internet Information Services, then dc01, and then Default Web Site.

  4. Right-click the CertSrv virtual directory, and click Properties. The CertSrv Properties dialog box appears.

  5. Click the Directory Security tab, and click Edit in the Anonymous Access And Authentication Control group. The Authentication Methods dialog box appears, as shown in Figure 6.10.

    Figure 6-10. Setting authentication methods for a Web site

  6. Select Integrated Windows Authentication, and clear all other check boxes.

  7. Click OK to close the Authentication Methods dialog box.

  8. Click OK to close the CertSrv Properties dialog box.

  9. Close the Internet Information Services management console.

To request a certificate

  1. From the client computer, log on as user packerman in domain.Fabrikam.com.

  2. Browse to http://dc01/certsrv/. The Microsoft Certificate Services Web site appears.

  3. Select Request A Certificate, and click Next. The Choose Request Type page appears.

  4. Leave the User Certificate Request option selected, as shown in Figure 6.11, and click Next.

    Figure 6-11. Requesting a user certificate

  5. Click Submit. The Protected Item dialog box appears.

  6. Click OK. The dialog box will appear again. Click OK again.

  7. When the Certificate Issued dialog box appears, click Install This Certificate.

  8. From the Tools menu, choose Internet Options.

  9. When the Internet Options dialog box appears, click the Content tab.

  10. Click Certificates. The Certificates dialog box displays a list of installed certificates, as shown in Figure 6.12.

    Figure 6-12. Certificates installed in the current user's profile

  11. Double-click the Pilar Ackerman certificate. When the Certificate Information window appears (Figure 6.13), verify the certificate's uses.

    Figure 6-13. Properties of a certificate

  12. Close the dialog boxes and the Web browser.

Exercise 2: Moving a Certificate Between Workstations

In this exercise, the EFS certificate for the domain administrator account is exported from a file server and imported to a workstation. In this domain, users do not have access to the MMC, and their certificates have not been marked as exportable, so it would not be possible to export and import user certificates for non-administrative users.

To automatically generate an EFS certificate

Perform this procedure on the Windows 2000 Server.

  1. Log on as Administrator.

  2. Right-click a blank area of the desktop, point to New, and click Text Document. A new text document icon appears on the desktop.

  3. Change the document's name to Encrypted.txt.

  4. Right-click Encrypted.txt, and click Properties. The Properties dialog box for Encrypted.txt appears.

  5. Click Advanced to view the Advanced Attributes for Encrypted.txt, as shown in Figure 6.14.

    Figure 6-14. Setting the advanced attributes for a document

  6. Select Encrypt Contents To Secure Data, and click OK.

  7. Setting encryption for a file results in the automatic generation of an EFS certificate.

  8. Click OK to close the Encrypted.txt Properties dialog box. An encryption warning message appears.

  9. Select Encrypt The File Only, and click OK.

    The server will request an EFS encryption certificate from the CA; the certificate will be automatically issued and used to encrypt the text file.

To create a certificates console for the administrator

Perform this procedure on the Windows 2000 Server while logged on as Administrator.

  1. Click Start, and then click Run to open the Run dialog box.

  2. Type mmc in the Open field, and click OK. A blank management console appears.

  3. On the Console menu, click Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.

  4. Click Add. The Add Standalone Snap-in dialog box appears.

  5. Double-click Certificates. The Certificates snap-in dialog box appears with options for the type of certificates to manage.

  6. Select My User Account, and click Finish.

  7. Click Close to close the Add Standalone Snap-in dialog box.

  8. Click OK to close the Add/Remove Snap-in dialog box.

  9. From the Console menu, choose Save.

  10. Type Administrator Certificates in the File Name box, and then click Save.

To export the EFS certificate

  1. In the Administrator Certificates console, expand Certificates - Current User, expand Personal, and then select the Certificates folder.

    Certificates issued to the administrator are listed in the window, as shown in Figure 6.15.

    Figure 6-15. The list of certificates issued to the administrator

  2. In the Intended Purposes column, find the certificate issued to the administrator whose purpose is listed as Encrypting File System.

  3. Right-click the certificate, point to All Tasks, and then click Export. The Certificate Export Wizard appears.

  4. Click Next. The Export Private Key page appears asking if you want to export the private key along with the certificate.

  5. Select Yes, Export The Private Key, and click Next. The Export File Format page appears, providing options for exporting the certificate.

  6. Leave the default Enable Strong Protection check box selected, and click Next. The Password window appears.

  7. Type and confirm a password for the certificate, and then click Next.

    Use a more complex password than the account's logon password to secure private certificates.

  8. On the File To Export page, click Browse. When the Save As dialog box appears, insert a blank formatted floppy disk into the computer's floppy disk drive, and browse to the floppy disk drive.

  9. Type AdminEFS.pfx as the File Name of the certificate, and then click Save. A:\AdminEFS.pfx should appear in the File Name box.

  10. Click Next, and then click Finish.

  11. In the message box that appears, click OK to acknowledge that the export was successful.

To import an EFS certificate file

Perform this exercise on a workstation joined to the domain.

  1. Insert the floppy disk containing the Administrator's EFS certificate.

  2. Open the floppy disk drive in Windows Explorer.

  3. Double-click AdminEFS.pfx. The Certificate Import Wizard appears.

  4. Click Next. The File To Import page appears, requesting the name of the file to import. The correct file name already appears in the File Name box.

  5. Click Next. The Password page appears requesting the password that was used to encrypt the certificate.

  6. Enter the password you used to secure the certificate, and click Next. The Certificate Store page appears, asking which store you want to add the certificate to.

  7. Leave Automatically Select Certificate Store selected, and click Next.

  8. Click Finish.

  9. In the message box that appears, click OK to acknowledge that the import was successful.

Lesson Review

The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.

  1. Can administrators create user certificates on behalf of users without knowing their account user name and password?

  2. For which purposes can user certificates be used?

  3. Where is a user's certificate store permanently stored?

  4. What is the recommended method for moving certificate stores when a user changes workstations?

  5. Which certificate format is used to export and import user certificates?

  6. Which type of certificates can be exported without being explicitly marked as exportable?

Lesson Summary

  • User certificates are designed to accomplish most of the purposes for which end users require public keys: file encryption, e-mail security, and authentication with third parties.

  • User certificates are automatically issued by the CA when they are requested unless the administrator changes the CA's exit policy. This means that users can request and immediately install certificates through the CA's CertSrv Web site.

  • User certificates can be used to secure e-mail in Outlook, but they do not contain the required identity information for most other e-mail packages.

  • Personal certificates are stored in a user's profile, so they will automatically move in a roaming profiles environment. You can manually export and import user certificates that have been marked as exportable by using the Certificates management console.



MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
Year: 2003
Pages: 82
