Creating an Enrollment and Distribution Strategy




You eventually will need to decide how to issue certificates to the users, computers, and services that participate in the PKI. The process of requesting and installing the certificates for the user, computers, or services is called the enrollment strategy. There are many types of enrollment methods that you can use, depending on the type of CAs (enterprise or stand-alone), the client computer operating system, the issuing policy requirements, and where the CAs are located in relation to the clients.

The first step in enrollment is issuing the request. You can issue a request to the CA server and obtain a certificate through a web page, the Certificates MMC, a command-line utility, or autoenrollment by the underlying OS. The enrollment strategy you use depends on three factors:

The client’s operating system The underlying operating systems for the clients that will participate will affect the means you can use to enroll and renew a certificate. For example, non-Windows OSes will need to use the web page for enrollment, and autoenrollment is supported by only Windows XP and Windows Server 2003.

The type of CA you will be running There are two types of CAs: a stand-alone CA and an enterprise CA. The enterprise CA supports autoenrollment for certificates and the use of Group Policy and certificate templates to control the request and deployment of certificates. Only Windows Server 2003 and Windows XP support autoenrollment. A stand-alone CA will support only web-based enrollment or command-line enrollment.

The types of user, service, or computer accounts that will receive the certificates. You need to determine if the accounts or computers are connected to Active Directory. Also, are the accounts contained in your organization or external to your organization?

You will need to determine how you will distribute certificates, which is called enrollment. In the following sections you will learn how to enroll clients and servers for certificates through the Web, Certificates MMC, command-line, and autoenrollment. We will then look at automatic and manual enrollment and what user interfaces are available to you for enrollment.

Using Web-Based Enrollment

Web-based enrollment allows you to obtain a certificate or the CA’s certificate through the use of a web browser (see Figure 6.12). This is the primary interface to a Windows Server 2003 CA server. The web-based version is useful for navigating firewalls or for obtaining certificates for non-Windows clients. You can use web-based enrollment if you are trying to enroll for a certificate with a stand-alone CA or an enterprise CA. Web-based enrollment will be installed on any CA by default, but you can also install it on any other Windows Server 2003 server. Web-based enrollment can generate almost any certificate that you can generate through other means, except for the smart card logon and autoenrollment certificates, because these certificates are issued only from an enterprise CA directly to the client. Web enrollment does not support certificate templates, so all the information about the user and the type of certificate needs to be provided by the user. You can request a user certificate through the standard options of the web interface. You can use the advanced options to export a certificate, renew a certificate, request a certificate for another user, and generate keys on the client for a certificate request.

Figure 6.12: Web-based certificate administration

Web-based enrollment also allows you to enroll and renew certificates for smart cards through a smart card enrollment station. A smart card enrollment station will allow you to enroll for certificates on behalf of a user. You would need an Enrollment Agent certificate to enroll for a certificate on behalf of a user. This will allow you to issue smart cards to your users without requiring them to enroll for the certificates that will be stored on their smart cards on their own.

Using the Certificates MMC for Enrollment

The Certificates MMC allows you to enroll for a certificate using the Automatic Certificate Request Setup Wizard (see Figure 6.13). This will only work with enterprise CAs and for Windows 2000, Windows XP, and Windows Server 2003 users, computers, and services. You can use the Certificates MMC to manage the certificate requests on a stand-alone CA but not to make a request through the Automatic Certificate Request Setup Wizard. You can use the MMC only to obtain a certificate for the current user of the application, or if you are an administrator, you can get certificates for yourself, the local computer, or local services on the computer.

Figure 6.13: The Automatic Certificate Request Setup Wizard

Using Command-Line Certificate Enrollment

The certreq.exe command-line utility will allow you to create, submit, accept, and retrieve certificates. Because it is a command-line utility, it can be used from batch files or scripts. You can use it to create and sign cross-certification certificate requests to establish a trust with another CA hierarchy. Certreq.exe will allow you to map the CA certificate to the policy that you will use to set constraints for the Cross Certificate Authority certificate. You can use certreq.exe to request a certificate from both stand-alone and enterprise CAs.
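The create, submit, accept, and retrieve steps above, scripted end to end. This is an added example, not code from the book; the CA config string, the template name Machine, the subject name, and the C:\Enroll working folder are assumptions, and the script handles the case where the CA holds the request for manual approval (covered later under automatic versus manual approval).

```powershell
# Added example: a scripted certreq.exe enrollment cycle for a computer certificate.
# Assumed values: CA config string "<host>\<CA name>", template "Machine", folder C:\Enroll.
$work     = 'C:\Enroll'
$caConfig = 'CA01.trinity.example\Trinity-Issuing-CA'   # assumption, not a real CA
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Describe the request in an INF file. MachineKeySet places the key in the
#    computer store; Exportable = FALSE keeps the private key from being copied out.
@"
[NewRequest]
Subject = "CN=store017.trinity.example"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = Machine
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

# 2. Create the PKCS #10 request; the key pair is generated on this machine.
certreq -new "$work\request.inf" "$work\request.req"

# 3. Submit the request to the CA. The CA either issues immediately or reports
#    "Taken Under Submission" with a RequestId when an administrator must approve it.
$output = certreq -submit -config $caConfig "$work\request.req" "$work\cert.cer" | Out-String
Write-Host $output

if ($output -match 'Taken Under Submission' -and $output -match 'RequestId:\s*"?(\d+)') {
    # 4b. Pending: record the id and come back after approval in the Certification Authority MMC.
    $requestId = $Matches[1]
    Write-Host "Request $requestId is pending approval. After approval run:"
    Write-Host "  certreq -retrieve -config `"$caConfig`" $requestId `"$work\cert.cer`""
    Write-Host "  certreq -accept `"$work\cert.cer`""
} else {
    # 4a. Issued: bind the certificate to its private key in the local computer store.
    certreq -accept "$work\cert.cer"
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq 'CN=store017.trinity.example' } |
        Format-List Subject, Thumbprint, NotAfter
}
```

The final listing confirms the certificate landed in the computer store with a private key, which is the state the IPSec or SSL consumer expects.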

Using Autoenrollment

Autoenrollment for certificates is supported on Windows XP clients and Windows Server 2003 against an enterprise CA running Windows Server 2003, Enterprise Edition. You can autoenroll for smart card logon, EFS, SSL, and S/MIME certificates for users and computers that log onto an Active Directory environment. Group Policy on the user or computer is used to manage autoenrolled certificates, and the permissions on the certificate template control what certificates a user can request. Autoenrollment will allow you to request user, computer, and smart card certificates. This is a cost-effective way to deploy EFS, smart card, and S/MIME certificates in an Active Directory environment with Windows XP clients and Windows Server 2003 servers. You choose the certificates that you want the clients to have through Group Policy, as shown in Figure 6.14. You can also control which certificates are issued by setting the permissions on the certificate template using Global or Universal groups. This requires an enterprise CA and is not supported with a stand-alone CA. If your certificate requires only one authorizing signature, you can use autoenrollment; otherwise autoenrollment will be disabled.

Figure 6.14: The automatic certificate request settings in the Group Policy Editor

Understanding the Difference between Automatic and Manual Enrollment

Whether you choose automatic or manual enrollment will depend on the number of clients you want to enroll, the types of clients, and the security level of the certificate. For example, you might want to install a computer certificate on every client in your organization to validate each computer. This would be a tedious process to do manually, so this would be a case for autoenrollment. In fact, autoenrollment is most useful when you want to enroll clients for computer and IPSec certificates. On the other hand, you might have administrators who use smart card authentication to authenticate with servers for remote management. Because the user authentication certificates stored on the smart card are considered high security, you could require the administrators to manually apply for the certificates to have more control over the approval process. Figure 6.15 shows how you would enable the autoenroll feature on the CA server.

Figure 6.15: The Autoenroll setting on the Security tab

In addition to automatically enrolling a client for certificates, you can choose to manually or automatically approve certificate requests. After the client requests a certificate, you can manually approve the certificate as an administrator using the Certificates MMC or you can develop a complex policy to approve it, which is usually preferred for certificates that require high security. You can also let the certificate request be approved automatically. This works well if you first validate the clients through a domain logon. Automatically approving requests is a good mechanism for providing certificates that are routinely issued or issued in high volume.

Choosing a User Interface

The user interface that you choose for certificate processing will depend on whether you choose automatic or manual certificate enrollment and approval methods. If you choose to use the automatic request, which is through autoenrollment, you will not have a user interface for enrollment. A manual enrollment and approval process will allow you to choose between using a web enrollment page or the Automatic Certificate Request Setup Wizard. A designated administrator or a user can use a web enrollment page to do the following:

  • Request a certificate by using a certificate request file.

  • Renew certificates by using a certificate renewal request file.

  • Request and deploy a basic user certificate.

  • Request and deploy other types of certificates.

  • Save a certificate request to a file.

  • Save the issued certificate to a file.

  • Check on pending certificate requests.

  • Retrieve a CA certificate.

  • Retrieve the latest certificate revocation list.

  • Request smart card certificates on behalf of other users if you have been given the proper permissions (have an Enrollment Agent certificate).

You can perform similar tasks using the Certificate Request And Renewal Wizard through the Certificates MMC. However, administrators might prefer to use the Automatic Certificate Request Setup Wizard to create an automatic certificate request for clients. You can start either wizard from the Certificates MMC, which is a tool to request, renew, and manage certificates.

Your decision about which tool to use is simplified if there is a firewall between you and the CA. The Certificates MMC requires DCOM to communicate with the server, and the firewall administrator will most likely not open TCP and UDP port 135 due to security concerns, so you would need to use a web enrollment page.

Storing Issued Certificates

You will need to store certificates that you create through your CA server in one of the following locations:

Smart card Smart cards are devices that are the size of credit cards and are used to provide security solutions for authentication, e-mail, and data encryption. Smart cards store certificates and the corresponding private key in a secure manner. You can access the private key only through use of a valid PIN. Smart cards use two-factor authentication, meaning that you must have the physical smart card and the valid PIN to authenticate on the network or digitally sign an e-mail message, for example. Smart cards can enhance network security through these means.

File Certificates can be exported to a file for transfer to another location or to protect a private key by removing it from a computer. Certificates can be exported to a file in one of two formats on Windows: Public Key Cryptography Standard (PKCS) #12, which writes both the public and the private key out to the file, and PKCS #7 or Distinguished Encoding Rules (DER) / Base-64 encoding, which stores the certificate only.

Computer Certificates for Windows accounts can be securely stored on a computer by encrypting the certificate. That way, only the Windows account will have access to the certificate.

Active Directory You can store server certificates, certificate revocation lists, and CA certificates in Active Directory. This makes it easier for Windows clients to access the certificate in a secure manner.

Website You can publish certificates to a website where they can be downloaded to the clients. This is a good idea for certificates that need to be used by partner or customer computers or that need to be checked for revocation from the Internet.

In the “Designing an Enrollment and Distribution Strategy” Design Scenario, you will design an enrollment and distribution strategy for a company.

Design Scenario: Designing an Enrollment and Distribution Strategy


Trinity Imports has a chain of 200 stores throughout the eastern United States and Canada. Each of these stores has a computer that connects to the central office in Philadelphia via a dial-up connection to a local ISP number and then establishes a VPN connection using IPSec to the central office. The central office validates the computer based on its computer certificate. The computer certificates need to be acquired and distributed to the computers. All clients are running Windows XP, and they have an Active Directory domain for each location.

IT Manager The IT staff is already stretched to the limit with the current infrastructure that they support. They can’t take on too much additional responsibility.

CSO We need to validate the computers that dial in for security purposes. The computers will authenticate over IPSec with Kerberos and use L2TP/IPSec.

  1. Question: What would be the best way to deploy certificates that will meet both of their needs? Answer: You would install your issuing CA servers as enterprise CAs on a Windows Server 2003 server. You could then take advantage of autoenrollment throughout the organization for the computer certificates.


MCSE: Windows(r) Server 2003 Network Security Design Study Guide (70-298)
ISBN: 0782143296
Year: 2004
Pages: 168
