Managing Certificates


Public-key certificates serve as the security medium for many of the Windows 2000 protocols and mechanisms. Network authentication, IPSec, Encrypting File System (EFS), Secure Socket Layer (SSL), and Secure Multipurpose Internet Mail Extensions (S/MIME) all use certificates. MMC provides the Certificates snap-in for the single purpose of managing user, computer, and service certificates.

To add the Certificates snap-in to MMC, run mmc.exe from the Start menu. From the Console menu, select Add/Remove Snap-In. Click the Add button and select Certificates from the list of snap-ins provided. You'll be given a choice of which account to manage certificates for: My User Account, Service Account, or Computer Account. For the service and computer accounts, you can select which computer the snap-in will manage. For the service account, you'll also need to specify which service to manage.

NOTE
Users can manage only their personal certificates. Certificates for computers and services are managed by administrators.

The certificate store is made up of five categories: Personal, Trusted Root Certification Authorities, Enterprise Trust, Intermediate Certification Authorities, and Active Directory User Object. Trusted Root and Intermediate CA certificates are preloaded. To view the details of any certificate, double-click the certificate. Figure 18-11 shows the public key of a VeriSign root certificate.


Figure 18-11. The public key of a VeriSign root certificate.

Exporting Certificates and Private Keys

The Export command in the Certificates snap-in really provides two distinct functions. First, it allows a certificate or certificate chain to be exported for the purpose of sharing it with users or computers that are not privy to a certificate directory. Second, it allows the export of a certificate or certificate chain along with the associated private key for cryptographic use on another machine.

NOTE
By default, only private keys for basic EFS and EFS recovery agents are marked as available for export. This keeps all other private keys from being unnecessarily exposed. Certificates and keys that are purposely meant to be exported can be marked as exportable during the certificate request.

You can export any type of certificate, including those in root CAs. Naturally, only certificates with available private keys (that is, personal certificates) that are marked as exportable can be exported together with their private keys. To export a certificate, follow these steps:

  1. Find the certificate in the Certificates snap-in and right-click the entry.
  2. Point to All Tasks and choose Export. You'll be welcomed to the Certificate Export Wizard.
  3. Make your way through the wizard, choosing whether to export the private key (if available).
  4. Choose the format for storing the certificate. DER Encoded Binary and Base 64 Encoded are single-certificate formats. With the PKCS #7 format, you can include the full certificate chain. Private-key combinations are stored in a PKCS #12 file and are password protected; you'll need to specify a password for the file.
  5. Enter a target path and filename for the exported certificate.

TIP
With a highly populated certificate database, finding a particular certificate for exporting or enabling may be difficult. Use the Find Certificate command, found by right-clicking the Certificates snap-in, to locate certificates by issuer (Issued By), subject (Issued To), fingerprint (SHA1 Hash or MD5 Hash), or serial number.

Importing Certificates

Users can import certificates into any one of the certificate categories found in the certificate store. In the Certificates snap-in, right-click the certificate category to which you want to import the certificate, point to All Tasks, and choose Import. Enter the certificate filename, which should have a standard certificate format extension (.PFX, .P12, .CER, .CRT, .P7B, .STL, .SPC, .CRL, or .SST). For PKCS #12 files, which contain private keys as well as certificates, you'll need to enter the password used to protect the file.

CAUTION
Root certificates are the basis of trust for certificate verification. Be extremely careful when importing a root certificate. Ensure that the certificate was received from a trusted source and that the certificate thumbprint matches a trusted publication.
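The single-certificate export formats in step 4 (DER Encoded Binary and Base 64 Encoded), the SHA1 and MD5 fingerprints used by Find Certificate, and the thumbprint check recommended before importing a root certificate all operate on the same thing: the DER bytes of the certificate. The following Python example, added here and not part of the book, uses only the standard library to tell the two single-certificate formats apart, convert between them, compute the thumbprints, and compare a thumbprint against a published value as the dialog shows it (uppercase hex, often with spaces or colons between byte pairs). The sample bytes are a constructed minimal DER SEQUENCE standing in for a certificate; a real exported .CER file is several hundred bytes long, but the functions work the same way on it.

```python
import base64
import hashlib
import re

# Constructed stand-in for an exported certificate: a tiny DER SEQUENCE
# (SEQUENCE { INTEGER 1, INTEGER 2 }). It is NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3006020101020102")

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def detect_format(data: bytes) -> str:
    """Classify a single-certificate file as 'DER' (binary) or 'Base64' (PEM)."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "Base64"
    if data[:1] == b"\x30":  # every DER certificate begins with a SEQUENCE tag
        return "DER"
    raise ValueError("not a DER or Base64 encoded single certificate")


def pem_to_der(pem: str) -> bytes:
    """Strip the Base64 armour and return the raw DER bytes."""
    m = re.search(
        re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), pem, re.S
    )
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the Base64 encoded (PEM) format, 64 characters per line."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Certificate thumbprint: the hash of the DER encoding, as uppercase hex.

    SHA1 is what the Windows certificate dialog labels 'Thumbprint'; MD5 is
    the other hash Find Certificate can search on.
    """
    return hashlib.new(algorithm, der).hexdigest().upper()


def normalize_thumbprint(published: str) -> str:
    """Accept a published thumbprint with spaces, colons or lowercase hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", published).upper()


def matches_published(der: bytes, published: str, algorithm: str = "sha1") -> bool:
    """True when the file's thumbprint equals the trusted published value."""
    return thumbprint(der, algorithm) == normalize_thumbprint(published)


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(detect_format(SAMPLE_DER), detect_format(pem.encode("ascii")))
    print("SHA1:", thumbprint(SAMPLE_DER))
    print("MD5: ", thumbprint(SAMPLE_DER, "md5"))
```

Use `matches_published` with the thumbprint from the CA's out-of-band publication (a printed document or a separate trusted channel) rather than one read from the same place the certificate file came from; otherwise the check proves nothing. PKCS #12 (.PFX/.P12) files are encrypted containers and need a PKCS #12 parser, so they are outside this example.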

Requesting Certificates

Before using any application that relies on the public-key infrastructure, you'll need a certificate. Chapter 19 covers how to configure and install Microsoft Certificate Services. Certificates can be requested from certificate servers configured as enterprise CAs by using the Certificates snap-in.

TIP
Using Internet Explorer version 3 or later, you can request certificates from Microsoft Certificate Services, running in either Standalone or Enterprise mode, through the Web interface.

The certificate request process involves first generating a key pair consisting of a public key and a private key. The private key is stored and protected on the local computer. The public key, along with information identifying the user, is sent to the CA as a certificate request. If the CA determines that the user, device, or service is authorized for the certificate being requested, the CA generates and signs the certificate. The certificate can then be retrieved with the Certificates snap-in and placed in the local certificate store.

To request a certificate, right-click the Certificates folder under the Personal certificate store. Point to All Tasks, choose Request New Certificate, and follow the instructions in the Certificate Request Wizard. You'll need to choose a certificate type (the purpose for which the certificate will be used), a friendly name for the certificate, and the CA that will issue the certificate, if more than one is available. To allow you to download the certificate once the CA has issued it, the Certificate Request Wizard provides the Install Certificate option.

CAUTION
The advanced options of the Certificate Request Wizard will allow private keys to be exported. Be extremely judicious when selecting this option. Exported private keys can allow other users to read your encrypted data.

Enabling Certificates for Specific Purposes

Certificates can be issued for specific types of uses. These uses are programmed directly into the certificate, using a certificate extension field. For example, the Key Usage certificate extension tells whether a certificate can be used for data signing, certificate signing, nonrepudiation, or other functions. The Enhanced Key Usage extension extends this property to other uses, such as time stamping or file recovery.

Certificates can also be enabled for certain purposes on an account basis. That is, a user or administrator can decide which certificates to allow or disallow for specific uses. While the actual certificate can't be modified, the attributes in the certificate store can be configured. For example, a certain certificate may have no internal key usage restriction. However, a user may want to enable that certificate only for code signing and secure e-mail.

To set certificate purposes, right-click the certificate and choose Properties. The three choices for enabling certificate purposes, as shown in Figure 18-12, are Enable All Purposes For This Certificate, Disable All Purposes For This Certificate, and Enable Only The Following Purposes. Choose the third option and select the purposes you want that certificate used for. Remember that only purposes allowed by the actual certificate or certificate path will appear in the list.
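The Key Usage and Enhanced Key Usage extensions described above are DER-encoded values inside the certificate, and the Properties dialog's purpose list is the intersection of what the certificate itself permits and what the user enables in the store. The following Python example, added here and not part of the book, decodes both extension values with a small hand-written ASN.1 reader (standard library only) and then models the three Properties choices. The extension bytes are constructed samples: a Key Usage bit string with digitalSignature and keyEncipherment set, and an Enhanced Key Usage sequence naming Server Authentication and Code Signing. The OID names in the table are the standard PKIX values plus the Microsoft EFS OIDs; anything not in the table is shown as its dotted OID.

```python
# Constructed sample extension values (the contents of each extnValue).
KEY_USAGE_DER = bytes.fromhex("030205a0")  # BIT STRING, 5 unused bits, 0xA0
EKU_DER = bytes.fromhex(                    # SEQUENCE OF OBJECT IDENTIFIER
    "3014"
    "06082b06010505070301"                  # 1.3.6.1.5.5.7.3.1 serverAuth
    "06082b06010505070303"                  # 1.3.6.1.5.5.7.3.3 codeSigning
)

# KeyUsage bit positions, bit 0 first (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Purpose names as the snap-in displays them for common EKU OIDs.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.5.5.7.3.8": "Time Stamping",
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
    "1.3.6.1.4.1.311.10.3.4.1": "File Recovery",
}


def read_tlv(data: bytes, pos: int = 0):
    """Read one DER tag-length-value (single-byte tags only). Returns (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_key_usage(der: bytes) -> list:
    """Decode a KeyUsage BIT STRING into the names of the set bits."""
    tag, body, end = read_tlv(der)
    if tag != 0x03 or end != len(der):
        raise ValueError("KeyUsage must be a single BIT STRING")
    unused = body[0]                        # number of padding bits at the end
    total_bits = (len(body) - 1) * 8
    bits = int.from_bytes(body[1:], "big")
    return [
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < total_bits - unused and (bits >> (total_bits - 1 - i)) & 1
    ]


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:                      # base-128, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes) -> list:
    """Decode an ExtendedKeyUsage SEQUENCE OF OID into dotted OIDs."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(v))
    return oids


def effective_purposes(eku_oids, setting: str, enabled_oids=()) -> list:
    """Model the Properties dialog: the certificate's own EKU list is the
    ceiling, and the store setting narrows it.

    setting is one of 'enable_all', 'disable_all', 'enable_only'.
    eku_oids=None means the certificate carries no EKU extension and is
    therefore unrestricted; whatever the user enables applies.
    """
    if setting == "disable_all":
        return []
    if eku_oids is None:
        allowed = list(enabled_oids) if setting == "enable_only" else list(EKU_NAMES)
    elif setting == "enable_all":
        allowed = list(eku_oids)
    elif setting == "enable_only":
        allowed = [o for o in eku_oids if o in set(enabled_oids)]
    else:
        raise ValueError("unknown setting")
    return [EKU_NAMES.get(o, o) for o in allowed]


if __name__ == "__main__":
    print("Key Usage:", decode_key_usage(KEY_USAGE_DER))
    eku = decode_eku(EKU_DER)
    print("Enhanced Key Usage:", [EKU_NAMES.get(o, o) for o in eku])
    print("Enable only code signing + secure e-mail ->",
          effective_purposes(eku, "enable_only", {"1.3.6.1.5.5.7.3.3", "1.3.6.1.5.5.7.3.4"}))
```

The last call shows the point made in the text: enabling Secure Email in the store does nothing when the certificate's own Enhanced Key Usage does not include it, so only Code Signing remains in the list.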


Figure 18-12. Options for enabling certificate purposes.



Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366