Using Digital Certificates
You can install certificates and configure certificate settings for Internet Explorer by using the following methods:
- Within the browser, you can use the Internet Explorer Certificate Manager by clicking the Tools menu, clicking Internet Options, and then clicking the Content tab. You can also configure advanced security options for certificates by clicking the Tools menu, clicking Internet Options, and then clicking the Advanced tab.
- You can use the Internet Explorer Customization wizard to create custom packages of Internet Explorer that include preconfigured lists of trusted certificates, publishers, and CAs for your user groups. If you are a corporate administrator, you can also lock down these settings to prevent users from changing them.
- After the browser is deployed, you can use the IEAK Profile Manager to manage certificate settings through the automatic browser configuration feature of Internet Explorer. You can automatically push the updated information to each user's desktop computer, enabling you to manage security policy dynamically across all computers on the network.
The options for configuring certificates are the same whether you access them from Internet Explorer 5, the Internet Explorer Customization wizard, or the IEAK Profile Manager. For more information about using the Internet Explorer Customization wizard and the IEAK Profile Manager, see Chapter 15, "Running the Internet Explorer Customization Wizard" and Chapter 22, "Keeping Programs Updated."
Note Outlook Express also includes certificates, called "digital IDs," which can be configured separately within the e-mail program.
Installing and Removing Trusted Certificates
The Internet Explorer Certificate Manager enables you to install and remove trusted certificates for clients and CAs. Many CAs have their root certificates already installed in Internet Explorer. You can select any of these installed certificates as trusted CAs for client authentication, secure e-mail, or other certificate purposes, such as code signing and time stamping. If a CA does not have its root certificate in Internet Explorer, you can import the root certificate into Internet Explorer. Each CA's Web site contains instructions describing how to obtain the root certificate. You may also want to install client certificates, which are used to authenticate users' computers as clients for secure Web communications.
To install or remove clients and CAs from the list of trusted certificates
- On the Tools menu, click Internet Options, and then click the Content tab.
- Click Certificates.
- Click one of the following tabbed categories for the type of certificates you want to install or remove:
- Personal - Certificates in the Personal category have an associated private key. Information signed by using personal certificates is identified by the user's private key data. By default, Internet Explorer places all certificates that will identify the user (with a private key) in the Personal category.
- Other People - Certificates in the Other People category use public key cryptography to authenticate identity, based on a matching private key that is used to sign the information. By default, this category includes all certificates that are not in the Personal category (the user does not have a private key) and are not from CAs.
- Intermediate Certification Authorities - This category contains all certificates for CAs, including trusted root certificates.
- Trusted Root Certification Authorities - This category includes only self-signing certificates in the root store. When a CA's root certificate is listed in this category, you are trusting content from sites, people, and publishers with credentials issued by the CA.
The following illustration shows the Certification Manager with the Intermediate Certification Authorities category selected.
- In the Intended Purpose box, select the filter for the types of certificates that you want to be displayed in the list.
- To add other certificates to the list, click Import. The Certificate Manager Import wizard steps you through the process of adding a certificate.
To export certificates from the list, click Export. The Certificate Manager Export wizard steps you through the process of exporting a certificate.
To specify the default drag-and-drop export file format (when the user drags a certificate from the Certificate Manager and drops it into a folder), click Advanced.
The following illustration shows the Advanced Options dialog box.
To delete an existing certificate from the list of trusted certificates, click Remove.
To display the properties for a selected certificate, including the issuer of the certificate and its valid dates, click View.
Adding Trusted Publishers and Credentials Agencies
To designate a trusted publisher or credentials agency (also called certification authority and issuer of credentials) for Internet Explorer, use the Security Warning dialog box that appears when you attempt to download software from that publisher or credentials agency. Active content that is digitally signed by trusted publishers or credentials agencies with a valid certificate will download without user intervention, unless downloading active content is disabled in the settings for a specific security zone.
To add a trusted publisher or credentials agency
- Use Internet Explorer to download signed active content from the publisher or credentials agency.
- When the Security Warning dialog box appears, select Always trust content from publisher or credentials agency name.
The following illustration shows the Security Warning dialog box.
- To download the software and control, and add the publisher or credentials agency to the list of trusted publishers and credentials agencies, click Yes.
Removing Trusted Publishers and Credentials Agencies
You can use the Authenticode Security Technology dialog box to remove publishers and credentials agencies from the list of trusted authorities.
To remove a trusted publisher or credentials agency
- On the Tools menu, click Internet Options, and then click the Content tab.
- Click Publishers.
- To remove a trusted publisher or credentials agency, select the name of the agency from the list, and then click Remove.
The following illustration shows a list of trusted publishers and credentials agencies.
Configuring Advanced Security Options for Certificate and Authentication Features
You can easily configure options for certificate and authentication features that your users may need.
To configure advanced security options for certificates
- On the Tools menu, click Internet Options, and then click the Advanced tab.
- In the Security area, review the options that are selected.
- Depending on the needs of your organization and its users, select or clear the appropriate check boxes.
For example, to enable Fortezza support for users with Fortezza Crypto Cards and the Fortezza CSP plug-in for Internet Explorer, select the Use Fortezza check box.
The following illustration shows the Security check boxes.
For information about security options for user privacy features, see Chapter 8, "Content Ratings and User Privacy."