Windows 2000 Certificate Services and Public Key Infrastructure


Windows 2000 Certificate Services

Figure 16.2 shows a functional block diagram of Windows 2000 Certificate Services.

Figure 16.2    Certificate Services Functional Diagram

The components of Windows 2000 Certificate Services work in conjunction with Microsoft CryptoAPI and cryptographic service providers (CSPs) to perform a variety of tasks, including the following:


Note

In Windows 2000, all cryptographic functions and private key management are performed by Microsoft CryptoAPI in conjunction with CSPs. Any system service or application can request cryptographic services by using Microsoft CryptoAPI.

Entry Module

The default entry module accepts standard PKCS #10 (Public-Key Cryptography Standards) certificate requests submitted through remote procedure calls (RPCs) or Hypertext Transfer Protocol (HTTP). The entry module is a dynamic-link library (DLL) that cannot be customized. Windows 2000 services usually use RPCs to submit certificate requests to enterprise CAs, whereas the Web Enrollment Support pages submit certificate requests to CAs over HTTP.

Each certificate request received by Certificate Services is handed to the policy module, which approves it, denies it, or (on a stand-alone CA) leaves it in the pending queue until an administrator approves or denies it.


Note

You can develop custom certificate enrollment applications that submit RPC or HTTP requests to Certificate Services. For more information about developing custom applications for Windows 2000 Certificate Services and about the required certificate request format, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.

Policy Modules

The policy module determines whether a certificate request must be approved, denied, or queued (left pending) for a later decision by the administrator about whether or not to issue the certificate. Windows 2000 Certificate Services includes a default policy module that incorporates CA policy for both enterprise and stand-alone CAs. You can also build custom policy modules for special needs.

Enterprise CA Policy   Enterprise CA policy always issues a certificate or denies a request immediately. Enterprise CA policy uses Active Directory to determine the identity of the requester, and then automatically determines whether the requester has security permissions to receive a certificate of the type that is being requested.

Stand-alone CA Policy   By default, stand-alone CA policy places certificate requests in a pending queue so that an administrator can approve or deny them. You can instead configure stand-alone CA policy to approve all certificate requests automatically. However, because a stand-alone CA does not use Active Directory to verify the identity of requesters, it has no way to verify the identity and validity of a requester automatically. Therefore, configuring a stand-alone CA to approve certificate requests automatically can pose a significant security risk.

Custom Policy Modules   The policy module is a fully customizable DLL. For more information about how to customize policy modules, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. You can change the installed policy module by using the Certification Authority console. You can also develop your own policy modules or acquire a third-party policy module when one is available.


Note

It is recommended that you use custom policy modules with stand-alone CAs only. Enterprise CAs require the enterprise policy module to ensure proper integration with Active Directory. Using a custom policy module with an enterprise CA can produce both problems and unpredictable results.

When Certificate Services determines whether to grant certificate requests, the policy module can check information in the request against various sources for verification, such as a directory service, an external legacy database, or credit information from an outside authority. The policy module also can send alerts to the appropriate administrator if manual (offline) approval of the request is required.

The policy module can insert additional certificate attributes or extensions that a client application might require. For example, it can insert a job title and a signing limit into a certificate, and an online purchasing form can then read those values to determine whether the user can sign for the amount requested.

The policy module can use additional information included in the certificate request to incorporate requested attributes in the issued certificate. For example, certificate requests to stand-alone CAs must include all information about the requested certificate; so the policy module incorporates this information into each certificate that is issued. However, enterprise CAs use certificate templates to specify certificate attributes; so certificate requests to enterprise CAs require less information.
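The following model, added here as an illustration rather than code from Windows 2000 Certificate Services, plays out the three dispositions described above: an enterprise CA decides immediately from directory identity plus template permissions, a stand-alone CA queues by default or issues to anyone when automatic approval is enabled, and each decision is recorded as an audit row of the kind the certificate database keeps. The directory entries, template permissions, request fields and the title/signingLimit attributes are constructed assumptions for the example.

```python
"""Model of the dispositions the Windows 2000 default policy module returns.
Added illustration, not Microsoft's code: the directory entries, template
permissions and request fields are constructed for this example."""
from enum import Enum

class Disposition(Enum):
    ISSUED = "issued"
    DENIED = "denied"
    PENDING = "pending"     # stand-alone CAs only: an administrator decides later

# Constructed stand-in for Active Directory: account -> groups and attributes.
DIRECTORY = {
    "EXAMPLE\\alice": {"groups": {"Domain Users"}, "title": "Buyer", "signingLimit": "5000"},
    "EXAMPLE\\bob":   {"groups": {"Domain Users", "Domain Admins"}, "title": "PKI Admin"},
}
# Constructed Enroll permissions per certificate template.
TEMPLATE_ENROLL = {"User": {"Domain Users"}, "Web Server": {"Domain Admins"}}
# Constructed: templates this CA is configured to issue (Policy Settings container).
CA_ISSUES = {"User", "Web Server"}

def enterprise_policy(request):
    """Enterprise CA: identity comes from the directory, so the answer is
    immediate (issue or deny); nothing is ever left pending."""
    account, template = request.get("requester"), request.get("template")
    entry = DIRECTORY.get(account)
    if entry is None:
        return Disposition.DENIED, "requester not authenticated by Active Directory", {}
    if template not in CA_ISSUES:
        return Disposition.DENIED, f"CA is not configured to issue {template!r}", {}
    if not entry["groups"] & TEMPLATE_ENROLL.get(template, set()):
        return Disposition.DENIED, f"{account} lacks Enroll permission on {template!r}", {}
    # Extra attributes the policy module may push into the issued certificate.
    extra = {k: entry[k] for k in ("title", "signingLimit") if k in entry}
    return Disposition.ISSUED, f"{account} has Enroll permission on {template!r}", extra

def standalone_policy(request, auto_issue=False):
    """Stand-alone CA: no directory lookup, so by default the request is
    queued for an administrator.  auto_issue hands a certificate to anyone."""
    if not request.get("subject"):
        return Disposition.DENIED, "offline request carries no subject", {}
    if auto_issue:
        return Disposition.ISSUED, "issued WITHOUT any identity check", {}
    return Disposition.PENDING, "queued for administrator approval", {}

def process(requests, policy):
    """Run requests through a policy; return audit rows of the kind the
    certificate database keeps (request id, disposition, reason)."""
    rows = []
    for request_id, req in enumerate(requests, start=1):
        disposition, reason, extra = policy(req)
        rows.append({"request_id": request_id, "disposition": disposition,
                     "reason": reason, "extensions": extra})
    return rows

def dispositions(rows):
    return [row["disposition"].value for row in rows]

REQUESTS = [   # constructed
    {"requester": "EXAMPLE\\alice", "template": "User", "subject": "CN=alice"},
    {"requester": "EXAMPLE\\alice", "template": "Web Server", "subject": "CN=www"},
    {"requester": "EXAMPLE\\bob", "template": "Web Server", "subject": "CN=www"},
    {"requester": None, "template": None, "subject": "CN=router1"},   # offline
    {"requester": None, "template": None, "subject": ""},
]

if __name__ == "__main__":
    for label, policy in [("enterprise", enterprise_policy),
                          ("stand-alone (default)", standalone_policy),
                          ("stand-alone (auto-issue)", lambda r: standalone_policy(r, True))]:
        print(label, dispositions(process(REQUESTS, policy)))
```

Running the module shows the contrast the text describes: the enterprise CA never returns a pending row, the default stand-alone CA never issues on its own, and the auto-issue stand-alone CA issues to the anonymous router request exactly as readily as to a known account.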

Certificate Templates

For enterprise CAs, certificate templates define the attributes for certificate types. You can configure enterprise CAs to issue specific certificate types to authorized users and computers. When a CA creates a certificate, the certificate template is used to specify its attributes, such as the authorized uses for the certificate, the cryptographic algorithms that are to be used with it, the public key length, and the certificate lifetime. Certificate templates are stored in Active Directory and provide information for each of the certificate types that are listed in Table 16.1.

Table 16.1 Certificate Types for Enterprise CAs

Certificate Type                                        Purpose of the Issued Certificate
Administrator                                           Used for authenticating clients and for EFS, secure mail, certificate trust list (CTL) signing, and code signing.
Authenticated Session                                   Used for authenticating clients.
Basic EFS                                               Used for EFS operations.
CEP Encryption (offline request)                        Used to enroll Cisco Systems, Inc. routers for IPSec authentication certificates from a Windows 2000 CA.
Code Signing                                            Used for code signing operations.
Computer                                                Used for authenticating clients and servers.
Domain Controller                                       Used for authenticating domain controllers. When an enterprise CA is installed, this certificate type is installed automatically on domain controllers to support the public key operations that are required when domain controllers are supporting Certificate Services.
EFS Recovery Agent                                      Used for EFS encrypted-data recovery operations.
Enrollment Agent                                        Used for authenticating administrators that request certificates on behalf of smart card users.
Enrollment Agent (computer)                             Used for authenticating services that request certificates on behalf of other computers.
Exchange Enrollment Agent (offline request)             Used for authenticating Microsoft® Exchange Server administrators that request certificates on behalf of secure mail users.
Exchange Signature Only (offline request)               Used by Exchange Server for client authentication and secure mail (used for signing only).
Exchange User (offline request)                         Used by Exchange Server for client authentication and secure mail (used for both signing and confidentiality of mail).
IPSec                                                   Used for IPSec authentication.
IPSec (offline request)                                 Used for IPSec authentication.
Root Certification Authority                            Used for root CA installation operations. (This certificate template cannot be issued from a CA and is used only when installing root CAs.)
Router (offline request)                                Used for authentication of routers.
Smart Card Logon                                        Used for client authentication and logging on with a smart card.
Smart Card User                                         Used for client authentication, secure mail, and logging on with a smart card.
Subordinate Certification Authority (offline request)   Used to issue certificates for subordinate CAs.
Trust List Signing                                      Used to sign CTLs.
User                                                    Used for client authentication, EFS, and secure mail (used for both signing and confidentiality of mail).
User Signature Only                                     Used for client authentication and secure mail (used for signing only).
Web Server (offline request)                            Used for Web server authentication.

Many certificate templates are provided for online requests from enterprise CAs. Online certificate templates are used to issue certificates to requestors that have Windows 2000 accounts and that can obtain certificates directly from an enterprise CA. Certificate templates for offline requests are used to issue certificates to requestors that do not have Windows 2000 accounts or that cannot obtain certificates directly from an enterprise CA. When a certificate is issued for an online request, identification information about the requestor is taken from the requestor's Windows 2000 user account and included in the issued certificate. Offline requests must carry the requestor's identification information in the certificate request itself when it is submitted. When you use the Certificate Services Web Enrollment Support pages to request offline certificates from an enterprise CA, enter the identification information (name, e-mail address, department, and so forth) in the Web form before you submit the request to the CA.

For example, you might use the Web Enrollment Support pages to obtain a Web Server certificate for a third-party Web server, and then install the certificate on the appropriate server computer. Likewise, you might obtain an offline IPSec certificate, and then manually install the certificate on a non-Windows 2000 IPSec client. The Subordinate Certification Authority certificate template is an offline template because the identification information for the subordinate CA is entered during the installation process.

An enterprise CA only issues the certificate types that are specified by its certificate issuing policy. By default, Windows 2000 enterprise CAs are installed so that they are ready to issue several types of certificates. You can modify the default configuration by using the Certification Authority console in MMC to specify the types of certificates that are to be issued by each CA.

Stand-alone CAs do not use certificate templates, so certificate requests to them must include all of the information needed to define the type of certificate to be issued. When Windows 2000 services submit certificate requests to stand-alone CAs, they include that information in the request. You can also use the Web Enrollment Support pages for stand-alone CAs to submit requests for a variety of certificate types.
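Because a stand-alone CA has no directory to consult, everything it will put in the certificate has to be in the PKCS #10 request itself, which is also the format the entry module accepts over RPC and HTTP (see Entry Module above). The following added example, which is not Microsoft's code, encodes a minimal PKCS #10 request in DER, decodes it back into the fields a policy module inspects, and reports what an offline request is missing. The subject names, key bytes and signature are constructed placeholders, and the signature is not verified here, which a real CA must do before issuing.

```python
"""PKCS #10 certificate request: DER encode and decode with no third-party
libraries.  Added example, not Microsoft's code; the subject names, key
bytes and signature below are constructed placeholders."""

NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O",
         "1.2.840.113549.1.1.1": "rsaEncryption",
         "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
         "2.5.29.17": "subjectAltName", "2.5.29.37": "extKeyUsage"}
EXT_REQ = "1.2.840.113549.1.9.14"      # pkcs-9-at-extensionRequest (kept dotted)

def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def seq(*items):  return tlv(0x30, b"".join(items))
def set_(*items): return tlv(0x31, b"".join(items))
def utf8(s):      return tlv(0x0C, s.encode())
def bitstr(b):    return tlv(0x03, b"\x00" + b)                  # no unused bits
def integer(n):   return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        while p >> 7:
            p >>= 7
            enc.append(0x80 | (p & 0x7F))
        body += bytes(reversed(enc))
    return tlv(0x06, bytes(body))

def build_request(subject, public_key, requested_extensions):
    """CertificationRequest (RFC 2986) with a zero placeholder where a real
    requester puts its signature over certificationRequestInfo."""
    name = seq(*(set_(seq(oid(o), utf8(v))) for o, v in subject))
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), bitstr(public_key))
    attrs = b""
    if requested_extensions:
        exts = seq(*(seq(oid(o), tlv(0x04, v)) for o, v in requested_extensions))
        attrs = seq(oid(EXT_REQ), set_(exts))
    info = seq(integer(0), name, spki, tlv(0xA0, attrs))   # [0] IMPLICIT Attributes
    sig_alg = seq(oid("1.2.840.113549.1.1.5"), tlv(0x05, b""))
    return seq(info, sig_alg, bitstr(b"\x00" * 16))        # placeholder signature

def children(body):
    """Split a constructed DER body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                                       # long-form length
            n, pos = int.from_bytes(body[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def decode_oid(body):
    parts, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    dotted = ".".join(map(str, parts))
    return NAMES.get(dotted, dotted)

def parse_request(der):
    """Fields a policy module looks at.  Signature NOT verified; a real CA must."""
    (_, top), = children(der)
    (_, info), (_, sig_alg), _ = children(top)
    (_, version), (_, name), (_, spki), (_, attrs) = children(info)
    subject = {}
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, o), (_, v) = children(atv)
            subject[decode_oid(o)] = v.decode()
    requested = []
    for _, attr in children(attrs):
        (_, a_oid), (_, values) = children(attr)
        if decode_oid(a_oid) == EXT_REQ:
            requested += [decode_oid(children(e)[0][1])
                          for _, e in children(children(values)[0][1])]
    return {"version": int.from_bytes(version, "big"), "subject": subject,
            "key_algorithm": decode_oid(children(children(spki)[0][1])[0][1]),
            "signature_algorithm": decode_oid(children(sig_alg)[0][1]),
            "requested_extensions": requested}

def offline_request_problems(parsed):
    """No directory to fill gaps from: the request must name its subject and use."""
    problems = []
    if "CN" not in parsed["subject"]:
        problems.append("no CN in subject")
    if not parsed["requested_extensions"]:
        problems.append("no extensionRequest attribute")
    return problems

# Constructed sample: what an offline Web Server request carries.
SAMPLE_REQUEST = build_request(
    subject=[("2.5.4.10", "Example Corp"), ("2.5.4.3", "web01.example.test")],
    public_key=bytes(range(32)),                           # placeholder, not a key
    requested_extensions=[("2.5.29.17", b"\x30\x00"), ("2.5.29.37", b"\x30\x00")])
```

Calling parse_request(SAMPLE_REQUEST) returns the subject, key and signature algorithms, and the requested extensions; a request built with only an O and no extensionRequest attribute makes offline_request_problems report both gaps, which is the information an enterprise CA would otherwise have filled in from the account and the template.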

Certificate Database

The certificate database records all certificate transactions. It tracks all certificate requests and records whether they were granted or denied. It records information for the issued certificate, such as the serial number and expiration date. It provides a complete audit trail for each certificate from request to expiration. It also flags and tracks certificates that are revoked by CA administrators. You can use the Certification Authority console to manage the audit trail.

Because the certificate database is a transaction database, it includes certificate log files, which record all certificate transactions. By default, the certificate database and the certificate log files are installed at the following location:

<Drive:>\WINNT\System32\CertLog


where <Drive:> is the letter of the disk drive where the CA is installed.

At the time you install the CA, you have the option of choosing another location to install either the database or the logs, including storing the database and log files separately on different drives.

Exit Modules

The exit module packages the issued certificate in the appropriate transport mechanism or protocol and distributes it to the location specified in the request. Certificate requests can specify that the certificate be distributed to Lightweight Directory Access Protocol (LDAP) directory services, file systems, or URLs. An exit module also delivers certificate revocation lists (CRLs) to CRL distribution points.

The default enterprise exit module publishes certificates and CRLs to Active Directory, and the default stand-alone exit module publishes certificates and CRLs to the local file system. However, Windows 2000 Certificate Services supports multiple exit modules, and you can use the Certification Authority console to install them for a CA. For example, you can install exit modules that send certificates and CRLs in e-mail messages or send them to public folders on the network. You can also install exit modules that post certificates to legacy open database connectivity (ODBC) databases or to third-party LDAP directory services.

Like the policy module, the exit module is a DLL and is fully customizable. For more information about customizing exit modules, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. You can change the installed exit module by using the Certification Authority console. You also can develop your own exit modules or acquire third-party exit modules.

Certification Authority Console

The Certification Authority console is an MMC snap-in that you can use to manage multiple CAs, performing a variety of administrative tasks that include the following:

For more information about how to use the Certification Authority console to manage a CA and perform specific administration tasks, see Certificate Services Help.

To add a Certification Authority console to MMC

  1. Open MMC.
  2. Click Console, and then click Add/Remove Snap-in or press CTRL+M.

    The Add/Remove Snap-in dialog box appears.

  3. Click Add.

    The Add Standalone Snap-in dialog box appears.

  4. Select Certification Authority from the list of snap-ins, and then click Add.

    The Certification Authority dialog box appears.

  5. Choose one of the following:

    You can click Add in the Add Standalone Snap-in dialog box again to add more Certification Authority consoles.

    The Add/Remove Snap-in dialog box displays the snap-ins that you have added and that are to be installed in MMC.

  6. When you have finished adding snap-ins, in the Add Standalone Snap-in dialog box, click Close.
  7. In the Add/Remove Snap-in dialog box, click Close.

Figure 16.3 shows an example of a Certification Authority console that has been added to MMC. This console manages the CA on the local computer.

Figure 16.3    Certification Authority Console

The Certification Authority (Local) console node has been expanded to show all of the containers for an enterprise CA named Enterprise-Root-CA. These containers are used as follows:

Revoked Certificates   Click this container to show information about all revoked certificates for this CA. To manually publish CRLs, right-click the Local node. Click All Tasks, and then click Publish. To change the CRL publication schedule, right-click the Local node, and then click Properties. To view a certificate, double-click the certificate. Use the dialog boxes that appear to publish the CRL, change the CRL publication schedule, or view the certificate.

Issued Certificates   Click this container to show information about all certificates that have been issued by this CA. To revoke a certificate, right-click the certificate, and then click All Tasks. Then click Revoke Certificate. To view a certificate, double-click the certificate. Use the dialog boxes that appear to revoke or view certificates.

Pending Requests   Click this container to show information about all certificate requests that are pending for this CA. To approve a pending request, right-click it, click All Tasks, and then click Issue. To deny a pending request, right-click it, click All Tasks, and then click Deny, and use the dialog box that appears to confirm the denial.

Failed Requests   Click this container to show information about all certificate requests that have failed. The Request Disposition Message column explains why each request failed.

Policy Settings (Enterprise CAs Only)   Select this container to show the types of certificates that the enterprise CA can issue. To remove one of the types of certificates, select the type you want to delete, and then press DELETE. To add another type of certificate, right-click the container. Click New, and then click Certificate to Issue. Use the dialog box that appears to add the types of certificates that you want to issue.

When you click a container (such as the Failed Requests container), by default, many of the columns that can be displayed in the details pane of the console are hidden.

To change the columns that are displayed in the details pane for a container

  1. Right-click the container, click View, and then click Choose Columns.

    The Modify Columns dialog box appears.

  2. Use the Modify Columns dialog box to add, remove, or change the order in which columns appear, and then click OK.

    For more information about how to use the Modify Columns dialog box, see Certificate Services Help.

© 1985-2000 Microsoft Corporation. All rights reserved.