Windows 2000 Certificate Services and Public Key Infrastructure

Previous Topic Next Topic

Using the Web Enrollment Support Pages

To use the Web Enrollment Support pages, open the following URL with your Web browser:

http://<servername>/certsrv

where <Servername> is the name of the server computer where the Web Enrollment Support pages are installed.

When the Welcome page appears in your browser window, choose one of the options described in Table 16.20.

Table 16.20 Welcome Page Options

Option Description
Retrieve the CA certificate or certificate revocation list Retrieves the CA's certificate or the most current CRL. When you click Next, the Retrieve The CA Certificate or Certificate Revocation List page appears. You can also use this page to establish trust for the CA on the local computer by installing the certification path for the CA's certificate in the certificate store of the local computer.
Request a certificate Requests a basic certificate or to submit a certificate request by using advanced options, as described later in this chapter. When you click Next, the Choose Request Type page appears.
Check on a pending certificate Checks the status of a pending certificate request and installs the certificate after the request has been approved. When you click Next, the Check On a Pending Certificate Request page appears. Use this option for certificate requests that are sent to stand-alone CAs. If you don't check the status of pending certificates within 10 days, the pending certificates are not issued and you must request the certificate again.

After you have selected an option, click Next. Different Web pages appear for each option.

Choosing the Type of Certificate to Request

You can use the Choose Certificate Type page to request user certificates or to submit a certificate request by using the advanced options that are described in Table 16.21.

Table 16.21 Choose Certificate Type Page

Option Description
User certificate request Select one of the certificate types listed. For enterprise CAs, you can select User Certificate. For stand-alone CAs, you can select either E-Mail Protection Certificate or Web Browser Certificate. The Web Browser and E-Mail Protection certificates for stand-alone CAs together provide most of the functionality of the User certificate type for enterprise CAs (except for EFS functionality). When you click Next, the User Certificate - Identifying Information page appears.
Advanced request Makes a certificate request by using advanced options. When you click Next, the Advanced Certificate Requests page appears.

After you select an option, click Next, and then complete the certificate request process by using the Web pages that appear.

When you request a certificate from an enterprise CA, the CA uses the certificate template and user account information in Active Directory to verify your user account and determine whether to approve or deny the certificate request. However, by default, stand-alone CAs store certificate requests as "pending" until a CA administrator approves or denies the request. Use the stand-alone Web pages to submit a request for a certificate from the stand-alone CA, and then return later to the Web pages to check the status of the pending request. When the request has been approved, you are prompted to install the issued certificate. You can configure stand-alone CAs to grant certificate requests immediately, but this is a significant security risk and is not recommended.

Submitting User Certificate Requests

You can use the User Certificate - Identifying Information page to request user certificates by using the options that are described in Table 16.22.

Table 16.22 User Certificate - Identifying Information Page

Option Description
Identifying Information(stand-alone CAs only) Enter identification information that is to appear in the certificate including Name, E-Mail, Company, Department, City, State, and Country/region. Enterprise CAs obtain this information from Active Directory. This information is included in the Subject field of the certificate when it is issued.
More options Displays advanced options for choosing the CSP or for choosing strong private key protection.
Enable strong private key protection Provides strong private key protection. When this option is selected, the system prompts the user for permission before it performs cryptographic operations with the user's private key.
CSP The default CSP is the Microsoft Base Cryptographic Provider or the Microsoft Enhanced Cryptographic Provider, depending on whether the Windows 2000–based client that requests the certificate is exportable or not. You have the option of choosing a CSP from the selection list, which is used for the private key. The CSP you choose must support the type of certificate to be issued. For example, a smart card CSP cannot support a Basic EFS certificate.

After you configure options in the User Certificate - Identifying Information page, click Next. For enterprise CAs, requests are submitted to the CA and approved immediately. For a stand-alone CA, certificate requests are held as "pending" until an administrator approves the certificate request. You must return to the Welcome page within 10 days and select the Check on a pending certificate option to determine whether a pending certificate request has been approved. When the certificate is issued, the Issued Certificate page appears so that you can install the certificate.

Submitting Advanced Certificate Requests

You can use the Advanced Certificate Requests page to request certificates by using advanced options that are described in Table 16.23.

Table 16.23 Advanced Certificate Requests Form

Option Description
Submit advanced requests to this CA using a form. Submits an advanced certificate request by using a Web form. When you click Next, the Advanced Certificate Request form appears.
Submit a certificate request using a base 64 encoded PKCS #10 file or a renewal request using a base 64 encoded PKCS #7 file Submits a certificate request by using a certificate request or a certificate renewal file. When you click Next, the Submit a Saved Request page appears.
Request a certificate for a smart card on behalf of another user by using the Smart Card Enrollment Station Requests smart card certificates for other users. When you click Next, the Smart Card Enrollment Station page appears.

After you select an option, click Next, and then use the Web pages that appear to submit the advanced request.

Advanced Certificate Request Form

You can use the Advanced Certificate Request form to submit certificate requests by using the options that are described in Table 16.24.

Table 16.24 Advanced Certificate Request Page

Option Description
Identifying Information(stand-alone CAs only) Type identification information that is to appear in the certificate, including Name, E-mail, Company, Department, City, State, and Country/region. Enterprise CAs obtain this information from Active Directory. This information is included in the Subject field of the certificate when it is issued.
Intended Purpose(stand-alone CAs only) Choose the intended purpose of the certificate that is to be requested from the selection.
Certificate Template(enterprise CAs only) Choose the certificate template from the selection list that is to be used by the enterprise CA to process the certificate request and issue the certificate.
CSP The default CSP is the Microsoft Base Cryptographic Provider or the Microsoft Enhanced Cryptographic Provider, depending on whether the Windows 2000 client that requests the certificate is exportable or not. You have the option of choosing a CSP from the selection list, which is to be used for the private key. The CSP you choose must support the type of certificate that is to be issued. For example, a smart card CSP cannot support a Basic EFS certificate.
Key Usage Select the basic purpose of the certificate that is to be issued. The options are Exchange, Signature, or Both. If you click Exchange, the key can be used for symmetric key exchange only. If you click Signature, the key can be used for digital signing only. The default is Both, so the key can be used for both purposes.
Key Size For a Key Usage of Exchange or Both, you can enter a key length from 384 bits to 1,024 bits. The minimum recommended key length is 512 bits. For a Key Usage of Signature, you can enter a key length from 384 bits to 16,384 bits. Key generation for very large signing keys can take a considerable amount of time.
Create new key set This is selected by default, so a new private key and public key set are created for the issued certificate. Click Select the container name to enter a container name for the private key in the Container name box.
Use existing key set Uses an existing private key and public key set. You also can enter the name of the key container in the Container name box. You must not reuse private keys if the maximum safe lifetime of the key might be exceeded.
Enable strong private key protection Provides strong private key protection. When this option is selected, the system prompts the user for permission before it performs cryptographic operations with the user's private key.
Mark keys as exportable Enables the private key to be exported. Private keys that are used for digital signing (signatures) cannot be enabled for export.
Use local machine store Stores a certificate that is to be issued in the HKEY_LOCAL_MACHINE subtree of the system registry for the local computer. You must be an administrator to use this option. The default certificate storage location for user certificates is the Personal certificate store for the user. Select this option to request and install computer certificates for the local computer.
Hash Algorithm Select the message digest (hash) algorithm that is used to sign the certificate request and ensure its integrity. The default algorithm is SHA-1. You can choose another algorithm from the selection list, which is used to sign the certificate request.
Save request to a PKCS #10 file Saves the certificate request to a file rather than submitting the request to the CA. You must also type a file name in the File name box. You can submit the request file to a CA later.
Attributes Enter additional attributes for the requested certificate in the Attributes box. For more information about certificate attributes and the syntax to use, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.

For enterprise CAs, the Advanced Certificate Requests form enables you to request all certificate types that are supported by the enterprise CA's certificate issuing policy. Enterprise CAs use certificate templates and information in the logged-on user's user account to process and issue the requested certificates. For offline certificate templates, you must type identifying information in the following fields of the Web form:

This information is included in the Subject field of the certificate when it is issued. For online certificate templates, this information is obtained from the Windows 2000 user account of the logged on user.

For stand-alone CAs, you also can choose the following types of certificates in Intended Purpose:

Certificate uses are based on the object identifier contained in the Extended Key Usage field of X.509 version 3 certificates. You can optionally choose Other types of certificates from the selection list and enter the object identifier in the Usage OID box. Some object identifiers for certificate types that are not included in the Intended Purpose selection list include the following:

For more information about the available types of certificates and their object identifiers, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.

After you have configured the options in the Advanced Certificate Request page, click Next. For enterprise CAs, requests are submitted to the CA and approved immediately. For a stand-alone CA, certificate requests are held as "pending" until an administrator approves the certificate request. You must return to the Welcome page within 10 days and select the Check on a pending certificate option to determine whether a request has been approved. When the certificate is issued, the Issued Certificate page appears so that you can install the certificate.

Submit a Saved Request Page

You can use the Submit a Saved Request page to submit a request file to the CA by using the options that are described in Table 16.25.

Table 16.25 Submit a Saved Request Page

Option Description
Saved Request Paste the certificate request into the Saved Request box, or click Browse to locate and select a request file that is to be inserted in Saved Request. Requests can be either base 64 encoded PKCS #10 certificate requests or PKCS #7 renewal requests.
Certificate Template(enterprise CAs only) Choose the certificate template from the selection list that is to be used by enterprise CAs to process the certificate request and issue the certificate.
Attributes Enter additional attributes for the requested certificate in the Attributes box. For more information about certificate attributes and the syntax you must use, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.

After you have configured the options in the Submit a Saved Request page, click Next. For enterprise CAs, requests are submitted to the CA and approved immediately. For a stand-alone CA, certificate requests are held as "pending" until an administrator approves the certificate request. You must return to the Welcome page within 10 days and select the Check on a pending certificate option to determine whether a pending certificate request has been approved. When the certificate is issued, the Issued Certificate page appears so that you can install the certificate.

Smart Card Enrollment Station Page

To enable central and secure administration of your smart card program, the Web Enrollment Support pages include the Smart Card Enrollment Station page so that trusted administrators or security personnel can enroll for smart card certificates on the behalf of other users. Things to keep in mind for using this station include the following:

You can modify the Enroll permissions for the Enrollment Agent, Smart Card Logon, and Smart Card User certificate templates to allow other users and security groups to enroll for these certificates. For example, you can modify the ACLs for the smart card certificate templates to grant the Domain Users security group (all user accounts in the domain) Enroll permissions so that they can request or renew their own smart card certificates. However, this weakens the overall security provided by smart cards and is not recommended.

In addition, when someone has an Enrollment Agent certificate, they can enroll for a certificate and generate a smart card certificate on behalf of anyone in the organization. The resulting smart card might then be used to log on to the network and impersonate the real user. The unauthorized impersonator can have all the rights and permissions that are granted to the authorized user. For this reason, it is strongly recommended that your organization maintain strict security policies over who can be issued this certificate type.

For example, to minimize the risk of Enrollment Agent certificate misuse, you can configure one dedicated subordinate CA with restrictive administrative controls to issue Enrollment Agent certificates for your organization. After the initial Enrollment Agent certificates have been issued, the administrator of the CA can disable the issuance of Enrollment Agent certificates until they are needed again. By restricting which administrators can operate the CA service on the subordinate CA, the service can be kept online for the generation and distribution of CRLs, if necessary. Other CAs in the hierarchy can conceivably still issue Enrollment Agent certificates if their issuing policy settings are changed, but you can determine whether inappropriate Enrollment Agent certificates are issued by regularly checking the Issued Certificates log for each CA.

You also can change the ACLs on the Enrollment Agent, Smart Card Logon, and Smart Card User certificate templates to grant Enroll permissions to a small group of trusted administrators only. For example, you might allow only members of a smart card security officers security group to have Enroll permissions for the Enrollment Agent, Smart Card Logon, and Smart Card User certificate templates.

Tip

In Windows 2000, only one certificate and one private key can be stored on a smart card. Windows 2000 Certificate Services includes the Smart Card User certificate template, which supports network logon authentication, client authentication for Web communications, and secure mail. To provide maximum functionality for smart cards, you can issue this certificate to smart card users rather than the Smart Card Logon certificate, which is valid only for network logon authentication.

You can use the Smart Card Enrollment Station page to enroll users for smart card certificates by using the options described in Table 16.26.

Table 16.26 Smart Card Enrollment Station Options

Option Description
Identifying Information(stand-alone CAs only) Type identification information that is to appear in the certificate, including Name, E-mail, Company, Department, City, State, and Country/region. Enterprise CAs obtain this information from Active Directory.
Intended Purpose(stand-alone CAs only) From the selection list, choose the intended purpose of the certificate that is to be requested.
Certificate Template(enterprise CAs only) From the selection list, choose the certificate template that is to be used by the enterprise CA to process the certificate request and issue the certificate. For example, choose either Smart Card Logon or Smart Card User.
Cryptographic Service Provider Choose the smart card CSP that is appropriate for the user's smart card. For example, choose the Gemplus GemSAFE Card CSP for Gemplus smart cards or the Schlumberger Cryptographic Service Provider for Schlumberger smart cards.
Administrator Signing Certificate From the selection list, click Select Certificate to choose your Enrollment Agent certificate. You cannot use an Enrollment Agent certificate that belongs to someone else.
User to Enroll Click Select User to select a user account from Active Directory for which you are enrolling the smart card certificate.

After you have configured all of the options, insert the user's smart card in the smart card reader. Then click Enroll to request the smart card certificate. The PIN confirmation process and dialog boxes that appear differ depending on the specific smart card CSP that is used.

For the Schlumberger Cryptographic Service Provider, the Smart Card PIN Confirmation dialog box appears. For the Gemplus GemSAFE Card CSP, an untitled dialog box appears. Use the dialog box to confirm the PIN for the smart card. You also have the option of changing the PIN. Table 16.27 describes the options for the Schlumberger CSP dialog box. Table 16.28 describes the Gemplus CSP dialog box.

Table 16.27 Smart Card PIN Confirmation Dialog Box (Schlumberger CSP)

Option Description
Please enter your PIN Type the correct PIN for the smart card that is inserted in the smart card reader. Click OK to submit the PIN for confirmation by the CSP.
Change PIN after Confirmation Select this check box to change the PIN. When you click OK, the CSP confirms the PIN you typed in the Please enter your PIN box, and then displays the Change PIN on Smartcard dialog box. Type the new PIN in the New PIN box; type it again in the Confirm New PIN box. Click OK to change the PIN.

Table 16.28 Untitled Dialog Box (Gemplus CSP)

Option Description
Unlabeled box Type the correct PIN for the smart card that is inserted in the smart card reader. Click Change to change the PIN, or click OK to submit the PIN for confirmation by the CSP.
Change Changes the PIN. The CSP confirms the PIN you typed in the unlabeled box and displays the Please Enter New PIN Code dialog box. Type the new PIN in the top (unlabeled) box, and then type it again in the bottom (unlabeled) box. Click OK to change the PIN.

It is recommended that you assign a unique PIN for each smart card that is issued. Your policies for PINs can be much less restrictive than your policies for network passwords. In general, network passwords require long and complex composition, and it is recommended that users change them often. Users are more likely to write down their complex passwords because they are hard to remember. However, PINs can be changed infrequently and can be relatively short and easy to remember so that users are less likely to write them down. PINs are managed by the smart card CSP and can be changed only when smart card certificates are issued or renewed.

After the smart card PIN is confirmed or successfully changed, the smart card CSP generates the public key and private key set, and then stores the private key and the certificate on the user's smart card. When the smart card certificate is issued, the Status section of the Smart Card Enrollment Station page appears with a message that explains that the smart card is ready. Click View Certificate to display the certificate and verify that the user account information and the certificate type are correct. Click New User to submit another certificate request by using the Smart Card Enrollment Station page.

Installing the Certificate After It Is Issued

For enterprise CAs, the certificate is approved and issued after a short time unless the request is denied. For stand-alone CAs, certificate requests are held as "pending" until an administrator approves the request and the CA issues the certificate.

When certificates (except smart card certificates) are issued by CAs, the Issued Certificate page appears. Click Install this certificate to install the certificate in the Personal certificate store for the logged-on user. If you are requesting a certificate for a computer, you must select the Use local machine store option on the Advanced Certificate Request Form page to install the certificate in the Personal store for the computer rather than in the Personal store for the logged-on user.

For subordinate CA certificates, click Install this certification path to install the certification path file for the CA. You then can use the Certification Authority console to install the certification path file and certify the CA.

© 1985-2000 Microsoft Corporation. All rights reserved.