Lock IT Down: Setting up Certificate Server in Windows 2000

Learn the steps to making your Windows 2000 server a certificate authority

One of the biggest things in computer security these days is digital certificates. Digital certificates provide security by guaranteeing that communications really come from the sender they claim to come from and that the packets haven’t been modified since they were sent. Digital certificates are also used to sign files, thus verifying their legitimacy. However, before you can take advantage of digital certificates, you have to set up a Certificate Server. In this Daily Drill Down, I’ll walk you through the process.

Before you begin
Before you begin setting up a Certificate Server, it’s important to point out that you must choose the server very carefully. Setting up a Certificate Server is a semipermanent operation. Once you’ve installed the Certificate Services, you can’t rename the server. You can’t join it to or remove it from a domain, either. You should also plan on backing up the Certificate Server on a regular basis. If the Certificate Server were to crash and you didn’t have a backup, then all of the certificates the server contained could be lost forever. This could cause a catastrophic communications breakdown on your network. Therefore, be sure to select a stable server that you know will be backed up regularly and be sure to protect the server from viruses and physical tampering.

Before you install the Certificate Services, you’ll also need to decide what role you want the Certificate Server to play. To do so, you’ll have to pick the certificate authority type. There are four distinct certificate authority types. A certificate authority can either act as an enterprise certificate authority or as a stand-alone certificate authority. You must also choose whether the certificate authority will act as a root or as a subordinate. The certificate server that I’ll be configuring in my example will act as an enterprise root, but I’ll explain the differences among the various roles so that you can choose which role is right for you.

Enterprise certificate authorities
As the name implies, enterprise certificate authorities are designed to act as a part of the enterprise security infrastructure. Their job is to issue and revoke certificates to end users within a domain. Because of the nature of their duties, enterprise certificate authorities require access to Active Directory. An enterprise certificate authority is automatically trusted by all users and computers within a domain because the server’s certificate is added to the Active Directory’s Trusted Root Certification Authorities list. If you’re planning on implementing smart card security, this is the type of Certificate Server you’ll need to implement.

Stand-alone certificate authorities
Stand-alone certificate authorities don’t interact with Active Directory in any way and therefore don’t require Active Directory to be installed on your network. Stand-alone certificate authorities are designed to provide digital certificates to Internet-based users who won’t be logging in through a domain. Keep in mind that stand-alone certificate authorities are intended to service only external users and therefore can’t be used to service domain logins, including those that are smart-card based.

Root and subordinate certificate authorities
Sometimes an organization is simply too big for a single Certificate Server to handle. In such cases, you can build a Certificate Server chain that’s composed of a root certificate authority and subordinate certificate authorities. The way this works is that the root certificate authority issues certificates to the subordinate certificate authorities, granting them permission to issue and revoke certificates to and from end users and computers. In an enterprise environment, this means that you can delegate permission to issue certificates to branch offices or to other departments by providing them with a subordinate Certificate Server. However, you can still control the overall operation by maintaining control over the root certificate authority. If the root certificate authority is the only Certificate Server in the domain, it can service users and computers without having to rely on a subordinate certificate authority.

Installing the Certificate Services
Now that you’re familiar with the basic roles of Certificate Servers, let’s begin the installation process. Begin by opening the Control Panel and double-clicking on the Add/Remove Programs icon to open the Add/Remove Programs dialog box. Click the Add/Remove Windows Components button to launch the Windows Components Wizard. The wizard’s initial screen contains a list of the various components that you can install. Select the Certificate Services check box from the component list. You’ll see a warning message indicating that after installation of the Certificate Services, the computer can’t join or be removed from a domain. You’ll also be asked if you want to continue. Click Yes.

At this point, make sure that the Certificate Services component is selected and click the Details button. You’ll see that there are two components included in the Certificate Services. The first is the Certificate Services CA. This component takes care of the basic tasks involved in creating a certificate authority. The other component is the Certificate Services Web Enrollment Support. This optional component lets you create a Web page that’s capable of submitting requests and retrieving digital certificates. Select the desired options and click OK. For my example, I’ll be installing both components.

At this point, you’ll be returned to the main component list. Click Next, and you’ll see the screen shown in Figure A. This screen asks you to choose the type of certificate authority you want to create. The choices are Enterprise Root CA, Enterprise Subordinate CA, Stand-alone Root CA, or Stand-alone Subordinate CA. For my example, I’ll be using the Enterprise Root CA option. If you select the Advanced Options check box, you’ll have a chance to select the encryption algorithms you want to use. It isn’t necessary to use the Advanced Options, but I’ll walk you through it just in case you want to use them. Click Next to continue.

Figure A
Selecting the role of the Certificate Server you’re creating is a click away.

Now, you’ll see the screen shown in Figure B (assuming that you’ve chosen to use the Advanced Options). The first window in this dialog box asks you to choose the Cryptographic Service Provider (CSP). By default, Microsoft Base Cryptographic Provider v1.0 is selected, but you can select a different provider if another one better suits your needs. Next, you must select the hash algorithm. Both MD4 and MD5 have known weaknesses, so I recommend sticking with the default value of SHA-1.

Next, you’ll need to select your encryption key length. The default value is 1024 bits. You can go all the way up to 4096 bits, as shown in the figure, but keep in mind that some non-Microsoft encryption services can’t handle values above 1024.

Below the Key Length drop-down list is the Use Existing Keys check box. You can use this check box, along with the window below it and the Import button, to use keys that you’ve previously used. If this is your first Certificate Server or you don’t want to use your old keys, don’t worry about this option. Click Next to continue.

Figure B
Using the Advanced Options allows you to customize your encryption keys.

At this point, you’ll be asked to enter some information to identify the certificate authority. As you can see in Figure C, this information includes things like the organization that the certificate authority services and some contact information. As you enter the identification information, keep in mind that you should avoid using special characters such as ^, &, *, and (. Remember that the information you enter will be encoded in Unicode format, and some applications may have trouble decoding special characters.

Another option on this portion of the wizard allows you to set the time period for which the certificates are valid. The default period is two years, but you can adjust it to meet your needs.

Figure C
You’ll have to enter some information to identify your certificate authority.

Now, just kick back and relax for a while as the wizard generates your encryption keys. When the process completes, you’ll be asked where you want to place the certificate database and database logs. This is the location where the certificate authority’s certificates will be stored. As I said earlier, choose a location that is backed up regularly. There are also two other important options on this screen that you need to be aware of.

First, notice a check box labeled Store Configuration Information In A Shared Folder. You can use this option in situations where Active Directory isn’t being used. Entering the name of a shared folder makes the certificates accessible to clients.

The other option you’ll want to be aware of is the Preserve Existing Certificate Database check box. You’ll need to use this check box if you ever have to reinstall the Certificate Services, so that you don’t overwrite your certificate databases.

Figure D
Enter the location of the certificate database and its log files.

Click Next to continue. If Internet Information Services is running, you’ll see a message stating that you must stop the services before continuing. Windows will give you the chance to stop the services from within the wizard. Windows will now take several minutes to configure the Certificate Services. During this time, you may be asked to insert your Windows 2000 installation media or your Service Pack CD. When the process completes, click the Finish button to close the wizard. At this point, you’ll be asked to reboot the server. When the server reboots, the new certificate authority will be automatically started.
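
The choices made in the wizard (hash algorithm, key length, validity period, root or subordinate role) end up in the CA certificate itself, so they can be checked after installation. The following PowerShell is an added example, not part of the original article or of any Microsoft tool; it assumes Windows PowerShell 5.1 or later, and the function name, parameters and thresholds are illustrative. It flags MD4 and MD5, which the article warns against, plus SHA-1 signatures and RSA keys under 2048 bits, thresholds assumed here from current practice rather than taken from the article.

```powershell
# Added example: audit installed CA certificates for the choices made in the wizard
# (hash algorithm, key length, validity period). Names and thresholds are illustrative.
function Get-CaCertificateAudit {
    param(
        # Root = Trusted Root Certification Authorities, CA = Intermediate CAs
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'),
        [int]$MinRsaBits     = 2048,   # assumption: current minimum, not the wizard default
        [int]$ExpiryWarnDays = 90      # assumption: renewal warning window
    )
    # Signature algorithm OIDs built on MD4/MD5 (named in the article) and SHA-1
    $weakSignature = @{
        '1.2.840.113549.1.1.3' = 'md4RSA'
        '1.2.840.113549.1.1.4' = 'md5RSA'
        '1.2.840.113549.1.1.5' = 'sha1RSA'
    }
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            $findings = @()
            $isRoot   = $cert.Subject -eq $cert.Issuer   # self-issued certificate

            $oid = $cert.SignatureAlgorithm.Value
            if ($weakSignature.ContainsKey($oid)) {
                $findings += "weak signature hash ($($weakSignature[$oid]))"
            }

            # Returns $null for non-RSA (for example ECDSA) public keys
            $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $bits = if ($rsa) { $rsa.KeySize } else { $null }
            if ($bits -and $bits -lt $MinRsaBits) { $findings += "RSA key is $bits bits" }

            $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            if ($daysLeft -lt 0) {
                $findings += 'expired'
            } elseif ($daysLeft -lt $ExpiryWarnDays) {
                $findings += "expires in $daysLeft days"
            }

            [pscustomobject]@{
                Store    = $path
                Role     = if ($isRoot) { 'Root' } else { 'Subordinate' }
                Subject  = $cert.Subject
                RsaBits  = $bits
                NotAfter = $cert.NotAfter
                Findings = $findings -join '; '
            }
        }
    }
}

# Show only certificates with at least one finding
Get-CaCertificateAudit | Where-Object { $_.Findings } | Format-Table -AutoSize -Wrap
```

For a root, the hash on the self-signature matters less than for a subordinate, whose certificate is verified through the signature its issuing CA placed on it.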

Managing the Certificate Server
Once you’ve installed the Certificate Services, you’ll have to set up a console to manage it. To do so, enter the MMC command at the Run prompt. When Microsoft Management Console loads, select the Add/Remove Snap-In command from the Console menu. When you do, you’ll see the Add/Remove Snap-In properties sheet. Click the Add button on the General tab to display a list of available snap-ins. Select the Certificate Authority snap-in from the list and click Add. You’ll see a dialog box that asks whether the snap-in will be used to manage the local computer or another computer. Select the local computer option and click Finish, followed by the Close and OK buttons. When you’re done, the snap-in will be configured to manage the certificate authority that you’ve just created, as shown in Figure E.

Figure E
You’ll have to use a Microsoft Management Console snap-in to manage the certificate authority you’ve created.

To keep from having to repeat this process every time you want to work with the certificate authority, you can save the console settings through the Save As option on the Console menu. When you do, a shortcut will be automatically created under the Administrative Tools menu, assuming that you save the console settings in the default location.

Digital certificates are one of the most important parts of a network’s security. However, before you can take advantage of digital certificates, you must have a Certificate Server that will be responsible for issuing them. This Daily Drill Down explained how to install and configure a Certificate Server. In part two, I’ll explain some techniques that you can use to manage the Certificate Server you’ve just created.
