Given the many security issues involved with e-mail, using encryption technology is a must. Certificates are one way to combat security holes and in this Daily Drill Down, Deb Shinder shows you how to manage them for your users using the snap-in tool.
Digital certificates are an important element in your network’s public key infrastructure (PKI), which uses public key cryptography to ensure that the parties engaging in exchange of data and electronic transactions are who they claim to be. Validation of the identity of the parties is accomplished via a trusted third party, called a certification authority (CA). Certificates are used for smart card authentication, IP Security (IPSec), Web authentication, and data encryption methods such as Windows 2000’s Encrypting File System (EFS).
Microsoft has built strong support for certificate services into the Windows 2000 Server and Professional operating systems. In this Daily Drill Down, I will discuss the tools that administrators and users (with the proper permissions) can use to view, request, and manage digital certificates for other users, computers, and services. I will also focus on how administrators can manage certificates via the Certificate MMC snap-in.
The certificate tools
There are a number of ways to work with certificates in Windows 2000, depending on the task you want to perform, your permissions (group membership), the type of certificate, and whether the certificate is being issued by a standalone or enterprise CA.
After evaluating these factors, you can select one of the following tools in Windows 2000 Professional:
- The Certificate Manager
- The Certificate Services Web Pages
- The Certificate MMC snap-in
We will look briefly at when and how each of these tools is used in the following sections.
The Certificate Manager is accessed via Start | Settings | Control Panel | Users And Passwords. Select the Advanced tab and click the Certificates button to open the tool, which is shown in Figure A.
|You can request and manage certificates in Win2K Pro using the Certificate Manager.|
You must be a member of the administrators group to use the Users And Passwords applet in Windows 2000 Professional.
By default, Certificate Manager is used for client authentication and secure e-mail certificates, but you can add “advanced purposes” certificate types, such as server authentication, EFS, IPSec, etc.
The Certificate Services Web pages
The Certificate Services Web pages provide an easy way for users to request certificates. When a Windows 2000 Server on the network is operating as a CA, by default the server hosts certificate services Web pages at http://<servername>/certsrv. Using these pages requires a supported browser: MSIE 4.0 or Netscape 3.01 or above.
If a user is requesting a certificate from a standalone CA (used when Active Directory is not implemented, or on extranets) the Web pages must be used to make the request. Standalone CAs cannot issue smart card certificates for logging on to a Windows 2000 domain, and do not use certificate templates. If the request is made of an enterprise CA (which requires Active Directory), the Certificate snap-in or the Web pages can be used to make the request.
The Certificate Services Web page is shown in Figure B.
|Users can request certificates via a Web browser using the Certificate Services Web pages.|
The Web pages can be used to request a basic certificate or one with advanced options, and to check on pending certificates. Administrators can also use the pages to retrieve the CA certificate or the Certificate Revocation List (CRL). Advanced options include specifying the name of a cryptographic service provider (CSP), managing the key sets, and saving the request to file.
The Certificate MMC snap-in
The tool most commonly used by administrators in managing certificates is the Certificate MMC snap-in. The rest of this Daily Drill Down will focus on how you can use the Certificate snap-in for managing certificates associated with one or more of the following:
- The current logged on user
- The local computer or another computer
- A service account on the local computer or another computer
The Certificate MMC console is shown in Figure C.
|You can use the Certificate snap-in to manage user, computer, and service certificates.|
Although users (with the proper permissions) can use the Certificate snap-in to view, request, and manage their certificates, Microsoft recommends that users do not personally manage their certificates in most cases. Instead, they can be managed by policy settings, automatically by the programs that use certificates, and by administrators.
Using the Certificate snap-in
Certificates are one of many snap-ins that can be added to a custom MMC. The Certificates console does not appear in the Administrative Tools menu. (Although Certification Authority, a different tool, may be there if you’ve installed the Adminpak.msi server tools on your Windows 2000 Pro machine.) You must create a new MMC and add the snap-in to it.
Creating the Certificate MMC
To create a new, empty console, type mmc at the Run prompt. Add the Certificate snap-in by selecting Console in the top menu bar and selecting Add/Remove Snap-in from the context menu.
Click the Add button and you will be provided with a list of snap-ins that can be added, as shown in Figure D.
|Add the Certificate snap-in to the newly created Microsoft Management Console.|
When you click the Add button to add Certificates, you will be asked to select whether the snap-in is to manage certificates for your user account, for a service account, or for a computer account.
You can select only one of the three choices of certificate types to manage. You can, however, add additional Certificate snap-ins to this same MMC if you wish to manage more than one type.
If you select My User Account, a node for Certificates—Current User will be added to the MMC. You can close the Add/Remove Snap-ins dialog box, or you can click Add again to add a second Certificate snap-in for another type of certificate.
If you select Computer Account, you will see the dialog box shown in Figure E, which asks you to choose whether the snap-in will manage the local computer or another computer.
|The Certificate snap-in can be used to manage certificates for the local computer or another computer.|
If you choose to manage another computer, you can browse the network for the computer. If you save the console, this dialog box also allows you to specify whether you want to allow the selected computer to be managed when you launch the console from the command line. After you make your selection, the snap-in is added to the MMC.
If you select Service Account in the initial dialog box, you will see the same dialog box shown in Figure E. However, after you make your selection, you will then see another dialog box, as shown in Figure F, from which you can select the service account to be managed.
|I have selected the IPSEC Policy Agent service account to be managed.|
When you select the account and click Finish, the snap-in will be added to the MMC, which will display the nodes for the Certificate snap-ins you added.
To save the console, click Console on the menu bar and select Save As. Choose a name for the console (for example, Certificates) and a location in which to store it. By default, it will be stored in the Administrative Tools folder in the current user’s profile:
<bootpartition>:\Documents and Settings\<username>
The boot partition in Microsoft terminology is the partition on which your Windows 2000 operating system files (in the Winnt folder, by default) are stored.
You can open the console from that location in the future, or if you wish it to appear in the Administrative Tools menu, you can:
- Move it to the Administrative Tools folder for All Users
- Create a shortcut to it in the Administrative Tools folder for All Users.
Selecting the View mode
You can select a View mode for each Certificate snap-in by selecting the certificates node in the left console pane and selecting Options from the View menu. You will be able to select whether to display the physical certificate stores and/or archived certificates and choose from the following views:
- Certificate purpose
- Logical certificate store
The logical certificate store is the default view. The certificate store is the location where certificates, CRLs, and certificate trust lists are stored. The logical store view for the Current User Certificates snap-in is shown in Figure G.
|The logical store view is the default view.|
The same snap-in, with the certificate purpose view selected, is shown in Figure H.
|The certificate purpose view arranges groups of certificates by purpose in the left console pane.|
For the remainder of this Daily Drill Down, we will be working with Certificates in the default logical store view.
Requesting a new certificate
To request a certificate via the Certificate snap-in, you invoke the Certificate Request Wizard by right-clicking the Personal subnode in the User Or Computer Certificates snap-in and selecting All Tasks | Request New Certificate from the context menu. The Wizard will walk you through the steps of selecting a CA (this must be an enterprise CA), choosing a certificate template, and, optionally, selecting a CSP and specifying strong private key protection (see Figure I).
|The Certificate Wizard’s advanced options allow you to select a CSP.|
The configurations of the enterprise CA that make the request will determine what types of certificate templates are available. Examples include Administrator, User, Basic EFS, and EFS Recovery Agent.
The user requesting the certificate must have been granted access to the templates in order to use them.
Renewing a certificate
When issued, a certificate is valid for a specific time period. You can use the snap-in to renew a certificate before or after it expires, as shown in Figure J.
|You can renew a certificate with the same key set or generate a new one.|
Note that you will need to know the enterprise CA that issued the original certificate in order to renew it. If the certificate was issued by a standalone CA, you must use the Certificate Services Web pages to renew it.
Finding and viewing a certificate
To find a certificate, highlight the user, computer, or service node and select Find Certificates from the Action menu. The certificate search tool, shown in Figure K, will appear and you can search by issuing CA, entity to whom the certificate was issued, the hash, or the serial number. Thus, you can search the entire certificate store or a portion thereof.
|You can search for certificates by several criteria using the Find Certificates tool.|
You can view the pertinent information about a certificate by double-clicking it in the right details pane to display the certificate’s properties sheet. The Details tab will provide a summary of the following information:
- Version and serial number
- Algorithm used for the digital signature
- Issuing CA
- Dates of validity (“to” and “from”)
- Subject (user, computer, or service for which the certificate is issued)
- Public key information
- Certificate template
- Friendly name given to the certificate (specified when requested)
- Other pertinent information
The Certification Path tab shows not only the path in the logical store, but also indicates the certificate’s status (OK, not trusted, expired, etc.).
Moving a certificate
You can move a certificate from one logical store to another by selecting the certificate in the details pane, choosing Cut from the Action menu, selecting the logical store to which you want to move the certificate, and choosing Paste from the Action menu. You can move more than one certificate at a time by selecting multiple certificates to cut and paste, using the [Ctrl] key.
Deleting a certificate
You can delete a certificate by selecting the certificate or multiple certificates in the right details pane, and then choosing Delete from the Action menu (or right-clicking it and selecting Delete). You will be prompted with a message warning that if you delete the certificate, you will not be able to decrypt any data that was encrypted using the certificate. If you wish to delete the certificate anyway, click Yes. Microsoft recommends that unless you are very sure you won’t need the certificate again, you should back it up using the Export function (discussed below).
Editing the properties of a certificate
You can change certain properties of a certificate. To do so, select it in the right details pane and choose Properties from the Action menu (or right-click and select Properties). You will be able to edit the Friendly Name, Description, and purpose(s) of the certificate, using the Properties sheet shown in Figure L.
|You can edit some of the certificate’s properties using the Properties dialog box.|
Importing and exporting certificates
You can export a certificate to a different location in order to create a backup of the certificate before deleting it, as mentioned above. Select the certificate you want to export in the right details pane and choose Export from the Action menu (or right-click it and select All Tasks | Export).
The Export Wizard will guide you through the process. If the certificate’s private key is exportable, you will be asked whether to export the private key along with the certificate. You will be required to specify a file format for the exported certificate from one of the following:
- PKCS #7 (This choice allows you to include all certificates in the certification path.)
You will be asked to enter a filename and path to which the file will be saved.
Exporting a certificate does not remove it from the certificate store; it merely places a copy of it (in the selected file format) in the specified location.
To restore a deleted certificate that was exported to a file, right-click Personal | Certificates under the selected user, computer, or service node in the left console pane and choose All Tasks | Import. The Import Wizard will prompt you to enter the path where the certificate file is stored. If you are importing a PKCS #12 file with the private key encrypted, you will have to enter the password used to encrypt the key. You can specify the location in the certificate store in which the certificate will be put, or you can have it automatically placed according to certificate type.
You can install an exported certificate by navigating to the file in which it is saved, right-clicking, and selecting Install Certificate, or Install PFX (depending on the file format).
Importing the certificate into the store does not remove the saved file from its location. It will still be available until you delete it.
Digital certificates serve many purposes, and Microsoft has made certificate services easy to use and manage as part of a Windows 2000 network’s public key infrastructure. In this Daily Drill Down, I have focused on how to use one of the three certificate management tools available in Windows 2000 Professional: the Certificate MMC snap-in.
You learned how to add the Certificate snap-in for the user account, a computer account, or a service to a newly created management console, and how to select the preferred console view. We discussed the performance of common administrative tasks relating to certificates: requesting a new certificate, renewing certificates, finding certificates within the store, viewing or editing their properties, moving, and deleting certificates. Finally, you learned how to back up certificates by exporting to a file and how to restore a certificate from an exported file back to the certificate store.