User Certificates

Applies To: Windows Server 2008

Managing user certificates

There are two types of user certificates, or public-key certificates, that Message Queuing can use: internal certificates and external certificates. An internal certificate is automatically created during Message Queuing Setup for the user installing Message Queuing. External user certificates contain information that is supplied by a certification authority (CA). Unless stated otherwise, the information in this section applies to both types of user certificates.

You manage user certificates for a Message Queuing computer using the Message Queuing Properties dialog box in Computer Management. For information about how to view all user certificates that are registered in Active Directory Domain Services, see View Certificates for Message Queuing. All certificates have a validity period. After the end of the validity period, the certificate is no longer considered an acceptable or usable credential. Also, if Message Queuing is installed on a computer operating in a workgroup, and then the computer joins a domain, you must manually renew the internal certificate. For information about how to renew internal user certificates, see Renew Certificates for Message Queuing.

User certificates can be stored in Active Directory Domain Services. If you reinstall Windows 7 or Windows Server 2008 R2 family on a computer (rather than upgrade an existing installation), you must delete the user's previous (now obsolete) certificate. For information about how to delete a user certificate, see Remove Certificates for Message Queuing. Next, you must register the new certificate manually. For information about how to register a user certificate, see Register Certificates for Message Queuing.

Note

If permissions are used to control access to queues, user certificates must be registered in Active Directory Domain Services so that Message Queuing can map the certificate to the respective SID of the user. Although it is possible to send unauthenticated messages to queues that restrict access, doing so could compromise security as the content of such messages could be tampered with or read while en route.

Note

In the case of a cluster, a user profile, which is needed to store a user certificate in the registry, will not be created for a user account that is used only for a cluster service until it logs onto a node of the cluster at least once. After a user profile is created, the user must manually register a user certificate for Message Queuing.

Note

Active Directory Domain Services sets a multi-valued attribute limit of approximately 800 user certificates for a specific user account. This limit is usually exceeded when obsolete user certificates have not been deleted from Active Directory Domain Services. If multiple certificates exist for a user account, only the latest is used, and obsolete certificates can be deleted. For instructions, see Remove Certificates for Message Queuing.

External certificates

External user certificates contain information that is supplied by a certification authority (CA), rather than the SID, for verifying a sender's identity. The information in an external certificate is guaranteed by the CA that created the certificate. The Message Queuing service on the destination computer still validates the digital signature when a message is received but does not validate the external certificate itself. It is the responsibility of the receiving application to validate an external certificate before acting on the message. For more information about certification authorities, see the Windows Server 2008 R2 online help topic Certification Authorities.

An external certificate can be registered in Active Directory Domain Services and then used to authenticate the sender's SID when authenticated messages are sent to other computers in the same forest, precisely as in the case of an internal certificate, but with a possibly higher level of security.

If you register an external certificate in Active Directory Domain Services and thereby associate an SID with the certificate, you can send messages to queues that restrict access. This is because the Message Queuing service verifies the sender's SID. Registering an external certificate thus provides an additional, although optional, measure of authentication, which can be used by the receiving application.

External certificates are required for sending authenticated messages to environments other than Windows 7, Windows Server 2008 R2, Windows Vista, the Windows Server 2003 family, or Windows 2000. Other reasons you may want to use an external certificate include the following:

  • You want to control who can send authenticated messages by controlling the use of certificates. Internal certificates are created automatically during the installation of Message Queuing and can be used by everyone.

  • You want to send messages to someone who does not have access to Active Directory Domain Services.

  • You belong to a workgroup, as opposed to a domain.

In cases where SIDs cannot be used to authenticate the sender, as in the case of a message sent between computers operating in workgroup mode, an external certificate can be used for message authentication. In such cases, when an authenticated message is sent, the Message Queuing service on the source computer creates a digital signature for the message, attaches the digital signature and the applicable external certificate to the message, and sends the message. The Message Queuing service on the destination computer validates the digital signature.

More specifically, on the source computer, the Message Queuing service does the following:

  1. Computes a hash value from a fixed limited portion of the message using a hash algorithm.

  2. Encrypts the hash value using the sender's private cryptographic key to create a digital signature.

  3. Attaches the digital signature, the name of the hash algorithm, and a digital certificate containing the sender's public cryptographic key to the message.

On the destination computer, the Message Queuing service does the following:

  1. Computes a hash value from a fixed limited portion of the message using the same hash algorithm as the source computer.

  2. Decrypts the digital signature attached to the message using the public cryptographic key from the digital certificate to obtain a second hash value.

  3. Compares the two hash values to confirm that the message was not tampered with during delivery.

  4. If the values match, validates the external certificate (this step is optional).
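The source and destination steps above, modelled as an added example (it is not Message Queuing code and not part of the original page). As assumptions, textbook RSA over fixed Mersenne primes and a dictionary-based certificate stand in for the real cryptographic provider and X.509, and the message body stands in for the signed portion of the message; all names and keys are constructed and the arithmetic is not secure.

```python
import hashlib

E = 65537  # public exponent used by every toy key

def keypair(a, b):
    """Toy textbook-RSA key from Mersenne primes 2**a-1, 2**b-1 (assumption, not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, priv):  # source steps 1-2: hash, then transform with the private key
    n, d = priv
    return pow(digest(data), d, n)

def signature_matches(data, sig, pub):  # destination steps 1-3: rehash, recover, compare
    n, e = pub
    return pow(sig, e, n) == digest(data)

def tbs(cert):  # the certificate fields the issuer signs (hypothetical layout)
    return f"{cert['subject']}|{cert['pub'][0]}|{cert['issuer']}".encode()

def issue(subject, pub, issuer, issuer_priv):
    cert = {"subject": subject, "pub": pub, "issuer": issuer}
    cert["sig"] = sign(tbs(cert), issuer_priv)
    return cert

def send(body, priv, cert):  # source step 3: attach signature, hash name, certificate
    return {"body": body, "hash_alg": "SHA-256", "sig": sign(body, priv), "cert": cert}

def receive(msg, trusted):
    """Return (signature_valid, certificate_valid); act on a message only if both hold."""
    cert = msg["cert"]
    sig_valid = signature_matches(msg["body"], msg["sig"], cert["pub"])
    issuer_pub = trusted.get(cert["issuer"])  # step 4, left to the receiving application
    cert_valid = issuer_pub is not None and signature_matches(tbs(cert), cert["sig"], issuer_pub)
    return sig_valid, cert_valid

# Constructed parties: a trusted CA, a sender it certified, and a self-issued certificate.
ca_pub, ca_priv = keypair(521, 607)
sender_pub, sender_priv = keypair(127, 1279)
other_pub, other_priv = keypair(107, 2203)
TRUSTED = {"Example CA": ca_pub}
sender_cert = issue("sender", sender_pub, "Example CA", ca_priv)
self_cert = issue("sender", other_pub, "self", other_priv)

if __name__ == "__main__":
    print(receive(send(b"order 17", sender_priv, sender_cert), TRUSTED))
    print(receive(send(b"order 17", other_priv, self_cert), TRUSTED))
```

The second case shows why the optional certificate validation matters: the signature check alone only proves that the message matches the key in the attached certificate, not that a trusted CA vouches for that key.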

One way to obtain an external certificate is to use Internet Explorer 5 or later to request a certificate from a certification authority. For example, you can contact one of the following representative CA vendors:

  • AT&T

  • InternetMCI Mail

  • Keywitness Canada

  • VeriSign Commercial Software Publishers

In general, you can obtain different levels of external certificates. Some external certificates do not prove your identity. They prove only that you are the same person each time you send a message. This is sufficient for subscription-based applications. Other levels of external certificates prove that you are who you claim to be.