Certificate Support and Resulting Internet Communication in Windows Vista
In This Section
Benefits and Purposes of Certificate Functionality
Certificates, and the public key infrastructures (PKIs) used to issue and manage them, support authentication and encrypted exchange of information on open networks such as the Internet, extranets, and intranets. A certificate is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. With certificates, host computers on the Internet establish trust in a certification authority (CA) that certifies individuals and resources that hold private keys. Trust in a PKI is ultimately based on a root certificate, that is, a certificate from a CA at the top of a public key hierarchy that establishes a well-defined level of integrity and security for the hierarchy.
Examples of times that a certificate is used are when a user:
Uses a browser to engage in a Secure Sockets Layer (SSL) session
Accepts a certificate as part of installing software
Accepts a certificate when receiving an encrypted or digitally signed e-mail message
When learning about PKI, it is important to learn how certificates are issued and validated as well as how they expire or are revoked (if they need to be invalidated before they expire). This can help you understand the importance of up-to-date certificate revocation information, which can be crucial when a user's application is seeking to verify that a particular certificate is currently (not just formerly) considered trustworthy. Certificate revocation information is often stored in the form of a certificate revocation list, although this is not the only form it can take. Applications that have been presented with a certificate might contact a site on an intranet or the Internet not only for information about certification authorities, but also for certificate revocation information.
In an organization where clients run Windows Vista and servers run Windows Server 2003, you have a variety of options in the way certificates and certification revocation lists (or other forms of certificate revocation information) are handled. For more information about these options, see the references listed in the next subsection, "Overview: Using Certificate Features in a Managed Environment."
Also note that in Group Policy for Windows Vista, you can control public key policies in more specific ways than was possible with previous Windows operating systems. For more information, see "Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Vista," later in this section.
The Update Root Certificates Feature in Windows Vista
The Update Root Certificates feature in Windows Vista is designed to automatically check the list of trusted authorities on the Windows Update Web site when this check is needed by a user's application. Specifically, if the application is presented with a certificate issued by a certification authority in a PKI that is not directly trusted, the Update Root Certificates feature (if it is not turned off) will contact the Windows Update Web site to see if Microsoft has added the certificate of the root CA to its list of trusted root certificates. If the CA has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the set of trusted root certificates on the user's computer.
The Update Root Certificates feature can be turned off in Windows Vista by using Group Policy. For more information, see "Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Vista," later in this section.
Overview: Using Certificate Features in a Managed Environment
In an organization where clients run Windows Vista and servers run Windows Server 2003, you have a variety of options in the way certificates are handled. For example, you can establish a trusted root authority, also known as a root certification authority, inside your organization. The first step in establishing a trusted root authority is to install the Certificate Services feature. Another step that might be appropriate is to configure the publication of certificate revocation information to Active Directory® Domain Services. When implementing public key infrastructure, we recommend that you also learn about Group Policy as it applies to certificates. Procedures for these steps are provided in the resources listed at the end of this subsection.
When you configure a certification authority inside your organization, the certificates it issues can specify a location of your choice for retrieval of additional evidence for validation. That location can be a Web server or a directory within your organization. Because it is beyond the scope of this white paper to provide full details about working with certification authorities, root certificates, certificate revocation, and other aspects of public key infrastructure, this section provides a list of conceptual information and a list of resources to help you learn about certificates.
Some of the concepts to study when learning about certificates include:
Certificates and the X.509 V3 standard (the most widely used standard for defining digital certificates) as well as the public key infrastructure for X.509 (PKIX). PKIX is described in RFC 3280, which you can search for on the Internet Engineering Task Force (IETF) Web site at:
You can also learn about PKIX on the Internet Engineering Task Force (IETF) Web site at:
Standard protocols that relate to certificates, for example, Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Secure Multipurpose Internet Mail Extensions (S/MIME).
Encryption keys and how they are generated.
Certification authorities, including the concept of a certification authority hierarchy and the concept of an offline root certification authority.
Ways that Active Directory Domain Services and Group Policy can work with certificates.
The following list of resources can help you as you plan or modify your implementation of certificates and public key infrastructure:
Help for products in the Windows Server 2003 family.
You can view Help for products in the Windows Server 2003 family on the Web at:
The Microsoft Windows Server 2003 Deployment Kit and the Microsoft Windows Server 2003 Technical Reference.
You can view links on the Windows Deployment and Resource Kits Web site at:
"Certificate Revocation and Status Checking," a white paper on the Microsoft TechNet Web site at:
Links to information about public key infrastructure for Windows Server 2003 on the Microsoft Web site at:
The Microsoft Root Certificate Program Web site at:
Topics about public key policy settings in Group Policy (in Windows Server 2003) on the TechNet Web site at:
In a medium to large organization, for the greatest control of communication with the Internet, it is recommended that you manage the list of certification authorities yourself, meaning that you would use Group Policy to turn off the Update Root Certificates feature on Windows Vista and to configure settings related to public key policies.
How Update Root Certificates Communicates with Sites on the Internet
This subsection focuses on how the Update Root Certificates feature communicates with sites on the Internet. The previous subsection, "Overview: Using Certificate Features in a Managed Environment" provides references for the configuration choices that control the way other certificate features communicate with sites on the Internet.
If the Update Root Certificates feature has not been turned off through Group Policy, and the user's application is presented with a certificate issued by a root CA that is not directly trusted, the Update Root Certificates feature communicates across the Internet as follows:
Specific information sent or received: The Update Root Certificates feature sends a request to http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en, asking for the current list of root certification authorities in the Microsoft Root Certificate Program. If the root CA that is not directly trusted is named in the list, Update Root Certificates obtains the certificate for that root CA and places it in the trusted certificate store on the user's computer. No user authentication or unique user identification is used in this exchange.
Default setting and ability to disable: Update Root Certificates is turned on by default in Windows Vista. You can turn off this feature by using Group Policy.
Trigger and user notification: Update Root Certificates is triggered when the user is presented with a certificate issued by a root certification authority that is not directly trusted. There is no user notification.
Logging: Events are logged in Event Viewer in Windows Logs\Application with a Source of CAPI2. Events containing information such as the following are logged:
For Event ID 7:
Description: Successful auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site
For Event ID 8:
Description: Failed auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site with error: hexadecimal_error_value
Encryption, privacy, and storage: When requests or certificates are sent to or from Update Root Certificates, no encryption is used. Microsoft does not track access to the list of trusted authorities that it maintains on the Windows Update Web site.
Transmission protocol and port: The transmission protocol is HTTP and the port is 80.
Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet
If you want to prevent the Update Root Certificates feature in Windows Vista from communicating automatically with the Windows Update Web site, you can turn off this feature by using Group Policy. For more information, see “To Turn Off the Update Root Certificates Feature by Using Group Policy,” later in this section.
How Turning Off Update Root Certificates on Users' Computers Can Affect Users and Applications
If the user is presented with a certificate issued by a root certification authority that is not directly trusted, and the Update Root Certificates feature is turned off through Group Policy, the user can be prevented from completing the action that required authentication. For example, the user can be prevented from installing software, viewing an encrypted or digitally signed e-mail message, or using a browser to engage in an SSL session.
Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Vista
The procedures in this section describe:
How to use Group Policy to turn off the Update Root Certificates feature for computers running Windows Vista.
How to view Group Policy for controlling public key policies for computers running Windows Vista.
To Turn Off the Update Root Certificates Feature by Using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate Group Policy object (GPO).
Expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.
In the details pane, double-click Turn off Automatic Root Certificates Update, and then click Enabled.
Important You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting, which is located in Computer Configuration\Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Vista.
To View Group Policy for Controlling Public Key Policies for Windows Vista
See Appendix B: Resources for Learning About Group Policy for Windows Vista for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Vista, open Group Policy Management Console (GPMC) by running gpmc.msc, and then edit an appropriate GPO.
Note You must perform this procedure by using GPMC on a computer running Windows Vista (GPMC is included in Windows Vista).
Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click Public Key Policies.
View the settings that are available.
Expand User Configuration, expand Windows Settings, expand Security Settings, and then click Public Key Policies.
View the settings that are available.
For information about using Group Policy for controlling public key policies, see the TechNet Web site at: