CA Certificates Tools and Settings: Public Key; Security Services

CA Certificates Tools and Settings

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

CA Certificate Tools
CA Certificate Registry Entries
CA Certificate Group Policy Settings

CA Certificate Tools

The following tools are associated with CA certificates.

Certreq.exe: Certreq

Version Compatibility

Certreq is compatible with Windows Server 2003 and Windows 2000 Server, and can be used to manage the certificate containers for users, computers, and services on computers running Windows 2000, Windows XP, and Windows Server 2003.Certreq enables you to submit, retrieve, create, and accept certificate requests that are sent to a Windows Server 2003 CA. You can also use Certreq to create and sign cross-certificate requests. You can also place the Certreq command syntax in a batch file to script certificate requests.

To find more information about Certreq, see “Command Line References” in Tools and Settings Collection.

Certutil.exe: Certutil

Version Compatibility

Certutil can be used on Windows 2000 Server CAs and Windows Server 2003 CAs.

You can use Certutil to extract and display CA configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

To find more information about Certutil, see “Command Line References” in Tools and Settings Collection.

Certsrv.msc: Certification Authority Snap-in

Version Compatibility

The Certification Authority snap-in is compatible with Windows Server 2003 and Windows 2000 Server.

The Certification Authority snap-in can be used to manage multiple CAs. It allows you to perform a variety of administrative tasks including:

Starting and stopping the CA.
Backing up and restoring the CA.
Changing exit and policy modules.
Viewing the CA certificate.
Installing or reinstalling a CA certificate for the CA.
Setting security permissions and delegating administrative control for the CA.
Revoking certificates.
Viewing or modifying CRL distribution points.
Publishing CRLs and scheduling CRL publication.
Configuring the types of certificates that are to be issued by the CA.
Viewing information about certificates that have been issued.
Viewing information about certificates that have been revoked.
Viewing pending certificate requests.
Approving or denying pending certificate requests.
Viewing failed certificate requests.
Renewing the CA’s certificate.

CA Certificate Registry Entries

CA certificate-related registry entries correlate to the physical view of the certificate-related data that can be viewed by using the Certificates snap-in.

The registry settings in this section are a subset of the registry settings in “Certificate Services Tools and Settings.” This subset makes it possible to monitor and manage key configuration options associated with CA certificates.

The following registry keys are associated with CA certificates that were distributed via Group Policy:

HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates

The following registry keys are associated with CA certificates that were not distributed via Group Policy:

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as MMC, to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

HKEY_Current_User\Software\Microsoft\SystemCertificates

HKEY_Current_User\Software\Microsoft\SystemCertificates contains registry settings for user certificates that have been distributed by means other than Group Policy. These keys also contain registry settings relating to the CA certificates that support the user certificates.

The majority of the registry subkeys under SystemCertificates contain binary large objects that pertain to:

Certificates. These entries identify the certificates associated with the registry entry.
CRLs. These entries identify the certificate revocation lists (CRLs) associated with the registry entry.
CTLs. These entries identify the certificate trust lists (CTLs) associated with the registry entry.

The following registry subkeys are located under SystemCertificates. Additional subkeys — which might appear under some registry subkeys — appear below under the registry subkey that they correspond to.

These subkeys appear under SystemCertificates:

AuthRoot

Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AuthRoot contains data about certificates, CRLs, and CTLs from non-Microsoft root CAs.

CA

Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

CA contains data about certificates, CRLs, and CTLs from intermediate CAs.

Root

Registry path

HKEY_Current_User\Software\ Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Root contains data about trusted root CA certificates, CRLs, and CTLs.

trust

Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Trust contains data about enterprise trust certificates, CRLs, and CTLs.

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates contains registry settings for user certificates that have been distributed by using Group Policy. These keys also contain registry settings relating to the CA certificates that support the user certificates.

The majority of the registry entries contain binary large objects that pertain to:

Certificates. These entries identify the certificates associated with the registry entry.
CRLs. These entries identify the CRLs associated with the registry entry.
CTLs. These entries identify the CTLs associated with the registry entry.

The following registry entries are located under SystemCertificates Additional subkeys — which might appear under some registry subkeys — will be detailed below under the registry subkeys that they correspond to.

AuthRoot

Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AuthRoot contains data about certificates, CRLs, and CTLs from non-Microsoft root CAs.

CA

Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

CA contains data about certificates, CRLs, and CTLs from intermediate CAs.

root

Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Root contains data about trusted root CA certificates, CRLs, and CTLs.

trust

Registry path

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Trust contains data about enterprise trust certificates, CRLs, and CTLs

HKEY_Local_Machine\Software\Microsoft\EnterpriseCertificates

HKEY_Local_Machine\Software\Microsoft\EnterpriseCertificates contains registry settings for computer certificates that are downloaded from the Active Directory by the auto enrollment feature.

AuthRoot

Registry path

HKEY_Current_User\Software\Microsoft\EnterpriseCertificates\AuthRoot

Version

Windows Server 2003, Windows XP, and Windows 2000

AuthRoot contains data about certificates, CRLs, and CTLs from non-Microsoft root CAs.

CA

Registry path

HKEY_Current_User\Software\Microsoft\EnterpriseCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

CA contains data about certificates, CRLs, and CTLs from intermediate CAs.

NTAuth

Registry Path

HKEY_Local_Machine\Software\Microsoft\EnterpriseCertificates\NTAuth

Version

Windows Server 2003, Windows XP, and Windows 2000

Any CA that issues smart card logon or domain controller certificates must publish its CA certificate into the NTAuth store in Active Directory. Windows 2000 and Windows 2003 CAs automatically publish their CA certificates in Active Directory. Certificates published by third parties must be imported into the NTAuth store. After you put the non-Microsoft CA in the NTAuth store, domain-based Group Policy adds this registry key to all computers in the domain.

For more information about the NTAuth store, see “How Certificate Services Works” in the Windows Server 2003 Technical Reference.

Root

Registry path

HKEY_Current_User\Software\ Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Root contains data about trusted root CA certificates, CRLs, and CTLs.

trust

Registry path

HKEY_Current_User\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Trust contains data about enterprise trust certificates, CRLs, and CTLs.

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

HKEY_Local_Machine\Software\Microsoft\SystemCertificates contains registry settings for computer certificates that have been distributed by means other than Group Policy. These keys also contain registry settings relating to the CA certificates that support the computer certificates.

AuthRoot

Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AuthRoot contains data about certificates, CRLs, and CTLs from non-Microsoft root CAs.

CA

Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates\CA

Version

Windows Server 2003, Windows XP, and Windows 2000

CA contains data about certificates, CRLs, and CTLs from intermediate CAs.

ROOT

Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

ROOT contains data about trusted root CA certificates, CRLs, and CTLs.

trust

Registry path

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Trust contains data about enterprise trust certificates, CRLs, and CTLs.

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates contains registry settings for computer certificates that have been distributed using Group Policy. These keys also contain registry settings relating to the CA certificates that support the computer certificates.

The majority of registry entries contain binary large objects that pertain to:

Certificates. These entries identify the certificates associated with the registry entry.
CRLs. These entries identify the CRLs associated with the registry entry.
CTLs. These entries identify the CTLs associated with the registry entry.

The following registry entries are located under SystemCertificates. Additional subkeys — which might appear under some registry subkeys — will be detailed below under the registry subkeys that they correspond to.

AuthRoot

Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

AuthRoot contains data about certificates, CRLs, and CTLs from non-Microsoft root CAs.

ca

Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Ca contains data about certificates, CRLs, and CTLs from intermediate CAs.

Certificates

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\

Version

Windows Server 2003, Windows XP, and Windows 2000

Certificates contains a unique key for each root CA certificate that is based on the hash of the certificate.

ProtectedRoots

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots

Version

Windows Server 2003 and Windows XP Professional Service Pack 2

ProtectedRoots can be used to:

Disable user root store trust. This prevents CryptoAPI applications from using the user root store in building trusted certificate chains.
Disable user root store changes. This prevents users from adding root CAs to the user trusted root store. This value can also be set through Group Policy in Windows Server 2003.
Disable user root store purge. This prevents the user from removing root CAs from the user trusted store that are also in the local computer trusted root store.
Disable the requirement for NTAuth policy processing. This disables the requirement for an issuing CA to be present in the NTAuth store of the local computer. This value can be set using Group Policy.
Disable name constraint enforcement for undefined name types. By default, Windows XP Professional with Service Pack 2 and Windows Server 2003 reject undefined name types in a name constraint validation. Setting this value forces the acceptance of all name forms that are not explicitly defined.

Note

The option to disable name constraint enforcement is not configurable using Group Policy.

Root

Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Root contains data about trusted root CA certificates, CRLs, and CTLs.

Trust

Registry path

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

Version

Windows Server 2003, Windows XP, and Windows 2000

Trust contains data about enterprise trust certificates, CRLs, and CTLs.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

The registry entries in this hive correlate to CA certificate configuration information that can be configured and viewed using the Certificates and Certification Authority snap-ins, as well as the Certutil command-line tool.

CertSvc\Configuration\CAName

The registry settings in this hive contain information relating to the configuration of the certification authority (CA) installed on the server.

CACertFileName

Registry Path

\CertSvc\Configuration \CAName\ CACertFileName

Version

Windows Server 2003 and Windows 2000 Server

On subordinate CAs, this setting identifies the name and location of the root certificate.

CACertHash

Registry Path

\CertSvc\Configuration \CAName\ CACertHash

Version

Windows Server 2003 and Windows 2000 Server

On subordinate CAs, this setting identifies the hash algorithms — SSH-1, for example — that are used for all CA certificates.

CACertPublicationURLs

Registry Path

\CertSvc\Configuration \CAName\ CACertPublicationURLs

Version

Windows Server 2003 only

This setting identifies the URL of the authority information access point where a client can find a CA certificate. Because the authority information access point is the location of the certificate that was used to sign the certificate, and because a root CA issues the CA certificate to itself, you should leave this setting blank for the root CA.

CAKeyUsage

Registry Path

\CertSvc\Configuration \CAName\ CAKeyUsage

Version

Windows Server 2003 and Windows 2000 Server

This setting makes it possible to disable the digital signature key usage on stand-alone CAs. By default, a stand-alone CA certificate will contain digital signature, certificate signing, and CRL signing key usage values.

Note

Enterprise CAs enforce the key usage based on the subordinate CA template settings.

CAServerName

Registry Path

\CertSvc\Configuration \CAName\ CAServerName

Version

Windows Server 2003 and Windows 2000 Server

This setting records the DNS name of the server on which the CA is running.

CAType

Registry Path

\CertSvc\Configuration \CAName\ CAType

Version

Windows Server 2003 and Windows 2000 Server

This setting records whether the CA is a root, enterprise, or stand-alone CA.

CommonName

Registry Path

\ CertSvc\Configuration \ CAName\ CommonName

Version

Windows Server 2003 and Windows 2000 Server

The common name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. The common name must not exceed 64 characters in length.

Note

Each space in the name will actually use three characters in the total length because of how escape characters are written (%20).

CRLFlags

Registry Path

\ CertSvc\Configuration \ CAName\ CRLFlags

Version

Windows Server 2003 and Windows 2000 Server

This setting allows you to manage cross CA certificate creation. By default, cross CA certificates are generated using predefined extensions in the registry. If desired, this setting can be used to generate cross certificates using the Cross CA certificate template instead. This setting can also be used to disable automatic cross CA certificate generation. .

CRLPublicationURLs

Registry Path

\ CertSvc\Configuration \ CAName\ CRLPublicationURLs

Version

Windows Server 2003 and Windows 2000 Server

Configuring this setting ensures that the correct CRL and AIA information is embedded in each issued certificate so that the certificate's signature and revocation status can be verified.

For all CA types (online or offline, root or subordinate, enterprise or stand-alone), the configuration of the AIA extension and the CRL distribution point extension is critical. If they are not configured correctly or if they contain invalid extensions, there may be unexpected problems. For example, smart card login attempts may not work, there may be invalid e-mail digital signatures, or there may be Web sites that are not trusted.

Note

Changes to CRL distribution points and AIA extensions take effect only after the CA is restarted, and the extensions appear in certificates issued only after the changes are applied. The CRL and AIA configuration processes are different on computers that are running Windows Server 2003 and Windows 2000 Server.

DSConfigDN

Registry Path

\ CertSvc\Configuration \ CAName\ DSConfigDN

Version

Windows Server 2003 and Windows 2000 Server

The distinguished name in DSConfigDNidentifies the namespace of the domain that the CA belongs to. When a root CA is configured as a stand-alone CA, the distinguished name should be the same as the namespace that will be used for the enterprise CA. The distinguished name becomes part of the certificate issuer name and is also part of the CRL and AIA if replacement tokens are used. It is also used by several variables that are used to set the CRL and AIA.

Note

After you use this command to change the registry key, a new CRL and any new CA certificates that are issued must be republished. Only new certificates that are issued after you use the previous command will have this information available. It is important to note that you must reissue and republish any subordinate CA certificate if it was issued before you changed the registry key.

EnforceX500NameLengths

Registry Path

\CertSvc\Configuration \CAName\ EnforceX500NameLengths

Version

Windows Server 2003 and Windows 2000 Server

This setting makes it possible for certificates issued by the CA to bypass X.500 naming restrictions. Windows Server 2003 CAs enforce X.500 naming standards by default. It is possible that deep organizational unit (OU) paths might exceed normal length restrictions. If your organization’s PKI does not need to be compatible with a non-Microsoft PKI, you can configure this registry setting to bypass the X.500 name length restriction.

HighSerial

Registry Path

\CertSvc\Configuration \CAName\ HighSerial

Version

Windows Server 2003 and Windows 2000 Server

This setting can be used to enable alternate forms of fixed length serial number generation. In Windows 2000 CAs, two types of fixed-length serial numbers are generated. In a Windows Server 2003 CA, three types of fixed-length serial numbers are generated. The default and alternate forms are the same as in Windows 2000. The alternate forms can be used to work around serial number encoding issues in certain non-Microsoft PKI applications.

Note

Any length hexadecimal string can be set in the registry (but there must be an even number of digits). The number of bytes used from the registry will be reduced if it would overflow a total of 19 bytes for the serial number. The high byte is manipulated as described previously to avoid problems with certain non-Microsoft applications. The IETF standards specify a maximum of 20 byte serial numbers.

SubjectTemplate

Registry Path

\CertSvc\Configuration \CAName\ SubjectTemplate

Version

Windows Server 2003 and Windows 2000 Server

This setting contains an ordered list of the subject relative distinguished name elements that are allowed in the Subject field of certificates issued by the CA.

This setting can only be set to a small, fixed list of relative distinguished name elements supported by the CA. If, during request processing, a listed relative distinguished name field is empty, or if the field is not populated by the request Subject field or by the policy module, the element will not be included. If the registry value is completely empty, the binary subject encoding from the request is passed through to the issued certificate unmodified.

CertSvc\Configuration\CAName\CSP

Provider

Registry Path

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration \ CAName\ CSP\Provider

Version

Windows Server 2003 and Windows 2000 Server

This setting lists the CSP that is used to generate the CA certificate key material.

Hash Algorithm

Registry Path

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\\CAName\ CSP\ HashAlgorithm

Version

Windows Server 2003 and Windows 2000 Server

This setting identifies the hash algorithm that is used for hashing and signing CA certificate contents.

CertSvc\Configuration\CAName\PolicyModules

Active

Registry Path

CertSvc\Configuration \CAName\ PolicyModules\Active

Version

Windows Server 2003 and Windows 2000 Server

This setting lists the active policy modules.

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy

DisableExtensionList

Registry Path

CertSvc\Configuration \CAName\ PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\DisableExtensionList

Version

Windows Server 2003 and Windows 2000 Server

This setting disables the adding of a certificate extension to a certificate that is included by default in certificates issued by an enterprise CA. An example of such a certificate extension could be the S/MIME capabilities extension.

EditFlags

Registry Path

CertSvc\Configuration \CAName\ PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags

Version

Windows Server 2003 and Windows 2000 Server

This setting enables you to identify the critical and non-critical extensions associated with policy modules, such as enabling basic constraints. The flags that can be configured include:

EDITF_ATTRIBUTEENDDATE. Controls certificate validity time by certificate request. This feature is disabled by default for enterprise CAs, and enabled by default for stand-alone CAs.

Note
- Although the validity period of a certificate is normally set by the CA, the CA can be configured in a way that allows the request to specify the validity period. This CA configuration option can only reduce the validity period of certificates to be issued by a request.
EDITF_ENABLEAKIISSUERNAME. Used to enable or disable the issuer name and issuer serial number.

Note
- You should disable the issuer name and issuer serial number if you renew CA keys when you renew CA certificates or plan to use cross-certificates.

EnableEnrolleeRequestExtensionList

Registry Path

CertSvc\Configuration \CAName\ PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EnableEnrolleeRequestExtensionList

Version

Windows Server 2003 and Windows 2000 Server

This setting lists the object identifiers (also known as OIDs) of the rules extensions that are defined by the organization that must appear in the issued certificate. These settings apply to all requests submitted to a stand-alone CA, and to requests submitted to an enterprise CA that use a template which specifies that the request must supply the subject information.

EnableRequestExtensionList

Registry Path

CertSvc\Configuration \CAName\ PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EnableRequestExtensionList

Version

Windows Server 2003 and Windows 2000 Server

This setting lists the object identifiers of the rules extensions defined by the organization that must appear in the issued certificate. By default, extensions that are in the submitted request are added to the CA’s database, but are marked as disabled, so they will not appear in the issued certificate.

RequestDisposition

Registry Path

CertSvc\Configuration \CAName\ PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\RequestDisposition

Version

Windows Server 2003 and Windows 2000 Server

You can use this setting to specify what the policy module should do with incoming and resubmitted requests. Options include:

Process all certificate requests that meet applicable policy and template processing requirements.
Place all initial certificate requests in a pending queue, and process all certificate requests that are resubmitted by an administrator, assuming the requests meet applicable policy and template processing requirements.

RevocationType

Registry Path

CertSvc\Configuration \CAName\ PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\RevocationType

Version

Windows Server 2003 and Windows 2000 Server

You can use this setting to specify an alternative certificate revocation service to function with a Windows Server 2003 CA. This setting enables CRL URLs from the following: Lightweight Directory Access Protocol (LDAP), File Transfer Protocol (FTP), and file locations; CDP extensions; and Active Server Page (ASP)-based revocation.

RevocationURL

Registry Path

CertSvc\Configuration \CAName\ PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\RevocationURL

Version

Windows Server 2003 and Windows 2000 Server

This setting defines the URL for an alternative certificate revocation service that has been configured to function with a Windows Server 2003 CA.

The replacement variables that can be used in the revocation URL are listed in the following table.

Registry Variables for Alternative Revocation Services

Alternative Revocation Service	Registry Variable
SERVERDNSNAME	1
SERVERSHORTNAME	2
SANITIZEDCANAME	3
CERTFILENAMESUFFIX	4
DOMAINDN	5
CONFIGDN	6
SANITIZEDCANAMEHASH	7
CRLFILENAMESUFFIX	8
CRLDELTAFILENAMESUFFIX	9
DSCRLATTRIBUTE	10
DSCACERTATTRIBUTE	11
DSUSERCERTATTRIBUTE	12
DSKRACERTATTRIBUTE	13
DSCROSSCERTPAIRATTRIBUTE	14

In order for the revocation service to function, the application, service, or account connecting to this URL must have Read permissions in the Certification Authority snap-in. If IIS is using a local account, follow the steps for enabling anonymous access in IIS and allowing Anonymous Read access to the CA.

Note

Enabling Anonymous Read access to the CA might expose privacy or security risks.

SubjectAltName

Registry Path

CertSvc\Configuration \CAName\ PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\SubjectAltName

Version

Windows Server 2003 and Windows 2000 Server

This setting uses an organizational unit for the SubjAltName extension of an issued certificate. This setting is almost never used.

SubjectAltName2

Registry Path

CertSvc\Configuration \CAName\ PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\SubjectAltName2

Version

Windows Server 2003 and Windows 2000 Server

This setting makes it possible for a stand-alone CA to place the e-mail address of the authenticated user making the certificate request in the SubjAltName extension of an issued certificate. This setting is rarely used.

CA Certificate Group Policy Settings

The following public key Group Policy settings are associated with CA certificates:

Trusted Root Certification Authorities for adding trusted root CA certificates to the Trusted Root Certification Authorities store.
Enterprise Trust for configuring certificate trust lists.

Trusted Root Certification Authorities

When you install an enterprise root CA or a stand-alone root CA, the certificate of the CA is added automatically to the Trusted Root Certification Authorities Group Policy object for the domain. You also can add certificates for other root CAs to the Trusted Root Certification Authorities Group Policy object.

Trusted Root Certification Authorities Group Policy can be configured in the following location in the Group Policy MMC snap-in:

Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

The root CA certificates that you add become trusted root CAs for computers within the scope of the Group Policy object. For example, if you want to use a non-Microsoft CA as a root CA in a certification hierarchy, you must add the certificate for the non-Microsoft CA to the Trusted Root Certification Authorities Group Policy object.

To add a certificate for the root CA to the Trusted Root Certification Authorities Group Policy, in the Public Key Policies node, right-click Trusted Root Certification Authorities, click All Tasks, and then click Import. When the Certificate Import Wizard appears, use the wizard to import a certificate file for the certificate of the root CA and add it to Group Policy. The certificate is added to the Trusted Root Certification Authorities store of all computers within the scope of Group Policy the next time it is refreshed on each computer.

You can also use Trusted Root Certification Authorities Group Policy to control the changes users can make to trusted root CA options.

To modify these settings, right-click Trusted Root Certification Authorities, and then click Properties.

To prevent users making any changes to the trusted root CA store, you can clear the Allow users to select new root Certification Authorities (CAs) to trust check box.

To limit client trust of alternative certificate stores, under Client computers can trust the following certificate stores, select one of the following options:

Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
Enterprise Root Certification Authorities

In addition, the following settings under To perform certificate-based authentication of users and computers, CAs must meet the following criteria: can be used to manage certificate-based authentication by certificate holders:

Registered in Active Directory only
Registered in Active Directory and compliant with name constraints requirements for user principal names (UPNs)

Note

For more information about importing non-Microsoft root CA certificates, see the information for HKEY_Local_Machine\Software\Microsoft\EnterpriseCertificates\NTAuth, earlier in this document.

Certificate Trust Lists

You can create certificate trust lists (CTLs) to trust specific CAs and to restrict the uses of certificates issued by the CAs. For example, you might use a CTL to trust certificates that are issued by a commercial CA and restrict the permitted uses for those certificates. You might also use CTLs to control trust on an extranet for certificates that are issued by CAs that are managed by your business partners. You can configure CTLs for computers and for users.

Before administrators can create CTLs, they must have a valid trust list signing certificate — such as the Administrator certificate or the Trust List Signing certificate that is issued by enterprise CAs. The trust list signing private key for the administrator is used to sign the CTL for integrity. If the trust list signing certificate for an administrator is invalid, all CTLs that have been created and signed by that administrator also are invalid.

Certificate Trust List Group Policy is configured as part of Public Key Policies\Enterprise Trust in the Security Settings of the Group Policy object for a user or computer in a domain, site, or OU. Certificate Trust List Group Policy can be configured in the following location in the Group Policy MMC snap-in:

Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Enterprise Trust

You use the Certificate Trust Wizard to configure Certificate Trust List Group policy.

To activate the wizard, right-click Enterprise Trust, click New and then click Certificate Trust List. The wizard enables you to configure the following options:

Valid duration. An optional lifetime for the CTL. If you do not specify a lifetime, the CTL expires when the trust list signing certificate expires.
Designate Purposes. Enables you to restrict the purposes for which certificates are trusted. The CTL establishes trust only for certificates that are valid for the selected purposes. A certificate might support all of the listed purposes.
Add Purpose. Enables you to add purposes to the Designate Purposes box. This also requires you to enter an object identifer for the new purpose.
Current CTL Certificates. Displays the certificates of the root CAs that are to be trusted by this CTL. Certificates with certification paths to the root CA are trusted for all designated purposes specified by the CTL.
Add from Store. Adds a root certificate from the Trusted Root Certification Authorities store.
Add from File. Adds a root CA’s certificate from a file.
Remove. Deletes the certificate that is selected in the Current CTL Certificates box.
View Certificate. Enables you to view the certificates that are selected in the Current CTL Certificates box.
Use this certificate. Displays the trust list signing certificate for the private key that is to be used to sign the CTL.
Select from Store. Adds a trust list signing certificate from the Personal store for the administrator.
Select from File. Adds the trust list signing certificate from a file.
View Certificate. Enables you to view the certificate listed in the Use this certificate box.
Add a timestamp to the data. Adds a timestamp to the CTL. The timestamp is used to determine the valid lifetime of the CTL. If a timestamp is not used, the computer clock is used instead.
Timestamp service URL. Identifies the location of the timestamp service that is to be used for the timestamp.
Friendly Name. The optional name that appears in the Microsoft Management Console when the CTL is displayed.
Description. An optional description to describe the CTL.

Related Information

The following resources contain additional information that is relevant to this section.

“Certificates Tools and Settings” in Certificates Technical Reference
“Certificate Services Tools and Settings” in Certificate Services Technical Reference

CA Certificate Tools

Certreq.exe: Certreq

Category

Version Compatibility

Certutil.exe: Certutil

Category

Version Compatibility

Certsrv.msc: Certification Authority Snap-in

Category

Version Compatibility

CA Certificate Registry Entries

HKEY_Current_User\Software\Microsoft\SystemCertificates

AuthRoot

Registry path

Version

CA

Registry path

Version

Root

Registry path

Version

trust

Registry path

Version

HKEY_Current_User\Software\Policies\Microsoft\SystemCertificates

AuthRoot

Registry path

Version

CA

Registry path

Version

root

Registry path

Version

trust

Registry path

Version

HKEY_Local_Machine\Software\Microsoft\EnterpriseCertificates

AuthRoot

Registry path

Version

CA

Registry path

Version

NTAuth

Registry Path

Version

Root

Registry path

Version

trust

Registry path

Version

HKEY_Local_Machine\Software\Microsoft\SystemCertificates

AuthRoot

Registry path

Version

CA

Registry path

Version

ROOT

Registry path

Version

trust

Registry path

Version

HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates

AuthRoot

Registry path

Version

ca

Registry path

Version

Certificates

Registry path

Version

ProtectedRoots

Registry path

Version

Root