Export (0) Print
Expand All
Expand Minimize
This topic has not yet been rated - Rate this topic

Certificate Support and Internet Communication (Windows Server 2003)

Updated: July 31, 2004

Applies To: Windows Server 2003 with SP1

The following subsections provide information about:

  • The benefits of the certificate functionality built into operating systems in the Microsoft Windows Server 2003 family, including the benefits of Update Root Certificates

  • How Update Root Certificates communicates with sites on the Internet

  • How to control Update Root Certificates to limit the flow of information to and from the Internet

Benefits and Purposes of Certificate Functionality

Certificates, and the public key infrastructure of which they are a part, support authentication and encrypted exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. With certificates, host computers on the Internet no longer have to maintain a set of passwords for individual subjects who need to be authenticated as a prerequisite to access. Instead, the host merely establishes trust in a certification authority that certifies individuals and resources that hold private keys. The host can establish this trust through a certificate hierarchy that is ultimately based on a root certificate, that is, a certificate from an authority that is trusted without assurances from any other certification authority.

Examples of times that a certificate is used are when you:

  • Use a browser to engage in a Secure Sockets Layer (SSL) session

  • Accept a certificate as part of installing software

  • Accept a certificate when receiving an encrypted or digitally signed e-mail message

When learning about public key infrastructure, it is important to learn not only about how certificates are issued, but how certificates are revoked, and how information about those revocations is made available to clients. This is because certificate revocation information is crucial for an application that is seeking to verify that a particular certificate is currently (not just formerly) considered trustworthy. Certificate revocation information is often stored in the form of a certificate revocation list, although this is not the only form it can take. Applications that have been presented with a certificate might contact a site on an intranet or the Internet for information not only about certification authorities, but also for certificate revocation information.

In an organization where servers run products in the Microsoft Windows Server 2003 family, you have a variety of options in the way certificates and certification revocation lists (or other forms of certificate revocation information) are handled. For more information about these options, see the references listed in the next subsection, "Overview: Using Certificate Components in a Managed Environment."

The Update Root Certificates component in the Windows Server 2003 family is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site when this check is needed by an application. Specifically, if the application is presented with a certificate issued by a certification authority that is not directly trusted, the Update Root Certificates component (if present) will contact the Microsoft Windows Update Web site to see if Microsoft has added the certification authority to its list of trusted authorities. If the certification authority has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the trusted certificate store on the computer. Note that the Update Root Certificates component is optional, that is, it can be removed or excluded from installation on a computer running a product in the Windows Server 2003 family.

Overview: Using Certificate Components in a Managed Environment

In an organization where servers run products in the Windows Server 2003 family, you have a variety of options in the way certificates are handled. For example, you can establish a trusted root authority, also known as a root certification authority, inside your organization. The first step in establishing a trusted root authority is to install the Certificate Services component. Another step that might be appropriate is to configure the publication of certificate revocation information to the Active Directory® directory service. When implementing public key infrastructure, we recommend that you also learn about Group Policy as it applies to certificates. Procedures for these steps are provided in the resources listed at the end of this subsection.

When you configure a certification authority inside your organization, the certificates it issues can specify a location of your choosing for retrieval of additional evidence for validation. That location can be a Web server or a directory within your organization. Because it is beyond the scope of this white paper to provide full details about working with certification authorities, root certificates, certificate revocation, and other aspects of public key infrastructure, this section provides a list of conceptual information and a list of resources to help you learn about certificates.

Some of the concepts to study when learning about certificates include:

  • Certificates and the X.509 V3 standard (the most widely used standard for defining digital certificates)

  • Standard protocols that relate to certificates, for example, Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Secure Multipurpose Internet Mail Extensions (S/MIME)

  • Encryption keys and how they are generated

  • Certification authorities, including the concept of a certification authority hierarchy and the concept of an offline root certification authority

  • Certificate revocation

  • Ways that Active Directory and Group Policy can work with certificates

The following list of resources can help you as you plan or modify your implementation of certificates and public key infrastructure:

How Update Root Certificates Communicates with Sites on the Internet

This subsection focuses on how the Update Root Certificates component communicates with sites on the Internet. The previous subsection, "Overview: Using Certificate Components in a Managed Environment," provides references for the configuration choices that control the way other certificate components communicate with sites on the Internet.

If the Update Root Certificates component is installed on a server, and an application is presented with a certificate issued by a root authority that is not directly trusted, the Update Root Certificates component communicates across the Internet as follows:

  • Specific information sent or received: Update Root Certificates sends a request to the Windows Update Web site, asking for the current list of root certification authorities in the Microsoft Root Certificate Program. If the untrusted certificate is named in the list, Update Root Certificates obtains that certificate from Windows Update and places it in the trusted certificate store on the server. No user authentication or unique user identification is used in this exchange.

    The Windows Update Web site is located at:

    http://windowsupdate.microsoft.com/

  • Default setting and ability to disable: Update Root Certificates is installed by default with products in the Windows Server 2003 family. You can remove or exclude this component from installation on a server.

  • Trigger and user notification: Update Root Certificates is triggered when the server is presented with a certificate issued by a root authority that is not directly trusted. There is no user notification.

  • Logging: Events containing information such as the following will be logged:

    • Event ID: 7

      Description: Successful auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site

    • Event ID: 8

      Description: Failed auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site with error: hexadecimal_error_value

  • Encryption, privacy, and storage: When requests or certificates are sent to or from Update Root Certificates, no encryption is used. Information about Update Root Certificates activity is not stored on any server at Microsoft.

  • Transmission protocol and port: The transmission protocol is HTTP and the port is 80.

Controlling the Update Root Certificates Component to Prevent the Flow of Information to and from the Internet

If you want to prevent the Update Root Certificates component in the Windows Server 2003 family from communicating automatically with the Windows Update Web site, you can remove or exclude this component from installation on servers. You can do this during deployment by using standard methods for unattended installation or remote installation, as described in Appendix A: Resources for Learning About Automated Installation and Deployment (Windows Server 2003). If you are using an answer file, the entry is as follows:

[Components]
Rootautoupdate = Off

How removing or excluding Update Root Certificates from servers can affect applications

If a server is presented with a certificate issued by a root authority that is not directly trusted, and the Update Root Certificates component is not installed on that server, you (or your application) will be prevented from completing the action that required authentication. For example, you might be prevented from installing software, viewing an encrypted or digitally signed e-mail message, or using a browser to engage in an SSL session.

If you choose to remove or exclude Update Root Certificates from servers, consider providing instructions that tell administrators what to do if they receive untrusted certificates.

Procedures for Excluding or Removing the Update Root Certificates Component from an Individual Computer

The following procedures describe:

  • How to use Control Panel to remove the Update Root Certificates component from an individual computer running a product in the Windows Server 2003 family.

  • How to exclude the Update Root Certificates component during unattended installation of a product in the Windows Server 2003 family by using an answer file.

To remove the Update Root Certificates component from an individual computer running a product in the Windows Server 2003 family

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add or Remove Windows Components (on the left).

  4. Scroll down the list of components to Update Root Certificates, and make sure the check box for that component is cleared.

  5. Follow the instructions to complete the Windows Components Wizard.

To exclude the Update Root Certificates component during unattended installation by using an answer file

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment (Windows Server 2003).

  2. In the [Components] section of the answer file, include the following entry:

    Rootautoupdate = Off

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.