
Chapter 6 - Digital Certificates

Microsoft® Internet Explorer 6 uses digital certificates to authenticate clients and servers on the Web and to ensure that browser communications are secure. Read this chapter to learn about certificates and about how to configure settings for the certificates that you trust.

Related Information in the Resource Kit

  • For more information about Internet Explorer features that help ensure user privacy, see "Users' Privacy." 

  • For more information about using the Internet Explorer Customization Wizard to preconfigure security settings, see "Running the Microsoft Internet Explorer Customization Wizard." 

Understanding Digital Certificates

To verify the identity of people and organizations on the Web and to ensure content integrity, Internet Explorer uses industry-standard X.509 v3 digital certificates. Certificates are electronic credentials that bind the identity of the certificate owner to a pair (public and private) of electronic keys that can be used to encrypt and sign information digitally. These electronic credentials assure that the keys actually belong to the person or organization specified. Messages can be encrypted with either the public or the private key and then decrypted with the other key.

Each certificate contains at least the following information:

  • Owner's public key 

  • Owner's name or alias 

  • Expiration date of the certificate 

  • Serial number of the certificate 

  • Name of the organization that issued the certificate 

  • Digital signature of the organization that issued the certificate 

Certificates can also contain other user-supplied information, including a postal address, an e-mail address, and basic registration information, such as the country or region, postal code, age, and gender of the user.
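The fields listed above can be read directly from any X.509 certificate. The following script is an added example, not part of the Resource Kit or of Internet Explorer; it uses the .NET X509Certificate2 class from Windows PowerShell (tooling that postdates Internet Explorer 6). The -Path parameter and the fallback to the first certificate in the user's Trusted Root store are placeholder inputs chosen for this example.

```powershell
# Added example, not part of the Resource Kit: read the fields the chapter lists
# from an X.509 certificate through the .NET X509Certificate2 class.
# Assumes Windows PowerShell; the certificate comes from a file given as -Path
# or, as a placeholder input, the first entry in the user's Trusted Root store.
param(
    [string]$Path   # optional: a .cer or .crt file (DER or Base64 encoded)
)

function Get-CertificateSummary {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # A root certificate is self-signed: the issuer is the owner itself.
    $selfSigned = ($Cert.Subject -eq $Cert.Issuer)

    # Key size lookups can fail for unusual algorithms, so do not let that abort the summary.
    $keySize = $null
    try { $keySize = $Cert.PublicKey.Key.KeySize } catch { }

    # Extended key usages name the purposes (server auth, code signing, ...) the CA allowed.
    $purposes = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }

    [pscustomobject]@{
        Owner          = $Cert.Subject                          # owner's name or alias
        Issuer         = $Cert.Issuer                           # organization that issued it
        SerialNumber   = $Cert.SerialNumber
        ValidFrom      = $Cert.NotBefore
        Expires        = $Cert.NotAfter                         # expiration date
        Expired        = ($Cert.NotAfter -lt (Get-Date))
        PublicKey      = $Cert.PublicKey.Oid.FriendlyName       # algorithm of the owner's public key
        PublicKeyBits  = $keySize
        SignatureAlg   = $Cert.SignatureAlgorithm.FriendlyName  # algorithm of the issuer's signature
        SelfSigned     = $selfSigned
        Purposes       = ($purposes -join ', ')
        Thumbprint     = $Cert.Thumbprint
    }
}

if ($Path) {
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
} else {
    # Placeholder input: the first certificate in the current user's Trusted Root store.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\Root | Select-Object -First 1
}

Get-CertificateSummary -Cert $cert | Format-List
```

Run it with a certificate file (.\Get-CertificateSummary.ps1 -Path .\ca.cer) or with no arguments to inspect a root certificate already installed on the computer. The SelfSigned and Purposes fields are the two a reviewer checks first: a root certificate must be self-signed, and the listed purposes bound what the certificate may be trusted for.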

Certificates form the basis for secure communication and client and server authentication on the Web. You can use certificates to do the following:

  • Verify the identity of clients and servers on the Web. 

  • Encrypt channels to provide secure communication between clients and servers. 

  • Encrypt messages for secure Internet e-mail communication. 

  • Verify the sender's identity for Internet e-mail messages. 

  • Put your digital signature on executable code that users can download from the Web. 

  • Verify the source and integrity of signed executable code that users can download from the Web. 

The following illustration shows the basic process of using public and private keys to encrypt and decrypt a message sent over the Internet.

[Illustration: using public and private keys to encrypt and decrypt a message sent over the Internet]

Certificates are authenticated, issued, and managed by a trusted third party called a certification authority (CA). The CA must provide a combination of three essential elements:

  • Technology, such as security protocols and standards, secure messaging, and cryptography 

  • Infrastructure, including secure facilities, backup systems, and customer support 

  • Practices, including a defined model of trust and a legally binding framework for managing subscriber activities and resolving disputes 

A commercial CA must provide services that both your organization and your users trust. In addition to obtaining certificates from CAs, you can implement a certificate server, such as Microsoft Certificate Server, and use it to provide certificate services for your Web infrastructure.

Commercial Certification Authorities

Commercial CAs issue certificates that verify the electronic identity of individuals and organizations on the Web. The primary responsibility of a CA is to confirm the identity of the people and organizations seeking certificates. This effort ensures the validity of the identification information contained in the certificate. Many commercial CAs offer certificate services for Microsoft products, in addition to a wide range of other certificate services.

CAs perform the following types of services:

  • Issue, renew, and revoke certificates. 

  • Authenticate the identities of individuals and organizations. 

  • Verify the registrations of individuals and organizations. 

  • Publish and maintain a Certificate Revocation List (CRL) of all certificates that the CA has revoked. 

  • Handle legal and liability issues related to security. 

Commercial CAs issue various types of certificates, including the following:

  • Personal certificates for digitally signing communications and assuring secure transactions over the Internet and intranet 

  • Client authentication and server authentication certificates for managing secure transactions between clients and servers 

  • Software publisher certificates for digitally signing software 

CAs can also issue many other types of certificates. Each CA operates within the charter of its Certification Practices Statement (CPS). You can visit the CA's Web site and read the CPS to understand the types of certificates issued by that CA and the operating procedures that the CA follows.

When you choose a CA, you should consider the following issues:

  • Is the CA a trusted entity operating a certification practice that can both meet your needs and operate efficiently in your region? Other people should be able to immediately recognize your CA as reputable and trustworthy. If you choose a CA with a questionable reputation, users might reject your certificate. Therefore, you should thoroughly research the commercial CA you plan to use so that you and your users can be assured about the CA's trustworthiness. 

  • Is the CA familiar with your organization's business interests? Look for a CA from which you can leverage technical, legal, and business expertise. 

  • Does the CA require detailed information from you to verify your trustworthiness? Most CAs require such information as your identity, your organization's identity, and your official authority to administer the Web server for which you are requesting a certificate. Depending on the level of identification required, a CA might need additional information, such as professional affiliations or financial records, and the endorsement of this information by a notary. 

  • Does the CA have a system for receiving online certificate requests, such as requests generated by a key manager server? An online system can speed up the processing of your certificate requests. 

  • Does the CA give you enough flexibility and control over how certificates are issued and authenticated? Some commercial CA services and products might not integrate with your existing security model and directory services. 

  • Does the cost of the CA service meet your requirements? Substantial costs can be associated with obtaining a server certificate, especially if you need a high level of assurance of identification. 

Certificate Servers

Depending on your relationship with your users, you can obtain server certificates from a commercial CA, or you can issue your own server certificates. For services on your intranet, user trust is typically not an issue, and you can easily configure Internet Explorer to trust server certificates issued by your organization. For services on the Internet, however, users might not know enough about your organization to trust certificates issued by your certificate server. Therefore, you might need to obtain server certificates that are issued by a well-known, commercial CA to ensure that users trust your Internet sites.

You can implement a certificate server, such as Microsoft Certificate Server, to manage the issuance, renewal, and revocation of industry-standard certificates. You can use these certificates in conjunction with servers that support Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to build a secure Web infrastructure for the Internet or your intranet. For large organizations with complex Web needs, certificate servers can offer many advantages over commercial CAs, including lower costs and total control over certificate management policies.

Authenticode Technology

Microsoft® Authenticode® 2.0 is client-side software that watches for the downloading of Microsoft® ActiveX® control (.ocx) files, cabinet (.cab) files, Java applets, and executable files in order to provide reliable identity of the code. Authenticode displays certificate information, such as the name included in the digital signature, an indication of whether it is a commercial or personal certificate, and the date when the certificate expires. This information enables users to make a more informed decision before continuing with the download.

The software publisher digitally signs software (including .exe, .dll, .ocx, and .cab files) when it is ready for publication. Software publishers that obtain a code-signing certificate from a CA can use Authenticode signing tools to digitally sign their files for distribution over the Web. Authenticode looks for the signatures (or the lack of signatures) in the files that users attempt to download. For more information about how to digitally sign files by using Authenticode signing tools, see "Preparing for the IEAK" in this Resource Kit and the MSDN® Web site at http://msdn.microsoft.com/.

If a piece of software has been digitally signed, Internet Explorer can verify that the software originated with the named software publisher and that no one has tampered with it. If you enable this feature, Internet Explorer displays a verification certificate if the software meets these criteria. A valid digital signature, though, does not necessarily mean that the software is without problems. It just means that the software originated with a traceable source and that the software has not been modified since it was published. Likewise, an invalid signature does not prove that the software is dangerous, but just alerts the user to potential problems. When a digital signature fails the verification process, Internet Explorer reports the failure, indicates why the signature is invalid, and prompts the user to choose whether to proceed with the download.

You can configure Internet Explorer to handle software in different ways, depending on the status of the digital signature. Software can be unsigned, signed using a valid certificate, or signed using an invalid certificate; the digital signature on the software can itself also be valid or invalid.
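The three cases just described (unsigned, signed and verifiable, signed but failing verification) can be checked for a set of downloaded files. The script below is an added example, not part of the Resource Kit; it uses the Get-AuthenticodeSignature cmdlet of Windows PowerShell, which performs the same Authenticode verification the chapter describes. The download folder is a placeholder path.

```powershell
# Added example, not part of the Resource Kit: classify files in a download
# folder the way the chapter does: unsigned, signed with a valid certificate and
# signature, or signed but failing verification.
# Assumes Windows PowerShell with Get-AuthenticodeSignature; the folder is a placeholder.
function Get-SignatureReport {
    param([string]$Folder = "$env:USERPROFILE\Downloads")   # placeholder location

    Get-ChildItem -Path $Folder -File -Include *.exe, *.dll, *.ocx, *.cab -Recurse |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

            # Map the cmdlet's SignatureStatus onto the cases the chapter describes.
            $class = switch ($sig.Status) {
                'NotSigned'    { 'Unsigned' }
                'Valid'        { 'Signed, valid' }
                'HashMismatch' { 'Signed, file modified after signing' }
                'NotTrusted'   { 'Signed, publisher certificate not trusted' }
                default        { "Signed, invalid ($($sig.Status))" }
            }

            [pscustomobject]@{
                File        = $_.Name
                Status      = $class
                Signer      = $signer
                # A countersigned time stamp keeps the signature valid after the signing certificate expires.
                TimeStamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

Get-SignatureReport | Sort-Object Status | Format-Table -AutoSize
```

As the chapter notes, "Signed, valid" only establishes who published the file and that it has not changed since; it says nothing about whether the software is well behaved. HashMismatch is the status to investigate first, because it means the file's contents no longer match what the publisher signed.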

For each available security zone, users can choose an appropriate set of ActiveX security preferences. These preferences control whether users are prompted or blocked from downloading or running controls for sites that are hosted within the zone. Also, Internet Explorer maintains a list of controls that will never load within the browser and a list of administrator-approved controls.

How you configure Internet Explorer to respond to certificates depends on various factors, such as the level of trust you have in the security zone where the content originated. If you are deploying Internet Explorer in an organization, you might also want to consider the level of trust that you have for the intended user group and the users' level of technical expertise. You might, for example, trust unsigned software from your intranet, but not trust unsigned software from the Internet. In that case, you would configure Internet Explorer to automatically download and run unsigned active content from the intranet without users' intervention and prevent the download of unsigned active content from the Internet. For more information about setting up security zones, see "Security Zones" in this Resource Kit.

Secure Client and Server Communication

Certificates can be used for secure communication and user authentication between clients and servers on the Web. Certificates enable clients to establish a server's identity, because the server presents a server authentication certificate that discloses its source. If you connect securely to a Web site that has a server certificate issued by a trusted authority, you can be confident that the data you securely transmitted is usable only by the person or organization identified by the certificate. Similarly, certificates enable servers to establish a client's identity. When you connect to a Web site, the server can be assured about your identity if it receives your client certificate.

The following sections describe security technologies that ensure secure communication between clients and servers.

Secure Channels

The exchange of certificates between clients and servers is performed by using a secure transmission protocol, such as SSL or TLS. SSL 2.0 supports only server authentication. SSL 3.0 and TLS 1.0 support both client and server authentication. Secure transmission protocols can provide the following four basic security services:

  • Client authentication. Verifies the identity of the client through the exchange and validation of certificates. 

  • Server authentication. Verifies the identity of the server through the exchange and validation of certificates. 

  • Communication privacy. Encrypts information that is exchanged on a secure channel between clients and servers. 

  • Communication integrity. Ensures the integrity of the contents of messages that are exchanged between clients and servers, by ensuring that messages have not been altered during transmission. 

Note Encrypting all traffic over secure channels can put a heavy load on clients and servers. Therefore, secure channel encryption is typically used only for the transfer of small amounts of sensitive information, such as personal financial data and user authentication information.

You can change the set of protocols that are enabled for client and server authentication on the Advanced tab in the Internet Options dialog box. For more information, see "Using Digital Certificates" later in this chapter.

Server Gated Cryptography

For environments that require the highest-possible level of security, such as online banking, you can implement Server Gated Cryptography (SGC) to provide stronger encryption for communication between clients and servers. SGC enables a 128-bit server with an SGC certificate to communicate securely with all versions of Internet Explorer by using 128-bit SSL encryption. For example, SGC enables financial institutions with Internet servers based on Microsoft® Windows NT® to use 128-bit SSL encryption for secure financial transactions.

Note 128-bit SSL encryption is broadly available both in the United States and internationally. Internet Explorer 6 ships with 128-bit SSL encryption as the default encryption setting.

The key benefits of SGC include the following:

  • Banks and financial institutions can securely conduct financial transactions with their retail customers worldwide without requiring those customers to change their standard Web browser or financial software. 

  • Online banking does not require any special client software. For example, customers can use all standard, off-the-shelf, exportable versions of Internet Explorer to connect to an SGC server and conduct secure transactions by using 128-bit encryption. 

  • SGC is fully interoperable with Netscape browsers and servers. Therefore, Internet Explorer users can communicate with Netscape servers by using 128-bit encryption. 

CryptoAPI 2.0

CryptoAPI 2.0 provides the underlying security services for certificate management, secure channels, and code signing and verification (Authenticode technology). Using CryptoAPI, developers can easily integrate strong cryptography into their applications. Cryptographic Service Provider (CSP) modules interface with CryptoAPI and perform several functions, including key generation and exchange, data encryption and decryption, hashing, creation of digital signatures, and signature verification. CryptoAPI is included as a core component of the latest versions of Microsoft® Windows®. Internet Explorer automatically provides this support for earlier versions of Windows.

Integrated Windows Authentication

Integrated Windows Authentication is a secure authentication method that authenticates the client through a cryptographic exchange between the client and the server, rather than by transmitting a user name and a password. This mutual exchange authenticates the client before a secure connection is established.

Integrated Windows Authentication also provides data integrity and privacy services, which ensure that an unsecured party cannot read or modify transmitted data. These services are based on secret key encryption, which is used to encrypt and decrypt the data. This authentication method is particularly useful for transactions between clients and servers on open networks where they are not physically secure.

To enable this authentication method, in the Internet Options dialog box, click the Advanced tab, and then select the Enable Integrated Windows Authentication check box. For more information about enabling advanced security options, see "Using Digital Certificates" later in this chapter.

Server Certificate Revocation

Internet Explorer 6 includes support for server certificate revocation, which verifies that an issuing CA has not revoked a server certificate. When a server certificate carries extensions that point to revocation information, Internet Explorer uses CryptoAPI to check that information. If the URL for the revocation information is unresponsive, Internet Explorer cancels the connection.

Note Microsoft® Outlook® Express also includes certificate revocation, which is controlled through a separate option within the e-mail program.

To enable server certificate revocation, in the Internet Options dialog box, click the Advanced tab, and then select the Check for server certificate revocation check box. For more information about enabling advanced security options, see "Using Digital Certificates" later in this chapter.

Publisher's Certificate Revocation

Internet Explorer 6 includes support for publisher's certificate revocation, which verifies that an issuing CA has not revoked a publisher's certificate. To enable publisher's certificate revocation, in the Internet Options dialog box, click the Advanced tab, and then select the Check for publisher's certificate revocation check box. For more information about enabling advanced security options, see "Using Digital Certificates" later in this chapter.
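The server and publisher revocation checks described in the two preceding sections are chain-validation steps: the browser follows the revocation information in each certificate's extensions and refuses the connection when that information cannot be retrieved. The following script is an added example, not part of the Resource Kit; it performs the same kind of check with the .NET X509Chain class from Windows PowerShell and applies the chapter's fail-closed rule, treating an unreachable revocation source as a failure. The Other People store used as input is a placeholder; any certificate object works.

```powershell
# Added example, not part of the Resource Kit: build a certificate chain with
# online revocation checking and treat an unreachable CRL or OCSP source as a
# failure, which is the behaviour the chapter describes for Internet Explorer.
# Assumes the .NET X509Chain class; the input certificates are a placeholder choice.
function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built = $chain.Build($Cert)

    # Each ChainStatus entry names one problem found somewhere in the chain.
    $flags = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }

    $revoked = $flags -contains 'Revoked'
    # OfflineRevocation and RevocationStatusUnknown mean the revocation source could not
    # be consulted. Fail closed: an unknown status is not an acceptable status.
    $unknown = ($flags -contains 'OfflineRevocation') -or ($flags -contains 'RevocationStatusUnknown')

    [pscustomobject]@{
        Subject           = $Cert.Subject
        ChainBuilt        = $built
        Revoked           = $revoked
        RevocationUnknown = $unknown
        Accept            = $built -and -not $revoked -and -not $unknown
        Details           = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# Placeholder input: check every certificate in the current user's Other People store.
Get-ChildItem -Path Cert:\CurrentUser\AddressBook |
    ForEach-Object { Test-CertificateRevocation -Cert $_ } |
    Format-Table Subject, Accept, Revoked, RevocationUnknown -AutoSize
```

The Accept column is false in three distinct situations that are worth telling apart when troubleshooting: the chain could not be built at all (an untrusted or expired issuer), a certificate in the chain is revoked, or the revocation source timed out. The Details column carries the status text for each.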

Using Digital Certificates

You can install certificates and configure certificate settings for Internet Explorer by using the following methods:

  • Within the browser, you can use the Internet Explorer Certificate Manager to install certificates. You can also configure advanced security options for certificates on the Advanced tab in the Internet Options dialog box. 

  • You can use the Internet Explorer Customization Wizard to create custom packages of Internet Explorer that include preconfigured lists of trusted certificates, publishers, and CAs for your user groups. If you are a corporate administrator, you can also lock down these settings to prevent users from changing them. 

  • After deploying the browser, you can use the IEAK Profile Manager to manage certificate settings through the automatic browser configuration feature of Internet Explorer. You can automatically push the updated information to each user's desktop computer, enabling you to manage security policy dynamically across all computers on the network. 

The options for configuring certificates are the same whether you gain access to them from Internet Explorer 6, the Internet Explorer Customization Wizard, or the IEAK Profile Manager. For more information about using the Internet Explorer Customization Wizard and the IEAK Profile Manager, see "Running the Microsoft Internet Explorer Customization Wizard" and "Keeping Programs Updated" in this Resource Kit.

Note Outlook Express also includes certificates, called digital IDs, which can be configured separately within the e-mail program.

Installing and Removing Trusted Certificates

The Internet Explorer Certificate Manager enables you to install and remove trusted certificates for clients and CAs. Many CAs have their root certificates already installed in Internet Explorer. You can select any of these installed certificates as trusted CAs for client authentication, secure e-mail, or other certificate purposes, such as code signing and time stamping. If a CA does not have its root certificate in Internet Explorer, you can import it. Each CA's Web site contains instructions that describe how to obtain the root certificate. You might also want to install client certificates, which are used to authenticate users' computers as clients for secure Web communications.

To install or remove clients and CAs from the list of trusted certificates

  1. On the Tools menu, click Internet Options, and then click the Content tab. 

  2. Click Certificates. 

  3. Click one of the following tabbed categories for the type of certificates you want to install or remove:

    • Personal. Certificates in the Personal category have an associated private key. Information signed by using a personal certificate is signed with that user's private key. By default, Internet Explorer places all certificates that will identify the user (with a private key) in the Personal category. 

    • Other People. Certificates in the Other People category use public key cryptography to authenticate identity: information signed with the matching private key can be verified with the public key in the certificate. By default, this category includes all certificates that are not in the Personal category (the user does not have a private key) and are not from CAs. 

    • Intermediate Certification Authorities. This category contains all certificates for CAs that are not root certificates. 

    • Trusted Root Certification Authorities. This category includes only self-signed certificates in the root store. When a CA's root certificate is listed in this category, you are trusting content from sites, people, and publishers with credentials issued by the CA. 

    • Trusted Publishers. This category contains only certificates from trusted publishers whose content can be downloaded without user intervention, unless downloading active content is disabled in the settings for a specific security zone. Downloading active content is not enabled by default. For each available security zone, users can choose an appropriate set of ActiveX security preferences. 

      The following illustration shows the Certificate Manager with the Intermediate Certification Authorities category selected. 

      [Illustration: the Certificate Manager with the Intermediate Certification Authorities category selected]

  4. In the Intended Purpose box, select the filter for the types of certificates that you want to be displayed in the list. 

  5. Work with particular certificates through one of the following methods:

    • To add other certificates to the list, click Import. The Certificate Manager Import Wizard steps you through the process of adding a certificate. 

    • To export certificates from the list, click Export. The Certificate Manager Export Wizard steps you through the process of exporting a certificate. 

    • To specify the default drag-and-drop export file format (when the user drags a certificate from the Certificate Manager and drops it into a folder), click Advanced. 

      [Illustration: the export options reached by clicking Advanced]

    • To delete an existing certificate from the list of trusted certificates, click Remove. 

    • To display the properties for a selected certificate, including the issuer of the certificate and its valid dates, click View. 
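The five Certificate Manager categories in step 3 correspond to Windows certificate stores, so the same trust list can be reviewed from the command line. The script below is an added example, not part of the Resource Kit; it uses the PowerShell Cert: drive (later tooling than Internet Explorer 6) and the standard Windows store names (My, AddressBook, CA, Root, TrustedPublisher). It reports the conditions an administrator reviewing the list would want flagged: expired entries, entries in the Trusted Root category that are not self-signed, and Personal entries without a private key.

```powershell
# Added example, not part of the Resource Kit: audit the certificate stores behind
# the five Certificate Manager categories.
# Assumes the PowerShell Cert: drive; store names are the standard Windows ones.
$Categories = [ordered]@{
    'Personal'                               = 'My'
    'Other People'                           = 'AddressBook'
    'Intermediate Certification Authorities' = 'CA'
    'Trusted Root Certification Authorities' = 'Root'
    'Trusted Publishers'                     = 'TrustedPublisher'
}

function Get-TrustStoreAudit {
    param([string]$Location = 'CurrentUser')   # or 'LocalMachine' for computer-wide stores

    foreach ($entry in $Categories.GetEnumerator()) {
        $path  = "Cert:\$Location\$($entry.Value)"
        $certs = @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue)

        foreach ($c in $certs) {
            $selfSigned = ($c.Subject -eq $c.Issuer)
            $issues = @()
            if ($c.NotAfter -lt (Get-Date)) { $issues += 'expired' }
            # Only self-signed certificates belong in the root store.
            if ($entry.Value -eq 'Root' -and -not $selfSigned) { $issues += 'root entry not self-signed' }
            # Personal certificates are meant to identify the user, which needs the private key.
            if ($entry.Value -eq 'My' -and -not $c.HasPrivateKey) { $issues += 'no private key' }

            [pscustomobject]@{
                Category   = $entry.Key
                Store      = $entry.Value
                Subject    = $c.Subject
                Expires    = $c.NotAfter
                SelfSigned = $selfSigned
                Issues     = ($issues -join ', ')
            }
        }
    }
}

# List the entries that need attention first; drop the Where-Object to see everything.
Get-TrustStoreAudit | Where-Object { $_.Issues } | Format-Table Category, Subject, Expires, Issues -AutoSize
```

Every entry in the Trusted Root Certification Authorities and Trusted Publishers stores extends trust to whatever that issuer or publisher signs, so those two lists are the ones to review against the organization's intended trust list when the audit output is checked.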

Adding Trusted Publishers

To designate a trusted publisher for Internet Explorer, use the Security Warning dialog box that appears when you attempt to download software from that publisher. Active content that is digitally signed by trusted publishers with a valid certificate will download without user intervention, unless you have disabled the downloading of active content in the settings for a specific security zone. Downloading active content is not enabled by default. For each available security zone, users can choose an appropriate set of ActiveX security preferences.

To add a trusted publisher

  1. Use Internet Explorer to download signed active content from the publisher. 

  2. When the Security Warning dialog box appears, select the Always trust content from trusted publisher check box. 

    [Illustration: the Security Warning dialog box]

  3. To download the software and control and add the publisher to the list of trusted publishers, click Yes. 

Configuring Advanced Security Options for Certificate and Authentication Features

You can easily configure options for certificate and authentication features that your users might need.

To configure advanced security options for certificates

  1. On the Tools menu, click Internet Options, and then click the Advanced tab. 

  2. In the Security area, review the selected options. 

  3. Depending on the needs of your organization and its users, select or clear the appropriate check boxes. 

    For example, to enable SSL 3.0, select the Use SSL 3.0 check box. 

    [Illustration: the Advanced tab of the Internet Options dialog box]

For information about security options for user privacy features, see "Users' Privacy" in this Resource Kit.

© 2014 Microsoft