Certificate Support and Resulting Internet Communication in Windows Vista

In This Section

Benefits and Purposes of Certificate Functionality

Overview: Using Certificate Features in a Managed Environment

How Update Root Certificates Communicates with Sites on the Internet

Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet

Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Vista

Benefits and Purposes of Certificate Functionality

Certificates, and the public key infrastructures (PKIs) used to issue and manage them, support authentication and encrypted exchange of information on open networks such as the Internet, extranets, and intranets. A certificate is a digitally signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. With certificates, host computers on the Internet establish trust in a certification authority (CA) that certifies individuals and resources that hold private keys. Trust in a PKI is ultimately based on a root certificate, that is, a certificate from a CA at the top of a public key hierarchy that establishes a well-defined level of integrity and security for the hierarchy.

Examples of times that a certificate is used are when a user:

  • Uses a browser to engage in a Secure Sockets Layer (SSL) session

  • Accepts a certificate as part of installing software

  • Accepts a certificate when receiving an encrypted or digitally signed e-mail message

When learning about PKI, it is important to learn how certificates are issued and validated as well as how they expire or are revoked (if they need to be invalidated before they expire). This can help you understand the importance of up-to-date certificate revocation information, which can be crucial when a user's application is seeking to verify that a particular certificate is currently (not just formerly) considered trustworthy. Certificate revocation information is often stored in the form of a certificate revocation list, although this is not the only form it can take. Applications that have been presented with a certificate might contact a site on an intranet or the Internet not only for information about certification authorities, but also for certificate revocation information.

In an organization where clients run Windows Vista and servers run Windows Server 2003, you have a variety of options in the way certificates and certificate revocation lists (or other forms of certificate revocation information) are handled. For more information about these options, see the references listed in the next subsection, "Overview: Using Certificate Features in a Managed Environment."

Also note that in Group Policy for Windows Vista, you can control public key policies in more specific ways than was possible with previous Windows operating systems. For more information, see "Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Vista," later in this section.

The Update Root Certificates Feature in Windows Vista

The Update Root Certificates feature in Windows Vista is designed to automatically check the list of trusted authorities on the Windows Update Web site when this check is needed by a user's application. Specifically, if the application is presented with a certificate issued by a certification authority in a PKI that is not directly trusted, the Update Root Certificates feature (if it is not turned off) will contact the Windows Update Web site to see if Microsoft has added the certificate of the root CA to its list of trusted root certificates. If the CA has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the set of trusted root certificates on the user's computer.

The Update Root Certificates feature can be turned off in Windows Vista by using Group Policy. For more information, see "Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Vista," later in this section.

Overview: Using Certificate Features in a Managed Environment

In an organization where clients run Windows Vista and servers run Windows Server 2003, you have a variety of options in the way certificates are handled. For example, you can establish a trusted root authority, also known as a root certification authority, inside your organization. The first step in establishing a trusted root authority is to install the Certificate Services feature. Another step that might be appropriate is to configure the publication of certificate revocation information to Active Directory® Domain Services. When implementing public key infrastructure, we recommend that you also learn about Group Policy as it applies to certificates. Procedures for these steps are provided in the resources listed at the end of this subsection.

When you configure a certification authority inside your organization, the certificates it issues can specify a location of your choice for retrieval of additional evidence for validation. That location can be a Web server or a directory within your organization. Because it is beyond the scope of this white paper to provide full details about working with certification authorities, root certificates, certificate revocation, and other aspects of public key infrastructure, this section provides a list of conceptual information and a list of resources to help you learn about certificates.

Some of the concepts to study when learning about certificates include:

  • Certificates and the X.509 V3 standard (the most widely used standard for defining digital certificates) as well as the public key infrastructure for X.509 (PKIX). PKIX is described in RFC 3280, which you can search for on the Internet Engineering Task Force (IETF) Web site at:

    https://go.microsoft.com/fwlink/?LinkID=29138

    You can also learn about PKIX on the Internet Engineering Task Force (IETF) Web site at:

    https://go.microsoft.com/fwlink/?LinkId=29924

  • Standard protocols that relate to certificates, for example, Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Secure Multipurpose Internet Mail Extensions (S/MIME).

  • Encryption keys and how they are generated.

  • Certification authorities, including the concept of a certification authority hierarchy and the concept of an offline root certification authority.

  • Certificate revocation.

  • Ways that Active Directory Domain Services and Group Policy can work with certificates.

The following list of resources can help you as you plan or modify your implementation of certificates and public key infrastructure:

In a medium to large organization, for the greatest control of communication with the Internet, it is recommended that you manage the list of certification authorities yourself, meaning that you would use Group Policy to turn off the Update Root Certificates feature on Windows Vista and to configure settings related to public key policies.

How Update Root Certificates Communicates with Sites on the Internet

This subsection focuses on how the Update Root Certificates feature communicates with sites on the Internet. The previous subsection, "Overview: Using Certificate Features in a Managed Environment" provides references for the configuration choices that control the way other certificate features communicate with sites on the Internet.

If the Update Root Certificates feature has not been turned off through Group Policy, and the user's application is presented with a certificate issued by a root CA that is not directly trusted, the Update Root Certificates feature communicates across the Internet as follows:

  • Specific information sent or received: The Update Root Certificates feature sends a request to http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en, asking for the current list of root certification authorities in the Microsoft Root Certificate Program. If the root CA that is not directly trusted is named in the list, Update Root Certificates obtains the certificate for that root CA and places it in the trusted certificate store on the user's computer. No user authentication or unique user identification is used in this exchange.

  • Default setting and ability to disable: Update Root Certificates is turned on by default in Windows Vista. You can turn off this feature by using Group Policy.

  • Trigger and user notification: Update Root Certificates is triggered when the user is presented with a certificate issued by a root certification authority that is not directly trusted. There is no user notification.

  • Logging: Events are logged in Event Viewer in Windows Logs\Application with a Source of CAPI2. Events containing information such as the following are logged:

    For Event ID 7:

    Description: Successful auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site

    For Event ID 8:

    Description: Failed auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site with error: hexadecimal_error_value

  • Encryption, privacy, and storage: When requests or certificates are sent to or from Update Root Certificates, no encryption is used. Microsoft does not track access to the list of trusted authorities that it maintains on the Windows Update Web site.

  • Transmission protocol and port: The transmission protocol is HTTP and the port is 80.
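The Logging bullet above describes CAPI2 Event IDs 7 and 8. The following script, an added example that is not part of the original white paper, pulls those two events from the Application log so an administrator can see when Update Root Certificates reached, or failed to reach, the Windows Update Web site on a given computer. It assumes Windows PowerShell with Get-WinEvent, and that the CAPI2 source appears in the event's ProviderName.

```powershell
# Added example: audit CAPI2 auto-update events (ID 7 = success, ID 8 = failure)
# in Windows Logs\Application over the last $days days.
$days = 30

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Id        = 7, 8
    StartTime = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue |
    # Other providers also use IDs 7 and 8; keep only the CAPI2 source
    # (assumed to match '*CAPI2*' in ProviderName).
    Where-Object { $_.ProviderName -like '*CAPI2*' }

$report = foreach ($e in $events) {
    $outcome = if ($e.Id -eq 7) { 'Success' } else { 'Failure' }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Outcome = $outcome
        # The first line of the description carries the URL and, for ID 8,
        # the hexadecimal error value described in the white paper.
        Detail  = ($e.Message -split "`n")[0]
    }
}

# Per-computer summary: how many retrievals succeeded versus failed.
$report | Group-Object Outcome | Select-Object Name, Count
# Full detail, newest first.
$report | Sort-Object Time -Descending | Format-Table Time, EventId, Outcome, Detail -AutoSize
```

Once the feature has been turned off through Group Policy, neither event should appear for new certificate validations; a continuing run of Event ID 8 entries on a proxy-restricted network indicates the feature is still enabled and attempting the HTTP request.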

Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet

If you want to prevent the Update Root Certificates feature in Windows Vista from communicating automatically with the Windows Update Web site, you can turn off this feature by using Group Policy. For more information, see "To Turn Off the Update Root Certificates Feature by Using Group Policy," later in this section.

How Turning Off Update Root Certificates on Users' Computers Can Affect Users and Applications

If the user is presented with a certificate issued by a root certification authority that is not directly trusted, and the Update Root Certificates feature is turned off through Group Policy, the user can be prevented from completing the action that required authentication. For example, the user can be prevented from installing software, viewing an encrypted or digitally signed e-mail message, or using a browser to engage in an SSL session.
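Before turning off the feature, it helps to know which certificates users will encounter that do not already chain to a root in the local store. The following script, an added example that is not part of the original white paper, builds the chain for an exported certificate file against the computer's own stores and reports whether the chain's root is present in the machine-wide Trusted Root store. The certificate path is a placeholder you supply; the X509Chain and Cert: provider calls are standard .NET and PowerShell.

```powershell
# Added example: report whether a certificate already chains to a locally
# trusted root, so you can predict which actions would be blocked once
# Update Root Certificates is turned off.
param(
    # Placeholder: a .cer file exported from the Web server, signed package,
    # or e-mail certificate you expect users to be presented with.
    [Parameter(Mandatory = $true)]
    [string]$CertificatePath
)

Add-Type -AssemblyName System.Security

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Revocation is a separate question from root trust; skipping it here keeps an
# unreachable CRL distribution point from masking a missing root.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$built = $chain.Build($cert)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Is the root that the chain ended at already in the machine-wide store?
$inLocalRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint })

New-Object PSObject -Property @{
    Subject     = $cert.Subject
    ChainBuilt  = $built
    RootSubject = $root.Subject
    RootInStore = $inLocalRoot
    ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

Run this on a computer where the Group Policy setting is already applied, because on a computer where the feature is still on, building the chain can itself trigger the automatic root download and report success for a root that is not yet in the store.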

Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Vista

The procedures in this section describe:

  • How to use Group Policy to turn off the Update Root Certificates feature for computers running Windows Vista.

  • How to view Group Policy for controlling public key policies for computers running Windows Vista.

To Turn Off the Update Root Certificates Feature by Using Group Policy

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate Group Policy object (GPO).

  2. Expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.

  3. In the details pane, double-click Turn off Automatic Root Certificates Update, and then click Enabled.

Important

You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting, which is located in Computer Configuration\Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Vista.

To View Group Policy for Controlling Public Key Policies for Windows Vista

  1. See Appendix B: Resources for Learning About Group Policy for Windows Vista for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Vista, open Group Policy Management Console (GPMC) by running gpmc.msc, and then edit an appropriate GPO.

Note

You must perform this procedure by using GPMC on a computer running Windows Vista (GPMC is included in Windows Vista).

  2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click Public Key Policies.

  3. View the settings that are available.

  4. Expand User Configuration, expand Windows Settings, expand Security Settings, and then click Public Key Policies.

  5. View the settings that are available.

For information about using Group Policy for controlling public key policies, see the TechNet Web site at:

https://go.microsoft.com/fwlink/?LinkId=74584