Certificate Support and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2

Applies To: Windows 7, Windows Server 2008 R2

In this section

Benefits and purposes of certificate functionality

Overview: Using AD CS features in a managed environment

How Update Root Certificates communicates with Internet sites

Controlling the Update Root Certificates feature to prevent the flow of information to and from the Internet

Procedures for viewing or changing Group Policy settings that affect certificates in Windows 7 and Windows Server 2008 R2

Additional references

This section describes how certificate-related services in Windows® 7 and Windows Server® 2008 R2 communicate across the Internet, and it explains steps to take to limit, control, or prevent that communication in an organization with many users.

Benefits and purposes of certificate functionality

Certificates and public key infrastructures (PKIs) are an important means of enhancing the security of communication on open networks such as the Internet, extranets, and intranets. Certificates serve as digitally-signed statements that bind the value of a public key to the person, device, or service that holds the corresponding private key. With certificates, host computers on the Internet establish trust in a certification authority (CA) that certifies individuals and resources that hold private keys. Trust in a PKI is hierarchical and ultimately based on a root certificate, that is, a certificate from a CA at the top of a public key hierarchy that establishes a well-defined level of integrity and security for the hierarchy.

For example, a certificate might be used when a user:

  • Uses a smart card to log onto a computer or network.

  • Evaluates and accepts a certificate as part of installing software.

  • Encrypts an e-mail message so that only intended recipients can view it.

  • Digitally signs a document to verify the identity of the signer.

When learning about PKIs, it is important to learn how certificates are issued and validated and how they expire or are revoked (if they need to be invalidated before they expire). This can help you understand the importance of up-to-date certificate revocation information, which can be crucial when an application is seeking to verify that a particular certificate is currently considered trustworthy. Certificate revocation information can be managed and distributed in the form of certificate revocation lists (CRLs), and through Online Responders that are based on the Online Certificate Status Protocol (OCSP). Applications that are presented with a certificate might contact a site on an intranet or the Internet not only for information about CAs, but also for certificate revocation information.

In an organization where servers run the Windows Server 2008 R2 operating system, you have a variety of options in the way certificates and certification revocation are handled. For more information about these options, see Additional references later in this section.

In the Group Policy settings for Windows Server 2008 R2, you can control public key policies more specifically than in previous Windows operating systems. For more information, see Procedures for viewing or changing Group Policy settings that affect certificates in Windows 7 and Windows Server 2008 R2 later in this section.

The Update Root Certificates feature in Windows 7 and Windows Server 2008 R2

The Update Root Certificates feature in Windows 7 and Windows Server 2008 R2 is designed to automatically check the list of trusted authorities on the Windows Update Web site when this check is needed by an application on the server. If the application is presented with a certificate issued by a certification authority in a PKI that is not directly trusted, the Update Root Certificates feature (if it is not turned off) contacts the Windows Update Web site to see if Microsoft® has added the certificate of the root CA to its list of trusted root certificates. If the CA is on the list, its certificate is automatically added to the set of trusted root certificates on the server.

The Update Root Certificates feature can be turned off in Windows 7 and Windows Server 2008 R2 by using Group Policy. For more information, see Procedures for viewing or changing Group Policy settings that affect certificates in Windows 7 and Windows Server 2008 R2 later in this section.

Overview: Using AD CS features in a managed environment

In an organization where servers run the Windows Server 2008 R2 operating system, you have a variety of options for handling certificates. For example, you can use the role services in Active Directory® Certificate Services (AD CS) to establish a trusted public key infrastructure with one or more CAs inside your organization. Another AD CS role service that can enhance the flexibility and manageability of a PKI is the AD CS Online Responder service, which can respond to individual client requests for information about whether certificates have been revoked.

Two AD CS role services were introduced in Windows Server 2008 R2: the Certificate Enrollment Policy Web Service and the Certificate Enrollment Web Service. They enable certificate policy retrieval and certificate enrollment over HTTPS to give you sophisticated control over certificate enrollment and enrollment-related Internet communications. For more information, see Certificate Enrollment Web Services in Windows Server 2008 R2.

When implementing public key infrastructure, we recommend that you also learn about Group Policy settings that apply to certificates. For more information about Group Policy and the role services that are available in the AD CS server role, see Additional references later in this section.

When you configure a CA inside your organization, the certificates it issues can specify a location of your choice for retrieval of additional evidence for validation. That location can be a Web server or a directory within your organization. Because it is beyond the scope of this document to provide full details about working with CAs, root certificates, certificate revocation, and other aspects of PKIs, the following list provides conceptual information about certificates, and Additional references later in this section provides a list of links.

Some of the concepts to study when learning about certificates include:

  • Certificates and the X.509 V3 standard (the most widely used standard for defining digital certificates), and the public key infrastructure for X.509 (PKIX).

  • Standard protocols that relate to certificates, for example, Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Secure Multipurpose Internet Mail Extensions (S/MIME).

  • Encryption keys and how they are generated.

  • Certification authorities, including the concept of a certification authority hierarchy and the concept of an offline root certification authority.

  • Certificate revocation.

In a medium to large organization, for the greatest control of Internet communication, you can manage the list of CAs by using Group Policy to turn off the Update Root Certificates feature on Windows 7 and Windows Server 2008 R2 and to configure public key policies.

How Update Root Certificates communicates with Internet sites

This subsection focuses on how the Update Root Certificates feature communicates with Internet sites.

If the Update Root Certificates feature has not been turned off through Group Policy, and the application on your server is presented with a certificate issued by a root CA that is not directly trusted, the Update Root Certificates feature communicates across the Internet as follows:

  • Specific information sent or received: The Update Root Certificates feature sends a request to the Windows Update Web site, asking for the current list of root CAs in the Microsoft Root Certificate Program. If the root CA that is not directly trusted is on the list, Update Root Certificates obtains the certificate for that root CA and places it in the trusted certificate store on the server. No authentication or unique identification of the administrator or user is used in this exchange.

  • Default setting and ability to disable: Update Root Certificates is turned on by default in Windows 7 and Windows Server 2008 R2. You can turn off this feature by using Group Policy. For more information, see Procedures for viewing or changing Group Policy settings that affect certificates in Windows 7 and Windows Server 2008 R2 later in this section.

  • Trigger and user notification: Update Root Certificates is triggered when the administrator or user at the computer is presented with a certificate issued by a root CA that is not directly trusted. There is no user notification.

  • Logging: Events are logged in Event Viewer. To locate the events, expand Windows Logs, click Application, and look for events whose Source is CAPI2. Events containing information such as the following are logged:

    For Event ID 4100:

    Description: Successful auto update retrieval of a non-Microsoft root list sequence number from: URL_for_Windows_Update_Web_Site

    For Event ID 4101:

    Description: Failed auto update retrieval of a non-Microsoft root list sequence number from: URL_for_Windows_Update_Web_Site with error: hexadecimal_error_value

  • Encryption, privacy, and storage: When requests or certificates are sent to or from Update Root Certificates, no encryption is used. Microsoft does not track access to the list of trusted CAs that it maintains on the Windows Update Web site.

  • Transmission protocol and port: The transmission protocol is HTTP and the port is 80.
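The CAPI2 events listed above are the only on-host record of this exchange, so they are what a defender reviews to learn whether the feature is still reaching Windows Update. The following script is an added example, not part of the original article: it collects events 4100 and 4101 and pulls the URL and error value out of the message text. It assumes the provider is registered as Microsoft-Windows-CAPI2 and that the message wording matches the descriptions quoted above.

```powershell
# Added example, not part of the original article: summarize Update Root Certificates
# activity from the CAPI2 events the article describes (IDs 4100 and 4101 in the
# Application log). Assumptions: the provider is registered as 'Microsoft-Windows-CAPI2'
# and the message text follows the wording quoted in the article.
param(
    [int]$Days = 30,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 4100, 4101
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent reports "no events found" as an error; treat that as an empty result.
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

$summary = foreach ($e in $events) {
    # Pull the Windows Update URL and, for 4101, the hexadecimal error out of the text.
    $url     = if ($e.Message -match 'from:\s*(\S+)') { $Matches[1] } else { $null }
    $errCode = if ($e.Message -match 'with error:\s*(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Outcome = if ($e.Id -eq 4100) { 'Success' } else { 'Failure' }
        Url     = $url
        Error   = $errCode
    }
}

# Any 4100 event means a root list was fetched from Windows Update over plain HTTP,
# so the feature is still active on this host. Repeated 4101 failures on a host that
# should have the feature turned off usually mean the Group Policy setting has not
# applied and the request is being blocked at the network boundary instead.
$summary | Sort-Object Time -Descending | Format-Table -AutoSize
$summary | Group-Object Outcome | Select-Object Name, Count
```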

Controlling the Update Root Certificates feature to prevent the flow of information to and from the Internet

If you want to prevent the Update Root Certificates feature in Windows 7 and Windows Server 2008 R2 from communicating automatically with the Windows Update Web site, you can turn off this feature by using Group Policy. For more information, see To turn off the Update Root Certificates feature by using Group Policy later in this section.

How turning off Update Root Certificates on a computer can affect users and applications

If the user at the server is presented with a certificate issued by a root CA that is not directly trusted, and the Update Root Certificates feature is turned off through Group Policy, the user can be prevented from completing the action that required authentication. For example, the user can be prevented from installing software, viewing an encrypted or digitally-signed e-mail message, or using a browser to engage in an SSL session.
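Before applying the policy, it is worth knowing which certificates your users rely on would stop validating. The following script is an added example, not part of the original article: it builds the chain for an exported certificate and reports whether its root is already in the local machine Trusted Root Certification Authorities store. The file path is a placeholder, and revocation checking is skipped so the result reflects root trust only.

```powershell
# Added example, not part of the original article: before turning off Update Root
# Certificates, check whether a certificate your users depend on already chains to a
# root in this machine's Trusted Root Certification Authorities store. The file path
# is a placeholder; export the certificate from the application or site in question.
param(
    [string]$CertPath = 'C:\Temp\example-server.cer'   # placeholder path
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Skip revocation checking so the result reflects trust in the root, not whether a CRL
# or OCSP responder is reachable from this host.
$chain.ChainPolicy.RevocationMode = 'NoCheck'

# Note: on a host where the feature is still on, building the chain can itself trigger
# the Windows Update lookup described above, which would then appear as CAPI2 event
# 4100 or 4101. Run this where the policy already applies, or review those events after.
$built = $chain.Build($cert)

$statuses  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
$rootIssue = $statuses -match 'UntrustedRoot|PartialChain'
$root      = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$trustedLocally = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint })

[pscustomobject]@{
    Subject                   = $cert.Subject
    ChainBuilt                = $built
    RootSubject               = $root.Subject
    RootThumbprint            = $root.Thumbprint
    RootInLocalRoot           = $trustedLocally
    # Without Update Root Certificates, an untrusted or missing root is never fetched
    # automatically, so the user action that depends on this certificate fails.
    WillFailWithoutAutoUpdate = [bool]$rootIssue
    ChainStatus               = ($statuses -join ', ')
}
```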

Procedures for viewing or changing Group Policy settings that affect certificates in Windows 7 and Windows Server 2008 R2

The procedures in this section describe:

  • How to use Group Policy to turn off the Update Root Certificates feature for computers running Windows 7 and Windows Server 2008 R2.

  • How to view Group Policy for controlling public key policies for computers running Windows 7 and Windows Server 2008 R2.

To turn off the Update Root Certificates feature by using Group Policy

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate Group Policy object (GPO).

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.

  3. In the details pane, double-click Turn off Automatic Root Certificates Update, and then click Enabled.

Important

You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication Group Policy setting. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, click Internet Communication settings, and then select the Restrict Internet communication Group Policy setting.

For more information about this Group Policy setting and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows 7 and Windows Server 2008 R2.

To view Group Policy for controlling public key policies for Windows 7 and Windows Server 2008 R2

  1. For information about using Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2. Using an account with domain administrative credentials, log on to a computer that is running Windows Server 2008 R2 (with the Group Policy Management feature installed) or Windows 7. Then open Group Policy Management Console (GPMC) by running gpmc.msc and edit an appropriate Group Policy object (GPO).

  2. Expand Computer Configuration, expand Policies (if present), expand Windows Settings, expand Security Settings, and then click Public Key Policies.

  3. View the settings that are available.

  4. Expand User Configuration, expand Policies (if present), expand Windows Settings, expand Security Settings, and then click Public Key Policies.

  5. View the settings that are available.

For more information, see AD CS: Policy Settings.

Additional references

The following list of resources on the Microsoft TechNet Web site can help you as you plan or modify your implementation of certificates and public key infrastructure:

For information about Active Directory Federation Services (AD FS) or Active Directory Rights Management Services (AD RMS), see Active Directory-Related Services and Resulting Internet Communication in Windows Server 2008 R2 in this document.