Client Certificates Overview

Published: February 2012

Updated: February 2012

Applies To: Windows Server 2012

A public key certificate (usually called a certificate) is a digitally signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. One of the main benefits of certificates is that hosts no longer have to maintain a set of passwords for individual subjects who need to be authenticated as a prerequisite to access. Instead, the host merely establishes trust in a certificate issuer.

This technical overview for the IT professional provides a description of certificates and can help you decide if you can benefit from deploying this feature.


Most certificates in common use are based on the X.509 v3 certificate standard. Typically, certificates contain the following information:

  • The subject's public key value.

  • The subject's identifier information, such as the name and email address.

  • The validity period (the length of time that the certificate is considered valid).

  • Issuer identifier information.

  • The digital signature of the issuer, which attests to the validity of the binding between the subject's public key and the subject's identifier information.

A certificate is valid only for the period of time specified within it. Every certificate contains Valid From and Valid To dates, which set the boundaries of the validity period. When a certificate's validity period has passed, a new certificate must be requested by the subject of the expired certificate.

Certificates form the basis for secure communication and client and server authentication on the web. You can use certificates to do the following:

  • Verify the identity of clients and servers on the Internet or on a corporate network.

  • Encrypt channels to provide secure communication between clients and servers.

  • Encrypt messages for secure communication.

  • Verify the sender's identity in a particular message.

  • Put your digital signature on executable code that users can download.

  • Verify the source and integrity of signed executable code that users can download.

The following features were added to the Certificates feature in Windows Server 2012:

  • Group-protected PKCS#12 standard (PFX) format

  • Certificate life cycle notifications

Previously, a PKCS#12 standard (also known as PFX) format file could only be protected by a password, which had the following limitations:

  • Difficult to automate

  • Not very secure, because an administrator would usually choose a weak password

  • Difficult to share among multiple users

Windows Server 2012 protects certificates and their associated private keys by combining the existing PFX format with a new data protection feature. This allows the contents of the PFX file to be encrypted with a key that belongs to a group or to an individual, instead of protecting it with a password.

To implement this feature, at least one domain controller must be running Windows Server 2012.

What value does this change add?

By using this feature, administrators will be able to:

  • Deploy, manage, and troubleshoot certificates remotely and across server farms by using Windows PowerShell.

  • Share certificates and keys securely across server farms running Windows Server 2012 by using Windows APIs.

Earlier versions of Windows can still consume such a PFX, because internally the operating system assigns a strong random password. That password is included in the PFX and is itself protected to a set of security identifiers (SIDs) by the data protection APIs. Any user who has access to the PFX can retrieve that password and use it to share the PFX with earlier Windows versions.
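The group-protected export described above, as an added example that is not part of the original page: the PFX is protected to an Active Directory group with the PKI module's `Export-PfxCertificate -ProtectTo`, so no password is handled by the script, and a member of that group imports it on another farm member. The thumbprint, group name, share path and server name are placeholders.

```powershell
# Added example (not from the original page). Export a certificate and its private key from
# the local machine MY store into a PFX that is protected to an AD group rather than a
# password, then import it on another Windows Server 2012 farm member.
Import-Module PKI

$thumbprint = 'PLACEHOLDER_THUMBPRINT'          # assumption: thumbprint of the certificate to share
$group      = 'CONTOSO\WebFarmAdmins'           # assumption: AD group whose members may open the PFX
$pfxPath    = '\\fileserver\certshare\webapp.pfx'  # assumption: share reachable by every farm member

$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert)               { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key to export" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumbprint has already expired" }

# -ProtectTo replaces -Password: the PFX contents are encrypted to the group's SID with the
# Windows data protection APIs, so only members of $group (on Windows Server 2012 or later)
# can open it. -ChainOption BuildChain includes the issuing CA chain so the importing host
# can validate the certificate without a separate chain deployment.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -ProtectTo $group -ChainOption BuildChain

# On a second farm member, run as a member of $group, the import needs no password at all.
# (Shown via remoting for illustration; if the share requires a second hop of credentials,
# copy the file locally first or run the import directly on that host.)
Invoke-Command -ComputerName 'web02' -ScriptBlock {
    param($path)
    Import-PfxCertificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\My -Exportable:$false
} -ArgumentList $pfxPath
```

The pre-export checks matter in practice: exporting an expired certificate, or one whose private key is not present on this host, silently produces a PFX the farm cannot use. Importing with `-Exportable:$false` keeps the private key from being re-exported from the receiving host.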

In Windows Server 2012, certificates in the MY store provide life cycle notifications at the certificate enrollment API and Windows PowerShell levels. The notifications cover expiration, deletion, new certificates, renewal, replacement, close-to-expiration, archiving, and export. Administrators and developers can manage (view, install, copy, request, and delete) certificates and their associated private keys remotely by using Windows PowerShell. This feature also allows a script or an executable to be launched in response to a certificate life cycle notification.

The expiration notification is also supported for stores other than the MY store.
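One way to launch a script in response to a life cycle notification, as an added example that is not part of the original page: a scheduled task subscribes to the machine life cycle event channel and runs a script that rebinds the HTTPS listener to the newest valid certificate for the site's subject. The channel and provider names are the ones Windows uses for the machine store; the site subject, port, application ID and script path are assumptions, and the task reacts to every event in the channel rather than to a specific event ID.

```powershell
# Added example (not from the original page). Register a scheduled task that fires on any
# certificate life cycle event for the machine MY store and runs a script that rebinds
# HTTP.SYS to the newest unexpired certificate for a given subject.
$logName    = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
$provider   = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System'
$scriptPath = 'C:\Scripts\Rebind-WebCert.ps1'   # assumption: where the action script is kept

# 1. The action script. On renewal or replacement, autoenrollment puts a new certificate
#    in the store; this picks the newest valid one for the site and rebinds only if needed.
$actionScript = @'
$subject = 'CN=www.contoso.com'                          # assumption: subject of the site certificate
$ipport  = '0.0.0.0:443'                                 # assumption: HTTPS listener to rebind
$appId   = '{00000000-0000-0000-0000-000000000000}'      # placeholder: app id of the consuming service

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { exit 1 }   # nothing valid to bind; leave the current binding alone

# Read the currently bound hash; netsh prints it as "Certificate Hash : <hex>".
$hashLine = netsh http show sslcert ipport=$ipport | Select-String 'Certificate Hash' | Select-Object -First 1
$current  = if ($hashLine) { ($hashLine.Line -replace '.*:\s*', '').Trim() } else { '' }

if ($current -ne $cert.Thumbprint) {        # -ne is case-insensitive, so hex case does not matter
    if ($current) { netsh http delete sslcert ipport=$ipport | Out-Null }
    netsh http add sslcert ipport=$ipport certhash=$($cert.Thumbprint) appid=$appId | Out-Null
}
'@
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
Set-Content -Path $scriptPath -Value $actionScript

# 2. Event trigger. New-ScheduledTaskTrigger has no event-trigger form, so build the
#    MSFT_TaskEventTrigger CIM instance and give it an XPath subscription for the channel.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = @"
<QueryList><Query Id="0" Path="$logName">
  <Select Path="$logName">*[System[Provider[@Name='$provider']]]</Select>
</Query></QueryList>
"@

# 3. Run the script as SYSTEM, which can read machine private keys and change HTTP.SYS bindings.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Rebind-WebCert-OnLifecycleEvent' `
    -Trigger $trigger -Action $action -Principal $principal -Force | Out-Null
```

The script compares the bound hash with the chosen thumbprint before touching the binding, so an unrelated event (an export or a deletion of some other certificate) does not cause a needless rebind. Because the task runs as SYSTEM, the script file's ACL should allow writes only to administrators; otherwise the life cycle trigger becomes a way for a lower-privileged writer to run code as SYSTEM.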

What value does this change add?

For application and server-workload developers who use certificates in their product, integrating with the certificate life cycle in Windows Server 2012 is easy and reliable, and it can be done remotely. Developers can build applications that reconfigure themselves whenever a certificate is renewed or replaced with another certificate, whether by autoenrollment or by a manual or scripted action by an administrator. The investment needed to integrate with the certificate management interfaces is very small.

Practical scenario

For an administrator who manages applications that use certificates, Windows Server 2012 certificates are picked up by those applications automatically. This happens either because the applications integrate with Windows Server 2012 certificate notifications or because the administrator's script is triggered by a certificate event.