Certificate Services Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

  • Certificate Services Management Tools

  • Certificate Services Registry Settings

  • Certificate Services Group Policy Settings

Certificate Services Management Tools

The following tools are associated with Certificate Services.

Certreq.exe: Certreq

Category

Certreq ships with the Windows Server 2003 operating system tools and with the Windows Server 2003 Adminpak.

Version Compatibility

Certreq is compatible with Windows Server 2003 and Windows 2000 Server, and can be used to manage the certificate containers for users, computers, and services on computers running Windows 2000, Windows XP, and Windows Server 2003.

Certreq enables you to create, submit, retrieve, and accept certificate requests that are sent to a Windows Server 2003 CA. You can also use Certreq to create and sign cross-certificate requests. Because Certreq is a command-line tool, you can place its command syntax in a batch file to script certificate requests.

To find more information about Certreq, see “Command Line References” in Tools and Settings Collection.

Certutil.exe: Certutil

Category

Certutil is a command-line program that is installed as part of Certificate Services.

Version Compatibility

Certutil can be used on Windows 2000 Server CAs and Windows Server 2003 CAs.

You can use Certutil to extract and display CA configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

To find more information about Certutil, see “Command Line References” in Tools and Settings Collection.
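
The following script is an added example and is not part of the original page or of Microsoft's tooling: it puts the Certreq workflow described above (create, submit, accept) into a script and then uses Certutil to verify the chain and revocation status of the issued certificate, as the Certutil entry describes. The subject name, CA configuration string (server\CA name), template name and working directory are placeholders assumed for the example; it expects PowerShell on a domain-joined Windows host with Certreq and Certutil in the path.

```powershell
# Added example (not from the original page): script the certreq/certutil
# workflow. Subject, CA configuration string and template are assumed
# placeholders; replace them with your own values.
$ErrorActionPreference = 'Stop'

$Subject  = 'CN=web01.contoso.com'                  # assumed subject
$CaConfig = 'ca01.contoso.com\Contoso Issuing CA'   # assumed "<server>\<CA name>"
$Template = 'WebServer'                             # assumed enterprise template
$Work     = Join-Path $env:TEMP 'enroll'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request policy file consumed by "certreq -new". A non-exportable key in
#    the machine store keeps the private key out of any user profile.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path "$Work\request.inf" -Value $inf -Encoding ASCII

# 2. Create the PKCS #10 request and submit it to the CA.
certreq -new "$Work\request.inf" "$Work\request.req"
certreq -submit -config $CaConfig "$Work\request.req" "$Work\cert.cer"

if (-not (Test-Path "$Work\cert.cer")) {
    # No certificate file means the request is pending approval by a
    # certificate manager. certreq printed the RequestId; fetch it later with:
    #   certreq -retrieve -config $CaConfig <RequestId> "$Work\cert.cer"
    throw 'Request is pending approval; retrieve the certificate once issued.'
}

# 3. Install the certificate against the private key created in step 2.
certreq -accept "$Work\cert.cer"

# 4. Verify the issued certificate: build the chain, fetch every CDP and AIA
#    URL and check revocation. A non-zero exit code means the chain or the
#    revocation check failed, which is exactly what a relying party would see.
certutil -verify -urlfetch "$Work\cert.cer"
if ($LASTEXITCODE -ne 0) { throw "certificate verification failed (exit code $LASTEXITCODE)" }
```

The -urlfetch step is the check worth keeping in any enrollment script: it exercises the CRL distribution point and authority information access URLs that the CA settings described later in this page generate, so a broken publication URL shows up at enrollment time rather than at the first client connection.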

Certsrv.msc: Certification Authority Snap-in

Category

The Certification Authority snap-in ships with Windows 2000 Server and Windows Server 2003.

Version Compatibility

The Certification Authority snap-in is compatible with Windows Server 2003 and Windows 2000 Server.

The Certification Authority snap-in can be used to manage multiple CAs. It allows you to perform a variety of administrative tasks including:

  • Starting and stopping the CA.

  • Backing up and restoring the CA.

  • Changing exit and policy modules.

  • Viewing the CA certificate.

  • Installing or reinstalling a CA certificate for the CA.

  • Setting security permissions and delegating administrative control for the CA.

  • Revoking certificates.

  • Viewing or modifying certificate revocation list (CRL) distribution points.

  • Publishing CRLs and scheduling CRL publication.

  • Configuring the types of certificates that are to be issued by the CA.

  • Viewing information about certificates that have been issued.

  • Viewing information about certificates that have been revoked.

  • Viewing pending certificate requests.

  • Approving or denying pending certificate requests.

  • Viewing failed certificate requests.

  • Renewing the CA’s certificate.

To find more information about the Certification Authority snap-in, see “Use the Certification Authority snap-in” on Microsoft TechNet.

Certificate Services Registry Settings

Registry settings in the following hive are associated with Certificate Services:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

The Certificate Services-related registry entries correlate to CA and certificate configuration information that can be configured and viewed using the Certificates and Certification Authority snap-ins, as well as the Certutil command-line tool. In addition, other Certificate Services-related registry settings correlate to configuration data that can be viewed directly in certificates issued by the CA.

In addition, user root store trust options can be set on client computers in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as MMC, to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

CertSvc

The registry settings in this hive are all created automatically as part of Certificate Services.

Description
Registry Path

\CertSvc\Description

Version

Windows Server 2003 and Windows 2000 Server

This setting provides a reader-friendly description of Certificate Services. The default description reads:

“Creates, manages, and removes X.509 certificates for applications such as S/MIME and SSL. If this service is stopped, certificates will not be created. If this service is disabled, any services that explicitly depend on it will fail to start.”

DisplayName
Registry Path

\CertSvc\DisplayName

Version

Windows Server 2003 and Windows 2000 Server

This setting provides the display name for Certificate Services.

ImagePath
Registry Path

\CertSvc\ImagePath

Version

Windows Server 2003 and Windows 2000 Server

This setting identifies where Certsrv.exe, the Certificate Services executable, is installed on the computer.

ObjectName
Registry Path

\CertSvc\ObjectName

Version

Windows Server 2003 and Windows 2000 Server

This setting specifies the security context used by Certificate Services. The default is the security context of the Local System account.

Start
Registry Path

\CertSvc\Start

Version

Windows Server 2003 and Windows 2000 Server

This setting specifies whether Certificate Services is started automatically when Windows Server is started.

CertSvc\Configuration

The registry settings in this hive contain information relating to the configuration of the Certificate Services service on the server.

Active
Registry Path

\CertSvc\Configuration\Active

Version

Windows Server 2003 and Windows 2000 Server

This setting records the sanitized name of the active CA on the server. The process of sanitizing the CA name is necessary to remove characters that are not valid for file names, registry key names, or distinguished name values, or that are not valid for technology-specific reasons.

ConfigurationDirectory
Registry Path

\CertSvc\Configuration\ConfigurationDirectory

Version

Windows Server 2003 and Windows 2000 Server

This setting specifies the location of the CA configuration file.

DBDirectory
Registry Path

\CertSvc\Configuration\DBDirectory

Version

Windows Server 2003 and Windows 2000 Server

This setting defines where the CA database is located in the CA's file system. The CA must be able to read this path from the registry when it starts.

DBFlags
Registry Path

\CertSvc\Configuration\DBFlags

Version

Windows Server 2003 and Windows 2000 Server

This setting contains options that control the logging behavior of the certificates database and the size of the database log.

DBLastIncrementalBackup
Registry Path

\CertSvc\Configuration\DBLastIncrementalBackup

Version

Windows Server 2003 and Windows 2000 Server

This setting records the time of the last incremental backup of the database.

DBLastFullBackup
Registry Path

\CertSvc\Configuration\DBLastFullBackup

Version

Windows Server 2003 and Windows 2000 Server

This setting records the time of the last full backup of the database.

DBLogDirectory
Registry Path

\CertSvc\Configuration\DBLogDirectory

Version

Windows Server 2003 and Windows 2000 Server

This setting defines where the CA's database transaction log files are located in the CA's file system. The CA must be able to read this path from the registry when it starts.

DBSessionCount
Registry Path

\CertSvc\Configuration\DBSessionCount

Version

Windows Server 2003 and Windows 2000 Server

This setting controls the number of concurrent sessions to the certificates database that can be made. By default, the Windows Server 2003 CA allows only 20 concurrent sessions to the certificates database, which is sufficient for most operations. The CA itself can use several connections, and client enrollment requests or management tools used to view the database can account for additional sessions.

DBSystemDirectory
Registry Path

\CertSvc\Configuration\DBSystemDirectory

Version

Windows Server 2003 and Windows 2000 Server

This setting defines where the CA database system files, such as the database checkpoint file, are located in the CA's file system. By default this is the same folder as DBDirectory. The CA must be able to read this path from the registry when it starts.

DBTempDirectory
Registry Path

\CertSvc\Configuration\DBTempDirectory

Version

Windows Server 2003 and Windows 2000 Server

This setting defines where the temporary directory for the CA database is located in the CA's file system. The CA must be able to read this path from the registry when it starts.

LDAPFlags
Registry Path

\CertSvc\Configuration\LDAPFlags

Version

Windows Server 2003 and Windows 2000 Server

You use this setting to control the security of the Lightweight Directory Access Protocol (LDAP) connections the CA uses to publish to Active Directory. It is a bit mask of two independent flags: LDAPF_SSLENABLE (0x1) makes the CA use SSL for its LDAP connections, and LDAPF_SIGNDISABLE (0x2) turns off LDAP signing. The default value is 0, meaning all LDAP traffic is signed and SSL is not used. Setting LDAPF_SIGNDISABLE without also setting LDAPF_SSLENABLE leaves CRL and certificate publication traffic with no integrity protection at all, so the two should not be changed independently.

SetupStatus
Registry Path

\CertSvc\Configuration\SetupStatus

Version

Windows Server 2003 and Windows 2000 Server

This setting documents the Certificate Services configuration options that have been installed.

Version
Registry Path

\CertSvc\Configuration\Version

Version

Windows Server 2003 and Windows 2000 Server

This setting identifies the version of Certificate Services installed on the system.

CertSvc\Configuration\CAName

The registry settings in this hive contain information relating to the configuration of the certification authority (CA) installed on the server.

CACertFileName
Registry Path

\CertSvc\Configuration\CAName\CACertFileName

Version

Windows Server 2003 and Windows 2000 Server

On subordinate CAs, this setting identifies the name and location of the root certificate.

CACertHash
Registry Path

\CertSvc\Configuration\CAName\CACertHash

Version

Windows Server 2003 and Windows 2000 Server

This setting records the SHA-1 thumbprint of each certificate the CA has held, one entry per CA certificate (the original plus each renewal). The CA uses these hashes to locate its certificates in the local store when it starts and when it signs CRLs for each key.

CACertPublicationURLs
Registry Path

\CertSvc\Configuration\CAName\CACertPublicationURLs

Version

Windows Server 2003 only

This setting holds, as a list of flag:URL entries, the locations at which the CA publishes its own certificate and the URLs it places in the Authority Information Access (AIA) extension of the certificates it issues, so that a client can retrieve the issuer's certificate when building a chain. A root CA's own certificate is self-signed and should carry no AIA extension; that is controlled by CAPolicy.inf at installation or renewal, not by this value. On the root CA itself this setting still determines the AIA URLs written into the subordinate CA certificates the root issues, so it should point to where the root certificate is actually published.

CAServerName
Registry Path

\CertSvc\Configuration\CAName\CAServerName

Version

Windows Server 2003 and Windows 2000 Server

This setting records the DNS name of the server on which the CA is running.

CAType
Registry Path

\CertSvc\Configuration\CAName\CAType

Version

Windows Server 2003 and Windows 2000 Server

This setting records the CA type: enterprise root, enterprise subordinate, stand-alone root, or stand-alone subordinate.

CAXchgCertHash
Registry Path

\CertSvc\Configuration\CAName\CAXchgCertHash

Version

Windows Server 2003 and Windows 2000 Server

This setting records the SHA-1 thumbprint of each CA exchange (encryption) certificate. Clients use the CA exchange certificate to encrypt private key material they send to the CA for key archival, so the CA must be able to locate the corresponding private key by this hash.

CAXchgOverlapPeriod
Registry Path

\CertSvc\Configuration\CAName\CAXchgOverlapPeriod

Version

Windows Server 2003 and Windows 2000 Server

You use this setting to specify whether the overlap period for encryption certificates will be defined in days, weeks, months, or years.

CAXchgOverlapPeriodUnits
Registry Path

\CertSvc\Configuration\CAName\CAXchgOverlapPeriodUnits

Version

Windows Server 2003 and Windows 2000 Server

You use this setting to specify the number of days, weeks, months, or years that encryption certificates will overlap.

CAXchgValidityPeriod
Registry Path

\CertSvc\Configuration\CAName\CAXchgValidityPeriod

Version

Windows Server 2003 and Windows 2000 Server

You use this setting to specify whether the validity period for encryption certificates will be defined in days, weeks, months, or years.

CAXchgValidityPeriodUnits
Registry Path

\CertSvc\Configuration\CAName\CAXchgValidityPeriodUnits

Version

Windows Server 2003 and Windows 2000 Server

You use this setting to specify the number of days, weeks, months, or years that encryption certificates will be valid.

CertEnrollCompatible
Registry Path

\CertSvc\Configuration\CAName\CertEnrollCompatible

Version

Windows Server 2003 and Windows 2000 Server

This setting enables certificate compatibility with a legacy ActiveX control.

ClockSkewMinutes
Registry Path

\CertSvc\Configuration\CAName\ClockSkewMinutes

Version

Windows Server 2003 and Windows 2000 Server

This setting controls the time variance allowed for certificate issuance, certificates, and CRLs. If the times on the clocks on two computers are further apart than this registry setting, a newly enrolled certificate would not be immediately valid and the client would have to wait several minutes before being able to use the new certificate. The default setting is 10 minutes. If you expect the clocks of two computers to be more than 10 minutes apart, you can increase this setting.

CommonName
Registry Path

\CertSvc\Configuration\CAName\CommonName

Version

Windows Server 2003 and Windows 2000 Server

This setting records the sanitized common name of the CA (not of the server it runs on). The process of sanitizing the CA name is necessary to remove characters that are not valid for file names, registry key names, or distinguished name values, or that are not valid for technology-specific reasons. The CommonName value is substituted for the %3 token in the CRL distribution point and authority information access URLs, and it is the name of the registry key that holds the CA's configuration.

CRLDeltaOverlapPeriod
Registry Path

\CertSvc\Configuration\CAName\CRLDeltaOverlapPeriod

Version

Windows Server 2003 only

You use this setting to specify whether the overlap period for delta CRLs will be defined in days, weeks, months, or years.

CRLDeltaOverlapUnits
Registry Path

\CertSvc\Configuration\CAName\CRLDeltaOverlapUnits

Version

Windows Server 2003 only

You use this setting to specify the number of days, weeks, months, or years that delta CRLs can overlap.

CRLDeltaPeriod
Registry Path

\CertSvc\Configuration\CAName\CRLDeltaPeriod

Version

Windows Server 2003 only

You use this setting to specify whether delta CRL lifetimes will be defined in days, weeks, months, or years. The delta CRL publication interval setting is similar to the CRL publication interval setting. If a CA is to be offline, you should disable delta CRL publication.

CRLDeltaPeriodUnits
Registry Path

\CertSvc\Configuration\CAName\CRLDeltaPeriodUnits

Version

Windows Server 2003 only

You use this setting to specify the number of days, weeks, months, or years that delta CRLs can be valid for. If a CA is to be offline, you should disable delta CRL publication.

CRLEditFlags
Registry Path

\CertSvc\Configuration\CAName\CRLEditFlags

Version

Windows Server 2003 and Windows 2000 Server

This setting enables or disables each field of the Authority Key Identifier (AKI) extension that is automatically generated by the CA for every new certificate.

CRLFlags
Registry Path

\CertSvc\Configuration\CAName\CRLFlags

Version

Windows Server 2003 and Windows 2000 Server

This setting is a bit mask that controls how the CA builds and uses CRLs: for example, whether delta CRLs are built against the oldest unexpired base CRL (CRLF_DELTA_USE_OLDEST_UNEXPIRED_BASE) and whether the CA ignores offline CRL distribution points when it checks revocation for its own chain (CRLF_REVCHECK_IGNORE_OFFLINE). It also determines which CRL extensions are marked critical.

CRLNextPublish
Registry Path

\CertSvc\Configuration\CAName\CRLNextPublish

Version

Windows Server 2003 and Windows 2000 Server

This setting defines the next time the CA expects to publish a CRL.

CRLOverlapPeriod
Registry Path

\CertSvc\Configuration\CAName\CRLOverlapPeriod

Version

Windows Server 2003 and Windows 2000 Server

This setting specifies whether the overlap period for CRLs will be defined in days, weeks, months, or years.

CRLOverlapUnits
Registry Path

\CertSvc\Configuration\CAName\CRLOverlapUnits

Version

Windows Server 2003 and Windows 2000 Server

You use this setting to specify the number of days, weeks, months, or years that CRLs can overlap. When a large number of certificates are revoked, such as during an employee layoff, the delta CRL size might increase significantly because of the large number of entries, and almost all clients will refer to the older base CRL. You can reduce the size of the overlap period to speed the propagation process for the new base CRL and help minimize the size of delta CRLs.

CRLPeriod
Registry Path

\CertSvc\Configuration\CAName\CRLPeriod

Version

Windows Server 2003 and Windows 2000 Server

You can use this setting to specify whether the validity period of a CRL will be defined in days, weeks, months, or years.

CRLPeriodUnits
Registry Path

\CertSvc\Configuration\CAName\CRLPeriodUnits

Version

Windows Server 2003 and Windows 2000 Server

You can use this setting to specify the number of days, weeks, months, or years, that a CRL will be valid.
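
As an added example (not from the original page), the following PowerShell computes the CRL timestamps a Windows CA derives from CRLPeriod/CRLPeriodUnits, CRLOverlapPeriod/CRLOverlapUnits and ClockSkewMinutes: the CA backdates ThisUpdate by the clock skew, sets the Next CRL Publish extension to the publication time plus the CRL period, and sets NextUpdate to the publication time plus the period, the overlap and the clock skew. When CRLOverlapUnits is 0 the CA derives a default overlap of ten percent of the period, capped at twelve hours. The sample values (a weekly base CRL with a one-day overlap) are constructed; on a CA host you would read them with certutil -getreg CA\CRLPeriodUnits and the other CA\CRL* values. Month and year lengths are approximated.

```powershell
# Added example (not from the original page): CRL timing as derived from the
# CRLPeriod*, CRLOverlap* and ClockSkewMinutes registry values.
function ConvertTo-CaTimeSpan {
    param([int]$Units, [string]$Period)
    switch ($Period) {
        'Minutes' { New-TimeSpan -Minutes $Units }
        'Hours'   { New-TimeSpan -Hours $Units }
        'Days'    { New-TimeSpan -Days $Units }
        'Weeks'   { New-TimeSpan -Days (7 * $Units) }
        'Months'  { New-TimeSpan -Days (30 * $Units) }   # approximation; the CA uses calendar months
        'Years'   { New-TimeSpan -Days (365 * $Units) }  # approximation
        default   { throw "unknown period unit '$Period'" }
    }
}

function Get-CrlSchedule {
    param(
        [datetime]$PublishTime,
        [int]$CRLPeriodUnits,  [string]$CRLPeriod,
        [int]$CRLOverlapUnits, [string]$CRLOverlapPeriod,
        [int]$ClockSkewMinutes = 10                      # registry default
    )
    $period = ConvertTo-CaTimeSpan $CRLPeriodUnits $CRLPeriod
    if ($CRLOverlapUnits -eq 0) {
        # Default overlap when none is configured: 10% of the period, at most 12 hours.
        $overlap = New-TimeSpan -Minutes ([int][math]::Min($period.TotalMinutes / 10, 720))
    } else {
        $overlap = ConvertTo-CaTimeSpan $CRLOverlapUnits $CRLOverlapPeriod
    }
    $skew = New-TimeSpan -Minutes $ClockSkewMinutes
    New-Object PSObject -Property @{
        ThisUpdate     = $PublishTime - $skew                       # backdated so slow clocks accept it
        NextCRLPublish = $PublishTime + $period                     # when the CA publishes the next CRL
        NextUpdate     = $PublishTime + $period + $overlap + $skew  # when clients treat this CRL as expired
        GracePeriod    = $overlap + $skew                           # time to get the new CRL to every CDP
    }
}

# Constructed example: weekly base CRL, one-day overlap, default clock skew.
$s = Get-CrlSchedule -PublishTime ([datetime]'2003-06-02 09:00') `
        -CRLPeriodUnits 1 -CRLPeriod Weeks -CRLOverlapUnits 1 -CRLOverlapPeriod Days
$s | Format-List ThisUpdate, NextCRLPublish, NextUpdate, GracePeriod

# Same CRL period with no overlap configured: the derived default applies.
Get-CrlSchedule -PublishTime ([datetime]'2003-06-02 09:00') `
        -CRLPeriodUnits 1 -CRLPeriod Weeks -CRLOverlapUnits 0 -CRLOverlapPeriod Hours |
    Format-List NextCRLPublish, NextUpdate, GracePeriod
```

GracePeriod is the number that matters operationally: it is how long after Next CRL Publish you have to copy the new CRL to every HTTP and LDAP distribution point before clients start failing revocation checks. For an offline root CA, which publishes rarely and has no delta CRLs, the usual settings are certutil -setreg CA\CRLPeriod Weeks, certutil -setreg CA\CRLPeriodUnits 26 (or similar) and certutil -setreg CA\CRLDeltaPeriodUnits 0, followed by a service restart.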

CRLPublicationURLs
Registry Path

\CertSvc\Configuration\CAName\CRLPublicationURLs

Version

Windows Server 2003 only

This setting holds, as a list of flag:URL entries, the locations at which the CA publishes its CRLs and the URLs it places in the CRL Distribution Points (CDP) extension of the certificates it issues, so that a client can find the CRL for a certificate. A root CA's own self-signed certificate should carry no CDP extension; that is controlled by CAPolicy.inf at installation or renewal, not by this value. On the root CA itself this setting still determines where the root CRL is published and the CDP URLs written into the subordinate CA certificates the root issues. For intermediate and issuing CAs, you normally define the distribution points with the Certification Authority snap-in (or certutil -setreg CA\CRLPublicationURLs); the values are then stored in this registry value.

A Windows Server 2003 CA keeps all distribution points in this single multi-string value, regardless of the protocol used to reach them. In comparison, Windows 2000 CAs store CRL distribution point data in three separate registry values depending on the publication protocol: RevocationCRLURL, LDAPRevocationCRLURL, and FileRevocationCRLURL.

DSConfigDN
Registry Path

\CertSvc\Configuration\CAName\DSConfigDN

Version

Windows Server 2003 and Windows 2000 Server

This setting records the distinguished name of the Active Directory Configuration container of the forest the CA belongs to (for example, CN=Configuration,DC=contoso,DC=com). The CA substitutes this value for the %6 token in its LDAP publication paths and in the LDAP URLs of the CRL distribution point and authority information access extensions. On an enterprise CA it is set automatically. On an offline stand-alone CA that is not a domain member, you must set DSConfigDN manually (for example, certutil -setreg CA\DSConfigDN "CN=Configuration,DC=contoso,DC=com") so that the LDAP URLs in the certificates and CRLs it issues point into the forest's directory.
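
The following function is an added example, not part of the original page or of Microsoft's tooling: it parses the flag:URL entries stored in CACertPublicationURLs and CRLPublicationURLs, expands the %n replacement tokens from the CAServerName, CommonName and DSConfigDN values described above, and names the flag bits so you can see which URLs the CA publishes to and which it embeds in issued certificates and CRLs. The flag bits and token meanings are the public definitions certutil prints for these values; the CA identity and the three sample entries are constructed for the example.

```powershell
# Added example (not from the original page). CSURL_* flag bits and %n tokens
# are the public definitions certutil -getreg CA\CRLPublicationURLs prints.
$CsUrlFlags = @{
    1   = 'PublishCRL'        # CSURL_SERVERPUBLISH: CA writes the CRL (or CA cert) here
    2   = 'AddToCertCDP'      # CSURL_ADDTOCERTCDP: URL goes into CDP (or AIA) of issued certs
    4   = 'AddToFreshestCRL'  # CSURL_ADDTOFRESHESTCRL: delta CRL location in issued certs
    8   = 'AddToCRLCDP'       # CSURL_ADDTOCRLCDP: URL goes into the CRL's own CDP extension
    64  = 'PublishDeltaCRL'   # CSURL_SERVERPUBLISHDELTA: CA writes the delta CRL here
    128 = 'AddToIDP'          # CSURL_ADDTOIDP: Issuing Distribution Point in issued CRLs
}

function Expand-CaPublicationUrl {
    param(
        [Parameter(Mandatory=$true)][string]$Entry,   # "flags:URL" as stored in the registry
        [Parameter(Mandatory=$true)][hashtable]$Ca,   # CA identity for the %n tokens
        [switch]$Delta                                # expand for the delta CRL (%9 = "+")
    )
    $flags, $url = $Entry -split ':', 2               # only the first ':' separates the flags
    $flags = [int]$flags
    $plus = ''
    if ($Delta) { $plus = '+' }
    $tokens = @{
        '%1'  = $Ca.ServerDNSName                     # CAServerName
        '%2'  = $Ca.ServerShortName                   # NetBIOS name
        '%3'  = $Ca.CommonName                        # sanitized CommonName
        '%4'  = $Ca.CertSuffix                        # "(n)" renewal suffix of the CA cert
        '%6'  = $Ca.ConfigDN                          # DSConfigDN
        '%7'  = $Ca.CommonName                        # CATruncatedName; equals %3 unless > 64 chars
        '%8'  = $Ca.CrlSuffix                         # "(n)" suffix for a renewed key's CRL
        '%9'  = $plus                                 # "+" in the delta CRL name
        '%10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'
        '%11' = '?cACertificate?base?objectClass=certificationAuthority'
    }
    # Longest tokens first so that %1 does not clobber %10 and %11.
    foreach ($t in ($tokens.Keys | Sort-Object { $_.Length } -Descending)) {
        $url = $url.Replace($t, [string]$tokens[$t])
    }
    $set = $CsUrlFlags.Keys | Sort-Object | Where-Object { ($flags -band $_) -ne 0 } |
           ForEach-Object { $CsUrlFlags[$_] }
    New-Object PSObject -Property @{ Flags = $flags; Roles = ($set -join ','); Url = $url }
}

# Constructed CA identity (assumed values, not taken from the page).
$ca = @{
    ServerDNSName   = 'ca01.contoso.com'
    ServerShortName = 'CA01'
    CommonName      = 'Contoso Issuing CA'
    CertSuffix      = ''      # becomes "(1)" after the first renewal with a new key
    CrlSuffix       = ''      # likewise for that key's CRL
    ConfigDN        = 'CN=Configuration,DC=contoso,DC=com'
}
# Constructed entries in the on-disk format of CRLPublicationURLs. On a CA host
# read the real ones with:
#   (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$($ca.CommonName)").CRLPublicationURLs
$entries = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    '6:http://%1/CertEnroll/%3%8%9.crl'
)

# Where the CA publishes, and what each URL is used for.
$entries | ForEach-Object { Expand-CaPublicationUrl -Entry $_ -Ca $ca } |
    Format-Table Flags, Roles, Url -AutoSize

# Only entries carrying AddToCertCDP appear in the CDP extension of issued
# certificates; these are the URLs relying parties will actually fetch.
$entries | ForEach-Object { Expand-CaPublicationUrl -Entry $_ -Ca $ca } |
    Where-Object { $_.Roles -match 'AddToCertCDP' } | Select-Object -ExpandProperty Url

# The same entries expanded for the delta CRL (%9 becomes "+").
$entries | ForEach-Object { Expand-CaPublicationUrl -Entry $_ -Ca $ca -Delta } |
    Where-Object { $_.Roles -match 'AddToFreshestCRL' } | Select-Object -ExpandProperty Url
```

The local file entry (flags 65) is publish-only and never reaches a certificate, while the HTTP entry (flags 6) is embedded but not published to, which is why the HTTP location must be a web server that serves the file written by the local entry. The same decoding applies to CACertPublicationURLs, where bit 2 means "include in the AIA extension" and %4 rather than %8 carries the renewal suffix.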

DSDomainDN
Registry Path

\CertSvc\Configuration\CAName\DSDomainDN

Version

Windows Server 2003 and Windows 2000 Server

This setting identifies the domain that is a parent to the configuration container used by the CA.

Enabled
Registry Path

\CertSvc\Configuration\CAName\Enabled

Version

Windows Server 2003 and Windows 2000 Server

This setting identifies whether the CA is enabled.

EnforceX500NameLengths
Registry Path

\CertSvc\Configuration\CAName\EnforceX500NameLengths

Version

Windows Server 2003 and Windows 2000 Server

When this setting is 1 (the default), the CA enforces the X.500 upper bounds on the length of subject relative distinguished name values, for example 64 characters for CN and OU. Deep OU paths or long common names can exceed these bounds and cause requests to fail. If your organization's PKI does not need to interoperate with a non-Microsoft PKI, you can set this value to 0 so that the CA issues certificates with longer name components.

ForceTeletex
Registry Path

\CertSvc\Configuration\CAName\ForceTeletex

Version

Windows Server 2003 and Windows 2000 Server

This setting enables the ability to automatically change subject relative distinguished names between printable string, teletex, UTF-8, and Unicode representations.

HighSerial
Registry Path

\CertSvc\Configuration\CAName\HighSerial

Version

Windows Server 2003 only

This setting enables you to choose between three different algorithms for generating fixed-length certificate serial numbers. These serial numbers can be from 10 bytes long up to 19 bytes long. This setting also allows you to generate new certificate serial numbers based on a new set of random numbers after each restart or to use the same set of random data for each certificate, even after the computer hosting the CA is restarted.

InterfaceFlags
Registry Path

\CertSvc\Configuration\CAName\InterfaceFlags

Version

Windows Server 2003 and Windows 2000 Server

This setting controls whether network interfaces are enabled for performing CA database backups, processing certificate requests, and other administrative operations.

KRACertCount
Registry Path

\CertSvc\Configuration\CAName\KRACertCount

Version

Windows Server 2003 only

This setting specifies how many key recovery agent (KRA) certificates the CA uses when it archives a private key. Each archived key is encrypted to that many of the configured KRA certificates, so that many agents (or any one of them, depending on your recovery procedure) can recover it.

KRACertHash
Registry Path

\CertSvc\Configuration\CAName\KRACertHash

Version

Windows Server 2003 only

This setting lists the SHA-1 thumbprints of the KRA certificates that the CA may use to encrypt archived private keys.

KRAFlags
Registry Path

\CertSvc\Configuration\CAName\KRAFlags

Version

Windows Server 2003 only

This setting holds flags that control the key archival behavior of the CA, for example KRAF_ENABLEFOREIGN, which lets the CA accept archived keys and certificates that were not issued by this CA.

LogLevel
Registry Path

\CertSvc\Configuration\CAName\LogLevel

Version

Windows Server 2003 and Windows 2000 Server

This setting defines how much data to store in the CA log.

MaxIncomingAllocSize
Registry Path

\CertSvc\Configuration\CAName\MaxIncomingAllocSize

Version

Windows Server 2003 and Windows 2000 Server

You can use this setting to limit the amount of allocated memory associated with any parameter of a certificate request.

MaxIncomingMessageSize
Registry Path

\CertSvc\Configuration\CAName\MaxIncomingMessageSize

Version

Windows Server 2003 and Windows 2000 Server

You can use this setting to set a maximum limit on the size of a certificate request.

PolicyFlags
Registry Path

\CertSvc\Configuration\CAName\PolicyFlags

Version

Windows Server 2003 and Windows 2000 Server

This setting specifies whether an optional policy module is being used.

Note

  • This setting is seldom used. The policy module in use is selected by the Active value under CertSvc\Configuration\CAName\PolicyModules, which is the setting you should use instead to enable a custom policy module.

RoleSeparationEnabled
Registry Path

\CertSvc\Configuration\CAName\RoleSeparationEnabled

Version

Windows Server 2003 and Windows 2000 Server

This setting determines whether role separation is enabled on the CA.

The separation of CA administrative roles enables you to assign only a single role to a user. This feature is valuable for large enterprises, because the separation of roles ensures that the compromise of a user's account does not compromise the entire CA administered by the user. Role separation is an important operating principle in Common Criteria environments. If this setting is enabled, the CA will not permit a user to hold more than one CA role, such as both CA administrator and certificate manager, which are defined in the CA's security settings; a user who holds more than one role is blocked from all CA management operations until the extra role is removed.

Note

  • The backup operator and auditor roles are granted through operating system privileges (SeBackupPrivilege and SeSecurityPrivilege) rather than CA permissions, but they still count as roles when separation is enforced. Members of the local Administrators group hold both privileges by default, so enabling RoleSeparationEnabled blocks those accounts from managing the CA unless the privileges are removed from them or CA administration is assigned to dedicated accounts.

Security
Registry Path

\CertSvc\Configuration\CAName\Security

Version

Windows Server 2003 and Windows 2000 Server

This setting stores, in binary form, the security descriptor that controls access to the CA: who may manage the CA, issue and manage certificates, read the CA's configuration and database, and request certificates. It is normally edited on the Security tab of the CA's properties in the Certification Authority snap-in, and it is the access control list the CA enforces on its remote management and enrollment interfaces.
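
The following script is an added example, not part of the original page or of Microsoft's tooling: it locates the active CA's configuration key through the Active value described earlier, then reports the CAType, RoleSeparationEnabled, LDAPFlags and Security values discussed above, decoding the security descriptor into the CA permissions each principal holds. It assumes PowerShell on the CA host with rights to read HKLM\SYSTEM; the enumeration and flag values are the public definitions from the Windows SDK headers (certsrv.h and certca.h).

```powershell
# Added example (not from the original page): audit the security-relevant
# settings of the active CA. Enumeration and flag values are the public
# definitions from the Windows SDK (certsrv.h, certca.h).
$Base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName = (Get-ItemProperty -Path $Base -Name Active).Active   # sanitized CA name = subkey name
$Ca     = Get-ItemProperty -Path (Join-Path $Base $CaName)

# CAType (ENUM_CATYPES): 0 enterprise root, 1 enterprise subordinate,
# 3 stand-alone root, 4 stand-alone subordinate.
$CaTypes = @{ 0 = 'Enterprise root'; 1 = 'Enterprise subordinate'
              3 = 'Stand-alone root'; 4 = 'Stand-alone subordinate' }
"CA '{0}' on {1}: {2}" -f $CaName, $Ca.CAServerName, $CaTypes[[int]$Ca.CAType]

# RoleSeparationEnabled: missing or 0 means one account may hold several CA roles.
$roleSep = [int]$Ca.RoleSeparationEnabled
"RoleSeparationEnabled : $roleSep"
if ($roleSep -ne 1) { Write-Warning 'Role separation is not enforced on this CA.' }

# LDAPFlags: 0x1 = LDAPF_SSLENABLE, 0x2 = LDAPF_SIGNDISABLE. Default 0 = signed, no SSL.
$ldap = [int]$Ca.LDAPFlags
$ssl  = ($ldap -band 0x1) -ne 0
$sign = ($ldap -band 0x2) -eq 0
"LDAPFlags             : 0x{0:X} (SSL={1}, signing={2})" -f $ldap, $ssl, $sign
if (-not $sign -and -not $ssl) { Write-Warning 'LDAP publication is neither signed nor encrypted.' }

# Security: a binary security descriptor. Decode the DACL and the CA-specific
# access rights (CA_ACCESS_* from certca.h) each ACE grants or denies.
$Rights = @{ 0x1 = 'ManageCA'; 0x2 = 'IssueAndManageCertificates'
             0x100 = 'Read';   0x200 = 'RequestCertificates' }
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @([byte[]]$Ca.Security, 0)
"Security (SDDL)       : " + $sd.GetSddlForm('All')
foreach ($ace in $sd.DiscretionaryAcl) {
    $who = $ace.SecurityIdentifier.Value
    try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    $granted = $Rights.Keys | Sort-Object | Where-Object { ($ace.AccessMask -band $_) -ne 0 } |
               ForEach-Object { $Rights[$_] }
    "  {0,-13} {1,-40} {2}" -f $ace.AceType, $who, ($granted -join ', ')
}

# The supported way to change these values is certutil, followed by a service
# restart so the CA re-reads its configuration, for example:
#   certutil -getreg CA\RoleSeparationEnabled
#   certutil -setreg CA\RoleSeparationEnabled 1
#   net stop certsvc; net start certsvc
```

Run the audit before enabling role separation: any principal that shows both ManageCA and IssueAndManageCertificates, and any administrator who also holds the backup and audit privileges, will lose access once the setting is 1.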

SetupStatus
Registry Path

\CertSvc\Configuration\CAName\SetupStatus

Version

Windows Server 2003 and Windows 2000 Server

This setting documents the configuration options that have been installed for this CA.

SignedAttributes
Registry Path

\CertSvc\Configuration\CAName\SignedAttributes

Version

Windows Server 2003 and Windows 2000 Server

You can use this setting to specify the certificate request attributes that must be signed in order for a certificate request to be approved.

SubjectTemplate
Registry Path

\CertSvc\Configuration\CAName\SubjectTemplate

Version

Windows Server 2003 and Windows 2000 Server

This setting contains an ordered list of the subject relative distinguished name elements that are allowed in the Subject field of certificates issued by the CA.

This setting can only be set to a small, fixed list of relative distinguished name elements supported by the CA. If during request processing a listed relative distinguished name field is empty, or if the field is not populated by the request Subject field or by the policy module, the element will not be included. If the registry value is completely empty, the binary subject encoding from the request is passed through to the issued certificate unmodified.

UseDS
Registry Path

\CertSvc\Configuration\CAName\UseDS

Version

Windows Server 2003 and Windows 2000 Server

This setting specifies whether the directory service is to be used for CRL publication.

ValidityPeriod
Registry Path

\CertSvc\Configuration\CAName\ValidityPeriod

Version

Windows Server 2003 and Windows 2000 Server

You can use this setting to specify whether the validity period of certificates issued by the CA will be defined in days, weeks, months, or years. The default value depends on the type of certificate.

ValidityPeriodUnits
Registry Path

\CertSvc\Configuration\CAName\ValidityPeriodUnits

Version

Windows Server 2003 and Windows 2000 Server

You can use this setting to define the number of days, weeks, months, or years that a certificate issued by the CA will be valid. An issued certificate can never outlive the CA's own certificate: the CA uses the shortest of the validity requested by the template (or the request), the ValidityPeriod and ValidityPeriodUnits values, and the remaining lifetime of its own certificate. On a stand-alone CA the default is one year; on an enterprise CA the certificate template normally determines the value.

ViewAgeMinutes
Registry Path

\CertSvc\Configuration\CAName\ViewAgeMinutes

Version

Windows Server 2003 and Windows 2000 Server

This setting controls the refresh rate for the transaction view of the CA database. The default is 10 minutes.

ViewIdleMinutes
Registry Path

\CertSvc\Configuration\CAName\ViewIdleMinutes

Version

Windows Server 2003 and Windows 2000 Server

This setting controls the refresh rate for the transaction view of the CA database when the transaction view is idle. The default is eight minutes.

CertSvc\Configuration\CAName\CSP

The registry settings in this hive contain information relating to the configuration of the cryptographic service provider (CSP) for the CA.

HashAlgorithm
Registry Path

\CertSvc\Configuration\CAName\CSP\HashAlgorithm

Version

Windows Server 2003 and Windows 2000 Server

This setting defines the hash algorithm that is used for hashing and signing certificate contents. This value, which is set when the CA is installed, is also recorded in the CA certificate.

MachineKeyset
Registry Path

\CertSvc\Configuration\CAName\CSP\MachineKeyset

Version

Windows Server 2003 and Windows 2000 Server

This setting specifies whether the CA signing key is stored in the computer's (machine) key store rather than in a user profile. It is 1 for a CA so that the key is available to the service regardless of which user is logged on.

Provider
Registry Path

\CertSvc\Configuration\CAName\CSP\Provider

Version

Windows Server 2003 and Windows 2000 Server

This setting defines the CSP used to generate the CA certificate and the key associated with the certificate. This value is set when the CA is installed.

ProviderType
Registry Path

\CertSvc\Configuration\CAName\CSP\ProviderType

Version

Windows Server 2003 and Windows 2000 Server

This setting indicates the CSP family associated with the provider. When an application connects to a CSP of a particular type, each of the CryptoAPI functions operates by default in a way prescribed by the family that corresponds to that CSP type.

CertSvc\Configuration\CAName\EncryptionCSP

The registry settings in this hive contain information relating to the configuration of the encryption CSP for the CA.

EncryptionAlgorithm
Registry Path

\CertSvc\Configuration\CAName\EncryptionCSP\EncryptionAlgorithm

Version

Windows Server 2003 and Windows 2000 Server

This setting defines the symmetric encryption algorithm that the CA's encryption CSP uses, for example when protecting private key material sent to the CA for key archival.

KeySize
Registry Path

\CertSvc\Configuration\CAName\EncryptionCSP\KeySize

Version

Windows Server 2003 and Windows 2000 Server

This setting defines the key length, in bits, used with that symmetric encryption algorithm.

MachineKeyset
Registry Path

\CertSvc\Configuration\CAName\EncryptionCSP\MachineKeyset

Version

Windows Server 2003 and Windows 2000 Server

This setting specifies whether the encryption key pair is stored in the computer's (machine) key store. It is 1 for a CA, for the same reason as the CSP\MachineKeyset setting.

Provider
Registry Path

\CertSvc\Configuration\CAName\EncryptionCSP\Provider

Version

Windows Server 2003 and Windows 2000 Server

This setting defines the CSP used by the CA for encryption.

ProviderType
Registry Path

\CertSvc\Configuration\CAName\EncryptionCSP\ProviderType

Version

Windows Server 2003 and Windows 2000 Server

This setting indicates the CSP family associated with the provider. When an application connects to a CSP of a particular type, each of the CryptoAPI functions operates by default in a way prescribed by the family that corresponds to that CSP type.

CertSvc\Configuration\CAName\ExitModules

The registry settings in this hive contain information relating to the configuration of the exit modules for the CA.

Active
Registry Path

\CertSvc\Configuration\CAName\ExitModules\Active

Version

Windows Server 2003 and Windows 2000 Server

This setting lists the active exit modules.

CertSvc\Configuration\CAName\ExitModules\CertificateAuthority_MicrosoftDefault.Exit

PublishCertFlags
Registry Path

\CertSvc\Configuration\CAName\ExitModules\CertificateAuthority_MicrosoftDefault.Exit\PublishCertFlags

Version

Windows Server 2003 and Windows 2000 Server

This setting identifies whether certificates are published to a virtual root directory for use by Internet Information Services (IIS).

CertSvc\Configuration\CAName\ExitModules\CertificateAuthority_MicrosoftDefault.Exit\SMTP

EventFilter
Registry Path

\CertSvc\Configuration\CAName\ExitModules\CertificateAuthority_MicrosoftDefault.Exit\SMTP\EventFilter

Version

Windows Server 2003 and Windows 2000 Server

This setting identifies whether Simple Mail Transfer Protocol (SMTP) e-mail notifications are being sent out. For example, notification messages can be sent out when certificates are issued, when certificate requests are pending, when certificates are revoked, and so on.

SMTPAuthenticate
Registry Path

\CertSvc\Configuration\CAName\ExitModules\CertificateAuthority_MicrosoftDefault.Exit\SMTP\SMTPAuthenticate

Version

Windows Server 2003 and Windows 2000 Server

This setting specifies how the CA authenticates to the SMTP server when it sends notification messages: anonymously, with basic authentication (a user name and password sent in clear text), or with integrated Windows (NTLM) authentication. Basic authentication exposes the configured mail credentials on the network unless the SMTP session is otherwise protected, so prefer integrated authentication where the mail server supports it.

SMTPServer
Registry Path

\CertSvc\Configuration\CAName\ExitModules\CertificateAuthority_MicrosoftDefault.Exit\SMTP\SMTPServer

Version

Windows Server 2003 and Windows 2000 Server

This setting defines the SMTP server being used to send out CA-related messages. The SMTP registry hive also includes the following sub-hives, which can be used to issue programmatically-defined SMTP messages for each type of event:

  • CRLIssued

  • Denied

  • Issued

  • Pending

  • Revoked

  • Shutdown

  • Startup

Each of the above sub-hives includes the following:

  • BodyArg. Programmatically defined contents of the message body.

  • BodyFormat. Programmatically defined format of the contents of the message body.

  • TitleArg. Programmatically defined title of the SMTP message.

  • TitleFormat. Programmatically defined format of the title of the SMTP message.

CertSvc\Configuration\CAName\PolicyModules

The registry settings in this hive contain information relating to the configuration policy modules for the CA.

Active
Registry Path

\CertSvc\Configuration\CAName\PolicyModules\Active

Version

Windows Server 2003 and Windows 2000 Server

This setting lists the active policy modules.

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy

CAPathLength
Registry Path

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\CAPathLength

Version

Windows Server 2003 and Windows 2000 Server

This setting defines the maximum number of levels of subordinate CAs that can be added underneath this CA. Path length constraints can be applied to CAs at any level in a hierarchy. If a path length constraint is being applied to a root CA, it needs to be configured using the CAPolicy.inf file as part of the CA’s installation or renewal. If the path length constraint is being applied to a subordinate CA, the constraint must be configured in the registry of the parent CA.

DefaultSMIME
Registry Path

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\DefaultSMIME

Version

Windows Server 2003 and Windows 2000 Server

This setting lists — by object identifier (OID) — the supported hash algorithms, along with the bit length supported for each algorithm.

DisableExtensionList
Registry Path

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\DisableExtensionList

Version

Windows Server 2003 and Windows 2000 Server

This setting prevents the CA from adding a certificate extension that an enterprise CA would otherwise include by default in the certificates it issues. An example of such a certificate extension is the S/MIME capabilities extension.

EditFlags
Registry Path

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags

Version

Windows Server 2003 and Windows 2000 Server

This setting enables you to identify the critical and non-critical extensions associated with policy modules, such as enabling basic constraints. The flags that can be configured include:

  • EDITF_ATTRIBUTEENDDATE. Controls certificate validity time by certificate request. This feature is disabled by default for enterprise CAs, and enabled by default for stand-alone CAs.

    Note

    • Although the validity period of a certificate is normally set by the CA, the CA can be configured in a way that allows the request to specify the validity period. This CA configuration option can only reduce the validity period of certificates to be issued by a request.

  • EDITF_ENABLEAKIISSUERNAME. Used to enable or disable the Issuer name and Issuer serial number.

    Note

    • You should disable the issuer name and issuer serial number if you renew CA keys when you renew CA certificates or plan to use cross-certificates.

EnableEnrolleeRequestExtensionList
Registry Path

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EnableEnrolleeRequestExtensionList

Version

Windows Server 2003 and Windows 2000 Server

This setting lists the OIDs of the rules extensions defined by the organization that must appear in the issued certificate. These settings apply to all requests submitted to a stand-alone CA, and to requests submitted to an enterprise CA that use a template which specifies that the request must supply the subject information.

EnableRequestExtensionList
Registry Path

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EnableRequestExtensionList

Version

Windows Server 2003 and Windows 2000 Server

This setting lists the OIDs of the rules extensions defined by the organization that must appear in the issued certificate. By default, extensions that are in the submitted request are added to the CA’s database, but are marked as disabled, so they will not appear in the issued certificate.

RequestDisposition
Registry Path

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\RequestDisposition

Version

Windows Server 2003 and Windows 2000 Server

You can use this setting to specify what the policy module should do with incoming and resubmitted requests. Options include:

  • Process all certificate requests that meet applicable policy and template processing requirements.

  • Place all initial certificate requests in a pending queue, and process all certificate requests that are resubmitted by an administrator, assuming the requests meet applicable policy and template processing requirements.
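CAPathLength, EditFlags and RequestDisposition are the policy module settings most worth reviewing on an issuing CA. The following is an added example, not part of the original document: it audits those three values with certutil -getreg and prints the certutil -setreg command that would change each finding, without altering anything; the expected values are assumptions for an enterprise issuing CA with no subordinates.

```powershell
# Added example: audit CAPathLength, EditFlags and RequestDisposition of the
# default policy module on the CA itself. "policy\..." is certutil's
# shorthand for PolicyModules\CertificateAuthority_MicrosoftDefault.Policy
# of the active CA. The baseline (no subordinates, no request-chosen end
# date, no issuer name in the AKI) is an assumption; nothing is changed.

function Get-CaPolicyText {
    # Returns certutil's output for one policy-module value, or $null when
    # the value does not exist. certutil prints REG_DWORD values in hex and
    # appends the symbolic name of every flag that is set.
    param([string]$Name)
    $out = certutil -getreg "policy\$Name" 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }
    return ($out | ForEach-Object { "$_" }) -join "`n"
}

$findings = @()

# EditFlags: the two flags the notes above warn about.
$editFlags = Get-CaPolicyText 'EditFlags'
if ($editFlags -match 'EDITF_ATTRIBUTEENDDATE') {
    $findings += 'EDITF_ATTRIBUTEENDDATE is set: requests may choose (shorten) their own validity period. ' +
                 'To clear: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTEENDDATE'
}
if ($editFlags -match 'EDITF_ENABLEAKIISSUERNAME') {
    $findings += 'EDITF_ENABLEAKIISSUERNAME is set: the AKI carries issuer name/serial, which should be ' +
                 'off when CA keys are renewed or cross-certificates are used. ' +
                 'To clear: certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERNAME'
}

# CAPathLength: an issuing CA that must never sign a subordinate CA
# certificate gets a path length of 0 (assumed baseline).
$pathLen = Get-CaPolicyText 'CAPathLength'
if ($pathLen -eq $null) {
    $findings += 'CAPathLength is not set: subordinate CA depth below this CA is unbounded. ' +
                 'To bound it: certutil -setreg policy\CAPathLength 0'
} elseif ($pathLen -match 'REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
    $levels = [Convert]::ToInt32($Matches[1], 16)
    if ($levels -gt 0) {
        $findings += "CAPathLength allows $levels subordinate level(s); confirm this is intended."
    }
}

# RequestDisposition: REQDISP_PENDINGFIRST queues first-time requests for an
# administrator; without it every request that satisfies policy and
# template checks is issued immediately.
$disp = Get-CaPolicyText 'RequestDisposition'
if ($disp -notmatch 'REQDISP_PENDINGFIRST') {
    $findings += 'RequestDisposition issues immediately. To queue initial requests: ' +
                 'certutil -setreg policy\RequestDisposition +REQDISP_PENDINGFIRST'
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "- $_" } }
```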

RevocationType
Registry Path

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\RevocationType

Version

Windows Server 2003 and Windows 2000 Server

You can use this setting to specify an alternative certificate revocation service to function with a Windows Server 2003 CA. This setting enables CRL URLs from the following: LDAP, FTP, and file locations; CDP extensions; and ASP-based revocation.

RevocationURL
Registry Path

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\RevocationURL

Version

Windows Server 2003 and Windows 2000 Server

This setting defines the URL for an alternative certificate revocation service that has been configured to function with a Windows Server 2003 CA.

Note

  • In order for a revocation service to work with a Windows Server 2003 CA, the application, service, or account connecting to this URL must have Read permissions in the Certification Authority snap-in.

The replacement variables that can be used in the revocation URL are listed in the following table.

Registry Variables for Alternative Revocation Services

  Alternative Revocation Service Registry Variable   Number
  SERVERDNSNAME                                      1
  SERVERSHORTNAME                                    2
  SANITIZEDCANAME                                    3
  CERTFILENAMESUFFIX                                 4
  DOMAINDN                                           5
  CONFIGDN                                           6
  SANITIZEDCANAMEHASH                                7
  CRLFILENAMESUFFIX                                  8
  CRLDELTAFILENAMESUFFIX                             9
  DSCRLATTRIBUTE                                     10
  DSCACERTATTRIBUTE                                  11
  DSUSERCERTATTRIBUTE                                12
  DSKRACERTATTRIBUTE                                 13
  DSCROSSCERTPAIRATTRIBUTE                           14

In order for the revocation service to function, the application, service, or account connecting to this URL must have Read permissions in the Certification Authority snap-in. If IIS is using a local account, follow the steps for enabling anonymous access in IIS and allowing Anonymous Read access to the CA.

Note

  • Enabling Anonymous Read access to the CA might expose privacy or security risks.

SubjectAltName
Registry Path

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\SubjectAltName

Version

Windows Server 2003 and Windows 2000 Server

This setting uses an OID for the SubjAltName extension of an issued certificate. This setting is almost never used.

SubjectAltName2
Registry Path

CertSvc\Configuration\CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\SubjectAltName2

Version

Windows Server 2003 and Windows 2000 Server

This setting makes it possible for a stand-alone CA to place in the SubjAltName extension of an issued certificate the e-mail address of the authenticated user making the certificate request. This setting is rarely used.

CryptoAPI Policy

ProtectedRoots
Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots

Version

Windows Server 2003

This setting is used to disable or enable:

  • CryptoAPI applications to use the user root store in building trusted certificate chains.

  • Users to add root CAs to the user trusted root store.

    Note

    • In Windows Server 2003, this value can also be set through Group Policy.

  • Users to remove root CAs from the user trusted root store that are also in the local computer trusted root store.

  • The requirement for NTAuth policy processing.

    Note

    • In Windows Server 2003, this value can also be set through Group Policy.

  • Name constraint enforcement for undefined name types. By default, Windows Server 2003 rejects undefined name types in a name constraint validation. Setting this value will accept all name forms that are not explicitly defined.

For information about managing these registry settings through Group Policy, see “Trusted Root Certification Authorities” later in this document.

Certificate Services Group Policy Settings

Most features of a public key infrastructure and Certificate Services work without your having to configure Public Key Group Policy settings. However, you must configure Public Key Group Policy if you want to configure:

  • Automatic Certificate Request Settings for configuring autoenrollment for computer certificates.

  • Trusted Root Certification Authorities for adding trusted root CA certificates to the Trusted Root Certification Authorities store.

  • Enterprise Trust for configuring CTLs.

  • Encrypted Data Recovery Agents for configuring Encrypting File System (EFS) recovery agents. (This is the only container that appears for Local Computer policy.)

Automatic Certificate Enrollment

Certificate autoenrollment is based on the combination of Group Policy settings and version 2 certificate templates. This combination enables a Windows XP Professional or Windows Server 2003 client to enroll users when they log on to their domain, or computers when they start, and to periodically update enrollments between these events.

Autoenrollment Group Policy is an element of Public Key Policies in the Security Settings of the Group Policy object for a user or computer in a domain, site, or OU. You can configure autoenrollment policy on the Properties page of the Autoenrollment Settings item. Options that you can configure are:

  • Do not enroll certificates automatically. Blocks attempts to configure autoenrollment for the user or computer.

  • Enroll certificates automatically. Enables certificate autoenrollment.

  • Renew expired certificates, update pending certificates, and remove revoked certificates. Enables automatic certificate renewal, and cleans up expired certificates.

  • Updates certificates that use certificate templates. Updates certificates as needed to conform to the associated certificate templates.

Trusted Root Certification Authorities

When you install an enterprise root CA or a stand-alone root CA, the certificate of the CA is added automatically to the Trusted Root Certification Authorities Group Policy for the domain. You also can add certificates for other root CAs to Trusted Root Certification Authorities Group Policy. The root CA certificates that you add become trusted root CAs for computers within the scope of the Group Policy object. For example, if you want to use a non-Microsoft CA as a root CA in a certification hierarchy, you must add the certificate for the non-Microsoft CA to the Trusted Root Certification Authorities Group Policy.

To add a certificate for the root CA to the Trusted Root Certification Authorities Group Policy, in the Public Key Policies node, right-click Trusted Root Certification Authorities, and then click All Tasks and Import. When the Certificate Import Wizard appears, use the wizard to import a certificate file for the certificate of the root CA and add it to Group Policy. The certificate is added to the Trusted Root Certification Authorities store of all computers within the scope of Group Policy the next time it is refreshed on each computer.

You can also use Trusted Root Certification Authorities Group Policy to control the changes users can make to trusted root CA options.

To modify these settings, right-click Trusted Root Certification Authorities, and then select Properties.

To prevent users from making any changes to the trusted root CA store, you can clear Allow users to select new root Certification Authorities (CAs) to trust.

To limit client trust of alternative certificate stores, under Client computers can trust the following certificate stores select one of the following options:

  • Third-Party Root Certification Authorities and Enterprise Root Certification Authorities

  • Enterprise Root Certification Authorities

In addition, the settings under To perform certificate-based authentication of users and computers, CAs must meet the following criteria: control which CAs may issue certificates that are accepted for certificate-based authentication of certificate holders:

  • Registered in Active Directory only

  • Registered in Active Directory and compliant with name constraints requirements for user principal names (UPNs)

The Trusted Root Certification Authorities Group Policy settings are the counterparts to the CryptoAPI Policy\ProtectedRoots registry settings described earlier in this document.
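Roots delivered by this Group Policy are stored under the Policies registry key, separately from roots installed locally on the machine, so the two sources can be told apart. The following is an added example, not part of the original document, that lists the machine's trusted roots with their source on a domain member (it assumes PowerShell and read access to the local machine hive).

```powershell
# Added example: show which trusted roots on this computer arrived through
# the Trusted Root Certification Authorities Group Policy and which were
# installed locally. Policy-delivered roots live under the Policies key,
# locally installed ones under the machine's own SystemCertificates key.
$gpoRootKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$localRootKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'

function Get-RootThumbprints {
    # Each subkey of a Certificates key is named by the certificate's
    # SHA-1 thumbprint; returns them upper-cased for comparison.
    param([string]$Key)
    if (-not (Test-Path $Key)) { return @() }
    return @(Get-ChildItem $Key | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

$fromPolicy = Get-RootThumbprints $gpoRootKey
$fromLocal  = Get-RootThumbprints $localRootKey

# Cert:\LocalMachine\Root is the merged logical store; it supplies the
# subject and expiry for every thumbprint found above.
$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\Root) {
    $tp = $cert.Thumbprint.ToUpperInvariant()
    $source = 'Other'                      # e.g. enterprise roots from AD
    if ($fromPolicy -contains $tp)   { $source = 'GroupPolicy' }
    elseif ($fromLocal -contains $tp) { $source = 'LocalMachine' }
    New-Object PSObject -Property @{
        Source     = $source
        Thumbprint = $tp
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
    }
}

$report | Sort-Object Source, Subject | Format-Table Source, Subject, NotAfter, Thumbprint -AutoSize

# Roots that policy did not put there are the ones to review against the
# baseline the Group Policy is meant to enforce.
$unmanaged = @($report | Where-Object { $_.Source -eq 'LocalMachine' })
"{0} root(s) installed locally rather than by Group Policy." -f $unmanaged.Count
```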

Certificate Trust Lists

You can create certificate trust lists (CTLs) to trust specific CAs and to restrict the uses of certificates issued by the CAs. For example, you might use a CTL to trust certificates that are issued by a commercial CA and restrict the permitted uses for those certificates. You might also use CTLs to control trust on an extranet for certificates that are issued by CAs that are managed by your business partners. You can configure CTLs for computers and for users.

Before administrators can create CTLs, they must have a valid trust list signing certificate — such as the Administrator certificate or the Trust List Signing certificate that is issued by enterprise CAs. The trust list signing private key for the administrator is used to sign the CTL for integrity. If the trust list signing certificate for an administrator is invalid, all CTLs that have been created and signed by that administrator also are invalid.

Certificate Trust List Group Policy is configured as part of Public Key Policies\Enterprise Trust in the Security Settings of the Group Policy object for a user or computer in a domain, site, or OU.

You use the Certificate Trust Wizard to configure Certificate Trust List Group policy.

To activate the wizard, you right-click the Enterprise Trust node, and then click New and Certificate Trust List. The wizard enables you to configure the following options:

  • Valid duration. An optional lifetime for the CTL. If you do not specify a lifetime, the CTL expires when the trust list signing certificate expires.

  • Designate Purposes. The CTL establishes trust only for certificates that are valid for the selected purposes. A certificate might support all of the listed purposes, but you can restrict the purposes for which certificates are trusted.

  • Add Purpose. Enables you to add purposes to the Designate Purposes box. This also requires you to enter an OID for the new purpose.

  • Current CTL Certificates. Displays the certificates of the root CAs that are to be trusted by this CTL. Certificates with certification paths to the root CA are trusted for all designated purposes specified by the CTL.

  • Add from Store. Adds a root certificate from the Trusted Root Certification Authorities store.

  • Add from File. Adds a root CA’s certificate from a file.

  • Remove. Deletes the certificate that is selected in the Current CTL Certificates box.

  • View Certificate. Enables you to view the certificates that are selected in the Current CTL Certificates box.

  • Use this certificate. Displays the trust list signing certificate for the private key that is to be used to sign the CTL.

  • Select from Store. Adds a trust list signing certificate from the Personal store for the administrator.

  • Select from File. Adds the trust list signing certificate from a file.

  • View Certificate. Enables you to view the certificate listed in the Use this certificate box.

  • Add a timestamp to the data. Adds a timestamp to the CTL. The timestamp is used to determine the valid lifetime of the CTL. If a timestamp is not used, the computer clock is used instead.

  • Timestamp service URL. Identifies the location of the timestamp service that is to be used for the timestamp.

  • Friendly Name. The optional name that appears in MMC when the CTL is displayed.

  • Description. An optional description of this CTL.

EFS Recovery Agents

A recovery agent is an individual authorized to decrypt data that was encrypted by another user. Recovery agents do not need any other permissions to function in this role. Recovery agents are useful, for example, when employees leave the company and their remaining data needs to be decrypted.

By default, the local Administrator user account of the first domain controller that is installed in the domain is the EFS recovery account for that domain. You can specify alternative recovery agents for EFS. Before you can add a recovery agent for a domain, you must ensure that each recovery agent has been issued a recovery agent certificate.

To add recovery agents for a domain, their certificates need to be added to the existing recovery policy. There are two ways to accomplish this. You can:

  • Add recovery agent certificates that are published in Active Directory to the recovery policy.

  • Add recovery agent certificates from a file that is located on a disk or in a shared folder that is available from the computer where you are configuring Public Key settings.

Encrypted Data Recovery Agent Group Policy is configured as part of Public Key Policies\Encrypting File System in the Security Settings of the Group Policy object for a user or computer in a domain, site, or OU.

You configure Encrypted Data Recovery Agent Group Policy by using the Add Recovery Agent Wizard. To activate the wizard, right-click the Encrypted Data Recovery Agents node and then click Add.

You can use the wizard to configure the following:

  • Recovery agents. Displays the certificates you choose for recovery agents.

  • Browse Directory. Locate and add a recovery agent certificate for a user account by browsing in Active Directory. Use this option when the certificate is published in Active Directory.

  • Browse Folders. Locate and add a recovery agent certificate for a user account by browsing folders and files.

When you select Encrypted Data Recovery Agents, the EFS recovery agent certificates that are applied by Group Policy appear in the details pane of the console. These are the recovery agent certificates that are used by EFS within the scope of Group Policy.

Note

  • Encrypted Data Recovery Agents is the only Certificate Services–related container that appears in local computer Group Policy.