Windows 2000 Certificate Services

Figure 16.2 shows a functional block diagram of Windows 2000 Certificate Services.

Figure 16.2 Certificate Services Functional Diagram

The components of Windows 2000 Certificate Services work in conjunction with Microsoft CryptoAPI and cryptographic service providers (CSPs) to perform a variety of tasks, including the following:

• Process certificate requests (entry module).

• Verify whether requestors are qualified to receive certificates (policy module).

• Create and issue certificates for qualified requestors (Certificate Services engine).

• Generate a private key and distribute it to the requestor's protected store (CSPs and Microsoft CryptoAPI).

• Manage the private key for all cryptography operations (CSPs and Microsoft CryptoAPI).

• Distribute the certificates that are issued to qualified requestors and, optionally, publish certificates to Web pages, public folders, or Active Directory (exit module).

• Publish periodic certificate revocation lists to Active Directory and, optionally, to Web pages or public folders (exit module).

• Store all certificate transactions for the audit trail (certificate database).

Note

In Windows 2000, all cryptographic functions and private key management are performed by Microsoft CryptoAPI in conjunction with CSPs. Any system service or application can request cryptographic services by using Microsoft CryptoAPI.

Entry Module

The default entry module processes standard PKCS (public key cryptography standards)#160;10 certificate requests made through remote procedure calls (RPCs) or the Hypertext Transfer Protocol (HTTP). The entry module is a dynamic-link library (DLL) that cannot be customized. Windows 2000 services usually use RPCs to submit certificate requests to enterprise CAs. However, the Web Enrollment Support pages use Hypertext Transfer Protocol (HTTP) to submit certificate requests to CAs.

Certificate requests to Certificate Services are placed in a pending queue until they are approved or denied by the policy module.

Note

You can develop custom certificate enrollment applications that submit RPC or HTTP requests to Certificate Services. For more information about developing custom applications for Windows 2000 Certificate Services and about the required certificate request format, see the Microsoft Platform SDK link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources .

Policy Modules

The policy module determines whether a certificate request must be approved, denied, or queued (left pending) for a later decision by the administrator about whether or not to issue the certificate. Windows 2000 Certificate Services includes a default policy module that incorporates CA policy for both enterprise and stand-alone CAs. You can also build custom policy modules for special needs.

Enterprise CA Policy    Enterprise CA policy always issues a certificate or denies a request immediately. Enterprise CA policy uses Active Directory to determine the identity of the requester, and then automatically determines whether the requester has security permissions to receive a certificate of the type that is being requested.

Stand-alone CA Policy    By default, stand-alone CA policy sends certificate requests to a pending queue so that an administrator can approve or deny them. You have the option of setting stand-alone CA policy to automatically approve all certificate requests. However, because a stand-alone CA does not verify the identity of requesters who are using Active Directory, there is no way to verify the identity and validity of the certificate requester automatically. Therefore, setting a stand-alone CA to approve certificate requests automatically can pose a significant security risk.

Custom Policy Modules    The policy module is a fully customizable DLL. For more information about how to customize policy modules, see the Microsoft Platform SDK link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources . You can change the installed policy module by using the Certification Authority console. You can also develop your own policy modules or acquire a third-party policy module when one is available.

Note

It is recommended that you use custom policy modules with stand-alone CAs only. Enterprise CAs require the enterprise policy module to ensure proper integration with Active Directory. Using a custom policy module with an enterprise CA can produce both problems and unpredictable results.

When Certificate Services determines whether to grant certificate requests, the policy module can check information in the request against various sources for verification, such as a directory service, an external legacy database, or credit information from an outside authority. The policy module also can send alerts to the appropriate administrator if manual (offline) approval of the request is required.

The policy module can insert additional certificate attributes or extensions that might be required by a client application. For example, information such as a job title and a signing limit into certificates can be inserted and used by an online purchasing form to determine whether the user can sign for the amount requested.

The policy module can use additional information included in the certificate request to incorporate requested attributes in the issued certificate. For example, certificate requests to stand-alone CAs must include all information about the requested certificate; so the policy module incorporates this information into each certificate that is issued. However, enterprise CAs use certificate templates to specify certificate attributes; so certificate requests to enterprise CAs require less information.

Certificate Templates

For enterprise CAs, certificate templates define the attributes for certificate types . You can configure enterprise CAs to issue specific certificate types to authorized users and computers. When a CA creates a certificate, the certificate template is used to specify its attributes, such as the authorized uses for the certificate, the cryptographic algorithms that are to be used with it, the public key length, and the certificate lifetime. Certificate templates are stored in Active Directory and provide information for each of the certificate types that are listed in Table 16.1.

Table   16.1 Certificate Types for Enterprise CAs

Many certificate templates are provided for online requests from enterprise CAs. Online certificate templates are used to issue certificates to requestors that have Windows 2000 accounts and that support obtaining certificates directly from an enterprise CA. Certificate templates for offline requests are used to issue certificates to requestors that do not have Windows 2000 accounts or that do not support obtaining certificates directly from an enterprise CA. When a certificate is issued for online requests, identification information about the requestor is obtained from the requestor's Windows 2000 user account for inclusion in the certificates that are issued. Offline requests must include the requestor's identification information in the certificate request when the request is submitted. When you use the Certificate Services Web Enrollment Support pages to request offline certificates from an enterprise CA, enter the identification information (name, e-mail address, department, and so forth), in the Web form before you submit the request to the CA.

For example, you might use the Web Enrollment Support pages to obtain a Web Server certificate for a third-party Web server, and then install the certificate on the appropriate server computer. Likewise, you might obtain an offline IPSec certificate, and then manually install the certificate on a non-Windows 2000 IPSec client. The Subordinate Certification Authority certificate template is an offline template because the identification information for the subordinate CA is entered during the installation process.

An enterprise CA only issues the certificate types that are specified by its certificate issuing policy. By default, Windows 2000 enterprise CAs are installed so that they are ready to issue several types of certificates. You can modify the default configuration by using the Certification Authority console in MMC to specify the types of certificates that are to be issued by each CA.

Stand-alone CAs do not use certificate templates. Therefore, certificate requests to them must include all of the information that is necessary to define the type of certificate that is to be issued. When Windows 2000 services submit certificate requests to stand-alone CAs, the requests include the information that is necessary to define the type of certificate that is being requested. You can use the Web Enrollment Support pages for stand-alone CAs to submit certificate requests to stand-alone CAs for a variety of types of certificates.

Certificate Database

The certificate database records all certificate transactions. It tracks all certificate requests and records whether they were granted or denied. It records information for the issued certificate, such as the serial number and expiration date. It provides a complete audit trail for each certificate from request to expiration. It also flags and tracks certificates that are revoked by CA administrators. You can use the Certification Authority console to manage the audit trail.

Because the certificate database is a transaction database, it includes certificate log files, which record all certificate transactions. By default, the certificate database and the certificate log files are installed at the following location:

< Drive :>\WINNT\System32\CertLog

where < Drive: > is the letter of the disk drive where the CA is installed.

At the time you install the CA, you have the option of choosing another location to install either the database or the logs, including storing the database and log files separately on different drives.

Exit Modules

The exit module packages the issued certificate in the appropriate transport mechanism or protocol and distributes it to the location specified in the request. Certificate requests can specify that the certificate be distributed to Lightweight Directory Access Protocol (LDAP) directory services, file systems, or URLs. An exit module also delivers certificate revocation lists (CRLs) to CRL distribution points.

The default enterprise exit module publishes certificates and CRLs to Active Directory, and the default stand-alone exit module publishes certificates and CRLs to the local file system. However, Windows 2000 Certificate Services supports multiple exit modules and you can use the Certification Authority console to install them for a CA. For example, you can install exit modules that send certificates and CRLs in e-mail messages or send them to public folders on the network. You can also install exit modules that post certificates to legacy open database connectivity (ODBC) databases or to third-party Lightweight Directory Access Protocol (LDAP) directory services.

Like the policy module, the exit module is a DLL and is fully customizable. For more information about customizing exit modules, see the Microsoft Platform SDK link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources . You can change the installed exit module by using the Certification Authority console. You also can develop your own exit modules or acquire third-party exit modules.

Certification Authority Console

The Certification Authority console is an MMC snap-in that you can use to manage multiple CAs, performing a variety of administrative tasks that include the following:

• Starting and stopping the CA.

• Backing up and restoring the CA.

• Changing exit and policy modules.

• Viewing the CA certificate.

• Installing or reinstalling a CA certificate for the CA.

• Setting security permissions and delegating administrative control for the CA.

• Revoking certificates.

• Viewing or modifying certificate revocation list (CRL) distribution points.

• Scheduling and publishing CRLs.

• Configuring the types of certificates that are to be issued by the CA.

• Viewing information about certificates that have been issued.

• Viewing information about certificates that have been revoked.

• Viewing pending certificate requests.

• Approving or denying pending certificate requests.

• Viewing failed certificate requests.

• Renewing the CA's certificate.

For more information about how to use the Certification Authority console to manage a CA and perform specific administration tasks, see Certificate Services Help.

To add a Certification Authority console to MMC

1. Open MMC.

2. Click Console , and then click Add/Remove Snap-in or press CTRL+M. The Add/Remove Snap-in dialog box appears.

3. Click Add . The Add Standalone Snap-in dialog box appears.

4. Select Certification Authority from the list of snap-ins, and then click Add . The Certification Authority dialog box appears.

5. Choose one of the following:

   • To manage the CA that is running on the local computer, select the Local computer check box, and then click Finish .

   • To manage the CA that is running on another computer, select the Another computer check box, and then type the domain name of the computer that runs the CA or click Browse to select the computer from a list. Then click Finish .

   You can click Add in the Add Standalone Snap-in dialog box again to add more Certification Authority consoles. The Add/Remove Snap-in dialog box displays the snap-ins that you have added and that are to be installed in MMC.

6. When you have finished adding snap-ins, in the Add Standalone Snap-in dialog box, click Close.

7. In the Add/Remove Snap-in dialog box, click Close .

Figure 16.3 shows an example of a Certification Authority console that has been added to MMC. This console manages the CA on the local computer.

Figure 16.3 Certification Authority Console

The Certification Authority (Local) console node has been expanded to show all of the containers for an enterprise CA named Enterprise-Root-CA. These containers are used as follows:

Revoked Certificates    Click this container to show information about all revoked certificates for this CA. To manually publish CRLs, right-click the Local node. Click All Tasks , and then click Publish . To change the CRL publication schedule, right-click the Local node, and then click Properties . To view a certificate, double-click the certificate. Use the dialog boxes that appear to publish the CRL, change the CRL publication schedule, or view the certificate.

Issued Certificates    Click this container to show information about all certificates that have been issued by this CA. To revoke a certificate, right-click the certificate, and then click All Tasks . Then click Revoke Certificate . To view a certificate, double-click the certificate. Use the dialog boxes that appear to revoke or view certificates.

Pending Requests    Click this container to show information about all certificates that are pending for this CA. To approve a pending certificate request, click this container, and then right-click the certificate request. Click All Tasks , and then click Issue . To deny a pending certificate request, click this container and then right-click the certificate request. Click All Tasks , and then click Deny . Use the dialog box that appears to deny the certificate request.

Failed Requests    Click this container to show the information about all certificate requests that have failed. The information in the Request Disposition Message column explains why the request failed.

Policy Settings (Enterprise CAs Only)    Select this container to show the types of certificates that the enterprise CA can issue. To remove one of the types of certificates, select the type you want to delete, and then press DELETE. To add another type of certificate, right-click the container. Click New , and then click Certificate to Issue . Use the dialog box that appears to add the types of certificates that you want to issue.

When you click a container (such as the Failed Requests container), by default, many of the columns that can be displayed in the details pane of the console are hidden.

To change the columns that are displayed in the details pane for a container

1. Right-click the container, click View, and then click Choose Columns . The Modify Columns dialog box appears.

2. Use the Modify Columns dialog box to add, remove, or change the order in which columns appear, and then click OK . For more information about how to use the Modify Columns dialog box, see Certificate Services Help.