Configure Public Key Group Policy

You can use the Group Policy console to configure Public Key Group Policy for sites, domains, and organizational units or local computer policy. Most features of the public key infrastructure and certificate services work without your having to configure Public Key Group Policy settings. However, you must configure Public Key Group Policy if you want to do any of the following:

  • Use automatic enrollment for computer certificates.

  • Add trusted root certificates for groups of computers.

  • Create CTLs for computers and users.

  • Designate EFS recovery agent accounts.

To add a Group Policy console to MMC

  1. Open MMC.

  2. Click Console, and then click Add/Remove Snap-in, or press CTRL+M.
    The Add/Remove Snap-in dialog box appears.

  3. Click Add.
    The Add Standalone Snap-in dialog box appears.

  4. Select Group Policy from the list of snap-ins, and then click Add.
    The Select Group Policy Object dialog box appears, with Local Computer listed in the Group Policy Object box.

  5. Click Finish to manage local computer policy.
    – Or –
    Click Browse to select another Group Policy (or to create and select a new Group Policy), and then click Finish to manage the selected Group Policy.
    The Add Standalone Snap-in dialog box appears. Click Add again to add multiple Group Policy snap-ins.

  6. When you are finished adding snap-ins, on the Add Standalone Snap-in dialog box, click Close.
    The Add/Remove Snap-in dialog box appears and displays the snap-ins that are to be installed in MMC.

  7. In the Add/Remove Snap-in dialog box, click Close.

For Group Policy for sites, domains, and organizational units, there is a Public Key Policies container for both computers and users. Figure 16.12 shows an example of the Public Key Policies container for computers in the Default Domain Policy. To display the Public Key Policies container for computers, expand the Computer Configuration node, expand the Security Settings node, and then click Public Key Policies.

Figure 16.12 Public Key Policies for Computers

Figure 16.13 shows the Public Key Policies container for users in the Default Domain Policy. To display the Public Key Policies container for users, expand the User Configuration node, expand the Security Settings node, and then click Public Key Policies.

Figure 16.13 Public Key Policies for Users

The Public Key Policies containers are used for the following tasks:

  • Automatic Certificate Request Settings for configuring autoenrollment for computer certificates.

  • Trusted Root Certification Authorities for adding trusted root CA certificates to the Trusted Root Certification Authorities store.

  • Enterprise Trust for configuring CTLs. (This is the only container that appears for users.)

  • Encrypted Data Recovery Agents for configuring EFS recovery agents. (This is the only container that appears for Local Computer policy.)

For users, you can configure CTLs only. For Local Computer policy, you can configure EFS Recovery Agents Policy only. For more information about how to configure Public Key Group Policy, see Certificate Services Help and Group Policy Reference.

Note

Changes to Group Policy do not take effect immediately. User and computer Group Policy is refreshed periodically (every 90 minutes, by default), when users log on, and when computers are started. You also can use the Secedit /refreshPolicy command-line option to refresh policy settings manually from the command prompt at each local computer.

Automatic Certificate Enrollment

You can specify automatic enrollment and renewal for computer certificates. When autoenrollment is configured, the specified certificate types are issued automatically to all computers within the scope of the Public Key Group Policy. Computer certificates that are issued by autoenrollment are renewed automatically from the issuing CA. Autoenrollment does not function unless at least one enterprise CA is online to process certificate requests.

To configure autoenrollment, in the Public Key Policies node, right-click the Automatic Certificate Request Settings node, and then click New and Automatic Certificate Request. When the Automatic Certificate Request wizard appears, configure autoenrollment by using the options that are described in Table 16.13.

Table 16.13 Automatic Certificate Request Wizard (option, followed by its description)

  • Certificate Template page
    Select a certificate template in the Certificate templates box, and then click Next. All computers that are within the scope of the autoenrollment policy with Enroll permissions for this certificate template are issued that certificate type the next time the computer restarts and logs on to the domain.

  • Certification Authority page
    Select the check box next to one or more CAs that are listed in the Certification authorities box. If you select multiple CAs, certificate requests for autoenrollment are processed by the first CA that is available. After selecting the CAs, click Next and complete the wizard.
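The following PowerShell script is an added example; it is not part of the original documentation and not a tool shipped with Windows. It lists the certificates in the local computer's Personal store that were issued from a certificate template, shows the template name and the remaining lifetime, and warns when an expected template has produced no certificate, so an administrator can verify that autoenrollment has delivered the configured certificate types after policy has refreshed. The template names in $ExpectedTemplates and the 30-day warning threshold are placeholders for your environment; the template-name extension OID (1.3.6.1.4.1.311.20.2, with 1.3.6.1.4.1.311.21.7 for newer templates) and its decoding by Format() are as Windows implements them.

```powershell
# Added example (not from the original page): report autoenrolled computer certificates.
# Assumptions: run in an elevated PowerShell session on a domain-joined computer;
# the template names below are placeholders for the templates your policy requests.
$ExpectedTemplates = @('Machine')   # placeholder: template(s) autoenrollment should have issued
$WarnDays = 30                      # warn when fewer days than this remain before expiry

# v1 templates carry the template name in this extension; v2 templates use the second OID.
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($oid in @($TemplateNameOid, $TemplateInfoOid)) {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid } | Select-Object -First 1
        if ($null -ne $ext) { return $ext.Format($false).Trim() }   # Windows decodes both forms
    }
    return $null
}

$found = @{}
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $template = Get-TemplateName -Cert $cert
    if ($null -eq $template) { continue }   # not issued from a template; not autoenrolled
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
    "{0,-9} {1,-30} {2}  expires {3:yyyy-MM-dd} ({4} days)  issuer={5}" -f `
        $state, $template, $cert.Thumbprint, $cert.NotAfter, $daysLeft, $cert.Issuer
    if (-not $found.ContainsKey($template)) { $found[$template] = @() }
    $found[$template] += $cert
}

# An expected template with no certificate usually means policy has not refreshed yet,
# the computer lacks Enroll permission on the template, or no enterprise CA was reachable.
foreach ($t in $ExpectedTemplates) {
    if (-not $found.ContainsKey($t)) {
        Write-Warning "No certificate from template '$t' found: check Automatic Certificate Request Settings, Enroll permission on the template, and whether policy has refreshed."
    }
}
```

Run the script after the refresh interval described in the Note above has elapsed (or after restarting the computer), since a certificate is requested only when the computer applies the updated policy.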

Root Certificate Trust

When you install an enterprise root CA or a stand-alone Root CA, the certificate of the CA is added automatically to the Trusted Root Certification Authorities Group Policy for the domain. You also can add certificates for other root CAs to Trusted Root Certification Authorities Group Policy. The root CA certificates that you add become trusted root CAs for computers within the scope of the Group Policy. For example, if you want to use a third-party CA as a root CA in a certification hierarchy, you must add the certificate for the third-party CA to the Trusted Root Certification Authorities Group Policy.

To add a certificate for the root CA to the Trusted Root Certification Authorities Group Policy, in the Public Key Policies node, right-click Trusted Root Certification Authorities, and then click All Tasks and Import. When the Certificate Import wizard appears, use the wizard to import a certificate file for the certificate of the root CA and add it to Group Policy. The certificate is added to the Trusted Root Certification Authorities store of all computers within the scope of Group Policy the next time it is refreshed on each computer.

Certificate Trust Lists

You can create CTLs to trust specific CAs and to restrict the uses of certificates issued by the CAs. For example, you might use a CTL to trust certificates that are issued by a commercial CA and restrict the permitted uses for those certificates. You might also use CTLs to control trust on an extranet for certificates that are issued by CAs that are managed by your business partners. You can configure CTLs for computers and for users.

Before administrators can create CTLs, they must have a valid trust list signing certificate, such as the Administrator certificate or the Trust List Signing certificate that are issued by enterprise CAs. The trust list signing private key for the administrator is used to sign the CTL for integrity. If the trust list signing certificate for an administrator is invalid, all CTLs that have been created and signed by that administrator also are invalid.

To create a CTL for computers or for users, in the Public Key Policies node (for the Computer Configuration node or for the User Configuration node), right-click the Enterprise Trust node, and then click New and Certificate Trust List. When the Certificate Trust wizard appears, configure the CTL by using the options that are described in Tables 16.14 through 16.18.

Table 16.14 Certificate Trust List Purpose Page (option, followed by its description)

  • Type a prefix that identifies this CTL (optional)
    Enter an optional prefix for the CTL. This prefix is used to identify the CTL.

  • Valid duration (optional)
    Specify an optional lifetime for the CTL. Enter the number of months in the Months box and the number of days in the Valid duration (optional) box. If you do not specify a lifetime, the CTL expires when the trust list signing certificate expires.

  • Designate Purposes
    Select a check box next to one or more of the listed purposes in the Designate purposes box. The CTL establishes trust only for certificates that are valid for the selected purposes. A certificate might support all of the listed purposes, but you can restrict the purposes for which certificates are trusted.

  • Add Purpose
    Click to add purposes to the Designate purposes box. When the User Defined Purpose dialog box appears, enter an object identifier for the new purpose in the Object ID text box.

Table 16.15 Certificates in the CTL Page (option, followed by its description)

  • Current CTL Certificates
    Displays the certificates of the root CAs that are to be trusted by this CTL. Certificates with certification paths to this root CA are trusted for all designated purposes specified by the CTL.

  • Add from Store
    Adds a root certificate from the Trusted Root Certification Authorities store. When the Select Certificate dialog box appears, select all of the certificates that you want to add, and then click OK.

  • Add from File
    Adds a root CA's certificate from a file.

  • Remove
    Deletes the certificate that is selected in the Current CTL Certificates box.

  • View Certificate
    Select this option to view the certificates that are selected in the Current CTL Certificates box.

Table 16.16 Signature Certificate Page (option, followed by its description)

  • Use this certificate
    Displays the trust list signing certificate for the private key that is to be used to sign the CTL.

  • Select from Store
    Adds a trust list signing certificate from the Personal store for the administrator. When the Select Certificate dialog box appears, select the certificate you want to use, and then click OK.

  • Select from File
    Adds the trust list signing certificate from a file.

  • View Certificate
    Select this option to view the certificate listed in the Use this certificate box.

Table 16.17 Timestamping Page (option, followed by its description)

  • Add a timestamp to the data
    Adds a timestamp to the CTL. The timestamp is used to determine the valid lifetime of the CTL. If a timestamp is not used, the computer clock is used instead.

  • Timestamp service URL
    Type the URL for a timestamp service that is to be used for the timestamp.

Table 16.18 Name and Description Page (option, followed by its description)

  • Friendly Name
    Type the optional name that is to appear in MMC when the CTL is displayed. To help you distinguish between CTLs, choose unique friendly names for all of the CTLs that you create.

  • Description
    Type an optional description of this CTL. The description can let others know the purpose of the CTL.

EFS Recovery Agents

By default, the local Administrator user account for the first domain controller that is installed in the domain is the EFS recovery account for that domain. You can specify alternative recovery agents for EFS. Use the Group Policy console to designate alternative EFS recovery agents by adding their EFS Recovery Agent certificates to Public Key Group Policy, which means you must first issue EFS Recovery Agent certificates to the designated recovery agent user accounts on local computers.

When you are configuring the EFS recovery settings, you have two choices: you can add recovery agent certificates that are published in Active Directory, or you can add recovery agent certificates from a file that is located on a disk or in a shared folder that is available from the computer where you are configuring Public Key settings. If you add recovery agent certificates from files, you must first export the appropriate certificates to the disk or shared folder that is to be used to add the files during the EFS recovery Group Policy configuration process.

To add an EFS recovery agent, in the Public Key Policies node, right-click Encrypted Data Recovery Agents, and then click Add. When the Add Recovery Agent wizard appears, add the appropriate recovery agent certificates by using the options described in Table 16.19.

Table 16.19 Add Recovery Agent Wizard (option, followed by its description)

  • Recovery agents
    Displays the certificates you choose for recovery agents.

  • Browse Directory
    Browses Active Directory and adds a recovery agent certificate for a user account. Use this option when the certificate is published in Active Directory.

  • Browse Folders
    Adds a recovery agent certificate from a file.

When you select Encrypted Data Recovery Agents, the EFS recovery agent certificates that are applied by Group Policy appear in the details pane of the console. These are the recovery agent certificates that are used by EFS within the scope of Group Policy. To delete a recovery agent certificate from the Group Policy settings, select the certificate. Next, either press DELETE, or right-click the certificate, and then click Delete.
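The following PowerShell script is an added example; it is not part of the original documentation and not a tool shipped with Windows. It serves both the Root Certificate Trust section and this EFS Recovery Agents section: on a computer inside the scope of the policy, it lists the certificates that Public Key Group Policy has applied to the Trusted Root Certification Authorities container and to the Encrypted Data Recovery Agents container, and flags any thumbprint that is not on an administrator-maintained expected list (an unexpected trusted root or recovery agent is exactly what a defender wants to notice). It assumes that policy-applied certificates are registered under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\<container>\Certificates, one subkey per SHA-1 thumbprint, with Root and EFS as the container names; the thumbprints in $Expected are placeholders.

```powershell
# Added example (not from the original page): audit certificates applied by Public Key Group Policy.
# Assumptions: run in an elevated PowerShell session on a computer within the policy's scope;
# policy-applied certificates live under the registry path below, keyed by SHA-1 thumbprint;
# the thumbprints in $Expected are placeholders for your own root CA and recovery agent certificates.
$Expected = @{
    'Root' = @('PLACEHOLDER_ROOT_CA_THUMBPRINT')          # placeholder
    'EFS'  = @('PLACEHOLDER_RECOVERY_AGENT_THUMBPRINT')   # placeholder
}
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates'

# Thumbprints of the certificates Group Policy has applied to one container (Root, EFS, ...).
function Get-PolicyCertThumbprints {
    param([string]$Container)
    $key = Join-Path $PolicyBase "$Container\Certificates"
    if (-not (Test-Path $key)) { return @() }          # container never populated by policy
    return @(Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

# The logical Root store merges policy-applied and locally added roots, so the subject
# name of a policy-applied root can be read from there.
function Get-RootSubject {
    param([string]$Thumbprint)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if ($null -eq $cert) { return '(not in LocalMachine\Root yet; policy may not have refreshed)' }
    return $cert.Subject
}

foreach ($container in $Expected.Keys) {
    $applied = @(Get-PolicyCertThumbprints -Container $container)
    $wanted  = @($Expected[$container] | ForEach-Object { $_.ToUpperInvariant() })
    "== $container : $($applied.Count) certificate(s) applied by Group Policy =="
    foreach ($tp in $applied) {
        $flag = if ($wanted -contains $tp) { 'expected  ' } else { 'UNEXPECTED' }
        $detail = if ($container -eq 'Root') { Get-RootSubject -Thumbprint $tp } else { '' }
        "  $flag $tp $detail"
    }
    # A missing expected certificate usually means the policy has not refreshed here yet.
    foreach ($tp in $wanted) {
        if ($applied -notcontains $tp) {
            Write-Warning "$container : expected thumbprint $tp is not applied on this computer."
        }
    }
}
```

Because Group Policy is refreshed only at the interval described in the Note above, run the audit after a refresh (or after Secedit /refreshPolicy on the computer) when checking that a newly added root or recovery agent certificate has arrived; an UNEXPECTED entry should be traced back to whoever edited the Public Key Policies container.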