What's New in Certificates
What's new in certificates?
Windows® 7 introduces HTTP enrollment protocols that enable policy-based certificate enrollment across Active Directory forest boundaries and over the Internet. These changes enable new certificate enrollment scenarios that allow organizations to expand the accessibility of existing public key infrastructure (PKI) deployments and reduce the number of certification authorities (CAs).
Improvements to the certificate selection user interface and filtering logic provide a simplified user experience when an application presents multiple certificates.
Who will want to use these new features?
Enterprises with a new or existing PKI can use HTTP enrollment in these new deployment scenarios:
In multiple-forest environments, client computers can enroll for certificates from CAs in a different forest.
In extranet deployments, mobile workers and business partners can request and renew certificates over the Internet.
Internet browsers and many other applications use the Certificate Selection dialog box to prompt users for certificate selection when multiple certificates are available. The Certificate Selection dialog box presents a list of certificates to choose from, but selecting the correct certificate can be a confusing task that often results in support calls and a poor user experience. Organizations encountering these issues can benefit from the improvements in certificate selection.
What are the benefits of the new and changed features?
Organizations that have multiple-forest environments and a per-forest PKI can use HTTP enrollment to allow certificate enrollment across forest boundaries and consolidate their PKI to use fewer CAs.
Organizations that issue certificates to mobile workers, business partners, or online customers can use HTTP enrollment to allow certificate enrollment over the Internet and simplify the enrollment process for remote users.
The new HTTP enrollment protocols are based on open Web services standards and can be implemented by organizations that want to provide online certificate services and registration authority services.
The certificate selection experience includes improvements in the filtering logic and the user interface. Improved filtering logic is intended to reduce the number of certificates that are presented to the user, ideally resulting in a single certificate that requires no user action. Filter criteria can be specified by the application and include certificate purpose, validity period, and certification path. If more than one certificate meets the filter criteria, the Certificate Selection dialog box displays details of each certificate such as subject, issuer, and validity period as well as a graphic that distinguishes between smart card certificates and certificates that are installed on the computer.
What's the impact of these changes on certificates?
HTTP enrollment requires deployment of the certificate enrollment Web services included in Windows Server 2008 R2. For more information, see What's New in Active Directory Certificate Services (AD CS) in Windows Server 2008 R2. Administrators use Group Policy to distribute the locations of the certificate enrollment Web services to domain members. Windows 7 also supports Lightweight Directory Access Protocol (LDAP) enrollment that is compatible with existing CAs running Windows Server 2003 or Windows Server 2008.
Applications that use the CryptUIDlgSelectCertificate function automatically use the new Certificate Selection dialog box and generally do not require changes. A new flag has been added to the API so that applications can use the legacy Certificate Selection dialog box; however, this requires that the application be modified and distributed to users. Additionally, optional parameters can be used to specify criteria for the CertSelectCertificateChains function, which is used to select certificates to be displayed by the CryptUIDlgSelectCertificate function. For more information, see CertSelectCertificateChains Function on MSDN.
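The following PowerShell script is an added illustration, not code from the original article or from Microsoft: it applies the three filter criteria described above (certificate purpose, validity period, certification path) with the .NET X509 classes rather than CertSelectCertificateChains, and only falls back to the Windows Certificate Selection dialog when more than one certificate survives the filter. The store location and name and the Client Authentication EKU OID are assumptions chosen for the example.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example: pre-filter certificates so the user is prompted only when necessary.
Add-Type -AssemblyName System.Security

function Select-ClientCertificate {
    param(
        [string]$StoreLocation = 'CurrentUser',          # assumed store
        [string]$StoreName     = 'My',
        # Purpose is chosen by the application; Client Authentication EKU is assumed here.
        [string]$ApplicationPolicyOid = '1.3.6.1.5.5.7.3.2'
    )

    $store = [X509Store]::new($StoreName, $StoreLocation)
    $store.Open([OpenFlags]::ReadOnly)
    try {
        # Criterion 1: certificate purpose (Enhanced Key Usage / application policy).
        $byPurpose = $store.Certificates.Find([X509FindType]::FindByApplicationPolicy,
                                               $ApplicationPolicyOid, $false)
        # Criterion 2: validity period (drop expired and not-yet-valid certificates).
        $byTime = $byPurpose.Find([X509FindType]::FindByTimeValid, [DateTime]::Now, $false)

        # Criterion 3: certification path must build to a trusted root, and the
        # certificate must have a usable private key.
        $candidates = [X509Certificate2Collection]::new()
        $chain = [X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
        foreach ($cert in $byTime) {
            if ($cert.HasPrivateKey -and $chain.Build($cert)) {
                [void]$candidates.Add($cert)
            }
        }
    }
    finally {
        $store.Close()
    }

    switch ($candidates.Count) {
        0       { return $null }            # nothing usable: caller reports the failure
        1       { return $candidates[0] }   # ideal outcome: no user interaction required
        default {
            # Several certificates match: show the Certificate Selection dialog.
            $chosen = [X509Certificate2UI]::SelectFromCollection(
                $candidates, 'Select a certificate',
                'More than one certificate matches the application filter.',
                [X509SelectionFlag]::SingleSelection)
            if ($chosen.Count -eq 1) { return $chosen[0] } else { return $null }
        }
    }
}

Select-ClientCertificate | Format-List Subject, Issuer, NotBefore, NotAfter
```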