Revoking Server Licensor Certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

An organization may need to revoke a server licensor certificate due to unforeseen circumstances that result in the RMS server being compromised. A private key that is not stored on a hardware security module is vulnerable to theft. A server licensor certificate and key could be compromised in an organization by an attacker who took control of the server, or a disgruntled employee could copy or remove the certificate or key. Revocation is one way to contain the damage and limit misuse by a malicious user.

By default, any license or certificate can be revoked by the principal that issued it. Because RMS servers issue the licenses and certificates that are associated with your protected content, you can always revoke them if necessary. If a server in a licensing-only cluster is compromised, you can revoke its server licensor certificate. When you revoke a server licensor certificate, all of the certificates and licenses that it has issued become invalid. Instructions for revoking licenses and certificates are provided in “Implementing Revocation” earlier in this subject.

The root cluster, however, is a special case. The server licensor certificate for the root cluster is issued by the Microsoft Enrollment Service and, by default, only the Microsoft Enrollment Service can revoke that server licensor certificate.

Microsoft can revoke the server licensor certificate of a root cluster only if you obtain a court order and provide the public key of the server to the court. After the court notifies Microsoft that a revocation order has been issued, Microsoft will specify the server licensor certificate by public key in its revocation list and make the list publicly available. You can request a revocation order from the court if one of the following conditions is true of the server whose license is to be revoked:

• You own the server and its private key has been compromised.

• You own the content that is being published by the server and that content is being published in violation of your copyright.

Follow the steps that are described in “Deploying Revocation Lists” earlier in this section to obtain and distribute revocation lists from Microsoft that include the revoked server licensor certificate of a root cluster.

When provisioning the first server in the root cluster, you can specify a public key that has the authority to revoke the server licensor certificate of the root cluster. That public key can either belong to the organization or to a third party. A revocation list that is signed by the corresponding private key can revoke the server licensor certificate.

To revoke the server licensor certificate of the root cluster, you can create a revocation list that specifies this server licensor certificate, sign it with the private key of your organization or the third party, and then distribute the revocation list to all users. For instructions, see “Deploying Organizational Revocation Lists” in “Deploying Revocation Lists” earlier in this subject.

You can revoke a server licensor certificate in a revocation list by using the following parameters:

• GUID. A server licensor certificate can be revoked by its globally unique identifier (GUID). For information about using this parameter in a revocation list, see “Revoking Certificates and Licenses Based on GUID” in "Creating Revocation Lists" earlier in this subject.

• Hash value. A server licensor certificate can be revoked based on a SHA-1 hash of the Unicode characters that are in the body of the certificate. For information about using this parameter in a revocation list, see “Revoking Certificates and Licenses Based on Hash Value” in "Creating Revocation Lists" earlier in this subject.

To obtain the server licensor certificate of an RMS installation, you need to query the RMS configuration database. The following steps describe how to obtain this information from a SQL configuration database and save it to a file that can be easily read by using a browser:

To obtain server licensor certificate

1. Log into a computer with SQL Query Analyzer installed and has read permissions to the configuration database of the server licensor certificate being retrieved.

2. Click Query, and then click Results in Text.

3. Click Tools, and then click Options.

4. In the Options dialog box, click the Results tab, and then set Maximum characters per column to 8192.

5. Run the following query:

   select DRMS_XrML_Certificate.s_certificate
   from DRMS_XrML_Certificate, DRMS_LicensorCertificate, DRMS_ClusterConfiguration
   where DRMS_ClusterConfiguration.CurrentLicensorCertID = DRMS_LicensorCertificate.i_CertID
   and DRMS_LicensorCertificate.i_CertificateID = DRMS_XrML_Certificate.i_CertificateID
   

6. Copy contents in Results window, paste them into a text editor, and save the file with an XML extension.

For more information about how to use this information in a revocation list, see “Creating Revocation Lists” earlier in this subject.

Once you have the server licensor certificate information saved as an XML file, you can extract the public key from it by using the following steps:

1. Open the server licensor certificate XML file in an XML or text file editor.

2. Under the <ISSUEDPRINCIPALS> section, copy the <PUBLICKEY> element.

3. Save this information to a file that you can submit to the court or place in an organizational revocation list.

After the server licensor certificate of the root cluster is revoked, all certificates and licenses that have been issued by your RMS installation become invalid for the content that requires a revocation list and the content will be inaccessible. This process is not affected by the type of license that the user has. To retain content that was published by the server whose license is being revoked, you must take one of the following actions before implementing the revocation list:

• Save the content without RMS protection.

• Republish the content without a revocation list requirement.

In both scenarios—revocation by Microsoft or revocation by a third party—the revocation list takes effect for all binding requests because it was signed by the private key of a principal in the chain of trust of the use license. Therefore, all binding requests that involve licenses that were issued by the RMS installation by using the revoked server licensor certificate will fail.