
Sunday, May 01, 2011

Windows 2000 Certificate Services

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.

Microsoft® Windows® 2000 Certificate Services offers customers an integrated public key infrastructure (PKI) that enables the secure exchange of information across the Internet, extranets, and intranets. Certificate Services verifies and authenticates the validity of each party involved in an electronic transaction and lets domain users log on to a domain using the additional security provided by smart cards. This paper introduces Windows 2000 Certificate Services and describes PKI deployment in a Windows 2000 network.

Introduction

As security becomes more and more important in a network environment, client workstations and servers need some way to securely pass data. The most common way to do this is through the use of digital certificates. Although you can use third-party certificate issuers to create and issue digital certificates, you can, instead, use Certificate Services on your Windows 2000 server. Using Certificate Services introduces a whole new level of complexity to your Windows server, along with some new terms and concepts.

A certificate is a digitally signed document that works as a part of a public key infrastructure (PKI). The certificate contains a public key and the name of the subject, such as a directory name, e-mail name, and/or domain name service (DNS) name. By signing the certificate, the Certification Authority asserts that the private key associated with the public key in the certificate is in the possession of the subject named in the certificate. You can create your own Certification Authorities within your enterprise, or you can use third-party companies such as VeriSign that provide commercial Certification Services.

Contents of a typical digital certificate

Serial Number: Used to uniquely identify the certificate.
Subject: The person or entity identified.
Signature Algorithm: The algorithm used to create the signature.
Issuer: The entity that verified the information and issued the certificate.
Valid-From: The date from which the certificate is first valid.
Valid-To: The expiration date.
Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing...).
Public Key: The subject's public key. (The purpose of SSL when used with HTTP is not just to encrypt the traffic, but also to authenticate who the owner of the website is, and to show that someone has been willing to invest time and money into proving the authenticity and ownership of their domain.)
Thumbprint Algorithm: The algorithm used to hash the certificate.
Thumbprint: The hash itself, used to check that the certificate has not been tampered with.



Certificate Templates and Purposes

Certificate template name                   | Certificate purposes                                                                   | Issued to
--------------------------------------------|----------------------------------------------------------------------------------------|------------------
Administrator                               | Code signing, Microsoft trust list signing, EFS, secure e-mail, client authentication  | People
Certification authority                     | All                                                                                    | Computers
ClientAuth                                  | Client authentication (authenticated session)                                          | People
CodeSigning                                 | Code signing                                                                           | People
CTLSigning                                  | Microsoft trust list signing                                                           | People
Domain Controller                           | Client authentication, server authentication                                           | Computers
EFS                                         | Encrypting File System                                                                 | People
EFSRecovery                                 | File recovery                                                                          | People
EnrollmentAgent                             | Certificate request agent                                                              | People
IPSECIntermediateOffline                    | IP Security                                                                            | Computers
IPSECIntermediateOnline                     | IP Security                                                                            | Computers
MachineEnrollmentAgent                      | Certificate request agent                                                              | Computers
Machine                                     | Client authentication, server authentication                                           | Computers
OfflineRouter                               | Client authentication                                                                  | Computers/routers
SmartcardLogon                              | Client authentication                                                                  | People
SmartcardUser                               | Client authentication, secure e-mail                                                   | People
SubCA                                       | All                                                                                    | Computers
User                                        | Encrypting File System, secure e-mail, client authentication                           | People
UserSignature                               | Secure e-mail, client authentication                                                   | People
WebServer                                   | Server authentication                                                                  | Computers
CEP Encryption                              | Certificate request agent                                                              | Routers
Exchange Enrollment Agent (Offline Request) | Certificate request agent                                                              | People
Exchange User                               | Secure e-mail, client authentication                                                   | People
Exchange User Signature                     |                                                                                        |


Certificate Authority (CA) certificates

A Certificate Authority certificate is a digital credential that validates the identity of the Certificate Authority (CA) that owns the certificate. The Certificate Authority's certificate contains identifying information about the Certificate Authority, as well as its public key. Others can use the CA certificate's public key to verify the authenticity of the certificates that the CA issues and signs. A Certificate Authority certificate can be signed by another CA, such as VeriSign, or can be self-signed if it is an independent entity. The local CA that you create and operate with Digital Certificate Manager is an independent entity. To use a certificate for SSL, signing objects, or verifying object signatures, you must also have a copy of the issuing CA's certificate.
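To make the certificate fields listed earlier and the CA-signing relationship concrete, here is an added Go example (not code from the original article, and not Windows code): it issues a self-signed CA certificate and a user certificate signed by it, computes the thumbprint, and verifies the user certificate against the CA's public key. The names Issue, Thumbprint and VerifiedBy are this example's own, and it uses Ed25519 keys rather than the RSA keys a Windows 2000 CA would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Issue builds a certificate for cn: self-signed (a CA) when parent is nil, else signed by the parent CA's key.
func Issue(serial int64, cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // keygen from the OS CSPRNG does not fail in practice
	tmpl := &x509.Certificate{ // each field is one of the certificate contents listed above
		SerialNumber:          big.NewInt(serial),                             // Serial Number
		Subject:               pkix.Name{CommonName: cn},                      // Subject
		NotBefore:             time.Now().Add(-time.Hour),                     // Valid-From
		NotAfter:              time.Now().Add(24 * time.Hour),                 // Valid-To
		KeyUsage:              x509.KeyUsageDigitalSignature,                  // Key-Usage
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client authentication purpose
		BasicConstraintsValid: true,
	}
	if parent == nil { // a CA: its key may sign other certificates, and it signs itself (Issuer == Subject)
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // Issuer and signature come from parent
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert, key
}

// Thumbprint is not stored inside the certificate: it is SHA-1 over the DER encoding, recomputed by whoever inspects it.
func Thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifiedBy reports whether leaf chains to root: root's public key checks the issuer signature, and validity and EKU are enforced.
func VerifiedBy(leaf, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

Drive it from a main or a test: issue a CA, a user certificate from it, and a certificate with the same subject name from a second self-signed CA; only the first user certificate verifies against the first CA, because the verifier trusts the CA's public key, not the subject name.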


Server or client certificates

A server or client certificate is a digital credential that identifies the server or client application that uses the certificate for secure communications. Server or client certificates contain identifying information about the organization that owns the application, such as the system's distinguished name. The certificate also contains the system's public key. A server must have a digital certificate to use the Secure Sockets Layer (SSL) for secure communications. Applications that support digital certificates can examine a server's certificate to verify the identity of the server when the client accesses the server. The application can then use the authentication of the certificate as the basis for initiating an SSL-encrypted session between the client and the server. You can manage these types of certificates from the *SYSTEM certificate store only.

Object signing certificates

An object signing certificate is a certificate that you use to digitally "sign" an object. By signing the object, you provide a means by which you can verify both the object's integrity and the origination or ownership of the object. You can use the certificate to sign a variety of objects, including most objects in the Integrated File System and *CMD objects. You can find a complete list of signable objects in the Object signing and signature verification topic. When you use an object signing certificate's private key to sign an object, the receiver of the object must have access to a copy of the corresponding signature verification certificate in order to properly authenticate the object signature. You can manage these types of certificates from the *OBJECTSIGNING certificate store only.

Signature verification certificates

A signature verification certificate is a copy of an object signing certificate without that certificate's private key. You use the signature verification certificate's public key to authenticate the digital signature created with an object signing certificate. Verifying the signature allows you to determine the origin of the object and whether it has been altered since it was signed. You can manage these types of certificates from the *SIGNATUREVERIFICATION certificate store only.


User certificates

A user certificate is a digital credential that validates the identity of the client or user that owns the certificate. Many applications now provide support that allows you to use certificates to authenticate users to resources instead of user names and passwords. Digital Certificate Manager (DCM) automatically associates user certificates that your private CA issues with the user's System i™ user profile. You can also use DCM to associate user certificates that other Certificate Authorities issue with the user's System i user profile.

Microsoft® Windows® 2000 Certificate Services lets you create a certification authority (CA) for managing the Windows 2000 public key infrastructure (PKI). A certification authority (CA) issues certificates that affirm the identity and other attributes of the certificate subject to other entities. PKI refers to a system of digital certificates (also called public key certificates) and CAs that verify and authenticate the validity of each party involved in an electronic transaction, allowing the secure exchange of information on open networks, such as the Internet, extranets, and intranets.

Certificate Services

Windows 2000 Certificate Services provides customizable services for managing certificates. You can use Windows 2000 Certificate Services to create a CA that receives certificate requests, verifies both the information in the request and the identity of the requester, issues and revokes certificates, and publishes a Certificate Revocation List (CRL). When using Windows 2000 Certificate Services, you manage certificates using the Certificates snap-in.


Windows 2000 Certificate Services:
·         Windows 2000 CA policies
·         Enterprise CA
·         Stand-alone CA
·         Certificate revocation lists
·         Where CA information is published in Active Directory
·         Web-based enrollment
·         CA certificate distribution
·         CA renewal


Windows 2000 CA Policies


When you install Windows 2000 Certificate Services, you have the choice of using one of two different CA policies, each having different characteristics when processing certificate requests, issuing certificates, revoking certificates, and publishing CRLs. (CA policies are unrelated to Windows 2000 group policy. However, group policy does play a role in the Windows 2000 PKI.)

The two Certificate Services CA policies included with Windows 2000 are enterprise policy and stand-alone policy. You select the policy a CA uses when you install Certificate Services. Alternatively, you can set up a stand-alone CA and then replace the stand-alone policy with your own custom policy module.

The enterprise and stand-alone policies differ in how they handle interaction with Active Directory, how they handle authentication, and whether they use certificate templates:



·         Enterprise policy. A CA using the enterprise policy is referred to as an enterprise CA:
          ·         Active Directory. Enterprise CAs are integrated with Active Directory and are dependent on the presence of Active Directory.
          ·         Authentication. Enterprise CAs use impersonation for authenticating a certificate requestor and compare the client token against a discretionary access control list (DACL) set on the certificate template and on the service.
          ·         Certificate Templates. Enterprise CAs use certificate templates to craft certificates fitting a particular purpose and as a means of defining enrollment policy for the forest.
·         Stand-alone policy. A CA using the stand-alone policy is called a stand-alone CA:
          ·         Active Directory. Stand-alone CAs are typically not integrated with Active Directory; however, they can (optionally) take advantage of Active Directory's presence. Often, a stand-alone CA is operated offline to provide high security. (The alternative case, integration with Active Directory, occurs when a stand-alone CA is installed by a domain administrator of the root domain or by an enterprise administrator.)
          ·         Authentication. Stand-alone CAs rely on administrative action to verify the requestor's identity and to issue the requested certificate.
          ·         Certificate Templates. Stand-alone CAs do not use certificate templates.



Enterprise CA


To install an enterprise CA, you choose the enterprise CA policy during installation of Windows 2000 Certificate Services. A Windows 2000 enterprise CA has the simplest administration model with the lowest overhead per certificate. It works with the following two Windows 2000 services to minimize the administrative burden of issuing certificates while providing an integrated single point of management:


·         Active Directory. An enterprise CA uses Active Directory as a registration database. Creating a user on a Windows 2000 domain automatically registers the user to all enterprise CAs in the forest. This lets users who have appropriate permissions request a certificate from any enterprise CA. Enterprise CAs use the information published in Active Directory for the subject contents in the certificate.
·         Windows 2000 security model. An enterprise CA uses the Windows 2000 security services to identify the user requesting a certificate and verifies the user's eligibility based on the user's Windows 2000 group membership.

Features of enterprise CAs:
·         Enterprise CA certificate templates
·         Enterprise CA enrollment
·         Enterprise CA security model

Stand-alone CA

To install a stand-alone CA, you choose the stand-alone CA policy during installation of Windows 2000 Certificate Services. A Windows 2000 stand-alone CA, as the name implies, can function independently of Active Directory and other components in the Windows 2000 forest. You can install a stand-alone CA on a Windows 2000 server in a Windows NT® 4.0 domain as well as in a Windows 2000 forest.

When submitting a certificate request to a stand-alone CA, certificate requestors must explicitly supply all identifying information about themselves and the type of certificate desired (unlike a request to an enterprise CA, in which case the user's information is already in Active Directory and the certificate type is described by a certificate template). By default, all requests sent to stand-alone CAs are set to pending until the administrator of the stand-alone CA (using the CA snap-in) verifies the identity of the requestor and allows the request. In addition, the administrator (or the user) has to explicitly distribute the stand-alone CA's certificate to the domain user's local trust root store.

A stand-alone CA cannot issue certificates for logging on to a Windows 2000 domain using smart cards; however, other types of certificates can be issued and stored on a smart card.

A stand-alone CA is not always unintegrated with Active Directory. If a domain administrator of the root domain installs a stand-alone CA in a Windows 2000 forest, then the stand-alone CA will take advantage of Active Directory and publish CA and CRL objects.

1 comment:

  1. Very informative article. In the above article you mentioned details on Active Directory certificate services, ADCS, certificate authority. You explained so well all the detail. In your article you explained Enterprise CA, Stand alone CA also. You did a good job. Keep going. Thanks a lot.
    electronic signatures