Microsoft Press windows server 2008 Policies and PKI and certificate security phần 6 ppt





Chapter 15: Issuing Certificates 357

Scripting the Publishing of Certificate Templates

Alternatively, you can use the certutil command to add or remove certificate templates to or from a CA. For example, to remove the User certificate template from a CA, you can run the following command at a command prompt or from a script:

certutil -SetCAtemplates -User

Likewise, you can also add certificate templates, such as the Key Recovery Agent certificate template, to the CA by using the following command:

certutil -SetCAtemplates +KeyRecoveryAgent

The template name that you use is the object name, not the display name of the certificate template.

Performing Manual Enrollment

The sections that follow detail the procedures for requesting certificates from a Windows Server 2008 CA. If the Certificate Services installation includes the Certificate Services Web Enrollment role service, IIS 7.0 is installed and configured as required for Web enrollment.

Requesting Certificates by Running the Certificate Enrollment Wizard

Another method of manually requesting a certificate is to use the Certificate Enrollment wizard. The Certificate Enrollment wizard can be used by Windows 2000, Windows XP, and Windows Server 2003 domain members when requesting certificates from an enterprise CA.

Note The Certificate Enrollment wizard does not show the same certificates when run in different operating systems. A client computer running Windows 2000 shows only the available version 1 certificate templates. Windows XP and Windows Server 2003 clients show all the available version 1 and version 2 certificate templates, and Windows Vista and Windows Server 2008 clients show all version 1, version 2, and version 3 certificate templates.

Preparing the Certificates Console

The Certificate Enrollment wizard is launched from the Certificates MMC console focused on the current user, a service, or the local machine.
The following procedure allows you to request a certificate by running the Certificate Enrollment wizard:

1. Open an empty MMC console.
2. On the File menu, click Add/Remove Snap-in.

Note If you are using Windows 2000, use the Console menu instead of the File menu.

3. In the Add/Remove Snap-in dialog box, click Add.
4. In the Add Standalone Snap-in dialog box, in the Available Standalone Snap-ins list, select Certificates, and then click Add.
5. In the Certificates Snap-in dialog box, click My User Account to request a user certificate, Service Account to request a certificate for a specific service, or Computer Account to request a computer certificate.

Note Service Account and Computer Account are available only if you are a member of the local Administrators group.

6. Select one of the following options:
❑ Computer Account  In the Select Computer dialog box, click Local Computer (The Computer This Console Is Running On), and then click Finish.
❑ Service Account  In the Select Computer dialog box, click Local Computer (The Computer This Console Is Running On), click Next, select the service you wish to manage, and then click Finish.
❑ User Account  Just click Finish.
7. In the Add Standalone Snap-in dialog box, click Close.
8. In the Add/Remove Snap-in dialog box, click OK.

Tip If you are using Windows XP or later, you can run certmgr.msc to launch the Certificates console focused on the current user.

Requesting a Certificate by Using the Certificates Console

Once you load the Certificates console, you can request a certificate by using the Certificate Enrollment wizard. Use the following procedure to request a certificate:

1. In the console tree, expand Personal, and then click Certificates. If the Certificates node does not appear, this user, computer, or service does not currently have any certificates issued.
2. In the console tree, right-click the Personal or Certificates folder, point to All Tasks, and then click Request New Certificate.
3. In the Certificate Enrollment wizard, click Next.
4. On the Request Certificates page (see Figure 15-2), a list of the certificate templates available for enrollment is displayed. The list is limited to the certificate templates for which either the current user or the local machine has Read and Enroll permissions. On this page you can:
❑ Perform additional actions, such as providing the subject name, by clicking Details for the selected certificate template.
❑ Select to enroll more than one certificate template at one time by selecting multiple check boxes.
❑ Display all templates to determine why an expected certificate template is not available for enrollment.

Figure 15-2 Choosing a certificate template

Once you select the certificate template(s), click Enroll.
5. On the Certificate Installation Results page, ensure that the Status is Succeeded, and then click Finish.
6. If the certificate request is successful, the certificate appears in the details pane.

Providing a Custom Subject

If the request requires input of a custom subject, when you edit the properties of the request (see Figure 15-3), you can provide the Subject and Subject Alternative Names for the request.

Figure 15-3 Providing a custom subject name

For each name, you can select the name attribute (such as common name or country), provide a value, and then click Add. In Figure 15-3, the subject was configured to be CN=Fabrikam Industries, O=Fabrikam Inc., C=US.

Using Web Enrollment to Request a Certificate

Use the following procedure to request a certificate from the Certificate Services Web Enrollment pages:

1. Open Windows Internet Explorer.
2. In Internet Explorer, open the URL http://CertServerDNS/certsrv (where CertServerDNS is the Domain Name System (DNS) name of the Windows Server 2008 CA).
Note The Certificate Server’s DNS name should be added to the Local intranet zone at all computers. If the Web site is not added to one of these zones, users are prompted for their user name and password.

3. On the Welcome page, click the Request A Certificate link.
4. On the Advanced Certificate Request page (see Figure 15-4), click the Create And Submit A Request To This CA link.

Figure 15-4 The Advanced Certificate Request page

5. On the Advanced Certificate Request page, you can choose the following options for the certificate request:
❑ Certificate Template  Lists the certificate templates for which the user is assigned Read and Enroll permissions.
❑ Key Set  Allows you to choose between generating a new key set or using the existing key set.
❑ CSP  Allows you to select a CSP installed on the client computer to use for the certificate request.
❑ Key Size  The length of the key pair generated for the certificate request.
❑ Container Name  The key container where the certificate’s key pair is stored.
❑ Export Options  Allows you to request that the certificate’s private key be exportable.
❑ Strong Key Protection  Requires a password each time the certificate’s private key is accessed.
❑ Request Format  You can choose between Certificate Management Protocol using Cryptographic Message Syntax (CMC) or Public Key Cryptography Standards (PKCS) #10 request formats. CMC is required for digitally signed requests and key archival requests.
❑ Friendly Name  A logical name assigned to the certificate. This name is not part of the certificate. Rather, it is the logical display name when the certificate is viewed with Microsoft tools; the friendly name can be changed without invalidating the signature applied to the certificate.

Note The default values shown on the Advanced Certificate Request page are based on the values specified in the certificate template.

6. Once all options are set, click Submit on the Advanced Certificate Request page.
7. In the Web Access Confirmation dialog box, allow the Web site to request a certificate on your behalf by clicking Yes.
8. On the Certificate Issued page, click the Install This Certificate link.
9. In the Web Access Confirmation dialog box, accept that the Web site is adding a certificate to your computer by clicking Yes.
10. Ensure that the Certificate Installed page appears indicating that the certificate has installed successfully.
11. Close Internet Explorer.

Important If you are attempting to request a certificate from a Windows Server 2003 enterprise CA from a Windows Vista client, you must update the Web Enrollment pages on the Windows Server 2003 CA. Windows Vista and Windows Server 2008 clients use CertEnroll for Web enrollment, not XEnroll. The deprecation of XEnroll in Windows Vista and Windows Server 2008 makes them unable to use the Web Enrollment pages on a Windows Server 2003 CA to request certificates unless the procedure described in Microsoft Knowledge Base article 922706: “How to Use Certificate Services Web Enrollment Pages Together with Windows Vista” is performed.

Completing a Pending Certificate Request

If CA Certificate Manager Approval in the certificate template is enabled on the Issuance Requirements tab, the certificate request becomes pending until a certificate manager performs requestor validation.

Note To issue the certificate, the certificate manager must right-click the certificate request in the Pending Requests container of the Certification Authority console, point to All Tasks, and then click Issue.

With Windows Vista, a pending enrollment request can be completed using either the Web Enrollment pages (if the request was initiated from the Web Enrollment pages) or the Certificates console (no matter where the request was initiated).
If the certificate was requested by using the Web Enrollment pages, the Web Enrollment pages maintain a cookie to track the request. The original requestor can complete the request as follows:

1. Open Internet Explorer at the same computer where the original request was submitted.
2. In Internet Explorer, open the URL http://CertServerDNS/certsrv (where CertServerDNS is the DNS name of the Windows Server 2008 CA).
3. On the Welcome page, click the View The Status Of A Pending Certificate Request link.
4. On the View The Status Of A Pending Certificate Request page, click the link for the pending certificate.

Note The computer where the certificate request is performed must have cookies enabled. If cookies are not enabled, the View The Status Of A Pending Certificate Request page does not show any entries.

5. On the Certificate Issued page, click the Install This Certificate link.
6. In the Potential Scripting Violation dialog box, accept that the Web site is adding a certificate to your computer by clicking Yes.
7. Ensure that the Certificate Installed page appears indicating that the certificate has installed successfully.
8. Close Internet Explorer.

Note If cookies are disabled in Internet Explorer, you cannot retrieve a pending certificate request.

If you wish to complete the request by using the Certificates console, the following process is required:

1. Open the Certificates console.
2. In the console tree, right-click Certificates, point to All Tasks, and then click Automatically Enroll And Retrieve Certificates.
3. On the Before You Begin page, click Next.
4. On the Request Certificates page (see Figure 15-5), ensure that the pending request is selected, and then click Enroll.

Figure 15-5 Processing a pending request

5. On the Certificate Installation Results page, ensure that the Status is Succeeded, and then click Finish.
Submitting a Certificate Request from Network Devices and Other Platforms

In some cases, the certificate request is generated at a network device or in another operating system, such as Linux. In these cases, the certificate request is commonly generated in a PKCS #10 format. The Certificate Services Web Enrollment pages provide a facility to submit the PKCS #10 certificate request and issue a certificate based on the subject information and public key in the request. Use the following procedure to request a certificate with a PKCS #10 file created by a network device or alternate operating system:

1. Open Internet Explorer.
2. In Internet Explorer, open the URL http://CertServerDNS/certsrv (where CertServerDNS is the DNS name of the Windows Server 2008 CA).
3. On the Welcome page, click the Request A Certificate link.
4. On the Request A Certificate page, click the Advanced Certificate Request link.
5. On the Advanced Certificate Request page, click the Submit A Certificate Request By Using A Base-64-Encoded CMC Or PKCS #10 File, Or Submit A Renewal Request By Using A Base-64-Encoded PKCS #7 File link.

Reviewing the Certificate Request

A certificate manager should not accept any PKCS #10 request file without first reviewing the certificate request’s contents. The certutil command allows you to review the contents by running certutil -dump request.req (where request.req is the name of the PKCS #10 request file). The output for a sample request looks like the following:
402.203.0: 0x80070057 (WIN32: 87): CertCli Version
PKCS10 Certificate Request:
Version: 1
Subject:
    CN=Andy Ruth
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
    0000  30 81 89 02 81 81 00 bc  d6 cc 13 34 21 1e c9 dd
    0010  48 84 92 5b bf 7b 4e 1b  87 f8 3a 8e 9e 23 6c ce
    0020  5f 01 c5 3b 4a 01 5f b2  bb 67 3a 67 5f d7 76 15
    0030  78 f4 d8 f1 ba 3a b3 ab  56 69 bd e3 0d 39 22 f7
    0040  a4 18 96 61 c2 ee 12 b4  63 ba ee 04 cf ad fe d4
    0050  08 5e 95 51 44 3d 76 38  5c 00 77 c6 0e 7d 7b dd
    0060  96 58 70 8f 82 51 95 9b  75 be 45 a0 ea d3 a8 0a
    0070  52 5c 97 8e a4 c4 48 1a  4f 0f bd f9 20 a2 70 de
    0080  2f a9 22 6e a7 58 a5 02  03 01 00 01
Request Attributes: 4
  4 attributes:
  Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
    Value[0][0]:
    5.1.2600.2
  Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information)
    Value[1][0]:
    Unknown Attribute type
    Client Id: = 1
    XECI_XENROLL 1
    User:
    Machine: London.corp.microsoft.com
    Process: cscript
  Attribute[2]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[2][0]:
    Unknown Attribute type
    Certificate Extensions: 5
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)
    1.2.840.113549.1.9.15: Flags = 0, Length = 37
    SMIME Capabilities
        [1]SMIME Capability
            Object ID=1.2.840.113549.3.2
            Parameters=02 02 00 80
        [2]SMIME Capability
            Object ID=1.2.840.113549.3.4
            Parameters=02 02 00 80
        [3]SMIME Capability
            Object ID=1.3.14.3.2.7
        [4]SMIME Capability
            Object ID=1.2.840.113549.3.7
    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        7c 4e b0 7b ca b7 c1 66 a8 b5 c2 15 83 84 f2 7d a1 eb 43 ac
    2.5.29.37: Flags = 0, Length = c
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
    1.3.6.1.4.1.311.20.2: Flags = 0, Length = 16
    Certificate Template Name
        ClientAuth
  Attribute[3]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)
    Value[3][0]:
    Unknown Attribute type
    CSP Provider Info
    KeySpec = 1
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
    Signature: UnusedBits=0
        0000  9f f8 46 13 93 4c a4 79  bb 10 82 53 70 12 b9 8f
        0010  48 05 8b 76 07 c8 8c d1  db 78 71 e3 44 c3 a3 2b
        0020  c5 43 01 6d 15 1b c2 d3  aa 29 3f f5 3c 43 8a fa
        0030  e1 2d 6a 71 da 26 ff 97  a7 58 59 73 d8 db 8d 53
        0040  e7 25 3a bf 21 16 d5 1b  1c bc f7 1e 83 de 3e 92
        0050  0a f0 70 d0 b5 9a 11 79  44 7f d6 aa 4d 70 4d cd
        0060  25 83 9f 3a 3c 59 30 03  d0 05 24 1b 19 74 5e 24
        0070  76 7e 76 8f cb 39 14 48  66 19 84 45 d8 08 b0 0d
        0080  00 00 00 00 00 00 00 00
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  31 84 ff 5d e4 0f 32 69  27 ca e4 fb 6a 34 f9 9c
    0010  53 6e ac d0 80 98 19 ba  d6 55 8f 9f 7b dd 2c 0e
    0020  32 a6 cc 18 0e 34 2f a3  dc 11 49 e3 54 69 08 ad
    0030  fa 15 8e 52 7b 16 b4 ad  98 bc 4f 0d 00 7a 20 29
    0040  a8 ac e2 c6 48 d6 c7 e7  dd 77 9a 0b 37 f9 ef 77
    0050  09 b1 28 01 f6 a1 40 12  2e a8 98 9d 16 b9 99 ff
    0060  8b b3 59 0d ac 50 ca 8a  1f d5 8c 38 ac 92 a8 71
    0070  28 f0 34 07 dc fb d2 68  4e ee d7 fc 5a 34 9b 11
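The review step above is easy to skip when requests arrive in bulk, so here is an added example (not code from the book or from Microsoft) of turning it into a repeatable check. The script reads the text that certutil -dump prints, pulls out the fields a certificate manager cares about (subject, key length, requested template, key usage, enhanced key usage, signature algorithm, and the machine and process that produced the request) and compares them with a review policy. The sample dump is abridged from the chapter's own output with the hex blocks removed; its line layout, the policy thresholds and the subject naming rule are all assumptions to adjust for your CA.

```python
"""Reviewer checks over the text printed by `certutil -dump request.req`.

Added example, not the book's code. It inspects the dump text only (not the
DER request itself) and reports where the request departs from a policy.
"""
import re

# Abridged from the chapter's sample dump; line breaks are reconstructed
# (an assumption about certutil's layout) and the hex blocks are omitted.
SAMPLE_DUMP = """\
PKCS10 Certificate Request:
Version: 1
Subject:
    CN=Andy Ruth
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Public Key Length: 1024 bits
Request Attributes: 4
  Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information)
    Machine: London.corp.microsoft.com
    Process: cscript
  Attribute[2]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Certificate Extensions: 5
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)
    2.5.29.37: Flags = 0, Length = c
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
    1.3.6.1.4.1.311.20.2: Flags = 0, Length = 16
    Certificate Template Name
        ClientAuth
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
"""

# Assumed review policy for a client-authentication request (adjust per CA).
POLICY = {
    "template": "ClientAuth",
    "min_key_bits": 2048,
    "allowed_eku": {"1.3.6.1.5.5.7.3.2"},            # Client Authentication only
    "allowed_sig_algs": {"sha256RSA", "sha384RSA", "sha512RSA"},
    "subject_re": r"^CN=[A-Za-z][A-Za-z .'-]*$",      # one CN holding a personal name
}


def _first(pattern, text, default=""):
    """Group 1 of the first match of pattern (multiline) in text, or default."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else default


def parse_dump(text):
    """Extract the review-relevant fields from certutil -dump output."""
    # "^\s*Key Usage" deliberately does not match the "Enhanced Key Usage" line.
    key_usage = _first(r"^\s*Key Usage\s*\n\s*(.+)$", text)
    key_usage = re.sub(r"\s*\([0-9a-fA-F]+\)\s*$", "", key_usage)   # drop "(f0)"
    eku_line = _first(r"^\s*Enhanced Key Usage\s*\n\s*(.+)$", text)
    return {
        "subject": _first(r"Subject:\s*(.+)$", text),
        "key_bits": int(_first(r"Public Key Length:\s*(\d+)\s*bits", text, "0")),
        "key_usage": [u.strip() for u in key_usage.split(",") if u.strip()],
        "eku": re.findall(r"\(([\d.]+)\)", eku_line),
        "template": _first(r"Certificate Template Name\s*(\S+)", text),
        "sig_alg": _first(r"Signature Algorithm:\s*Algorithm ObjectId:\s*[\d.]+\s+(\S+)", text),
        "machine": _first(r"Machine:\s*(\S+)", text),
        "process": _first(r"Process:\s*(\S+)", text),
    }


def review_request(info, policy=POLICY):
    """Return a list of findings; an empty list means the request fits policy."""
    findings = []
    if info["template"] != policy["template"]:
        findings.append(f"template {info['template']!r} differs from expected {policy['template']!r}")
    if info["key_bits"] < policy["min_key_bits"]:
        findings.append(f"key length {info['key_bits']} bits is below the {policy['min_key_bits']}-bit minimum")
    unexpected = sorted(set(info["eku"]) - policy["allowed_eku"])
    if unexpected:
        findings.append("unexpected enhanced key usage OIDs: " + ", ".join(unexpected))
    if info["sig_alg"] not in policy["allowed_sig_algs"]:
        findings.append(f"request is signed with {info['sig_alg']}, which is not an allowed algorithm")
    if not re.match(policy["subject_re"], info["subject"]):
        findings.append(f"subject {info['subject']!r} does not match the expected naming form")
    return findings


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for key, value in parsed.items():
        print(f"{key:>10}: {value}")
    for finding in review_request(parsed):
        print("FINDING:", finding)
```

Against the chapter's sample request this policy produces two findings, the 1024-bit key and the sha1RSA request signature, while the template, enhanced key usage and subject pass. The machine and process fields are printed rather than checked, because what counts as a plausible origin for a request differs per environment; they are still worth reading before clicking Issue.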

Posted: 09/08/2014, 09:21
