Of all the issues that face the Microsoft security and enterprise admin today, one of the most difficult to understand and manage is that of a Public Key Infrastructure. It seems that anytime the subject of certificates comes up in a deployment plan, there is bound to be some confusion regarding the type of certificate required, what information needs to be included in the certificate, and how the certificate should be installed. Unfortunately, Windows Server 2008 doesn’t make this task any easier, and in fact, makes the chore of obtaining a computer certificate harder than ever because of changes in the Web enrollment site.
However, if you are interested in certificates and generating certificate requests, and if you want fine-grained control over the certificate request as well as the ability to use certificate templates, then you’ll be very pleased with the new Advanced Certificate Request Wizard available with the Windows Server 2008 and Windows Vista Certificates MMCs. These new wizards allow you to control almost every aspect of the certificate request with a simple point-and-click interface.
The new wizard provides a solution to a common scenario where you need to request certificates for non-domain member machines. This isn’t a problem for domain member machines, because when a machine is domain joined, it can easily request a computer certificate from an online CA. Another option for domain joined machines is to configure them to use autoenrollment in order to obtain a computer certificate. However, non-domain machines don’t have this option.
In previous versions of the Web enrollment site, you could easily obtain a computer certificate for non-domain machines by using the Computer template. With the Windows Server 2008 version of the Web enrollment site, this option is taken away for Windows Vista and Windows Server 2008 machines. Therefore, we need an alternate method of requesting a computer certificate from the CA’s Web enrollment site.
This is where the new Certificates snap-in Advanced Operations option comes in. Using the new certificate request wizard included with Windows Server 2008 or Windows Vista, you can easily create a text file based on installed templates that will allow you to create just about any kind of certificate you want. Not only that, but you’ll have fine-tuned control over the configuration of the certificate, so that you can extend the configuration past what a particular template offers you.
The figure below shows how to access the new certificate request wizard. In this example I created a Certificates MMC on a Windows Server 2008 domain controller that has a standalone CA installed on it. In the Certificates console, right-click the Certificates store in any of the nodes, point to All Tasks and point to Advanced Operations. Then click Create custom request. This will allow you to create a text file that you can submit to the Web enrollment site to obtain the certificate.
The certificate wizard starts with the Before You Begin page. Click Next on this page.
On the Custom request page, you have the options to select the certificate Template that you want to use and the request format type.
When you click the down arrow for the Template drop down list, you’ll see a list of templates available that can be used to automatically configure the certificate. Note that after selecting the template, you still have the option to customize the settings. In this example we’re going to select the Computer certificate.
On the Certificate Information page, you can see the Key usage, Application policies and Validity period for the certificate that will be generated. However, we might want to customize some aspects of this certificate. We can do this by clicking the Properties button.
This brings up the Certificate Properties dialog box. On the General tab, you have the options to create a friendly name that you can use to identify the purpose of the certificate, and also an optional description. In this example, we’ll enter a Friendly name of ComputerCert.
On the Subject tab, you have the option to assign a subject name to the certificate. The subject of a certificate is the user or computer (in this case, the computer for which we’re requesting the certificate) to which the certificate is issued. This name is used to identify the user or computer to a computer or application that requests this information. In this example, we’ll enter a common name of nyc-cl1.woodgrovebank.com in the Value text box that sits under the Subject name section. Then click Add and it appears on the right side. We’ll also enter a name in the Alternative name section, choosing the DNS name type and entering cl1.woodgrovebank.com.
Note that in a production environment you would likely use a different name for the subject alternative name. Certain servers, such as Exchange 2007 and Office Communications Server 2007, make use of subject alternative names contained in installed certificates.
You have many options on the Extensions tab. The first option is Key usage. Notice that the template has already selected the Digital signature and Key encipherment options for you. However, if you want to select more key usage settings, you have that option here.
In the Extended Key Usage (application policies) section, you can see that the template has selected the Server Authentication and Client Authentication options for you. Again, if you would like to enable additional extended key usage options, you can select them from the Available options list.
The Basic constraints option allows you to enable the basic constraints extension. This is not configured here because the template does not have this option enabled.
In the Include Symmetric algorithm section, you can enable an extension that gives information about the symmetric algorithm capabilities of certificates issued by this template. Again, the template doesn’t enable this option, but you can if you require it.
In the Custom extension definition section, you can enter your own custom Object Identifiers and values. This is useful if you have an application or gateway that expects to receive certain OIDs and filters certificate authentication access using that specific OID. The Computer Certificate template doesn’t use any custom OIDs, so none are entered here.
On the Private Key tab, you can configure various aspects of the private key. In the Cryptographic Service Providers (CSP) section, you can select the CSP of your choice if the template you selected supports that CSP. In this example, using the Computer certificate template, only the Microsoft RSA SChannel Cryptographic Provider (Encryption) option is available. If you put a checkmark in the Show all CSPs checkbox, you can see that in this case the rest of the CSPs are not valid for this certificate template.
In the Key options section, you can select the Key size. In addition, you can enable or disable the Make private key exportable, Allow private key to be archived and Strong private key protection options. The Make private key exportable option is not enabled by the template, but I enabled it in this example because I want the private key to be exportable.
The Key type section defines the allowed uses for a private key associated with the certificate. The Computer Template automatically selected the Exchange option, which is what you want when the intended usage for the certificate is client and server authentication.
In the Key permissions section you can set who has access to the private key. I’d like to tell you what the purpose of this option is, but there is no documentation on this option and I can’t think of a scenario where I’d want to enable this option.
After making your selections, you can see the Key usage, Application policies and Validity period. I have to assume that the Validity period is determined by the template, since there is no option that allows us to configure the validity period.
The next step is to give the certificate request text file a name. In this example I’ll name it c:\NYC-CL1-CERT. I’ll also save it as a Base 64 encoded text file, which the Windows Server 2008 Certificate Server will accept.
After saving the file, open it up in notepad. Select all the text in the file by using the Select All option from the Edit menu. Then click Copy from the Edit menu to copy this information to the clipboard. We’ll paste this information into the Web enrollment site form to obtain the certificate.
In this example we’re using a standalone CA. Why? Because if we were using an enterprise CA, we would be forced to use a certificate template on the CA. We don’t want to use a certificate template on the CA, because we’ve already created the request using the certificate template we wanted to use. If you use an enterprise CA and submit your request using one of the available certificate templates, the settings on the CA’s certificate template will overwrite the settings we configured in the certificate request wizard, which is something we do not want.
To connect to the standalone CA’s Web enrollment site, enter http://servername/certsrv. That takes you to the Welcome page. On the Welcome page, click the Request a certificate link.
On the Request a Certificate page, click the advanced certificate request link.
On the Advanced Certificate Request page, click the Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file link.
On the Submit a Certificate Request or Renewal Request page, paste the contents of the certificate request file in the Saved Request text box. Notice that you are not forced to use a certificate template. In contrast, if this had been an enterprise CA, you would have been forced to use a certificate template and you would have lost the settings that you had originally configured when using the certificate request wizard. Click Submit.
On the Certificate Pending page, you’ll see that the request is assigned a Request Id. Notice that the certificate isn’t immediately issued. This is the default setting for standalone CAs. With standalone CAs, the certificate request has to be approved before the certificate is issued. In contrast, with an enterprise CA, the certificate is immediately issued.
Now let’s return to the home page for the Web enrollment site. Click the View the status of a pending certificate request link.
On the View the Status of a Pending Certificate Request page, you can see a link for the saved certificate request. Click that link.
This takes you to the Certificate Pending page, where you see that your certificate request is still pending. To fix this, we need to go to the Certification Authority console and issue the certificate.
In the Certification Authority console, expand the name of the CA and click on the Pending Requests node in the left pane of the console. In the right pane of the console you’ll see the list of certificate requests in order of their Request IDs. Our certificate request had a Request ID of 3, so we right click on that, point to All Tasks and click Issue.
Now that the certificate has been issued, you can retrieve it using the Web enrollment site. Return to the Web enrollment site home page and click the View the status of a pending certificate request link.
On the View the Status of a Pending Certificate Request page, click the Save-Request link.
On the Certificate Issued page, you have the choice to download the certificate as either a DER encoded or Base 64 encoded file. In general, it doesn’t matter which file type you select. When you click the Download certificate link, you only get the computer certificate with its private key. If you select the Download certificate chain link, you get the computer certificate with its private key and you also get the CA certificates from all CAs in the certificate chain. This link is useful if you’re installing the computer certificate on a non-domain member, since you need the CA certificate installed in the machine’s Trusted Root Certification Authorities certificate store so that the machine will trust the computer certificate.
In this example we’ll just download the certificate so that we can take a look at it.
Click Save in the File Download dialog box.
I’ll save the certificate to my desktop.
Double click on the certificate. On the General tab you can see that the certificate was issued to the common name we configured the certificate to use.
Click the Details tab. Here you can see all the options that were configured in the certificate request wizard.
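The same end-to-end procedure (build the request with the settings chosen in the wizard, submit it to the standalone CA, issue the pending request, retrieve and bind the certificate) can be scripted with certreq and certutil. This is an added example, not code from the article; the CA config string, file paths and the Request ID parsing are assumptions, and the subject, SAN, key usage, EKUs and exportable-key setting match the values used above.

```powershell
# Added example (not from the article). ASSUMED placeholder: "host\CA name" of the standalone CA.
$CaConfig = 'NYC-DC1\WoodgroveStandaloneCA'
$Inf = 'C:\NYC-CL1-CERT.inf'; $Req = 'C:\NYC-CL1-CERT.req'; $Cer = 'C:\NYC-CL1-CERT.cer'

# INF mirrors the wizard's choices: Subject/Alternative name, key usage, EKUs, exportable key.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject       = "CN=nyc-cl1.woodgrovebank.com"   ; Subject tab: common name
FriendlyName  = "ComputerCert"                   ; General tab
KeyLength     = 2048
KeySpec       = 1        ; 1 = AT_KEYEXCHANGE, the "Exchange" key type
KeyUsage      = 0xA0     ; Digital Signature (0x80) + Key Encipherment (0x20)
Exportable    = TRUE     ; "Make private key exportable"
MachineKeySet = TRUE     ; computer certificate: key pair lives in the machine store
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType  = 12
RequestType   = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2   ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"                        ; Subject Alternative Name
_continue_ = "dns=cl1.woodgrovebank.com&"
'@ | Set-Content -Path $Inf -Encoding Ascii

# 1. Generate the key pair locally and write the Base-64 PKCS#10 request.
certreq -new $Inf $Req

# 2. Submit to the standalone CA. The request stays pending by default, so
#    capture the Request ID from certreq's output (assumed "RequestId: N" line).
$submitOutput = certreq -submit -config $CaConfig $Req $Cer
$requestId = [int][regex]::Match(($submitOutput -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value

# 3. Issue the pending request on the CA (equivalent to All Tasks > Issue in the console).
certutil -config $CaConfig -resubmit $requestId

# 4. Retrieve the issued certificate and bind it to the private key in the machine store.
certreq -retrieve -config $CaConfig $requestId $Cer
certreq -accept $Cer

# Check: the certificate is in LocalMachine\My and is paired with its private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=nyc-cl1.woodgrovebank.com' } |
    Select-Object Subject, FriendlyName, HasPrivateKey, NotAfter
```

Run it elevated on the machine that needs the certificate; the -accept step is what pairs the downloaded certificate with the key generated in step 1.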
In this article we took a look at the new advanced certificate request wizard that is included with Windows Server 2008 and Windows Vista. This new wizard allows us to create a certificate request text file that we can submit to a CA, which can then issue us a certificate. The Certificates MMC certificate request wizard enables you to use built-in certificate templates when you run the wizard from a certification authority computer. In addition, you get fine-grained control over many of the settings in your certificate by using the customizable options. The new certificate request wizard is very helpful in a Vista and Windows Server 2008 environment, where the Web enrollment site no longer offers an online request for a computer certificate.