Security Advisor

A Long-Overdue Facelift

Microsoft's Certificate Services has a new name and new functionality. Here's an overview.

• By Joern Wettern
• 06/01/2008

Microsoft added the term Active Directory to its Certificate Services to indicate that it's part of a complete identity-management solution, held together by Active Directory. Despite the name change, AD CS still performs the same basic security functions, like issuing and revoking digital certificates.

If you've used Certificate Services in Windows Server 2003, you'll find the new user interface looks similar to the old one. You perform most tasks the same way as before. Once you've added the AD CS role to the server, you can start using the Certification Authority Microsoft Management Console (MMC) to manage certificates.

The console also includes a link to the Enterprise PKI snap-in, which you can add to any MMC console. This snap-in (see Figure 1) is actually an updated version of the PKIView tool, previously offered as a separate download. PKIView, one of the most useful PKI troubleshooting tools available, analyzes your enterprise-wide PKI configuration and alerts you to any problems that may exist.

[Click on image for larger view.]

Figure 1. Windows Server 2008 helps you pinpoint problems in your certificate authority configuration.

Old and New, Side by Side
Windows certificate authorities (CAs) issue certificates based on templates, either the ones that ship with Windows or custom templates you create. If you integrate a CA with your Active Directory infrastructure by making it an Enterprise CA, it can use templates stored in AD, which lets you centrally manage templates. You can then configure one or more Enterprise CAs to create and issue certificates based on centrally managed templates.

Windows Server 2008 CAs can issue certificates based on templates you've created with an earlier version of Windows Server. These certificates contain exactly the same settings, regardless of the operating system version the CAs are running on.

However, Windows Server 2008 can add some additional settings when it runs the CA templates; these won't be recognized by CAs running on Windows Server 2003. If you create a template that needs to be used by older CAs, be sure to select the option to make the template backwards-compatible.

Certificate enrollment is the process of requesting and receiving a certificate. You may be familiar with the CA Web page that you can use to do this manually. You can also configure automatic enrollment in Active Directory, which lets your users and computers get the required certificates without any manual steps. These are only some of the enrollment methods available.

In Windows Server 2008, Microsoft continues to offer a number of enrollment methods. It has also added a brand-new one, the Simple Certificate Enrollment Protocol (SCEP). Many routers and other network devices use this protocol to request certificates from a CA. If you use any such devices, you should check out this new capability. It will simplify managing certificates on many types of network devices.

Sometimes Microsoft gives you something new, while at the same time it takes away something to which you've grown accustomed. In this case, Microsoft removed the ability to use Web enrollment for certain types of certificates, including smartcard certificates.

The issue here is that Web-based control doesn't work correctly in Internet Explorer under Windows Vista or Windows Server 2008. Instead, use the Certificates MMC console to enroll for these types of certificates.

Revocations and Reversals
When you issue a certificate, you vouch for the identity of a person, computer or network device. There are times when you need to reverse this decision. Someone may no longer work for your company, someone may have stolen the private key of your Web server certificate or you may have issued a replacement for a certificate. To prevent further use of a previously issued certificate, you'll need to revoke it and set up a method for others to check whether a certificate that's presented to them has been revoked.

In Microsoft environments, Certificate Revocation Lists (CRLs) always handle revocation. CRLs contain all revoked certificates for a CA. If CRL checking is enabled, a computer presented with a certificate attempts to download the CRL from a location specified in the certificate. After the CRL is downloaded, it's cached and subsequent revocation checks use the cached CRL until it expires.

There are typically delays between certificate revocation and the time the CRL is published. As a result, certificates may still be accepted as valid for days or even months after they're revoked. Another problem with this scheme is the network traffic caused by downloading large CRLs. All this makes CRLs a rather clunky method of checking whether or not a certificate is still valid.

Windows Server 2008 deals with this problem by supporting a newer method of certificate revocation checking: the Online Certification Status Protocol (OCSP). OCSP, which has been available from other PKI vendors for several years, helps your clients get more current revocation information while reducing the network traffic generated by these checks. If you rely on accurate revocation information or have large CRLs, you should consider implementing OCSP for your infrastructure.

The Bad and the Ugly
Among the unfortunate aspects of AD CS is that it can still be difficult to start designing and creating a full-fledged certificate infrastructure. Microsoft provides documentation and guidance, but some of this material has large holes in it and occasionally contains wrong information.

You can find a lot of PKI-related guidance for Windows Server 2003, but it's up to you to figure out how much of it applies to the current version. Fortunately, Microsoft Press just published "Windows Server 2008 PKI and Certificate Security" (2008), by Brian Komar. This book extends and updates the previous version that covered

Windows 2003. Despite these shortcomings, AD CS is an important step up. If you're currently using a Microsoft-based PKI, you should consider moving it to Windows Server 2008.