Introduction to Certificate Server
Certificates features in more and more Server 2003 locations; smart card login, EFS, and IPSec, to name but three. In fact certificates are just part of a larger PKI (Public Key Infrastructure) topic.
Topics for Windows Server 2003 Certificates
- Certificate Principles
- View your certificates
- Certificate Models
- Certificate Configuration
- Types of Certificates
When you receive data you want to be sure that the sender is who they say they are. You also want to be reassured that the packets have not been read or tampered with on route. Certificate Services are designed for this scenario where you need secure authentication and encryption.
The principle of encryption is to change plain text into cipher text during transport and then decode back to readable text at the other end. Unlike Kerberos, where only one key is involved, Certificate Services encrypt and decrypt using a public and private key pair.
The private key is kept with your user profile, but you can easily check the certificate corresponding to your public key by:
1) Viewing your Active Directory certificates by adding a snap-in to your MMC. Start, Run MMC, File (Menu) Add Snap-in, Add, Certificates.
2) Alternatively you can check your Internet Explorer, Tools, Internet Options, Content, Certificates.
Also, once you have installed certificate services on the Windows Server 2003, clients can apply for certificates through their browsers, for example http://dealer/certsrv ; substitute your server name for dealer, but type certsrv as shown. Troubleshooting: check IIS has started. I once found the port had been set to port 90 instead of 80.
Think of certificate authorities like you would regard driving licences authorities. You can get a government driving licence with a picture and issue number, or you go to the fairground and get a ‘Mickey mouse’ licence.
To decide which model is best for you, consider these two questions,
- Will you authorize your own root server, or will you be a subordinate of a respected certificate authority like Verisign?
- Will you use Active Directory, or is your certificate server so important that it should be secured offline in a locked office?
Here are the four certificate models:
- Active Directory Root
- Active Directory subordinate
- Stand Alone Root
- Stand Alone subordinate
I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT. When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource. Give this permissions monitor a try – it’s free!
Certificates Service is installed through the Add or Remove Programs \ Windows Components; and just like other services such as DHCP or IAS you configure Certificate Service through the Administrative Tools.
Personally, I prefer the to add a Snap-In to the MMC, using this technique you can also add a snap-in to examine the User and Computer Certificates.
Check out the Templates to gauge the breadth of purposes that you can deploy certificates.
SolarWinds have produced three Active Directory add-ons. These free utilities have been approved by Microsoft, and will help to manage your domain by:
- Seeking and zapping unwanted user accounts.
- Finding inactive computers.
- Bulk-importing new users. Give this AD utility a try, it’s free!
- Server authentication – so ecommerce clients will trust a server before buying
- Client authentication – smart card logon
- Code signing – Active X controls have been tested and authenticated
- Secure email – Stop snoopers reading your correspondence
- EFS – Encrypting the files system, especially on laptops
- IPSec – Securing VPN or other network traffic
If you like this page then please share it with your friends