Certificate Server in Windows 2003

Introduction to Certificate Server

Certificates feature in more and more Windows Server 2003 locations: smart card logon, EFS and IPSec, to name but three.  In fact, certificates are just one part of the larger topic of PKI (Public Key Infrastructure).

Certificate Principles

When you receive data you want to be sure that the sender is who they say they are.  You also want to be reassured that the packets have not been read or tampered with en route.  Certificate Services are designed for this scenario, where you need both secure authentication and encryption.

The principle of encryption is to change plain text into cipher text for transport and then decode it back into readable text at the other end.  Unlike Kerberos, where only one key is involved, Certificate Services encrypt and decrypt using a public and private key pair.
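To make the key-pair idea concrete, here is an added illustration (not code from the original page): a textbook RSA key pair in plain Python. The public key encrypts and the private key decrypts, which covers the "has it been read" worry; the private key signs a hash of the message and the public key verifies it, which covers "is the sender who they say they are" and "has it been tampered with". The primes, the message and the block scheme are constructed sample values, and the whole thing is deliberately tiny and unpadded so it stays readable; it is not a substitute for the real thing.

```python
"""Toy RSA key pair: public key encrypts / verifies, private key decrypts / signs.
Added example, not from the original page. Textbook RSA with small, hard-coded
primes and no padding: fine for showing the principle, useless for real security."""
import hashlib
from math import gcd

# Constructed sample primes (about 20 bits each; far too small for real use).
P = 1000003
Q = 1000033
BLOCK = 3  # plaintext bytes per RSA block: 0x01 prefix + 3 bytes is always < n


def make_keypair(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)  # private exponent: modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, plaintext):
    """Anyone holding the public key can encrypt; only the private key can decrypt."""
    e, n = public_key
    blocks = []
    for i in range(0, len(plaintext), BLOCK):
        # The 0x01 prefix preserves leading zero bytes and the length of a short final block.
        m = int.from_bytes(b"\x01" + plaintext[i:i + BLOCK], "big")
        assert m < n  # guaranteed by BLOCK = 3 with these primes
        blocks.append(pow(m, e, n))
    return blocks


def decrypt(private_key, blocks):
    """Undo encrypt(); a wrong key yields garbage that (usually) fails the prefix check."""
    d, n = private_key
    out = bytearray()
    for c in blocks:
        m = pow(c, d, n)
        raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
        if raw[:1] != b"\x01":
            raise ValueError("block did not decrypt to the expected format (wrong key?)")
        out += raw[1:]
    return bytes(out)


def _digest_int(message, n):
    # Toy simplification: reduce the SHA-256 digest modulo n so it fits in one block.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Only the private key holder can produce this value for the message."""
    d, n = private_key
    return pow(_digest_int(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone with the public key can check the signature; any change to the message fails."""
    e, n = public_key
    return pow(signature, e, n) == _digest_int(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair()
    msg = b"Order 42: 100 widgets"          # constructed sample message
    print("decrypts OK:", decrypt(priv, encrypt(pub, msg)) == msg)
    sig = sign(priv, msg)
    print("genuine verifies:", verify(pub, msg, sig))
    print("tampered verifies:", verify(pub, b"Order 42: 900 widgets", sig))
```

Note that the roles are asymmetric: whoever obtains the private key can both read the traffic and forge signatures, which is why the page stresses that the private key stays in the user profile (or on a smart card) while the certificate carrying the public key can be handed out freely.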

Viewing your certificates

The private key is kept with your user profile, but you can easily view the certificate that holds your public key by:

1) Viewing your Active Directory certificates by adding a snap-in to your MMC.  Start, Run, mmc; File (menu), Add/Remove Snap-in, Add, Certificates.

2) Alternatively, check in Internet Explorer: Tools, Internet Options, Content, Certificates.

Also, once you have installed Certificate Services on Windows Server 2003, clients can apply for certificates through their browsers, for example http://dealer/certsrv; substitute your server name for dealer, but type certsrv as shown.  Troubleshooting: check that IIS has started.  I once found the port had been set to port 90 instead of 80.

Certificate Models

Think of certificate authorities as you would driving licence authorities.  You can get a government driving licence with a photograph and issue number, or you can go to the fairground and get a 'Mickey Mouse' licence.

To decide which model is best for you, consider these two questions:

  1. Will you authorize your own root server, or will you be a subordinate of a respected certificate authority like Verisign?
  2. Will you use Active Directory, or is your certificate server so important that it should be secured offline in a locked office?

Here are the four certificate models:

  • Active Directory root
  • Active Directory subordinate
  • Stand-alone root
  • Stand-alone subordinate


Certificate Configuration

Certificate Services is installed through Add or Remove Programs, Windows Components; and just like other services such as DHCP or IAS, you configure Certificate Services through the Administrative Tools.

Personally, I prefer to add a snap-in to the MMC; using this technique you can also add a snap-in to examine the User and Computer certificates.

Check out the Templates to gauge the breadth of purposes for which you can deploy certificates.


Types of Certificates

  • Server authentication – so e-commerce clients will trust a server before buying
  • Client authentication – smart card logon
  • Code signing – ActiveX controls have been tested and authenticated
  • Secure email – stop snoopers reading your correspondence
  • EFS – Encrypting File System, especially on laptops
  • IPSec – securing VPN or other network traffic
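The purposes in the list above are recorded inside a certificate as the Enhanced Key Usage (EKU) extension: a DER SEQUENCE of object identifiers, one per purpose. The following added example (my own code, not from the page or from Microsoft) encodes and decodes that extension in plain Python and maps the OIDs back to the purposes named on this page. The OID values are the standard PKIX and Microsoft ones (IPSec is represented here by the "IP security IKE intermediate" OID that Windows uses); the sample extension bytes are constructed to look like a smart card logon certificate.

```python
"""Encode and decode the Enhanced Key Usage (EKU) extension value.
Added example, not code from the original page. Handles only what EKU needs:
a DER SEQUENCE of OBJECT IDENTIFIERs, short- and long-form lengths."""

# Standard EKU OIDs for the purposes listed on the page.
PURPOSES = {
    "1.3.6.1.5.5.7.3.1": "Server authentication",
    "1.3.6.1.5.5.7.3.2": "Client authentication",
    "1.3.6.1.5.5.7.3.3": "Code signing",
    "1.3.6.1.5.5.7.3.4": "Secure email",
    "1.3.6.1.4.1.311.20.2.2": "Smart card logon",
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
    "1.3.6.1.5.5.8.2.2": "IP security IKE intermediate",
}

# Constructed sample: EKU of a smart card logon certificate
# SEQUENCE { smart card logon, client authentication }
SAMPLE_EKU = bytes.fromhex("3016" "060a2b060104018237140202" "06082b06010505070302")


def _encode_base128(value):
    """OID arc as base-128 bytes, high bit set on all but the last byte."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def _encode_length(n):
    if n < 0x80:
        return bytes([n])                      # short form
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw      # long form


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _encode_base128(arcs[0] * 40 + arcs[1])  # first two arcs share one value
    for arc in arcs[2:]:
        body += _encode_base128(arc)
    return b"\x06" + _encode_length(len(body)) + body


def encode_eku(oids):
    """List of dotted OIDs -> DER SEQUENCE (tag 0x30) that is the EKU value."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_length(len(body)) + body


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: next N bytes hold the length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def decode_oid(body):
    """DER OID body bytes -> dotted string."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(ext_value):
    """EKU extension value -> list of (dotted OID, purpose name)."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("EKU value must be exactly one SEQUENCE")
    purposes, pos = [], 0
    while pos < len(body):
        tag, oid_bytes, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        dotted = decode_oid(oid_bytes)
        purposes.append((dotted, PURPOSES.get(dotted, "unknown purpose")))
    return purposes


if __name__ == "__main__":
    for oid, name in decode_eku(SAMPLE_EKU):
        print(f"{oid:28} {name}")
```

When a logon or an SSL handshake fails with a "certificate is not valid for the requested usage" style error, the EKU is the first extension to inspect: a certificate issued from the wrong template simply will not list the purpose the client or server is asking for.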
