Working with certificates in Windows 2000
Since the release of Windows 2000, you've probably heard a lot about public key encryption. I've written articles that deal with the ins and outs of this new security mechanism ( Understand the differences between public key and symmetric key encryption , Windows 2000 security-enabled protocols ). However, before you can truly understand the Windows 2000 implementation of public key encryption, you need to know how certificates work. In this article, I'll discuss the basics of what a certificate is in Windows 2000 and how to manage certificates.
What's a certificate?
I've often found that the best way to describe an abstract concept in computing is to compare it to something from the tangible world. We've all been to car dealerships and seen the lock box that they use to store the keys to the cars. This box is similar to the certificate server, with the car keys representing individual certificates.
As you might have guessed by this little analogy, a certificate server is a secure server that's responsible for storing and distributing certificates. And a certificate is essentially the key that makes public key encryption possible. As I've explained in other articles, public key certificates are the Windows 2000 mechanism that makes secure communications possible between machines on a Windows 2000 network. These certificates are used in everything from network protocols to network authentication to the encryptable file system.
As with most things in Windows 2000, the primary interface for working with certificates is the Microsoft Management Console (MMC). You can access the management console by clicking Start|Run. At the Run prompt, enter the MMC command. Windows 2000 will now load an empty management console. Now, follow these steps:
- Once MMC has loaded, you'll have to load the Certificates snap-in. To do so, select the Add / Remove Snap In command from the Console menu. When you do, you'll see the Add / Remove Snap In properties sheet.
- Select the property sheet's General tab and click Add.
- You'll see a list of available snap-ins. Select Certificates from the list and click Add.
- You'll see a dialog box asking whether you want to manage certificates for your user account, a service account, or a computer account. Naturally, the answer that you give will depend on the task that you're trying to accomplish. For the purpose of this example, select the My User Account radio button and click Finish. A standard user can manage the certificates for their account, but only an administrator may manage service or computer related certificates.
- Click Close to close the list of available certificates. Click OK to close any remaining windows.
When the snap-in loads, you'll see an entry in the left column for Certificates Current User. If you expand this entry, you'll see five entries below it. These entries provide a storage place for the various types of certificates. The available certificate types are Personal, Trusted Root Certification Authorities, Enterprise Trust, Intermediate Certification Authorities, and Active Directory User Object. By default, each of these categories can be expanded. If certificates exist in any given category, there will be a Certificates entry below the category. The Certificates entry contains the actual certificates. You can see an example of this layout in Figure 1.
Each certificate contains an extensive amount of information. To see more detail on any given certificate, simply double-click on it. When you do, you'll see the certificate's properties sheet. The properties sheet's General tab contains a basic summary of the certificates purpose. It details such information as who the certificate is from and what its intended purpose is. You can see an example of the General tab in Figure 2.
If you require more extensive information, the Details tab is where you want to be. The Details tab contains just about any information that you could ever want to know about a certificate, such as the serial number, issuer, and valid dates. You can even look at the actual public key that the certificate contains, as shown in Figure 3.
Importing and Exporting Certificates
The Certificates snap-in is more than just a handy way to view the certificates installed on your machine. You can use this interface to manipulate certificates, as well. For example, suppose that you have a user who likes to encrypt files on their local machine by using the encryptable file system. Now suppose that the user gets a new machine. However, the encryptable file system uses certificates for the encryption and decryption process. This means that if you copy the user's files to the new machine, the files will remain encrypted through the copy process. Once on the new machine, the user will be unable to decrypt the files because the machine lacks the proper certificate. This means that you'll have to either permanently decrypt the files before attempting to copy them, or you'll have to copy the associated certificate to the new machine. As you might have guessed, copying the certificate is the preferred method. However, copying the certificate is only part of the process. As a security-conscious administrator, you'll want to remove the certificate from the user's old machine to keep the certificate from falling into the wrong hands.
The process of moving the certificate between machines involves using the import and export features. To export the certificate from the old machine, you must begin by locating the certificate in the Certificates snap-in. Doing so can be a little difficult, because a machine may contain hundreds of certificates. To make this process easier, right-click on Certificates Current User and select the Find Certificates command from the resulting context menu. Doing so will launch the Find Certificates utility, which allows you to search by particular aspects of the certificate.
Once you've found the certificate, right-click on it and select the All Tasks | Export commands from the resulting context menu. At this point, Windows will load the Certificate Export Wizard. Click Next to get started. When you're exporting a certificate for purposes such as the one that I discussed earlier, you'll almost always be exporting private key certificates. As you may already know, private key certificates are password protected for security. If you are trying to export a private key certificate, the wizard will display a warning screen that indicates that it may be necessary to enter a password later on. If you receive this warning, and you know the associated password, select the Yes, Export The Private Key radio button and click Next.
The next screen that you'll see deserves a little explanation. It asks what format to export the certificate in. DER and Base-64 are intended for single certificates, while PKCS #12 is capable of exporting an entire certificate chain. My recommendation is that unless you know what format to use, go with the default selection. As you can see in Figure 4, you have some options under PKCS #12. You may do things like include all certificates in the path, enable strong protection, and delete the original key if the export is successful.
At this point, you may be asked for a password if you're exporting a private key. Enter and confirm the password and click Next. Finally, you'll be asked for the path and filename to export the certificate to. Enter this information and click Next. The following screen will display a summary of the options that you've chosen. If this information appears to be correct, click Finish to complete the export process.
Before I tell you how to import a certificate, I should give you a word of caution. Be very careful when importing root certificates. Root certificates are the basis for most certification operations. Therefore, check out root certificates thoroughly before importing them.
With that said, you can import a certificate into any of the five categories I mentioned earlier. To do so, right-click on the category into which you want to import the certificate and select the All Tasks | Import command from the resulting context menu. Doing so launches the Certificate Import Wizard. This wizard isn't nearly as complicated as the export wizard. It will ask you for the name and location of the certificate and possibly for a password. If you are prompted to enter a password, note that on the password screen there's an option to make the certificate exportable. If you may ever need to move the certificate to another machine, be sure to check this option. Now, simply complete the wizard and your certificate will be imported. //
Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the Director of Information Systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.