کد:
http://www.windowsnetworking.com/articles_tutorials/Vista-Windows-Server-2008-Advanced-Certificate-Request-Wizard.html
Of all the issues that face the Microsoft security and enterprise admin today, one of the most difficult to understand and manage is that of a Public Key Infrastructure. It seems that anytime the subject of certificates comes up in a deployment plan, there is bound to be some confusion regarding the type of certificate required, what information needs to be included in the certificate, and how the certificate should be installed. Unfortunately, Windows Server 2008 doesn’t make this task any easier, and in fact, makes the chore of obtaining a computer certificate harder than ever because of changes in the Web enrollment site.
However, if you are interested in certificates and generating certificate requests. And if you’re interested in getting fine-grained control over the certificate request as well as being able to use certificate templates, then you’ll be very pleased with the new Advanced Certificate Request Wizard available with the Windows Server 2008 and Windows Vista Certificates MMCs. These new wizards allow you to control almost every aspect the certificate request with a simple point and click interface.
The new wizard provides a solution to a common scenario where you need to request certificates for non-domain member machines. This isn’t a problem for domain member machines, because when a machine is domain joined, it can easily request a computer certificate from an online CA. Another option for domain joined machines is to configure them to use autoenrollment in order to obtain a computer certificate. However, non-domain machines don’t have this option.
In previous versions of the Web enrollment site, you could easily obtain a computer certificate for non-domain machines by using the Computer template. With the Windows Server 2008 version of the Web enrollment site, this option is taken away for Windows Vista and Windows Server 2008 machines. Therefore, we need an alternate method of requesting a computer certificate from the CA’s Web enrollment site.
This is where the new Certificates snap-in Advanced Operations option comes in. Using the new certificate request wizard included with Windows Server 2008 or Windows Vista, you can easily create a text file based on installed templates that will allow you to create just about any kind of certificate you want. Not only that, but you’ll have fine-tuned control over the configuration of the certificate, so that you can extend the configuration past what a particular template offers you.
The figure below shows how to access the new certificate request wizard. In this example I created a Certificates MMC on a Windows Server 2008 domain controller that has a standalone CA installed on it. In the Certificates console, right click on the
Certificates store in any of the node, point to
All Tasks and point to
Advanced Operations. Then click
Create custom request. This will allow you to create a text file that you can submit to the Web enrollment site to obtain the certificate.
Figure 1
The certificate wizard starts with the
Before You Begin page. Click
Next on this page.
Figure 2
On the
Custom request page, you have the options to select the certificate
Template that you want to use and the request format type.
Figure 3
When you click the down arrow for the
Template drop down list, you’ll see a list of templates available that can be used to automatically configure the certificate. Note that after selecting the template, you still have the option to customize the settings. In this example we’re going to select the
Computer certificate.
Figure 4
On the
Certificate Information page, you can see the
Key usage,
Application policies and
Validity period for the certificate that will be generated. However, we might want to customize some aspects of this certificate. We can do this by clicking the
Properties button.
Figure 5
This brings up the
Certificate Properties dialog box. On the
General tab, you have the options to create a friendly name that you can use to identify the purpose of the certificate, and also an optional description. In this example, we’ll end a
Friendly name of
ComputerCert.
Figure 6
On the
Subject tab, you have the option to assign a subnet name to the certificate. The subject of a certificate is a user or computer (as in this case for the computer certificate we’re requesting) to which the certificate is issued. This name is used to identify the user or computer to a computer or applications that requests this information. In this example, we’ll enter a common name of
nyc-cl1.woodgrovebank.com in the
Value text box that sits until the
Subject name section. Then click
Add and it appears in the right side. We’ll also enter the same name for the
Alternative name and enter the DNS name, which is
cl1.woodgrovebank.com.
Note in a production environment that you would likely use a different name for the subject alternate name. Certain servers, such as Exchange 2007 and Office Communications Server 2007 make use of subject alternative names contained in installed certificates.
Figure 7
You have many options on the
Extensions tab. The first option
Key usage. Notice that the template has already selected the
Digital signature and
Key encipherment options to you. However, if you want to select more key usage settings, you have that option here.
Figure 8
In the
Extended Key Usage (application polices) section, you can see that the template has selected the
Server Authentication and
Client Authentication options for you. Again, if you would like to enable additional extended key usage options, you can select them from the
Available options list.
Figure 9
The
Basic constraints option allows you to enable basic constraints extension. This is not configured because the template does not have this option enabled.
Figure 10
In the
Include Symmetric algorithm section, you can enable this extension which gives information about the system capabilities of certificates issued by this template. Again, the template doesn’t enable this option, but you can if your require it.
Figure 11
In the
Custom extension definition section, you can enter your own custom Object Identifiers and values. This is useful if you have an application or gateway that expects to receive certain OIDs and filters certificate authentication access using that specific OID. The Computer Certificate template doesn’t use any custom OIDs, so none are entered here.
Figure 12
On the
Private Key tab, you can configure various aspect of the private key. In the
Cryptographic Service Programs (CSP) section, you can select the CSP of your choice if the template you select supports that CSP. In this example using the Computer Certificates template, only the
Microsoft RSA SChannel Cryptographic Provider (Encryption) option is available. If you put a checkmark in the
Show all CSPs checkbox. You can see that in this case, the rest of the CSPs are not valid for this certificate template.
Figure 13
In the
Key options section, you can select the
Key size. In addition, you can enable or disable the
Make private key exportable,
Allow private key to be archived and
Strong private key protection options. The
Make private key exportable option is not enabled by the template, but I enabled it in this example because I want the private key to be exportable.
Figure 14
The
Key type section defines the allowed uses for a private key associated with the certificate. The Computer Template automatically selected the
Exchange option, which is what you want when the intended usage for the certificate is client and server authentication.
Figure 15
In the
Key permissions section you can set who has access to the private key. I’d like to tell you what the purpose of this option is, but there is no documentation on this option and I can’t think of a scenario where I’d want to enable this option.
Figure 16
After making your selection, you can see the
Key usage,
Application policies and
Validity period. I have to assume that the
Validity period is determined by the template, since there is no option that allows use to confirm the validity period.
Figure 17
The next step is to give the certificate request text file a name. In this example I’ll name it
c:\NYC-CL1-CERT. I’ll also save it as a
Base 64 encoded text file, which the Windows Server 2008 Certificate Server will accept.
Figure 18
After saving the file, open it up in notepad. Select all the text in the file by using the
Select All option from the
Edit menu. Then click
Copy from the
Edit menu to copy this information to the clipboard. We’ll paste this information into the Web enrollment site form to obtain the certificate.
Figure 19
In this example we’re using a standalone CA. Why? Because if we were using an enterprise CA, we would be forced to use a certificate template. We don’t want to use a certificate template on the CA, because we’ve already created a request using a certificate template that we wanted to use. If you use an enterprise CA and subject your request using one of the available certificate templates, the settings on the CA’s certificate template will overwrite the settings we configured in the certificate request wizard, which is something we do not want.
To connect to the standalone CA’s Web enrollment site, enter
http://servername/certsrv. That takes you to the
Welcome page. On the
Welcome page, click the
Request a certificate link.
Figure 20
On the
Request a Certificate page, click the
advanced certificate request link.
Figure 21
On the
Advanced Certificate Request page, click the
Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file link.
Figure 22
On the
Submit a Certificate Request or Renewal Request page, paste the contents of the certificate request file in the
Saved Request text box. Notice that you are not forced to use a certificate template. In contrast, if this had been an enterprise CA, you would have been forced to use a certificate template and you would have lost the settings that you had originally configured when using the certificate request wizard. Click
Submit.
Figure 23
On the
Certificate Pending page, you’ll see that the request is assigned a
Request Id. Notice that the certificate isn’t immediately issued. This is the default setting for standalone CAs. With standalone CAs, the certificate request has to be approved before the certificate is issued. In contrast, with an enterprise CA, the certificate is immediately issued.
Figure 24
Now let’s return to the home page for the Web enrollment site. Click the
View the status of a pending certificate request link.
Figure 25
On the
View the Status of a Pending Certificate Request page, you can see a link for the saved certificate request. Click that link.
Figure 26
This takes you to the
Certificate Pending page, you see that your certificate request is still pending. To fix this, we need to go to the
Certificate Authority console and issue the certificate.
Figure 27
In the
Certification Authority console, expand the name of the CA and click on the
Pending Requests node in the left pane of the console. In the right pane of the console you’ll see the list of certificate requests in order of their
Request IDs. Our certificate request had a Request ID of 3, so we right click on that, point to
All Tasks and click
Issue.
Figure 28
Now that the certificate has been issued, you can retrieve it using the Web enrollment site. Return to the Web enrollment site home page and click the
View the status of a pending certificate request link.
Figure 29
On the
View the Status of a Pending Certificate Request page, click the
Save-Request link.
Figure 30
On the
Certificate Issued page, you have the choice to download the certificate as either a
DER encoded or
Base 64 encoded file. In general, it doesn’t matter which file type you select. When you click the
Download certificate link, you only get the computer certificate with it’s private key. If you select the
Download certificate chain link, you get the computer certificate with its private key and you get CA certificates from all CAs in the certificate chain. This link is useful if you’re installing the computer certificate on a non-domain member, since you need the CA certificate installed in the machine’s
Trusted Root Certification Authorities machine certificate store so that the machine will trust the computer certificate.
In this example we’ll just download the certificate so that we can take a look at it.
Figure 31
Click
Save in the
File Download dialog box.
Figure 32
I’ll save the certificate to my desktop.
Figure 33
Double click on the certificate. On the
General tab you can see that the certificate was issued to the common name we configured the certificate to use.
Figure 34
Click the
Details tab. Here you can see all the options that were configured in the certificate request wizard.
Figure 35
Summary
In this article we took a look at the new advanced certificate request wizard that is included with Windows Server 2008 and Windows Vista. This new wizard allows us to create a certificate request text file that we can submit to a CA that can issue us a certificate. The Certificates MMC certificate request wizard enables you to use built-in certificate templates when you run the wizard from a certificate authority computer. In addition, you can get fine-grained control over many of the settings in your certificate by using customizable options. The new certificate request wizard is very helpful in a Vista and Windows Server 2008 environment, where there is no ability to make an online request for a computer certificate any longer
LinkBack URL
About LinkBacks
