• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Microsoft Networking Articles
• Understanding the OSI Model
• Understanding Department of Defense Network Model
• Understanding TCP/IP
• Understanding the Microsoft Model
• Consideration in Planning Network Infrastructure
• Analyzing Organizational Requirements for Network Infrastructure Planning
• Developing a Test Network
• Implementing Internet Connections
• Implementing NWLINK
• Implementing Public Key Infrastructure
• The Certificate Enrollment Process
• Implementing Smart Card Authentication
• Installing and Configuring NAT
• Installing and Configuring TCT/IP
• Installing IPv6
• LAN Switching and Switch Types
• Monitoring and Troubleshooting Internet Connectivity
• Monitoring Network Activity
• Network Load Balancing
• Routing Protocols
• The Windows Routing Table
• Understanding SSL
• SSL Applications
• Understanding VPN Tunneling
• The VPN Gateway
• Troubleshooting VPNs
• Understanding Ethernet LAN Segmentation
• Understanding Internet Connections
• Understanding IP Addressing
• Understanding IPv6
• Understanding NAT
• Understanding Network Protocols
• Understanding Routing
• Understanding Subnet Masking
• Understanding Subnetting
• Understanding Variable Length Subnet Masking
• Understanding Wireless Connections
• Understanding APIPA
• Understanding NetBIOS Name Resolution
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

The Certificate Enrollment Process

An Overview on the Public Key Infrastructure (PKI) and Digital Certificates

While encryption can be a robust security technology, you have to implement a public key infrastructure (PKI) to make it beneficial and trusted within an organization. The Windows 2000 and Windows Server 2003 implementation of the PKI resides in Certificate Services. A public key infrastructure is the collection of technology, protocols, services, standards and policies that control the issuing of, and management of public and private keys using digital certificates. Certificates are the core of the PKI. Encryption is used to protect data messages as it is transmitted over the network, and digital signatures verify the identities of the senders of these messages. Public key encryption is used for the encryption of data. In public key encryption, each user has a private key that is kept secret and is never sent over the network; and public key that can be publicly distributed. The public and private key pair is used to encrypt and decrypt data. The public key encrypts the data into an unreadable or scrambled format. Only the private key in the key pair can be used to decrypt the data to a readable format.

Digital certificates are used to distribute the public key. A digital certificate associates a public key with an entity such as an individual or organization because it contains the public key for the user or organization, additional information on the user or organization, and information on the entity that issued the certificate. The entities that issue and manage digital certificates are called certificate authorities (CAs). You cannot forge certificates because the CA digitally signs the certificates, and the signature is applied to a hash of the certificate. In Windows 2000, Windows XP, and Windows Server 2003, the Data Protection API deals with certificates. The X.509 standard, Public-key and Attribute Certificate Frameworks, specifies the format of certificates for PKI implementations. A digital certificate usually contains a version number that identifies the X.509 standard version used for the certificate; the serial number of the certificate; the CA that issued the certificate; the signature algorithm identifier which defines the CA’s algorithm used for the digital signature of the certificate; the validity period of the certificate; the entity to which the certificate was issued; the intended uses of the certificate; the public key of the user, and the location of the certificate revocation list (CRL).

To make certificates useful or trusted, you have to obtain a certificate from a trusted entity, called a certification authority (CA). A CA is the trusted entity that issues and manages the use of certificate within the PKI. A CA can be an external third party CA such as VeriSign, or you can deploy your own internal CAs. You can also use a combination of internal and external CAs. You can consider the process of designing and deploying CAs as the initial step in implementing a PKI solution within the organization. Once the CAs are created, you can obtain a certificate from a CA manually, or automatically. Manually requesting certificates from the CA occurs when the user explicitly requests the CA to issue a certificate. Certificates are automatically requested when an application requests and obtains a certificate as a background process, with no user intervention.

An Overview on the Certificate Enrollment Process

The terminology used to describe the process whereby which users request certificates is referred to as certificate enrollment. A user has to summit the request for a certificate in a special format. The format should be able to specify the identity of the user requesting the certificates. Only after the requestor of the certificate is verified, does the CA issue the certificate. The PKCS #10 standard, Certification Request Syntax Standard; is usually the format used to submit certificate enrollment requests to the CA. The information included in a PKCS #10 certificate enrollment request is listed below:

• The public key of the requestor, which the CA should sign.
• The distinguished name of the requestor.
• The digital signature, which is the hash of the request encrypted with the private key of the requestor.
• The hashing algorithm used for the creation of the digital signature.

When a user submits a request for a certificate to a CA, the request is first sent to the Cryptographic Service Provider (CSP) which is installed on the computer of the user. The CSP creates the private key and public key pair for the request. The public key is added to the other certificate request information and is then passed on to the CA.

Once the CA receives the enrollment request, the CA performs the following tasks:

• Decrypts the digital signature in the certificate request using the public key in the particular request.
• Performs a hash on the request using the hash algorithm utilized by the requestor. The identity of the requestor or user that submitted the certificate enrollment request is validated when the hash calculated by the CA corresponds to the hash in the decrypted signature.
• The CA then digitally signs the public key of the user.
• It next adds this to a X.509 certificate.
• The certificate is submitted to the user that requested certificate enrollment.
• The user publicizes copies of its X.509 certificate to entities that can use it to encrypt data which will be transmitted to the user.
• These entities authenticate the user’s X.509 certificate by verifying the digital signature added to the certificate by the CA.

Windows Server 2003 certificate services provide the following certificate enrollment methods:

• Automatic Enrollment
• Web Enrollment
• Manual Enrollment

Before looking at the factors which influence the certificate enrollment method that you choose, lets first look at the types of CAs that you can configure.

• Enterprise CAs: Enterprise CAs are integrated in Active Directory, and publish certificates and CRLs to Active Directory. Enterprise CAs can only issue certificates to users and computers within Active Directory. Enterprise CAs utilizes the information in the Active Directory database to automatically approve or deny certificate enrollment requests.
• Stand-alone CAs: Stand-alone CAs are not dependent on Active Directory to issue certificates to users. Therefore, if you request a certificate from a stand-alone CA, the request has to contain all the information on the user which the CA will need, to process the certificate request. By default, stand-alone CAs do not automatically respond to certificate enrollment requests. You can however configure stand-alone CAs to issue automated certificates.

The certificate enrollment method which you choose would depend on the following factors:

• The type of CA from which the certificate is being requested from.
• Whether the CA and user requesting the certificate can communicate over the network.

Computers that are not connected to the network cannot use the auto-enrollment method. A requirement of the auto-enrollment method is that the requestor of the certificate can directly communicate with the enterprise CA.

If you are requesting certificates from a standalone CA, you can use one of the following tools or utilities:

• The Certificates snap-in: To use the Certificates snap-in to submit certificate requests to the CA, users need to have permissions to install and configure the Microsoft Management Console (MMC) snap-in.
• The Certreq.exe command- line utility: This command-line tool is not ideal for usage by end users to request certificates. The tool should be used to perform certificate administrative tasks which cannot be performed using Group Policy settings.
• The Web enrollment process: This is the simplest method which end users can use to request certificates from the CA.

If you are requesting certificates from an enterprise CA, you can use one of the following tools or utilities:

• The Certificates snap-in
• The Certreq.exe command- line utility
• The Web enrollment process
  When using one of the above methods, you can specify whether certificates must be manually approved, or whether they can be auto-enrolled. To enable auto-enrollment, you would need to grant the Autoenroll permission on the certificate template for those users and groups that should receive a certificate.
• Group Policy: If you are running Windows XP and Windows Server 2003, you can use Group Policy to automatically enroll users and computers without any user intervention. The requirement though is that Version 2 certificate templates are used for issuing certificates. The Auto-enrollment Settings policies are used to configure auto-enrollment using Group Policy.

The Automatic Enrollment Method

Auto-enrollment makes it possible for an organization to configure the CA to automatically issue certificates to users and computers. Auto-enrollment can be defined as the process by which certificates can be obtained, updated and stored for users and computers, with no administrator and end user intervention.

The auto-enrollment feature also enables the centralized management of certificates, including:

• Certificate enrollment
• Certificate renewal
• Modifying certificates
• Superseding certificates

In a Windows Server 2003 PKI implementation, you can enable the auto-enrollment feature through:

• Automatic Certificate Request Settings: This is a Group Policy setting located under the Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Automatic Certificate Request Settings node in the Group Policy Object (GPO) Editor snap-in. You would use Automatic Certificate Request Settings to issue certificates based on Version 1 certificate templates to computers running Windows 2000, Windows XP or Windows Server 2003.
• Autoenrollment Settings: Autoenrollment Settings utilizes a grouping of Version 2 certificate templates and Group Policy settings to enable client computers running Windows XP and Windows Server 2003 to enroll user certificates or computer certificates automatically at user log on. The Group Policy setting for computer certificates is located under the Computer Configuration/Windows Settings/Security Settings/ Public Key Policies node, and the Group Policy setting for user certificates is located under the User Configuration/Windows Settings/Security Settings/Public Key Policies node. The default configuration is that user auto-enrollment and computer auto-enrollment is enabled. While the primary option of this policy is Enroll Certificates Automatically, you can choose to renew and revoke certificates automatically as well. You can also select to update certificate template types automatically.

The Web Enrollment Method

In order for the Web enrollment method to be used, the Internet Information Server (IIS) service must be running on the CA server and the web request feature must be installed and enabled. The Web enrollment interface enables users to perform the following tasks:

• Request a certificate from the CA
• Request the certificate revocation list (CRL) of the CA
• Request the certificate of the CA
• Check the status of a pending certificate request
• The Web enrollment interface can also be used for smart card certificate enrollment

The Web enrollment feature utilizes the CertSrv directory that points at Windows\System32\CertSrv, which contains the ASP pages and other files used for obtaining a certificate. In addition to this directory the Web enrollment feature utilizes the CertEnroll directory which contains the Certificate Revocation List (CRL) issued by the CA, and the CertControl directory which contains the ActiveX controls utilized for Web enrollment.

The Manual Enrollment Method

If your environment includes client computers running operating systems prior to Windows 2000, you have to manually enroll these clients for certificates. This is because these older client operating systems do not include support for Group Policy, and therefore do not support the automatic enrollment method. Manual certificate enrollment can occur using the Certificates snap-in, the Certreq.exe command-line utility, or the Web based interface.

When using the Web based interface for the manual enrollment method, IIS has to be running on the CA server. When you install Certificate Services, the Web Enrollment application is automatically installed. You can use the Certificates snap-in to manually request certificates from a computer that is configured as an enterprise CA. The snap-in includes the Certificate Request Wizard which guides you through the certificate enrollment process.

If you use the Certificates snap-in to request and obtain an Administrator certificate, you would be able to perform the following administrative tasks:

• Encrypt data and e-mail messages
• Digitally sign the certificate trust list and messages

The Certreq.exe command-line utility enables you to script the certificate enrollment process. You can also retrieve and accept certificate requests using this utility.

How to request a certificate using the Web enrollment method

1. Connect to the CA server using Internet Explorer 5.0 or above, and the Administrator account.
2. You can use the following URL: http:// <servername>/certsrv.
3. Enter the appropriate user name and password if you are not automatically authenticated.
4. The Web based interface for manually requesting certificates opens, and the Welcome page is displayed.
5. Click the Request A Certificate option.
6. On the following page, click Advanced Certificate Request.
7. Click the Create And Submit A Request To This CA option.
8. On the Advanced Certificate Request page, in the Certificate Template list, choose Basic EFS.
9. Check the Enable Strong Private Key Protection checkbox.
10. Click Submit.
11. When the Potential Scripting Violation warning dialog box appears, click Yes.
12. When the Creating A New RSA Exchange Key dialog box opens, click Set Security Level.
13. Click High, and then click Next.
14. Enter a strong password in the Password and Confirm text boxes.
15. Click Finish.
16. Click OK
17. When the Certificate Issued page appears, click Install This Certificate.
18. On the Potential Scripting Violation warning dialog box, click Yes.

How to request a certificate using the Certificates snap-in (manual enrollment)

1. Click Start, Run and enter mmc in the Run dialog box. Click OK.
2. From the File menu, click Add/Remove Snap-In.
3. Click Add.
4. When the Add/Remove Snap-In dialog box opens, click Certificates. Click Add.
5. Click My User Account.
6. Click Finish, click Close, and click OK.
7. In the Certificates snap-in, expand Certificates, and then Personal.
8. Right-click Certificates, and on the shortcut menu, click All Tasks, and then click Request New Certificate.
9. The Certificate Request Wizard starts.
10. On the Welcome page, click Next.
11. When the Certificate Types page appears, click User.
12. Enable the Advanced checkbox. Click Next.
13. When the Cryptographic Service Provider page opens, check the Enable Strong Key Protection checkbox. Click Next.
14. On the Certificate Authority page, you can click Next.
15. Enter a name in the Friendly Name text box. Click Next.
16. On the Completing The Certificate Request Wizard page, click Finish.
17. Click OK to install the issued certificate.

How to configure auto-enrollment

Before you can configure auto-enrollment, you need to configure the domain controller as an enterprise root CA or as an enterprise subordinate CA.

Use the steps below to configure the domain controller as an enterprise CA:

1. Place the Windows Server 2003 CD-ROM in the CD-ROM drive.
2. Click Install optional Windows components.
3. Select Certificate Services in the Wizard Components page.
4. When a message appears warning that the name of the CA server cannot be modified, click Yes to acknowledge the warning message. Click Next.
5. In the CA Type page, select Enterprise Root CA. Click Next.
6. Specify a common name for the CA.
7. Specify a validity period for which certificates issued by the CA are valid. Click Next.
8. You can accept the default location settings for the database file and database log. Click Next.
9. Click Yes if an ASP warning message is displayed, to acknowledge the message.
10. Click Finish.

Use the steps below to configure the CA for auto-enrollment:

1. Open the Certification Authority console by clicking Start, Administrative Tools, and then Certification Authority.
2. Proceed to right-click Certificate Templates and click Manage from the shortcut menu.
3. This opens the certificate templates management tool.
4. To create a certificate template for auto-enrolled users, right-click User Template, and select Duplicate Template from the shortcut menu.
5. When the Properties of the New Template dialog box opens, enter a name for the template in the Template Display Name field.
6. Click the Security tab.
7. Specify the users and groups that should be able to auto-enroll. Assign the users/groups the Enroll permission and the Autoenroll permission.
8. Click OK. Close the certificate templates management tool.
9. In the Certification Authority console, right-click Certificate Templates, and click New, and then Certificate Template to Issue from the shortcut menu.
10. Select the User Autoenrollment certificate template.
11. Click OK.
12. Open the Active Directory Users and Computers console by clicking Start, Administrative Tools and then Active Directory Users and Computers.
13. Right-click the particular domain and select Properties from the shortcut menu.
14. Select the Group Policy tab. Click Edit.
15. Expand User Configuration, Windows Settings, Security Settings and then Public Key Policies.
16. Double-click Autoenrollment Settings.
17. When the Autoenrollment Settings Properties dialog box opens, ensure that the Enroll Certificates Automatically option is selected.
18. Enable the Renew expired certificates, update pending certificates, and remove revoked certificates checkbox, and enable the Update certificates that use certificate templates checkbox.
19. Click OK to complete the configuration of certificate auto-enrollment.

Bookmark The Certificate Enrollment Process

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum