• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Microsoft Networking Articles
• Understanding the OSI Model
• Understanding Department of Defense Network Model
• Understanding TCP/IP
• Understanding the Microsoft Model
• Consideration in Planning Network Infrastructure
• Analyzing Organizational Requirements for Network Infrastructure Planning
• Developing a Test Network
• Implementing Internet Connections
• Implementing NWLINK
• Implementing Public Key Infrastructure
• The Certificate Enrollment Process
• Implementing Smart Card Authentication
• Installing and Configuring NAT
• Installing and Configuring TCT/IP
• Installing IPv6
• LAN Switching and Switch Types
• Monitoring and Troubleshooting Internet Connectivity
• Monitoring Network Activity
• Network Load Balancing
• Routing Protocols
• The Windows Routing Table
• Understanding SSL
• SSL Applications
• Understanding VPN Tunneling
• The VPN Gateway
• Troubleshooting VPNs
• Understanding Ethernet LAN Segmentation
• Understanding Internet Connections
• Understanding IP Addressing
• Understanding IPv6
• Understanding NAT
• Understanding Network Protocols
• Understanding Routing
• Understanding Subnet Masking
• Understanding Subnetting
• Understanding Variable Length Subnet Masking
• Understanding Wireless Connections
• Understanding APIPA
• Understanding NetBIOS Name Resolution
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

Implementing Public Key Infrastructure

An Overview on the Public Key Infrastructure (PKI)

A set of components, standards, and protocols make up the Public Key Infrastructure (PKI), which protects data as it is transmitted over the network. The PKI is an integral aspect of security within a network. Digital certificates form the basis of the PKI because these certificates use cryptographic algorithms and key lengths to protect data as it is transmitted over the network.

The more important components of the PKI are summarized below:

• Cryptographic components are the encryption and hashing algorithms that are used to provide data confidentiality, and integrity; and to authenticate the identity of the senders of data.
• Public key components: A number of methods are available to create public and private keys, and Windows Server 2003 supports the majority of these methods.
• Digital certificates: Certificates are the foundation of the PKI. The certificate contains the public key of the user. The public key can be used to encrypt and sign data before it is transmitted over the network. The digital certificate contains information such as the certificate version, serial number, signature, issuer, and validity period, among other information.
• Certification Authorities (CAs): A CA is a trusted entity that issues certificates to users, computers, applications, and services. An organization can contain multiple CAs, arrange them in a CA hierarchical structure, and define a CA trust model. In the CA hierarchy, you would define root CAs, intermediate CAs and leaf CAs. Users that trust the root CA would automatically trust all subordinate CAs beneath the root CA, which received certificates from the particular root CA.
• Certificate repositories: After certificates are issued by CAs, they have to be located in the certificate repository or store. The preferred location to store issued certificates, is Active Directory.
• Certificate enrollment and revocation: Certificate enrollment is the process whereby which users request certificates from CAs. The lifetime of the certificate is defined when the CA issues the certificate. However, when certificate become untrusted, outdated, or compromised; the CA can reduce the lifetime of the certificate through a process called certificate revocation. This is done by the CA issuing and distributing a certificate revocation list (CRL) that details the serial number of the certificates which have been revoked.
• Key archival and recovery: Because a user can lose their keys, key recovery agents (KRAs) can be used for the retrieval of a private key, public key and original certificate, if they were archived.

While you can use third party entity CAs for the PKI implementation within your organization, the management of certificates through such entities could become complicated, and take quite some time. This is especially true for organizations which are quite large in size. With a Windows PKI implementation, you can create and manage your own internal PKI structure in the organization. This would enable you to create, manage, and audit digital certificates in your environment. Tools are available for creating and managing digital certificates in Active Directory. You can monitor certificates, and revoke them as the need arises. The strategy that you would use for your PKI implementation is ultimately determined by the security requirements of the organization, and the location of its users.

The Windows Server 2003 Public Key Infrastructure (PKI) is based on the following standards:

• Public key infrastructure X.509 (PKIX) standard.
• Internet Engineering Task Force (IETF) standards: IETF recommends that the security standards listed below interoperate with the PKI design to further enhance the security in enterprise applications.
  • Transport Layer Security (TLS)
  • Secure Multipurpose Internet Mail Extensions (S/MIME)
  • Internet Protocol Security (IPSec)

The remainder of this Article focuses on implementing and configuring a PKI in your organization, using the available graphical interface tools. There are command-line utilities which you can use to manage certificates and CAs. The Certification Authority management console is however considered the best tool for managing the CAs within your PKI implementation. The command-line utilities which you can use are listed below:

• CERTUTIL: You can use this utility to view and manage certificates, the CA database and CRLs.
• DSSTORE: This utility provides finer control when administering the CA database.

How to install Windows Server 2003 certificate services (enterprise root CA)

1. Place the Windows 2003 CD-ROM into the CD-ROM drive.
2. Select Install optional Windows components.
3. This action launches the Windows Components Wizard.
4. On the Wizard Components page, select Certificate Services.
5. Click Yes in the message dialog box that warns that you would not be able to modify the name of the server.
6. In the CA Type page, select Enterprise Root CA. Click Next.
7. In the CA Identifying Information page, set the common name for the CA. This name will be used in Active Directory, and in the enterprise.
8. In the Validity Period boxes, enter the lifetime for the CA. Click Next.
9. On the Certificate Database Settings page, verify that the locations specified for the database file and log files are correct.
10. At this stage IIS services are stopped, and the certificate service is installed and the CA database started. IIS is restarted after this.
11. Click OK when a message dialog box appears, warning that ASP must be enabled for Web enrollment.
12. Click Finish.

How to use Web enrollment to request a certificate

1. Use Internet Explorer 5.0 or later to connect to the CA.
2. In the Web browser’s Address windows, enter http:// <servername>/certsrv, and press Enter.
3. On the Certification Services Welcome page, click Request a Certificate.
4. The following page presents the User certificate option with an Advanced Certificate Request option for acquiring a smart card certificate.
5. Click the Advanced Certificate Request option.
6. When the Advanced Certificate Request page appears, click Create And Submit A Request To This CA.
7. Select Web Server from the Certificate Template list box.
8. Proceed to provide the necessary information in the Identifying Information For Offline Template section of the page.
9. Click Submit.
10. Click Yes if a message is displayed on a potential scripting violation.
11. After the server processes the certificate, you are presented with a Certificate Issued page that allows you to install the certificate on the Web server.
12. Click Install This Certificate to complete the process.

How to install a stand-alone root CA

1. Click Start, Control Panel, and click Add Or Remove Programs.
2. Select Add/Remove Windows Components in the Add Or Remove Programs dialog box.
3. When the Windows Components Wizard starts, click Certificate Services, and click Details.
4. In the Certificate Services dialog box, enable the Certificate Services CA checkbox, and enable the Certificate Services Web Enrollment Support checkbox.
5. Click Yes to the message warning that the name of the CA cannot be changed.
6. Click OK to close the Certificate Services dialog box.
7. Click Next in the Windows Components Wizard.
8. When the CA Types page appears, select Stand-alone Root CA. Click Next.
9. On the CA Identifying Information page, enter a name for the CA in the Common Name For This CA box. Click Next.
10. You can accept or change the default settings in the Certificate Database Settings page. Click Next.
11. The certificate service is installed and the CA database started. IIS is restarted after this.
12. Click OK if a message dialog box appears, warning that ASP must be enabled for Web enrollment.
13. Click Finish.

An Overview on Certificate Templates

With a Windows PKI implementation, certificate templates are used to assign certificates, according to the purpose for which they are to be used. Certificate templates can be defined as a set of rules and settings which specify the content and format of certificates that are issued, based on intended use. You configure certificate templates on the CAs within your PKI implementation. The certificate template is applied when a user requests a certificate from the CA. When a user requests a certificate, the user basically selects types of certificates as specified by certificate templates. You should customize the default certificate templates according to its intended use before you deploy them within your environment. The security requirements of your organization, ultimately determines which types of security templates should be deployed within your organization. Default certificates are provided for users, computers, code signing, and Encrypting File System (EFS).

The certificate templates also stipulate how a valid certificate request should be submitted to the CA. From this short discussion, you can conclude that certificate templates ease the management process of certificates, because it can be used to automate the process of issuing certificates, based on the requirements set by the Administrator. Windows Server 2003 includes the new auto-enrollment feature which allows for the issuing of User certificates when the user logs on to a Windows Server 2003 client.

Certificate templates are also used to manage whether security principals are allowed to enroll, auto-enroll, or read certificates, according to the particular certificate template. Each certificate template has an access control list (ACL) which specifies permissions for security principals for the particular certificate template. The Certificate Templates snap-in is used to define permissions for certificate templates.

Because different certificate templates can be used for different users, and they can be used by an assortment of applications; you can define application policies. An application policy allows you to specify the manner in which a certificate template can be used, and with what applications. In order to use a certificate template, the certificate template's definition has to be published in Active Directory, so that it is available to all CAs in your Active Directory forest. To enable this, certificate template information should be stored in Active Directory. Active Directory replication would distribute the certificate template's definition to each CA within your PKI implementation.

Windows Server 2003 supports the following certificate template types:

• Version 1 Certificate Templates: With Version 1 certificate templates, all information within the certificate template is hard-coded. What this basically means is that you cannot modify the properties of these certificate templates. In addition to this, you cannot remove Version 1 certificate templates either. You can however duplicate these certificate templates. Support for Version 1 certificate templates is included in Windows Server 2003 for backward compatibility for servers running Windows 2000 operating systems. Version 1 certificate templates can be used by Windows 2000 and Windows XP clients.
• Version 2 Certificate Templates: This certificate template type improves on the shortcoming of Version 1 certificate templates, which prevented Administrators from modifying existing certificate templates’ properties. By default, when the initial CA is installed in a forest, Version 1 certificate templates are created. Version 2 certificate templates are created when you duplicate Version 1 certificate templates. Computers running Windows 2000 and Windows XP are unable to issue certificates using Version 2 certificate templates. Computers running Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition can issue certificates which are based on Version 2 certificate templates.

The methods which can be used to modify an existing version 2 certificate template are listed below:

• You can directly modify the original Version 2 certificate template: You can use the new Windows Server 2003 capability, and change the properties of Version 2 certificate templates. After the modifications are done, new enrollees would be issued certificates, based on the new settings. The Certificate Templates snap-in can be used to re-issue the particular certificate to users that have formerly been issued the certificate, based on the prior Version 2 certificate template.
• You can supersede Version 2 certificate templates: When you supersede a Version 2 certificate template, you replace the certificate template with a new one. This method is also used when changes need to be made to version 1 certificate template. You basically have to supersede the certificate template with a version 2 certificate template.

As mentioned preciously, Windows Server 2003 includes default user certificate templates. These certificate templates are Version 1 certificate templates, and are listed below:

• Administrator; used for user authentication, secure e-mail, EFS encryption, and certificate trust list signing.
• Authenticated Session; used to authenticate users to a Web server.
• Basic EFS; used for encrypting and decrypting data through EFS encryption.
• Code Signing; used to digitally sign software code.
• EFS Recovery Agent;for decrypting files which were encrypted with EFS encryption.
• Enrollment Agent; for requesting certificates for other users.
• Exchange Enrollment Agent (Offline request); for requesting certificates for other users â€" the name of the user is provided in the request.
• Exchange Signature Only; used by the Exchange Key Management Service to issue certificates to Exchange Server users, for the purpose of digitally signing e-mail.
• Exchange User; used by the Exchange Key Management Service to issue certificates to Exchange Server users, for the purpose of encrypting e-mail.
• Smartcard Logon; used for the authentication of users through smart card logon.
• Smartcard User; used for the authentication of users through smart card logon, and for the encryption of e-mail. Also used to digitally sign e-mail.
• Trust List Signing; used to digitally sign a trust list.
• User; used by users for client authentication, EFS, and e-mail.
• User Signature Only; used by users to digitally sign data.

Windows Server 2003 also includes default computer certificate templates. Some of these certificate templates are Version 1 certificate templates, while others are Version 2 certificate templates:

• CA Exchange (Version 2); for storing those keys used for private key archival.
• CEP Encryption (Version 1; enables the computer to serve as a registration authority for Simple Certificate Enrollment Protocol (SCEP) requests.
• Computer (Version 1); enables client and server authentication abilities for the computer.
• Domain Controller Authentication (Version 2); for the authentication of Active Directory computers and users.
• IPSEC (Version 1); enables authentication for computers through the use of IP Security (IPSec).
• IPSEC (Offline request) (Version 1); used by IPSec to encrypt and decrypt, and digitally sign messages.
• RAS and IAS Server (Version 2); provides Remote Access Services and Authentication Services servers with the ability to authenticate with other computers.
• Router (Offline request) (Version 1); utilized by routers when requested via SCEP from a CA owning a Certificate Enrollment Protocol (CEP) Encryption certificate.
• Web Server (Version 1); used to authenticate the Web server to clients.
• Workstation Authentication (Version 2); allows client computers to authenticate to servers.

A few other default templates are also available in Windows Server 2003:

• Cross-Certification Authority; used for cross-certification, and also for qualified subordination.
• Directory E-mail Replication; used for the replication of e-mail within Active Directory.
• Domain Controller; enables client and server authentication abilities for the computer.
• Key Recovery Agent; used to recover archived private keys on the CA.
• Root Certification Authority and Subordinate Certification Authority; used to verify the identities of these CAs.

As mentioned previously, the permissions defined on certificate templates determine what actions security principals can perform on the certificates.

• Full Control; enables the security principal to change all the proprieties and permissions of the certificate template.
• Write; enables the security principal to change all the proprieties of the certificate template. The security principal is not allowed to change the permissions of the certificate template.
• Read; enables the security principal to locate the certificate template in Active Directory for the enrollment of certificates.
• Enroll; enables the security principal to enroll for a certificate. The security principal also needs the Read permission for the certificate template.
• Autoenroll; enables the security principal to use auto-enrollment to obtain a certificate. The security principal also needs the Read permission and Enroll permission.

How to configure certificate templates for auto-enrollment requests

The requirements listed below have to be met, before you can use the auto-enrollment feature included with Windows Server 2003.

• Windows Server 2003 Enterprise Edition, or Windows Server 2003 Enterprise Edition.
• The Windows Server 2003 domain controller has to be configured as either a root CA or as an enterprise subordinate CA.

To configure auto-enrollment:

1. Click Start, Administrative Tools, and then click Certification Authority.
2. Right-click Certificate Templates and then click Manage to open the management tool for certificate templates.
3. To create a certificate template for auto-enrolled users, you can choose to create a new certificate template, or you can alternatively modify an existing certificate template.
4. Right-click User Template, and then click Duplicate Template on the shortcut menu.
5. When the Properties of New Template dialog box appears, enter a suitable name in the Template Display Name box.
6. Click the Security tab, choose the users, or groups that should be allowed to auto-enroll; and set the appropriate permissions (Autoenroll, Enroll, Read).
7. Click OK.
8. Exit the certificate templates management tool.
9. The following step is to configure the CA to issue auto-enrollment certificates to the users/groups that you specified.
10. In the Certification Authority management tool, right-click Certificate Templates, and click New, and then Certificate Template to Issue on the shortcut menu.
11. Select User Autoenrollment from the list of available certificate templates.
12. Click OK.
13. The following step is to enable users in the Group Policy Object (GPO) to auto-enroll.
14. Click Start, Administrative Tools, and open the Active Directory Users and Computers console.
15. Proceed to locate and right-click the appropriate domain, and then click Properties on the shortcut menu.
16. When the Properties dialog box for the domain opens, click the Group Policy tab, and click Edit.
17. In the console tree, open Public Key Policies by clicking User Configuration, Windows Settings, Security Settings, and then clicking Public Key Policies.
18. Double-click Autoenrollment Settings in the details pane.
19. When the Autoenrollment Settings Properties dialog box opens, verify that the Enroll Certificates Automatically option is selected.
20. Proceed to enable the Renew expired certificates, update pending certificates, and remove revoked certificates checkbox, and also enable the Update certificates that use certificate templates checkbox.
21. Click OK.
22. Exit the Active Directory Users and Computers console.

How to supersede existing certificate templates

1. Click Start, Administrative Tools, and then click Certification Authority.
2. Right-click Certificate Templates and then click Manage to open the management tool for certificate templates.
3. Right-click User Template, and then click Duplicate Template on the shortcut menu.
4. When the Properties of New Template dialog box appears, enter a name in the Template Display Name box.
5. Set the validity period.
6. Click the Extensions tab.
7. Click Application Policies. Click Edit.
8. When the Edit Application Policies Extension dialog box opens, click Add.
9. When the Add Application Policy dialog box opens, under Application Policies, choose the appropriate application policy. Click OK.
10. The application policy which you chose should now be displayed in the Edit Application Policies Extension dialog box.
11. Click the Superseded Templates tab, and click Add.
12. When the Add Superseded Template dialog box opens, click the appropriate application policies, including the one you have previously selected, and then click OK.
13. Click the Security tab, click Add, choose the appropriate group and then set the appropriate permissions (Read, Enroll, and Autoenroll). Click OK.
14. Open the Certification Authority console.
15. Right-click Certificate Templates, and click New, and then select Certificate Template To Issue on the shortcut menu.
16. Select the group you previously selected in the Enable Certificate Templates dialog box.
17. Click OK.

How to revoke a certificate

• The private key of the CA has been compromised
• The user is no longer employed at the organization
• The private key of the certificate owner has been compromised
• The computer needs to be decommissioned

The following methods can be used to revoke a certificate:

1. The Certification Authority snap-in
2. The Certutil.exe command-line utility

To revoke a certificate:

• Click Start, Administrative Tools, and then click Certification Authority.
• Click Issued Certificates.
• In the details pane, right-click the certificate that you want to revoke, click All Tasks, and then click Revoke Certificate on the shortcut menu.
• When the Certificate Revocation dialog box appears, use the Reason Code list box to select a reason for the certificate revocation. The reason code that you choose will be included in the CRL. The available reason codes are:
  • CA Compromise
  • Change Of Affiliation
  • Cease Of Operation
  • Certificate Hold
  • Key Compromise
  • Superseded
  • Unspecified
  Click Yes.
• The particular certificate is now revoked.

How to publish revoked certificates through CRLs

The CRL has to be published so that your users are aware that the certificate has been revoked. Windows Server 2003 includes two methods for the publishing a CRL.

• Manual publication: A CRL is usually manually published when a vital certificate has been compromised.
• Scheduled publication: Each CA automatically publishes an updated CRL, based on the setting of the CRL publish period.

The default configuration with regard to the scheduled publication of revoked certificates is as follows:

• Delta CRLs are published each day.
• Full CRLs are published once a week.

To change these default settings

1. Click Start, Administrative Tools, and then click Certification Authority.
2. Right-click Revoked Certificates, and click Properties on the shortcut tab.
3. Click the CRL Publishing parameters tab.
4. Change the settings to suit your requirements.
5. Click OK.

Working with Public Key Group Policy

While it is not a requirement to use PKI Group Policy settings within an organization, there are some features available when using it. These are briefly discussed below:

• Automatic Certificate Enrollment (computers): This feature works much like the user auto-enrollment feature. Through automatic certificate enrollment, you can enable computers in a Group Policy object (GPO) to automatically request and install certificates from a CA specified in the Group Policy.
• Define common trusted root CAs: In cases where internal and external CAs exist in the PKI implementation within your organization, you can through Group Policy, notify users/computers of common root CAs which do not reside in the domain.
• Create and distribute a certificate trust list (CTL): A certificate trust list (CTL) is a list of trusted root CA certificates. You can add and remove items from this list, and then distribute it.

How to Configure Key Archival and Recovery

If key archival is enabled for a Version 2 certificate template, the associated CA can store the private key of the certificate in the CA database. Because the key pair is created by the client, it has to be returned to the CA for it to be stored in the CA database. Before the private key is transmitted to the CA for archival, it is encrypted with the public key of the CA. When the CA receives the private key, it decrypts the key. Before the CA stores the private key in its CA database, it encrypts it by using a random 3DES symmetric key. Once the key is encrypted, it is archived in the CA database.

A key recovery agent (KRA) is used to recover a key that is lost. The encrypted file which contains the certificate and private key is obtained from the CA database. The KRA decrypts the private key, and then submits the private key and certificate to the user.

The following requirements exist for implementing key archival and recovery:

• The CAs issuing certificates must be running Windows Server 2003.
• The CAs must be enterprise CAs.
• The certificates that need to have their private keys archived must be based on Version 2 certificate templates.
• The Windows Server 2003 schema extensions must be applied to the forest, so that Version 2 certificate templates can be used.
• The certificates have to be configured for key archival.
• Clients must be using Windows XP or Windows Server 2003.

The steps that need to be performed to enable key recovery and archival are listed below:

• Create a key recovery agent.
• Configure a CA to archive private keys, and allow key recovery.
• Define a Version 2 certificate template that would create certificates that can be archived.

How to create a key recovery agent (KRA):

1. Click Start, Administrative Tools, and then click Certification Authority.
2. Right-click Certificate Templates, and click New, and then Certificate Template To Issue from the shortcut menu.
3. When the Enable Certificate Templates dialog box opens, click Key Recovery Agent, and then click OK.
4. The template should now be displayed in the right pane.
5. Access the workstation for the key recovery agent.
6. Open the Certificates snap-in, and expand the Personal node, and then expand the Certificates node.
7. Right-click Certificates, and select New, and then Request New Certificate from the shortcut menu.
8. When the Certificate Request Wizard starts, click Next.
9. On the Certificate Types page, choose Key Recovery Agent. Click Next.
10. On the Certificate Friendly Name and Description page, enter the appropriate information, and click Next.
11. When the summary page is displayed, click Next.
12. Click Finish.
13. In the Certification Authority console, choose Pending Requests.
14. Right-click the certificate request, and click All Tasks, and then Issue from the shortcut menu.
15. The certificate should now be displayed under Issued Certificates.

How to configure a CA to archive certificates

1. Click Start, Administrative Tools, and then click Certification Authority.
2. Right-click the server and then select Properties from the shortcut menu.
3. Click the Recovery Agents tab.
4. Click Archive The Key, and then click Add.
5. When Key Recovery Agent Selection dialog box opens, select the KRA certificate, and click OK.
6. Click OK to start key recovery.
7. Restart the CA service.

How to create a certificate template to issue archival keys:

1. Click Start, Administrative Tools, and then click Certification Authority.
2. Right-click Certificate Templates and then click Manage to open the management tool for certificate templates.
3. Right-click User Template, and then click Duplicate Template on the shortcut menu.
4. When the Properties of New Template dialog box appears, enter a name in the Template Display Name box.
5. Enable the Publish Certificate In Active Directory checkbox.
6. Click the Request Handling tab.
7. Enable the Archive Subject's Encryption Private Key checkbox.
8. Enable the Allow Private Key to be Exported checkbox.
9. Click the Issuance Requirements tab.
10. Uncheck the CA Certificate Manager Approval checkbox to enable the CA to issue the certificate.
11. Click OK.
12. Close the Certificate Template console.
13. Open the Certification Authority console.
14. Right-click the Certificate Templates node, and click New, and then Certificate Template To Issue from the shortcut menu.
15. In the Enable Certificate Templates dialog box, select Archive User.
16. Click OK.

How to recover an archived key:

1. Click Start, Administrative Tools, and then click Certification Authority.
2. Expand Issued Certificates to find the key which you want to recover.
3. Double-click the certificate icon.
4. In the Certificates dialog box, click the Details tab.
5. Document the serial number of the certificate.
6. Open a command prompt, and use the Certutil command-line utility to extract the key to an output file. The output file is called a blob file, and it holds the private key, in the in PKCS #7 format. You can use the syntax listed below:
   • certutil - getkey <serial_number> <blob_file>
7. The following step is to convert the file to a file with a .pfx extension. You can use the syntax listed below:
   • certutil -recoverkey -f <blob_file> <pfx_file>
8. When prompted to provide a password for the file, set a strong password.
9. Proceed to transfer the file to the desktop of the user.
10. Log on, and then in Windows Explorer, double-click the file.
11. The Certificate Import Wizard initiates.
12. Through the prompts of the wizard, locate the key in the certificate repository of the user.

How to export keys

You can manually export private keys, certificates, and certificate chains; and store it in a secure location. You can use one of the following tools or utilities to export keys:

• The Certification Authority console
• The Certificates snap-in
• The Certutil command-line utility

The following export formats can be used when exporting private keys and certificates:

• PKCS #7 format: This format should be used for certificate chains, and to export certificates that do not include private keys. The PKCS #7 format does not work for exporting certificates that have private keys.
• PKCS #12: The PKCS #12 format should be used to export certificates that include private keys. The standard compels you to set a password to secure the private key.

One requirement that exists for exporting keys; is that a certificate template is enabled which permits exporting of private keys. You can do this by enabling the Allow Private Key To Be Exported checkbox for the particular certificate template.

The options that are available when exporting certificates and keys are listed below:

• Include all certificates in the certification path if possible: Use this option to include the complete certificate chain of the particular certificate which you are exporting.
• Enable strong protection: Use this option to store the PKCS #12 format file with 128-bit data encryption. In addition to this, it is strongly recommended that you use a strong password to further protect the contents of the file.
• Delete the private key if the export is successful: This option is usually used when a private key is being moved to a different computer. When selected, the private key of the certificate is removed from the certificate repository.

To export a certificate:

1. Click Start, Run, enter mmc, and click OK.
2. Click Add/Remove Snap-In from the File menu.
3. Click Add in the Add/Remove Snap-In dialog box.
4. When the Add Standalone Snap-In dialog box opens, click Certificates, from the Available Standalone Snap-Ins list, and then click Add.
5. Close all open dialog boxes.
6. In the Certificates snap-in, expand the Personal node, and then expand the Certificates node.
7. Click Certificates, right-click the certificate that you want to export, and click All Tasks, and then Export from the shortcut menu.
8. The Welcome To The Certificate Export Wizard initiates next. Click Next.
9. When the Export Private Key page opens, click Yes, Export The Private Key. Click Next.
10. On the Export File Format page, enable the Include All Certificates In The Certification Path If Possible checkbox.
11. Select the Enable Strong Protection option. Click Next.
12. When the Password page opens, enter a strong password in the Password and Confirm Password text boxes. Click Next.
13. On the File To Export page, enter the details for the file. Click Next.
14. On the Completing The Certificate Export Wizard page, click Finish.

How to retrieve an exported certificate:

1. In the Certificates snap-in, expand the Personal node, and then expand the Certificates node.
2. Right-click Certificates and click All Tasks, and then Import from the shortcut menu.
3. When the Certificate Import Wizard starts, click Next.
4. Enter the details of the certificate that you want to import in the File Name box. Click Next.
5. Enter the password needed to import the certificate. Click Next.
6. When the Certificate Store page appears, enable the Automatically Select The Certificate Store Based On The Type Of Certificate option. Click Next.
7. Click Finish.

Performing Additional CA Administrator Tasks

How to approve or deny a certificate in the CA pending queue:

1. Click Start, Administrative Tools, and then click Certification Authority.
2. Expand Certification Authority, <CA Server>, and Pending Requests.
   • To approve a certificate, right-click the particular certificate, select All Tasks, and then Issue from the shortcut menu.
   • To deny a certificate, right-click the particular certificate, select All Tasks, and then Deny from the shortcut menu.
3. If you selected to approve the certificate, the certificate is moved from Pending Requests to the Issued Certificates folder.

How to renew keys

Public and private key pairs usually need to be renewed when they expire, or when they have been compromised. To renew keys:

1. Click Start, Administrative Tools, and then click Certification Authority.
2. Select Certification Authority, and <CA Server>.
3. Click All Tasks, and then click Renew CA Certificates from the Action menu.
4. When the Install CA certificate message dialog box appears, click Yes to stop Certificate Services on the server.
5. On the Renew CA Certificate dialog box opens, click Yes for a new public and private key pair to be generated.
6. Restart the CA server.

How to enable auditing on the CA server

1. Click Start, Administrative Tools, and then click Certification Authority.
2. Select Certification Authority, and <CA Server>.
3. Right-click the CA, and click Properties from the shortcut menu.
4. When the Properties dialog box opens, click the Auditing tab. The events that you can specify for auditing are listed below:
   • Back up and restore the CA database
   • Change CA configuration
   • Change CA security settings
   • Issue and manage certificate requests
   • Revoke certificates and publish CRLs
   • Store and retrieve archived keys
   • Start and stop Certificate Services
   After enabling the desired event checkboxes for auditing, click Apply.
5. Click OK
6. The events which you specified for auditing can be viewed in the Event Viewer tool.

How to back up the CA server

1. Click Start, Administrative Tools, and then click Certification Authority.
2. Right-click the CA server that should be backed up, and click All Tasks, and then Back Up CA from the shortcut menu.
3. The Certification Authority Backup Wizard launches.
4. On the Welcome screen of the wizard, click Next.
5. On the Items to Back Up page, you can select the following options:
   • Private key and CA certificate
   • Certification database and certification database log
6. In the Backup To This Location text box, enter a location for the backup files. Click Next.
7. In the Password and Confirm Password text boxes, enter a strong password. Click Next.
8. Click Finish.

Bookmark Implementing Public Key Infrastructure

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum