Certificate Support and Resulting Internet Communication in Windows Server 2008
Applies To: Windows Server 2008
In This Section
Benefits and Purposes of Certificate Functionality
Overview: Using Certificate Features in a Managed Environment
How Update Root Certificates Communicates with Sites on the Internet
Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet
Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Server 2008
Additional References
Benefits and Purposes of Certificate Functionality
Certificates, and the public key infrastructures (PKIs) used to issue and manage them, support the authentication and encrypted exchange of information on open networks such as the Internet, extranets, and intranets. A certificate is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. With certificates, host computers on the Internet establish trust in a certification authority (CA) that certifies individuals and resources that hold private keys. Trust in a PKI is ultimately based on a root certificate, that is, a certificate from a CA at the top of a public key hierarchy that establishes a well-defined level of integrity and security for the hierarchy.
Examples of times that a certificate is used are when a user:
Uses a browser to engage in a Secure Sockets Layer (SSL) session
Is prompted to accept a certificate as part of installing software
Is prompted to accept a certificate when receiving an encrypted or digitally signed e-mail message
When learning about PKI, it is important to learn about how certificates are issued and validated as well as how they expire or are revoked (if they need to be invalidated before they expire). This can help you understand the importance of up-to-date certificate revocation information, which can be crucial when an application is seeking to verify that a particular certificate is currently considered trustworthy. Certificate revocation information can be managed and distributed in the form of certificate revocation lists, and through Online Responders based on the Online Certificate Status Protocol (OCSP). Applications that have been presented with a certificate might contact a site on an intranet or the Internet not only for information about certification authorities, but also for certificate revocation information.
In an organization where servers run Windows Server 2008, you have a variety of options in the way certificates and certification revocation are handled. For more information about these options, see Additional References, later in this section.
Also note that in Group Policy for Windows Server 2008, you can control public key policies in more specific ways than was possible with Windows Server 2003 and previous Windows operating systems. For more information, see Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Server 2008, later in this section.
The Update Root Certificates Feature in Windows Server 2008
The Update Root Certificates feature in Windows Server 2008 is designed to automatically check the list of trusted authorities on the Windows Update Web site when this check is needed by an application on the server. Specifically, if the application is presented with a certificate issued by a certification authority in a PKI that is not directly trusted, the Update Root Certificates feature (if it is not turned off) will contact the Windows Update Web site to see if Microsoft has added the certificate of the root CA to its list of trusted root certificates. If the CA has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the set of trusted root certificates on the server.
The Update Root Certificates feature can be turned off in Windows Server 2008 by using Group Policy. For more information, see Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Server 2008, later in this section.
Overview: Using Certificate Features in a Managed Environment
In an organization where servers run Windows Server 2008, you have a variety of options in the way certificates are handled. For example, you can establish a trusted root authority, also known as a root certification authority, inside your organization. The first step in establishing a trusted root authority is to install Active Directory Certificate Services (AD CS), which is a server role in Windows Server 2008. Another step that might be appropriate is to install the AD CS Online Responder service, which can respond to individual client requests for information about whether certificates have been revoked. When implementing public key infrastructure, we recommend that you also learn about Group Policy as it applies to certificates. For information about Group Policy and about a variety of role services in the AD CS server role, see Additional References, later in this section.
When you configure a certification authority inside your organization, the certificates it issues can specify a location of your choice for retrieval of additional evidence for validation. That location can be a Web server or a directory within your organization. Because it is beyond the scope of this white paper to provide full details about working with certification authorities, root certificates, certificate revocation, and other aspects of public key infrastructure, this section provides a list of conceptual information about certificates, and Additional References, later in this section, provides a list of links.
Some of the concepts to study when learning about certificates include:
Certificates and the X.509 V3 standard (the most widely used standard for defining digital certificates) as well as the public key infrastructure for X.509 (PKIX). PKIX is described in RFC 3280, which you can search for on the Internet Engineering Task Force (IETF) Web site at:
https://go.microsoft.com/fwlink/?LinkID=29138
You can also learn about PKIX on the Internet Engineering Task Force (IETF) Web site at:
Standard protocols that relate to certificates, for example, Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Secure Multipurpose Internet Mail Extensions (S/MIME).
Encryption keys and how they are generated.
Certification authorities, including the concept of a certification authority hierarchy and the concept of an offline root certification authority.
Certificate revocation.
In a medium to large organization, for the greatest control of communication with the Internet, you can manage the list of certification authorities yourself, meaning that you would use Group Policy to turn off the Update Root Certificates feature on Windows Server 2008 and to configure settings related to public key policies.
How Update Root Certificates Communicates with Sites on the Internet
This subsection focuses on how the Update Root Certificates feature communicates with sites on the Internet. The previous subsection, Overview: Using Certificate Features in a Managed Environment provides an overview of a few of the role services in the AD CS server role, some of which relate to communication with sites on the Internet. For information about those and other role services in the AD CS server role, see Additional References, later in this section.
If the Update Root Certificates feature has not been turned off through Group Policy, and the application on your server is presented with a certificate issued by a root CA that is not directly trusted, the Update Root Certificates feature communicates across the Internet as follows:
Specific information sent or received: The Update Root Certificates feature sends a request to the Windows Update Web site, asking for the current list of root certification authorities in the Microsoft Root Certificate Program. If the root CA that is not directly trusted is on the list, Update Root Certificates obtains the certificate for that root CA and places it in the trusted certificate store on the server. No authentication or unique identification of the administrator or user is used in this exchange.
Default setting and ability to disable: Update Root Certificates is turned on by default in Windows Server 2008. You can turn off this feature by using Group Policy. For more information, see Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Server 2008, later in this section.
Trigger and user notification: Update Root Certificates is triggered when the administrator or user at the computer is presented with a certificate issued by a root certification authority that is not directly trusted. There is no user notification.
Logging: Events are logged in Event Viewer in Windows Logs\Application with a Source of CAPI2. Events containing information such as the following are logged:
For Event ID 7:
Description: Successful auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site
For Event ID 8:
Description: Failed auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site with error: hexadecimal_error_value
Encryption, privacy, and storage: When requests or certificates are sent to or from Update Root Certificates, no encryption is used. Microsoft does not track access to the list of trusted authorities that it maintains on the Windows Update Web site.
Transmission protocol and port: The transmission protocol is HTTP and the port is 80.
Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet
If you want to prevent the Update Root Certificates feature in Windows Server 2008 from communicating automatically with the Windows Update Web site, you can turn off this feature by using Group Policy. For more information, see “To Turn Off the Update Root Certificates Feature by Using Group Policy,” later in this section.
How Turning Off Update Root Certificates on a Computer Can Affect Users and Applications
If the person at the server is presented with a certificate issued by a root certification authority that is not directly trusted, and the Update Root Certificates feature is turned off through Group Policy, the person can be prevented from completing the action that required authentication. For example, the person can be prevented from installing software, viewing an encrypted or digitally signed e-mail message, or using a browser to engage in an SSL session.
Procedures for Viewing or Changing Group Policy Settings that Affect Certificates in Windows Server 2008
The procedures in this section describe:
How to use Group Policy to turn off the Update Root Certificates feature for computers running Windows Server 2008.
How to view Group Policy for controlling public key policies for computers running Windows Server 2008.
To Turn Off the Update Root Certificates Feature by Using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate Group Policy object (GPO).
Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.
In the details pane, double-click Turn off Automatic Root Certificates Update, and then click Enabled.
Important
You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting, which is located in Computer Configuration under Policies (if present), in Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Server 2008.
To View Group Policy for Controlling Public Key Policies for Windows Server 2008
- See Appendix B: Resources for Learning About Group Policy for Windows Server 2008 for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Server 2008 (with the Group Policy Management feature installed) or Windows Vista. Then open Group Policy Management Console (GPMC) by running gpmc.msc and edit an appropriate Group Policy object (GPO).
Note
You must perform this procedure by using GPMC on a computer running Windows Server 2008 or Windows Vista.
Expand Computer Configuration, expand Policies (if present), expand Windows Settings, expand Security Settings, and then click Public Key Policies.
View the settings that are available.
Expand User Configuration, expand Policies (if present), expand Windows Settings, expand Security Settings, and then click Public Key Policies.
View the settings that are available.
For information about using certificate-related Group Policy settings, see the Windows Server 2008 Technical Library Web site at:
https://go.microsoft.com/fwlink/?LinkId=106713
Additional References
The following list of resources can help you as you plan or modify your implementation of certificates and public key infrastructure:
Links to a variety of information about Active Directory Certificate Services, on the Windows Server 2008 TechCenter Web site at:
Descriptions of the features that are part of Active Directory Certificate Services, on the Windows Server 2008 Technical Library Web site at:
Information about certificate-related Group Policy settings, on the Windows Server 2008 Technical Library Web site at:
Help for Active Directory Certificate Services, on the Windows Server 2008 Technical Library Web site at:
"Certificate Revocation and Status Checking," a white paper on the Microsoft TechNet Web site at:
The Microsoft Root Certificate Program Web site at:
For information about Active Directory Federation Services (AD FS) or Active Directory Rights Management Services (AD RMS), see Active Directory Related Services and Resulting Internet Communication in Windows Server 2008 in this white paper.