Use Certificate Server 1.0 to become a Certificate Authority
Wouldn't it be nice if you could give your trusted users transparent access to your secure Web site? Then, users wouldn't have to enter their username and password every time they enter the site. One way users can communicate to a secure portion of your Web site without having to enter a username and password is by using Internet Explorer (IE) on a Windows NT system, after you configure Internet Information Server (IIS) to require challenge/response authentication. But what do you do if your users don't run NT or IE? The answer: Use Microsoft Certificate Server, a component of the NT 4.0 Option Pack. Certificate Server lets you create and use digital certificates to authenticate users, and lets users access their NT user accounts without having to provide credentials each time they log on.
Digital certificates are crucial to Web security. A digital certificate is an electronic document that computer systems use to identify and authenticate users who are browsing the Web, using email, and transferring files. One way to obtain digital certificates is through a Certificate Authority (CA), a third-party provider that issues digital certificates to individuals or systems based on verification of a user's identity. Certificate Server lets you act as a CA for your enterprise, empowering you to protect employee confidentiality, reduce cost of ownership, and improve quality of service. (For background information about CAs and digital certificates, see Tao Zhou, "You Can Be a Web Certification Authority," October 1997.)
Unfortunately, finding useful documentation for configuring Certificate Server is difficult. You can find odd snippets of information on TechNet and the Microsoft Web site, but this sketchy data isn't enough to get you going in a reasonable amount of time. In this article, I'll take you through the step-by-step Certificate Server setup and configuration process I discovered. I'll show you how to install Certificate Server, start the Certificate Authority service, and issue client certificates.
Getting Started
To begin, you need to have installed IIS 4.0, the Microsoft Management Console (MMC), and Certificate Server 1.0, all of which Microsoft includes on the Microsoft Windows NT 4.0 Option Pack CD-ROM. Microsoft has posted on its Web site (http://www.microsoft.com) a hotfix for Certificate Server 1.0 to fix a problem that stops users without client certificates from accessing an area with both Certificate and Anonymous access enabled. As I have worked with Certificate Server, I've found that you don't need to install this hotfix because you can work around the problem when you configure permissions, a process I'll explain later. (However, I have stumbled across a few other bugs for which no hotfixes exist.)
Install Certificate Server from the Option Pack CD-ROM. If you've already installed Certificate Server and haven't been able to get it to work, I'll let you in on a secret. The Certificate Server installation prompts you to enter state details of the CA in the Microsoft Certificate Server Setup window, which Screen 1 shows. If you don't enter the CA name in the State field, the IIS metabase doesn't correctly register the CA. Consequently, Certificate Server doesn't accept client certificates this CA signs. If you experience this problem, you must reinstall Certificate Server. However, when you reinstall, you might receive one of two error messages--a Certificate Server Configuration Wizard error, or a Windows NT Setup error. All I have been able to discover regarding these error messages is that they signal that the csback.gif, csbull.gif, and cslogo.gif files didn't copy from the Certificate Server root directory (usually C:\winnt\system32\certsrv) into the CertEnroll subdirectory. If you receive either error message, copy the files over manually.
Start the Certificate Authority service in NT from Control Panel, Services. If the service doesn't start, the cause might be that the service can't locate the certmdb.mdb Microsoft Access database. For a reason I can't discover, the Certificate Server installation sets up the Open Database Connectivity (ODBC) system Data Source Name to point to the Certificate Server root directory; however, the global.asa file in the CertAdm subdirectory points to the C:\winnt\system32 directory. The Certificate Server installation places the certmdb.mdb file in the C:\winnt\system32 directory. Therefore, modify the CertSrv system Data Source Name (from Control Panel, ODBC) to point to the certmdb.mdb file, as Screen 2 shows. Your CA service will now be up and running.
Setting Up Your CA
Your Certificate Server installation will prompt you to create a Secure Sockets Layer (SSL) key for your server. The SSL server key lets a Web server and client browser negotiate secure encrypted sessions. Without the SSL key, certificate-based client authentication can't operate on IIS 4.0. You can generate and sign the SSL server key request in one step on your server by selecting Automatically send the request to an online authority in the Create New Key dialog box, as Screen 3 shows. If you choose to create a key request file, you can use Certificate Server's certreq.exe command-line utility to certify the file. (You can use key request files to request server-key signing from a third-party CA.) When you have a signed key, the Certificate Server installation is complete.
Now you must add the CA you just created to the list of trusted CAs on the server by installing the server key in your browser. To do so, launch IE 4.0 on the server and browse to http://server name/certsrv/certenroll/cacerts.htm. A Web page titled Certificate Authority Certificate List will display, listing the CA key you just created. Click the hyperlink and select Open this file from its current location. You will see a prompt to install a New Site Certificate, which Screen 4 shows. Click View Certificate, verify that the key details are as you entered them, and click OK. You will see another prompt asking you to accept adding the certificate to your root store. Click OK.
Select View, Internet Options, Content, Authorities to verify that IE 4.0 has successfully added the certificate to its list of trusted authorities. You will see the CA you created in IE 4.0's Certificate Authorities list, which Screen 5 shows.
Previous
Register
