Certificate Support and Internet Communication
Applies To: Windows Server 2003 with SP1
This section provides information about:
The benefits of the certificate functionality built into Microsoft Windows Server 2003 with Service Pack 1 (SP1), including the benefits of Update Root Certificates
How the Update Root Certificates component in Windows Server 2003 with SP1 communicates with sites on the Internet
How to control Update Root Certificates to limit the flow of information to and from the Internet
Benefits and Purposes of Certificate Functionality
Certificates, and the public key infrastructure of which they are a part, support authentication and encrypted exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. With certificates, host computers on the Internet no longer have to maintain a set of passwords for individual subjects who need to be authenticated as a prerequisite to access. Instead, the host merely establishes trust in a certification authority that certifies individuals and resources that hold private keys. The host can establish this trust through a certificate hierarchy that is ultimately based on a root certificate, that is, a certificate from a certification authority that establishes a well-defined level of integrity and security for the hierarchy.
Examples of times that a certificate is used are when you:
Use a browser to engage in a Secure Sockets Layer (SSL) session
Accept a certificate as part of installing software
Accept a certificate when receiving an encrypted or digitally signed e-mail message
When learning about public key infrastructure, it is important to learn not only about how certificates are issued, but about how certificates are revoked and how information about those revocations is made available to clients. This is because certificate revocation information is crucial for an application that is seeking to verify that a particular certificate is currently (not just formerly) considered trustworthy. Certificate revocation information is often stored in the form of a certificate revocation list, although this is not the only form it can take. Applications that have been presented with a certificate might contact a site on an intranet or the Internet not only for information about certification authorities, but also for certificate revocation information.
In an organization where servers run Windows Server 2003 with SP1, you have a variety of options in the way certificates and certification revocation lists (or other forms of certificate revocation information) are handled. For more information about these options, see the references listed in the next subsection, "Overview: Using Certificate Components in a Managed Environment."
The Update Root Certificates component in Windows Server 2003 with SP1 is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site when this check is needed by an application. Specifically, if the application is presented with a certificate issued by a certification authority that is not directly trusted, the Update Root Certificates component (if present) will contact the Microsoft Windows Update Web site to see if Microsoft has added the certification authority to its list of trusted authorities. If the certification authority has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the trusted certificate store on the computer. Note that the Update Root Certificates component is optional, that is, it can be removed or excluded from installation on a computer running Windows Server 2003 with SP1.
Overview: Using Certificate Components in a Managed Environment
In an organization where servers run Windows Server 2003 with SP1, you have a variety of options in the way certificates are handled. For example, you can establish a trusted root authority, also known as a root certification authority, inside your organization. The first step in establishing a trusted root authority is to install the Certificate Services component. Another step that might be appropriate is to configure the publication of certificate revocation information to the Active Directory® directory service. When implementing public key infrastructure, we recommend that you also learn about Group Policy as it applies to certificates. Procedures for these steps are provided in the resources listed at the end of this subsection.
When you configure a certification authority inside your organization, the certificates it issues can specify a location of your choosing for retrieval of additional evidence for validation. That location can be a Web server or a directory within your organization. Because it is beyond the scope of this white paper to provide full details about working with certification authorities, root certificates, certificate revocation, and other aspects of public key infrastructure, this section provides a list of conceptual information and a list of resources to help you learn about certificates.
Some of the concepts to study when learning about certificates include:
Certificates and the X.509 V3 standard (the most widely used standard for defining digital certificates) as well as the public key infrastructure for X.509 (PKIX). PKIX is described in RFC 3280, which you can search for on the Internet Engineering Task Force (IETF) Web site at:
You can also learn about PKIX on the Internet Engineering Task Force (IETF) Web site at:
Standard protocols that relate to certificates, for example, Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Secure Multipurpose Internet Mail Extensions (S/MIME).
Encryption keys and how they are generated.
Certification authorities, including the concept of a certification authority hierarchy and the concept of an offline root certification authority.
Ways that Active Directory and Group Policy can work with certificates.
The following list of resources can help you as you plan or modify your implementation of certificates and public key infrastructure:
Help for products in the Windows Server 2003 family.
You can view Help for products in the Windows Server 2003 family on the Web at:
The Microsoft Windows Server 2003 Deployment Kit and the Microsoft Windows Server 2003 Technical Reference.
You can view links on the Windows Deployment and Resource Kits Web site at:
"Troubleshooting Certificate Status and Revocation," a white paper on the Microsoft TechNet Web site at:
Links to information about public key infrastructure for Windows Server 2003 on the Microsoft Web site at:
In a medium-size to large organization, for the greatest control of communication with the Internet, it is recommended that you manage the list of certification authorities yourself.
How Update Root Certificates Communicates with Sites on the Internet
This subsection focuses on how the Update Root Certificates component communicates with sites on the Internet. The previous subsection, "Overview: Using Certificate Components in a Managed Environment" provides references for the configuration choices that control the way other certificate components communicate with sites on the Internet.
If the Update Root Certificates component is installed on a server, and has not been disabled through Group Policy, and an application is presented with a certificate issued by a root certification authority that is not directly trusted, the Update Root Certificates component communicates across the Internet as follows:
Specific information sent or received: Update Root Certificates sends a request to the Windows Update Web site, asking for the current list of root certification authorities in the Microsoft Root Certificate Program. If the untrusted certificate is named in the list, Update Root Certificates obtains that certificate from Windows Update and places it in the trusted certificate store on the server. No user authentication or unique user identification is used in this exchange.
The Windows Update Web site is located at:
Default setting and ability to disable: Update Root Certificates is installed by default in Windows Server 2003 with SP1. You can disable this component with Group Policy, or you can remove it or exclude it from installation on a server.
Trigger and user notification: Update Root Certificates is triggered when the user is presented with a certificate issued by a root certification authority that is not directly trusted. There is no user notification.
Logging: Events containing information such as the following will be logged:
For Event ID 7:
Description: Successful auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site
For Event ID 8:
Description: Failed auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site with error: hexadecimal_error_value
Encryption, privacy, and storage: When requests or certificates are sent to or from Update Root Certificates, no encryption is used. Microsoft does not track access to the list of trusted authorities that it maintains on the Microsoft Windows Update Web site.
Transmission protocol and port: The transmission protocol is HTTP and the port is 80.
Controlling the Update Root Certificates Component to Prevent the Flow of Information to and from the Internet
If you want to prevent the Update Root Certificates component in Windows Server 2003 with SP1 from communicating automatically with the Microsoft Windows Update Web site, you can disable this component with Group Policy, or you can remove it or exclude it from installation on servers. You can exclude the component during deployment by using standard methods for unattended installation or remote installation, as described in Appendix A, "Resources for Learning About Automated Installation and Deployment.” If you are using an answer file, the entry is as follows:
[Components] Rootautoupdate = Off
For information about how to disable Update Root Certificates through Group Policy, see “To Disable the Update Root Certificates Component by Using Group Policy,” later in this section.
How Disabling, Removing, or Excluding Update Root Certificates from Servers Can Affect Applications
If a server is presented with a certificate issued by a root certification authority that is not directly trusted, and the Update Root Certificates component is not installed on that server, you (or your application) will be prevented from completing the action that required authentication. For example, you might be prevented from installing software, viewing an encrypted or digitally signed e-mail message, or using a browser to engage in an SSL session.
Procedures for Preventing Root Certificates from Being Updated on an Individual Computer
The following procedures describe:
How to use Group Policy to disable the Update Root Certificates component.
How to use Control Panel to remove the Update Root Certificates component from an individual computer running Windows Server 2003 with SP1.
How to exclude the Update Root Certificates component during unattended installation of Windows Server 2003 with SP1 by using an answer file.
To Disable the Update Root Certificates Component by Using Group Policy
See Appendix B: Resources for Learning About Group Policy for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.
Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings.
In the details pane, double-click Turn off Automatic Root Certificates Update, and then click Enabled.
You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Key.
To Remove the Update Root Certificates Component from an Individual Computer Running Windows Server 2003 with SP1
Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.
Double-click Add or Remove Programs.
Click Add/Remove Windows Components (on the left).
Scroll down the list of components to Update Root Certificates, and make sure the check box for that component is cleared.
Follow the instructions to complete the Windows Components Wizard.
To Exclude the Update Root Certificates Component During Unattended Installation by Using an Answer File
Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment.
In the [Components] section of the answer file, include the following entry:
Rootautoupdate = Off