What Are Certificates?
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
What Are Certificates?
In this section
Uses of Certificates
Digital certificates are electronic credentials that are used to certify the identities of individuals, computers, and other entities on a network.
Digital certificates function similarly to identification cards such as passports and drivers’ licenses. For example, passports and drivers’ licenses are issued by recognized government authorities, whereas digital certificates are issued by recognized certification authorities (CAs).
When someone requests a passport or driver’s license, the government authority verifies the identity of the requester, certifies that the requester meets all requirements to receive the card, and then issues the card. Before a certificate can be issued, a CA or CA administrator must verify the requester’s identity, determine that they meet all requirements to receive the certificate, and then issue the certificate.
Like an identification card such as a driver’s license or passport, a digital certificate can be used to verify the identity of its owner. When the certificate is presented to others, they help verify the identity of its owner based on the quality of the contents of the certificate:
Personal information that helps identify the owner.
The signature of the issuing authority. For digital certificates, the issuing authority is the CA.
Information needed to identify and contact the issuing authority.
In addition, the quality of a certificate is enhanced if it:
Is designed to be tamper-resistant and difficult to counterfeit.
Is issued by an authority that can revoke the certificate at any time (for example, if the employee to whom the certificate was issued is no longer employed by the organization).
Can be checked for revocation by contacting the issuing authority.
Uses of Certificates
Private and public networks are being used with increasing frequency to communicate sensitive data and complete critical transactions. This has created a need for greater confidence in the identity of the person, computer, or service on the other end of the communication. In addition, these valuable communications must be protected while they are on the network. Although accounts and passwords provide a certain level of assurance in the identity of the entity on the other end of the network, they offer little or no protection while data is in transit. In comparison, digital certificates and public key encryption provide an enhanced level of authentication and privacy to digital communications.
Certificates and certificate services from numerous vendors are being used to strengthen the security of a variety of applications and user scenarios. Windows Server 2003 Certificate Services makes possible strong security based on public key encryption that can enhance a variety of internal and external applications for your organization, including:
Authentication is crucial to secure and reliable communication. Each party to a communication must be able to prove their own identity to those with whom they communicate, and in turn must be able to verify the identity of the parties at the other end of the communication.
This process can be challenging when both parties are in the same location. Authentication of identity on a network can be even more difficult because the communicating parties do not physically meet as they communicate. This makes it potentially easier for an unethical person to intercept messages that are meant to be private or to pretend that they are another person or entity.
Digital certificates and public key encryption provide an enhanced means of verifying identity, which makes it difficult for an entity to impersonate another entity. Digital certificates help verify identity because the data in a certificate includes the public cryptographic key from the certificate subject’s public and private key pair. A message signed with its sender’s private key can be verified by the message’s recipient as authentic by using the sender’s public key, which can be found on a copy of the sender’s certificate. Verifying a signature by using a public key from a certificate proves that the signature was produced using the certificate subject’s private key. If the sender has been vigilant and has kept the private key secret, the receiver can be confident in the identity of the message sender.
A few of the ways certificates are used to provide authentication are:
Authentication of a user to a secure Web site via the Transport Layer Security (TLS) or the Secure Sockets Layer (SSL) protocol.
Authentication of a server to a user via TLS.
Logging on to a Windows Server 2003 domain.
Authentication of a client on a wireless network.
Authentication of a client across the Internet to create a virtual private network (VPN).
Internet Protocol security (IPSec).
Communications over a network, such as the Internet, are subject to possible monitoring by unknown and, perhaps, malicious users. Public networks are treacherous for unencrypted sensitive information because anyone can access the network and analyze the data being transmitted between two points. Even private local area networks (LANs) are vulnerable to determined efforts by intruders to acquire physical access to the network. Consequently, if sensitive information is transmitted between computing devices on any type of network, users will almost certainly want to use some sort of encryption to keep their data private.
Encryption is the process of disguising a message or data in such a way as to hide its substance. It can be thought of as locking something valuable into a strongbox with a key. Conversely, decryption can be compared to opening the box and retrieving the valuable item. On computers, sensitive data in the form of e-mail messages, files on a disk, and files being transmitted across the network can be encrypted by using a key. Encrypted data and the key used to encrypt data are both unintelligible.
Public key encryption is not used to encrypt large amounts of data; instead, data is typically protected with a private key and that private key in turn is encrypted with the public key of the recipient of the data. The encrypted secret key will then be transmitted to the recipient along with the encrypted data. The recipient will use the private key to decrypt the secret key. The secret key will then be used to decrypt the message itself.
Certificates enable privacy for data that is transmitted using a number of different methods. Some of the commonly used privacy-enabling protocols that use certificates are:
Secure Multipurpose Internet Mail Extensions (S/MIME).
Encrypting File System (EFS)
An increasing number of digital documents require strong evidence that the data has not been altered since it was signed and confirmation of the identity of the person or entity who signed the data. A digital signature helps ensure the integrity and origin of data, which are essential for secure e-commerce transactions.
Digital signatures are typically used when data is distributed in plaintext, or unencrypted, form. In these cases, although the sensitivity of the message itself might not warrant encryption, there could be a compelling reason to ensure that the data is in its original form and has not been sent by an impostor. In a distributed computing environment, plaintext can conceivably be read or altered by anyone on the network who has access to it, whether authorized or not.
To use certificates in Windows Server 2003, you need to set up a public key infrastructure (PKI), which consists of one or more CAs that are linked in a hierarchy. These CAs and the PKI are required to manage certificate issuance, validation, renewal, and revocation in one or more organizations.
You can use a third-party PKI with Windows Server 2003, or you can establish your own PKI based on Windows Server 2003 Certificate Services.
If you are using Active Directory to manage user and computer accounts on the network, your enterprise CAs can use information contained in Active Directory — such as user account names, security group memberships, and certificate templates — to simplify certificate enrollment, renewal, revocation, and validation.
In addition, Active Directory stores public key Group Policy for distribution to all computers that are within the scope of a Group Policy object. Public key Group Policy enables you to control which CAs are to be trusted in the enterprise, specify alternative EFS recovery agents, and configure automatic enrollment and renewal of certificates for computers running Windows 2000, Windows XP, and Windows Server 2003 — all from a central administration point.
Active Directory also supports mapping certificates to network user accounts for authenticating clients and controlling access to network resources. Using smart cards for the user logon process is a special case of certificate mapping that extends the Kerberos v5 authentication protocol to include authentication of users on the basis of certificates and private keys that are stored on smart cards. Using smart cards for the user logon process provides enhanced security for user authentication and a single set of user credentials for logging on locally or remotely over a network.
The following figure illustrates the role of domain client certificates in an Active Directory environment.
Domain Client Certificates in Active Directory
The following resources contain additional information that is relevant to this section: