Certificate Support and Internet Communication (Windows Server 2003)
Applies To: Windows Server 2003 with SP1
The following subsections provide information about:
The benefits of the certificate functionality built into operating systems in the Microsoft Windows Server 2003 family, including the benefits of Update Root Certificates
How Update Root Certificates communicates with sites on the Internet
How to control Update Root Certificates to limit the flow of information to and from the Internet
Benefits and Purposes of Certificate Functionality
Certificates, and the public key infrastructure of which they are a part, support authentication and encrypted exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. With certificates, host computers on the Internet no longer have to maintain a set of passwords for individual subjects who need to be authenticated as a prerequisite to access. Instead, the host merely establishes trust in a certification authority that certifies individuals and resources that hold private keys. The host can establish this trust through a certificate hierarchy that is ultimately based on a root certificate, that is, a certificate from an authority that is trusted without assurances from any other certification authority.
Examples of times that a certificate is used are when you:
Use a browser to engage in a Secure Sockets Layer (SSL) session
Accept a certificate as part of installing software
Accept a certificate when receiving an encrypted or digitally signed e-mail message
When learning about public key infrastructure, it is important to learn not only about how certificates are issued, but how certificates are revoked, and how information about those revocations is made available to clients. This is because certificate revocation information is crucial for an application that is seeking to verify that a particular certificate is currently (not just formerly) considered trustworthy. Certificate revocation information is often stored in the form of a certificate revocation list, although this is not the only form it can take. Applications that have been presented with a certificate might contact a site on an intranet or the Internet for information not only about certification authorities, but also for certificate revocation information.
In an organization where servers run products in the Microsoft Windows Server 2003 family, you have a variety of options in the way certificates and certification revocation lists (or other forms of certificate revocation information) are handled. For more information about these options, see the references listed in the next subsection, "Overview: Using Certificate Components in a Managed Environment."
The Update Root Certificates component in the Windows Server 2003 family is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site when this check is needed by an application. Specifically, if the application is presented with a certificate issued by a certification authority that is not directly trusted, the Update Root Certificates component (if present) will contact the Microsoft Windows Update Web site to see if Microsoft has added the certification authority to its list of trusted authorities. If the certification authority has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the trusted certificate store on the computer. Note that the Update Root Certificates component is optional, that is, it can be removed or excluded from installation on a computer running a product in the Windows Server 2003 family.
Overview: Using Certificate Components in a Managed Environment
In an organization where servers run products in the Windows Server 2003 family, you have a variety of options in the way certificates are handled. For example, you can establish a trusted root authority, also known as a root certification authority, inside your organization. The first step in establishing a trusted root authority is to install the Certificate Services component. Another step that might be appropriate is to configure the publication of certificate revocation information to the Active Directory® directory service. When implementing public key infrastructure, we recommend that you also learn about Group Policy as it applies to certificates. Procedures for these steps are provided in the resources listed at the end of this subsection.
When you configure a certification authority inside your organization, the certificates it issues can specify a location of your choosing for retrieval of additional evidence for validation. That location can be a Web server or a directory within your organization. Because it is beyond the scope of this white paper to provide full details about working with certification authorities, root certificates, certificate revocation, and other aspects of public key infrastructure, this section provides a list of conceptual information and a list of resources to help you learn about certificates.
Some of the concepts to study when learning about certificates include:
Certificates and the X.509 V3 standard (the most widely used standard for defining digital certificates)
Standard protocols that relate to certificates, for example, Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Secure Multipurpose Internet Mail Extensions (S/MIME)
Encryption keys and how they are generated
Certification authorities, including the concept of a certification authority hierarchy and the concept of an offline root certification authority
Ways that Active Directory and Group Policy can work with certificates
The following list of resources can help you as you plan or modify your implementation of certificates and public key infrastructure:
Help for products in the Windows Server 2003 family.
You can view Help for products in the Windows Server 2003 family on the Web at:
The Microsoft Windows Server 2003 Deployment Kit and the Microsoft Windows Server 2003 Technical Reference.
You can view links on the Windows Deployment and Resource Kits Web site at:
"Troubleshooting Certificate Status and Revocation," a white paper on the Microsoft TechNet Web site at:
Links to information about public key infrastructure for Windows Server 2003 on the Microsoft Web site at:
How Update Root Certificates Communicates with Sites on the Internet
This subsection focuses on how the Update Root Certificates component communicates with sites on the Internet. The previous subsection, "Overview: Using Certificate Components in a Managed Environment," provides references for the configuration choices that control the way other certificate components communicate with sites on the Internet.
If the Update Root Certificates component is installed on a server, and an application is presented with a certificate issued by a root authority that is not directly trusted, the Update Root Certificates component communicates across the Internet as follows:
Specific information sent or received: Update Root Certificates sends a request to the Windows Update Web site, asking for the current list of root certification authorities in the Microsoft Root Certificate Program. If the untrusted certificate is named in the list, Update Root Certificates obtains that certificate from Windows Update and places it in the trusted certificate store on the server. No user authentication or unique user identification is used in this exchange.
The Windows Update Web site is located at:
Default setting and ability to disable: Update Root Certificates is installed by default with products in the Windows Server 2003 family. You can remove or exclude this component from installation on a server.
Trigger and user notification: Update Root Certificates is triggered when the server is presented with a certificate issued by a root authority that is not directly trusted. There is no user notification.
Logging: Events containing information such as the following will be logged:
Event ID: 7
Description: Successful auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site
Event ID: 8
Description: Failed auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site with error: hexadecimal_error_value
Encryption, privacy, and storage: When requests or certificates are sent to or from Update Root Certificates, no encryption is used. Information about Update Root Certificates activity is not stored on any server at Microsoft.
Transmission protocol and port: The transmission protocol is HTTP and the port is 80.
Controlling the Update Root Certificates Component to Prevent the Flow of Information to and from the Internet
If you want to prevent the Update Root Certificates component in the Windows Server 2003 family from communicating automatically with the Windows Update Web site, you can remove or exclude this component from installation on servers. You can do this during deployment by using standard methods for unattended installation or remote installation, as described in Appendix A: Resources for Learning About Automated Installation and Deployment (Windows Server 2003). If you are using an answer file, the entry is as follows:
[Components] Rootautoupdate = Off
How removing or excluding Update Root Certificates from servers can affect applications
If a server is presented with a certificate issued by a root authority that is not directly trusted, and the Update Root Certificates component is not installed on that server, you (or your application) will be prevented from completing the action that required authentication. For example, you might be prevented from installing software, viewing an encrypted or digitally signed e-mail message, or using a browser to engage in an SSL session.
If you choose to remove or exclude Update Root Certificates from servers, consider providing instructions that tell administrators what to do if they receive untrusted certificates.
Procedures for Excluding or Removing the Update Root Certificates Component from an Individual Computer
The following procedures describe:
How to use Control Panel to remove the Update Root Certificates component from an individual computer running a product in the Windows Server 2003 family.
How to exclude the Update Root Certificates component during unattended installation of a product in the Windows Server 2003 family by using an answer file.
To remove the Update Root Certificates component from an individual computer running a product in the Windows Server 2003 family
Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.
Double-click Add or Remove Programs.
Click Add or Remove Windows Components (on the left).
Scroll down the list of components to Update Root Certificates, and make sure the check box for that component is cleared.
Follow the instructions to complete the Windows Components Wizard.
To exclude the Update Root Certificates component during unattended installation by using an answer file
Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment (Windows Server 2003).
In the [Components] section of the answer file, include the following entry:
Rootautoupdate = Off