Performing Manual Enrollment

Wed, 29 Jun 2011 14:45:46 | Certificate Security

The sections that follow detail the procedures for requesting certificates from a Windows Server 2003 CA. A Certificate Services installation includes the Certificate Services Web Enrollment pages. The Web pages are only accessible if Internet Information Services (IIS) 6.0 is also installed at the CA.

Note The IIS 6.0 installation must enable Active Server Pages (ASP) for Certificate Services Web Enrollment pages installation.

Note If you did not install IIS 6.0 before you install Certificate Services, you must install IIS 6.0 and then type certutil -vroot at a command prompt to create the required virtual roots and file shares required by the Certificate Services Web Enrollment pages.

Requesting a Certificate

Use the following procedure to request a certificate from the Certificate Services Web Enrollment pages:

1. Open Internet Explorer.

2. In Internet Explorer, open the URL http://CertServerDNS/certsrv (where CertServerDNS is the Domain Name System [DNS] name of the Windows Server 2003 CA).

Note The Certificate Server's DNS name should be added to the Local intranet site at all computers. If the Web site is not added to the Local intranet site, users are prompted for their user name and password. The process of adding the DNS name to the Local intranet site is described in Chapter 15, "Smart Card Deployment."

3. On the Welcome page, click the Request a certificate link.

4. On the Request a Certificate page, click the Advanced Certificate Request link.

Note This page only appears if the User certificate template is published at the CA. If the User certificate template is not published, step 4 does not occur.

5. On the Advanced Certificate Request page, click the Create and Submit a Request to this CA link.

6. On the Advanced Certificate Request page (see Figure 12-2), you can define the following options for the certificate request:

•5 Microsoft Certificate Services - Microsoft Internet Explorer

■ _ |n|x|

File Edit View Favorites Tools Help

ir

1 Microsoft Certificate Services - Komar Consulting Issuing CA

home E£1

Advanced Certificate Request

1 Certificate Template:

User jJ

Key Options:

(* Create new key set f** Use existing key set

CSP:

Microsoft Enhanced Cryptographic Provider vl.O

Key Usage:

® Exchange

Key Size:

1VOA ¡J ": ^J ffioninai BW8 KS: S1Z 1IEi 2D4S 4!B6 81921S3Bi)

f* Automatic key container name User specified key container name

Mark keys as exportable

D Export keys to file

I- Enable strong private key protection

Store certificate in the local computer certificate store

Stores the certificate in the focal computer store

instead of in the user's certificate store. Does not

install the root CA's certificate. You must be an

administrator to generate or use a key in the iocal

machine store.

Additional Options

Request Format:

CMC C PKCS1Q

Hash Algorithm: |

| SHA-1 zl

Only used to sign request

I- Save request to a file

J

Attributes:

J

Friendly Name:

User

| i Submit > j|

d

Figure 12-2 The Advanced Certificate Request page

Figure 12-2 The Advanced Certificate Request page

■ Certificate template drop-down list. Lists the certificate templates for which the user is assigned Read and Enroll permissions.

■ Key set. Allows you to choose between generating a new key set or using the existing key set.

■ CSP drop-down list. Allows you to select a CSP installed on the client computer to use for the certificate request.

■ Key size. The length of the key pair generated for the certificate request.

■ Container name. The key container where the certificate's key pair is stored.

■ Export options. Allows you to request that the certificate's private key be exportable.

■ Strong key protection. Requires a password each time the certificate's private key is accessed.

■ Store certificate in the local computer store. Enable this option for computer certificates only, not for user certificates.

■ Request format. You can choose between Certificate Management Message over Cryptographic Message Syntax (CMC) or Public Key Cryptography Standards (PKCS) #10 request formats. CMC is required for digitally signed requests and key archival requests.

■ Friendly name. A logical name assigned to the certificate. This name is not part of the certificate. Rather, it is the logical display name when the certificate is viewed with Microsoft tools that can be changed without invalidating the signature applied to the certificate.

7. Once all options are defined, click Submit on the Advanced Certificate Request page.

8. In the Potential Scripting Violation dialog box, allow the Web site to request a certificate on your behalf by clicking Yes.

9. On the Certificate Issued page, click the Install this Certificate link.

10. In the Potential Scripting Violation dialog box, accept that the Web site is adding a certificate to your computer by clicking Yes.

11. Ensure that the Certificate Installed page appears, indicating that the certificate has installed successfully.

12. Close Internet Explorer.

Note The default values shown on the Advanced Certificate Request page are based on the values defined in the certificate template.

Note Microsoft Knowledge Base Article "Flaw in Certificate Enrollment Control May Cause Digital Certificates to Be Deleted" describes the MS02-048 security update, which introduced the Potential Scripting Violation dialog box. This dialog box warns the user anytime a certificate request is submitted to a CA or a CA-issued certificate is installed in the user's store.

Retrieving a Pending Certificate Request

If the the CA Certificate Manager Approval option in the certificate template is enabled on the Issuance Requirements tab, the certificate request becomes pending until a certificate manager performs requestor validation. Once the certificate man ager verifies identity and issues the certificate, you can complete certificate installation as follows:

1. Open Internet Explorer at the same computer where the original request was submitted.

2. In Internet Explorer, open the URL http://CertServerDNS/certsrv (where CertServerDNS is the DNS name of the Windows Server 2003 CA).

3. On the Welcome page, click the View the Status of a Pending Certificate Request link.

4. On the View the Status of a Pending Certificate Request page, click the link for the pending certificate.

Note The computer where the certificate request is performed must have cookies enabled. If cookies are not enabled, the View the Status of a Pending Certificate Request page does not show any entries.

5. On the Certificate Issued page, click the Install this Certificate link.

6. In the Potential Scripting Violation dialog box, accept that the Web site is adding a certificate to your computer by clicking Yes.

7. Ensure that the Certificate Installed page appears, indicating that the certificate has installed successfully.

8. Close Internet Explorer.

Note If cookies are disabled in Internet Explorer, you cannot retrieve a pending certificate request.

Submitting a Certificate Request from Network Devices

In some cases, the certificate request is generated at a network device or in another operating system, such as Linux. In these cases, the certificate request is commonly generated in a PKCS #10 format. Certificate Services Web Enrollment pages provide a facility to submit the PKCS #10 certificate request and issue a certificate based on the subject information and public key in the request.

Use the following procedure to request a certificate with a PKCS #10 file created by a network device or alternate operating system.

1. Open Internet Explorer.

2. In Internet Explorer, open the URL http://CertServerDNS/certsrv (where CertServerDNS is the DNS name of the Windows Server 2003 CA).

3. In the Welcome page, click the Request a Certificate link.

4. On the Request a Certificate page, click the Advanced Certificate Request link.

5. On the Advanced Certificate Request page, click the Submit A Certificate Request By Using A Base-64-Encoded CMC Or PKCS #10 File, Or Submit A Renewal Request By Using A Base-64-Encoded PKCS #7 File link.

Reviewing the Certificate Request

A certificate manager should not accept any PKCS #10 request file without first reviewing the certificate request's contents. The certutil command allows you to review the contents by running certutil -dump request.req (where request.req is the name of the PKCS #10 request file).

402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version PKCS10 Certificate Request: Version: 1 Subject:

CN=Andy Ruth

Public Key Algorithm:

Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA Algorithm Parameters: 05 00

Public Key Length: 1024 bits Public Key: UnusedBits = 0

0000

30

81

89

02

81

81

00

bc

d6

cc

13

34

21

1e

c9

dd

0010

8 4

84

92

5b

bf

7b

4e

1b

87

f8

3a

8e

9e

23

6c

ce

0020

5f

01

c5

3b

4a

01

5f

b2

bb

67

3a

67

5f

d7

76

15

0030

78

f4

d8

f1

ba

3a

b3

ab

56

69

bd

e3

0d

39

22

f7

0040

a4

18

96

61

c2

ee

12

b4

63

ba

ee

04

cf

ad

fe

d4

0050

08

5e

95

51

44

3d

76

38

5c

00

77

c6

0e

7d

7b

dd

0060

96

58

70

f 8

82

51

95

9b

75

be

45

a0

ea

d3

a8

0a

0070

52

5c

97

8e

a4

c4

8 4

1a

4f

0f

bd

f9

20

a2

70

de

0080

2f

a9

22

6e

a7

58

a5

02

03

01

00

01

4 attributes:

Request Attributes: 4

4 attributes:

Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version) Value[0][0]: 5.1.2600.2

Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information) Value[1][0]: Unknown Attribute type Client Id: = 1 XECI_XENROLL -- 1 User:

Machine: London.corp.microsoft.com Process: cscript

Attribute[2]: 1.2.840.113549.1.9.14 (Certificate Extensions) Value[2][0]: Unknown Attribute type Certificate Extensions: 5

2.5.29.15: Flags = 1(Critical), Length = 4 Key Usage

Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)

1.2.840.113549.1.9.15: Flags = 0, Length = 37 SMIME Capabilities

[1]SMIME Capability

Object ID=1.2.840.113549.3.2 Parameters=02 02 00 80

[2]SMIME Capability

Object ID=1.2.840.113549.3.4 Parameters=02 02 00 80

[3]SMIME Capability Object ID=1.3.14.3.2.7

[4]SMIME Capability

Object ID=1.2.840.113549.3.7

2.5.29.14: Flags = 0, Length = 16 Subject Key Identifier

7c 4e b0 7b ca b7 c1 66 a8 b5 c2 15 83 84 f2 7d a1 eb 43 ac

2.5.29.37: Flags = 0, Length = c Enhanced Key Usage

Client Authentication (1.3.6.1.5.5.7.3.2)

1.3.6.1.4.1.311.20.2: Flags = 0, Length = 16 Certificate Template Name ClientAuth

Attribute[3]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP) Value[3][0]: Unknown Attribute type CSP Provider Info KeySpec = 1

Provider = Microsoft Enhanced Cryptographic Provider v1.0 Signature: UnusedBits=0

0000

9f

8 f

46

13

93

4c

a4

79

bb

10

82

53

70

12

b9

8f

0010

48

05

8b

76

07

c8

8c

d1

db

78

71

e3

44

c3

a3

2b

0020

c5

43

01

6d

15

1b

c2

d3

aa

29

3f

f5

3c

43

8a

fa

0030

e1

2d

6a

71

da

26

ff

97

a7

58

59

73

d8

db

8d

53

0040

e7

25

3a

bf

21

16

d5

1b

1c

bc

f7

1e

83

de

3e

92

0050

0a

f0

70

d0

b5

9a

11

79

44

7f

d6

aa

4d

70

4d

cd

0060

25

83

9f

3a

3c

59

30

03

d0

05

24

1b

19

74

5e

24

0070

76

7e

76

f 8

cb

39

14

8 4

66

19

84

45

d8

08

b0

0d

0080

00

00

00

00

00

00

00

00

Signature Algorithm:

Algor Algor 05 00 Signature ithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA ithm Parameters:

31 84 ff 5d e4 0f 32 69 27 ca e4 fb 6a 34 f9 9c 0010 53 6e ac d0 80 98 19 ba d6 55 8f 9f 7b dd 2c 0e 0020 32 a6 cc 18 0e 34 2f a3 dc 11 49 e3 54 69 08 ad

0030 fa 15 8e 52 7b 16 b4 ad 98 bc 4f 0d 00 7a 20 29 0040 a8 ac e2 c6 48 d6 c7 e7 dd 77 9a 0b 37 f9 ef 77 0050 09 b1 28 01 f6 a1 40 12 2e a8 98 9d 16 b9 99 ff 0060 8b b3 59 0d ac 50 ca 8a 1f d5 8c 38 ac 92 a8 71 0070 28 f0 34 07 dc fb d2 68 4e ee d7 fc 5a 34 9b 11 Signature matches Public Key

Key Id Hash(sha1): 7c 4e b0 7b ca b7 c1 66 a8 b5 c2 15 83 84 f2 7d a1 eb 43 ac

CertUtil: -dump command completed successfully.

Before submitting the PKCS #10 request file to the CA, ensure that the subject information is correct, the correct key length and certificate template are selected, and the signature matches the public key. If these conditions are met, you can submit the certificate request to the CA.

6. On the Submit a Certificate Request or Renewal Request page, right-click the Saved Request box and click Paste. (See Figure 12-3.) Ensure that the Certificate Template drop-down list is set to the required certificate template and click Submit.

Figure 12-3 Submitting a PKCS #10 certificate request file

Note If the certificate is for a Secure Sockets Layer (SSL) accelerator or a third-party Web server, choose the Web Server certificate template.

If the certificate request is generated by a Cisco virtual private network (VPN) client, choose the User certificate template.

7. On the Certificate Issued page, select Base-64 encoded or DER encoded and click the Download Certificate or Download Certificate Chain link.

8. In the File Download dialog box, click Save.

9. In the Save As dialog box, select a folder and file name for the certificate and click Save.

10. Close Internet Explorer.

The issued certificate now must be installed on the network device or on the other operating system. The process to select depends on the network device or operating system where the PKCS #10 request file was generated.

0 -2

Average user rating: 1 stars out of 2 votes

« 
 »

Related posts

Post a comment

  • Receive news updates via email from this site