Longhorn Server PKI

In many organizations, public key infrastructure (PKI) services (i.e., certificate services) are commonly used IT infrastructure building blocks. The certificate services bundled in Windows server OSs can generate a wide range of X.509-formatted digital certificates without incurring additional licensing costs. Organizations can use these certificates to secure mission-critical applications such as email exchanges, Web communications, administrators' and users' Windows logon processes, and code signing of inhouse-developed code.

In Windows Longhorn Server, the next version of the server OS that's due for release sometime in 2007, Microsoft includes the newest version of its enterprise PKI software. In this article I highlight the most important Longhorn Server PKI enhancements and explain how organizations can use these features to their advantage. Longhorn Server's PKI has the most features of any Windows PKI version so far. In addition, Microsoft made installing Windows Certificate Services easier than ever in Longhorn Server.

Longhorn PKI Components
When you install Longhorn Server's Certificate Services, you'll immediately notice that Control Panel no longer includes an Add or Remove Programs applet. You can use Longhorn Server's Add Roles Wizard to install Certificate Services. This wizard is accessible from the Initial Configuration Tasks screen, which opens after you first log on to a freshly installed system, and the Server Manager screen, which you can use at any time to configure server settings. Longhorn Server's PKI functionality is referred to as Active Directory Certificate Server in the Add Roles Wizard, as Web Figure 1 (http://www.windowsitpro.com, InstantDoc ID 95172), shows. Longhorn Server's Server Manager also includes a wizard to remove Certificate Services, called the Remove Roles Wizard.

The new Server Manager and its associated wizards are the results of Microsoft's engineering efforts to make Windows a more componentized OS. When you install the Active Directory (AD) Certificate Server role, you'll notice that it comprises four optional subcomponents: the Certification Authority, Certificate Authority Web Enrollment, Simple Certificate Enrollment Protocol (SCEP), and Online Certificate Status Protocol (OCSP) components. Microsoft also refers to these subcomponents as role services.

The first two components (i.e., Certification Authority and Certificate Authority Web Enrollment) were also available in previous versions of Windows Certificate Services. The Certification Authority is Microsoft's certificate and revocation list-generation engine; the Certificate Authority Web Enrollment is a set of Web pages that lets users use a Web interface to enroll for certificates. The SCEP component was previously included in both the Windows 2000 Server and Windows Server 2003 resource kits. The SCEP allows network devices such as routers and switches to easily enroll for certificates on a Windows Certification Authority (CA). The OCSP component provides a new service that wasn't available in previous Windows versions. Certificate users and applications can use the OCSP component to obtain real-time certificate status information (e.g., whether a certificate is still valid or has been revoked). Microsoft acquired a company named Alacris to obtain the OCSP logic. The Longhorn Server OCSP implementation is compliant with Request for Comments (RFC) 2560. OCSP client-server communications leverage HTTP and port 80 and don't require additional open network ports.

Server Manager's straightforward user interface and improved error and warning logic help ease the installation, configuration, and removal of Windows components. For example, when you install the Certificate Authority Web Enrollment component, if the Microsoft IIS Web server isn't already present on the local machine, the wizard prompts you to also install the IIS Web server role. Previously, administrators needed to ensure that IIS was successfully installed before installing the Certificate Authority Web Enrollment component.

Server Manager also reduces the number of required installation steps. A good example of this improvement is the Microsoft SCEP component installation. In previous Windows versions, you could add SCEP support after the Certificate Services installation by installing the SCEP services that were included in the resource kit. In Longhorn Server you can use one wizard to install the Certificate Services and SCEP support. In addition, the SCEP logic is bundled with Longhorn Server. To reduce support costs and ease Windows administrators' lives, Microsoft included most of the utilities that were previously in the resource kit. Get used to the idea: Longhorn Server has no resource kit!

Another important change that you need to be aware of when you plan to install Longhorn Server's Certificate Services is that not all PKI features are available in Longhorn Server Standard Edition. Only the certificate services that are bundled with Longhorn Server Enterprise Edition are feature-full. Table 1, provides an overview of the PKI feature set differences between these two Longhorn Server editions. Longhorn Server Standard Edition's PKI is adequate for organizations with few certificate needs (e.g., organizations that need only Secure Sockets Layer—SSL—server certificates), but organizations that use certificates to secure important mission-critical data and that have many PKI-enabled applications need the Longhorn Server Enterprise Edition PKI.

PKI Management Enhancements
A long-awaited PKI management feature is the addition of CA-specific performance counters. These counters are particularly useful for monitoring and managing Windows CAs. For example, you can use the performance counters to create reports on overall CA performance (e.g., number of failed requests, average certificate request processing time). ISPs or organizations might need such reports to illustrate their conformance with service level agreements (SLAs).

In Longhorn Server, administrators can use new counters in the revamped Reliability and Performance Monitor to monitor their CAs' performance. If Certificate Services is installed correctly, Longhorn Server Performance Monitor includes the following PKI-relevant performance counter groups: Certification Authority, Certification Authority Connections, Database, Database Instances, and Database TableClasses. If the OCSP service is installed, the OCSP Server and OCSP Server Connections counters are included.

A solution that provides additional tools to manage Windows Certificate Services is the Microsoft Operations Manager (MOM) management pack for the CA and OCSP services. Microsoft plans to release this management pack to coincide with Longhorn Server's release.

Longhorn Server Certificate Services also includes additional administrative delegation capabilities. Longhorn Server offers more granular control for delegating the PKI enrollment agent and certificate manager roles. In Windows Certificate Services an enrollment agent is an account that lets a user enroll for certificates on other users' behalves. A Windows CA administrator can assign a user the right to enroll for certificates on behalf of other users by issuing the user a special enrollment agent certificate. An example of when you'd use enrollment agents is if you wanted to allow an HR employee to preload users' smart card logon certificates on the users' smart cards. Previous Windows PKI versions don't let you control on which users' behalves an enrollment agent can enroll for a certificate, nor can you control the types of certificates (e.g., mail encryption, Web authentication) an enrollment agent can enroll for on other users' behalves. Longhorn Server's CA Properties lets you set both restrictions from the Enrollment Agents tab, which Figure 1 shows.

Longhorn Server includes a similar capability for certificate managers. Certificate managers are accounts that can approve or deny user certificate requests, as well as revoke certificates. A Windows CA administrator can assign a user the certificate manager role by giving the user the Issue and Manage Certificates permission in the CA Properties security settings. In Win2K and Windows 2003, PKI CA administrators can control which users or groups a Windows account can issue and manage certificates for. The Longhorn Server PKI adds the capability to control certificate issuance and management for a particular certificate manager based on the certificate type. For example, in Longhorn Server the CA administrator can restrict a certificate manager to issue and manage the Web authentication certificates for only those users who belong to the AD Sales group. You use Longhorn Server's CA Properties Certificate Managers tab to control certificate manager delegation.

Another useful addition to a CA administrator's toolset is the Microsoft Management Console (MMC) Enterprise PKI snap-in (PKIview.msc), which Figure 2 shows. In Windows 2003, the resource kit includes the Enterprise PKI viewer, which you must install separately. Longhorn Server includes this tool by default. CA administrators can use this snap-in to easily check the health status of all the CAs integrated with their AD environment. From the Enterprise PKI viewer you can check the validity and currentness of CA certificates, certificate revocation lists (CRLs—blacklists that contain the serial numbers of bad or revoked certificates), CRL distribution points (CDPs—locations from which PKI clients can download the latest CRLs), and Authority Information Access (AIA—locations from which PKI clients can download CA certificates).

Cryptographic Changes
Windows Certificates Services closely interacts with the OS's cryptographic engines. At the heart of Windows Vista's (the new Microsoft client OS) and Longhorn Server's cryptographic operations is a new cryptographic API, called Cryptography API: Next Generation (CNG). Microsoft will eventually use this new API to replace the current Cryptography API (CAPI), but in Vista and Longhorn Server the old and new APIs coexist—primarily for compatibility with legacy applications. The new CNG architecture is more modular and lets organizations easily add their proper cryptographic libraries (e.g., custom public key cryptographic libraries) to the Windows OS. For more information about the CNG architecture, go to Microsoft's CNG Web site (http://msdn2.microsoft.com/en-us/library/aa376210.aspx).

Thanks to CNG, Longhorn Server's Certificate Services supports state-of-the-art asymmetric ciphers such as the Elliptic Curve Digital Signature Algorithm (ECDSA) and hashing algorithms such as the Secure Hash Algorithm (SHA)-256. These ciphers are referred to in the industry as Suite B algorithms. Longhorn Server's Certificate Services can leverage Suite B algorithms to generate certificates and to secure the archival of private keys that are in the CA database. For more information about these algorithms, go to the National Security Agency's (NSA's) Suite B Cryptography Web site (http://www.nsa.gov/ia/industry/crypto_suite_b.cfm).

To enable issuance of certificates that leverage Suite B algorithms, Longhorn Server's PKI includes additions to the certificate template properties. Certificate templates are blueprints of the different certificate types that an AD-integrated CA (aka enterprise CA) can issue. You can use the MMC Certificate Templates snap-in to manage certificate templates. The templates and their properties are stored in AD. Longhorn Server's extended certificate templates are referred to as version 3 (V3) templates. The new template properties are on the Cryptography and Request Handling tabs in a V3 certificate template's properties. Only Longhorn Server CAs can issue certificates that are based on V3 templates, and only Vista client computers and Longhorn Server computers can enroll for certificates that are based on V3 templates. V3 templates aren't available in the Certificate Authority Web Enrollment interface.

Vista and Longhorn Server also include a new common smart card Cryptographic Service Provider (CSP) that various smart card vendors' smart card subsystems can leverage. CSPs are cryptographic libraries that you can plug into the CAPI to let the Windows platform and its applications perform different types of cryptographic operations. The new common smart card CSP lets smart card vendors quickly and easily plug their smart card software into the Windows OS. But not just developers benefit from this technology; users and administrators will experience improved smart card Plug and Play (PnP) support.

Another smart card–related change that users and administrators can take advantage of in Vista and Longhorn Server is the expanded application support. For example, in Vista and Longhorn Server the Encrypting File System (EFS) can leverage smart cards to securely store a user's EFS private key. The EFS is an NTFS-based file encryption mechanism that Microsoft first introduced in Win2K. For more information about EFS in Vista and Longhorn Server, see "Vista and Longhorn Promise Enticing EFS Enhancements," November 2006, InstantDoc ID 93498.

Fundamental Changes
Although Microsoft made fewer and less visible changes to Certificates Services in Longhorn Server than in Windows 2003, these changes are no less interesting or important. For example, the new cryptographic architecture (i.e., CNG) lets Windows Certificate Services support state-of-the-art cryptography and lets organizations embed their proper cryptographic libraries. Longhorn Server Certificate Services also includes significant management enhancements. Although Microsoft doesn't plan to support upgrades from a Win2K or Windows NT 4.0 PKI, the company will support Windows 2003 PKI to Longhorn Server PKI upgrades. The benefits of Longhorn Server's improved PKI will make the upgrade well worth the effort for many organizations.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.