Third party certification authority key/certificate management in Windows
-
Wednesday, November 21, 2012 3:19 PM
Hello,
I would like to ask some questions regarding managing user and webserver certificates and key pairs that are issued from a trusted third party certification authority. If a PKI infrastructure using an enterprise CA was deployed in the organization, we could issue/revoke/archive/backup certificates and be able to use the CA database for recovery. Is it possible to centrally store and manage (backup/archive) certificates that are issued from a third party certification authority using Windows utilities? AD is Windows2008R2.
I also understand that we can use the Certificates MMC snap-in to manage certificates, but I would be grateful if someone clarified where certificates and keys are located.
Finally, as we plan to use a PKI infrastructure with Exchange Server 2010 for mail encryption/signing, I would like some information on how this can be implemented using user certificates issued by a third party CA.
Thank you in advance.
- Changed Type by K_evin Zhu (Microsoft Contingent Staff, Moderator) Tuesday, November 27, 2012 3:29 AM
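The question above asks where certificates and keys live and whether third-party-issued ones can be backed up with built-in Windows tooling. The following script is an added example (not code from this thread or from any poster): it walks the two local stores where Windows keeps end-entity certificates, skips anything issued by an in-house enterprise CA, and writes the public certificate plus, where the key was enrolled as exportable, a password-protected PFX to a backup folder. It assumes PowerShell 3.0 or later on a domain-joined client; the enterprise CA name pattern and the backup path are placeholders.

```powershell
# Added example: inventory the local certificate stores and back up third-party-issued certificates.
# Assumes PowerShell 3.0+; $EnterpriseCaPattern and $BackupRoot are placeholders to adjust.

$EnterpriseCaPattern = 'CN=Contoso-Enterprise-CA*'   # placeholder: issuer name of your own enterprise CA, '' if none
$BackupRoot          = 'C:\CertBackup'               # placeholder: will hold PFX files, restrict it with NTFS ACLs
$PfxPassword         = Read-Host -Prompt 'Password to protect exported PFX files' -AsSecureString

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Windows keeps end-entity certificates in the user's profile store and in the machine store.
# The private keys sit next to them in CAPI/CNG key containers, not inside the certificate itself.
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

$report = foreach ($store in $stores) {
    foreach ($cert in (Get-ChildItem -Path $store)) {
        # Certificates from our own enterprise CA are recoverable from the CA database; skip them.
        if ($EnterpriseCaPattern -and $cert.Issuer -like $EnterpriseCaPattern) { continue }

        $base   = Join-Path $BackupRoot $cert.Thumbprint
        $status = 'public cert only'

        # The public certificate (DER) can always be exported.
        [IO.File]::WriteAllBytes("${base}.cer", $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))

        if ($cert.HasPrivateKey) {
            try {
                # PKCS#12 carries the private key; Export throws if the key was marked non-exportable at enrolment.
                $pfx = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $PfxPassword)
                [IO.File]::WriteAllBytes("${base}.pfx", $pfx)
                $status = 'cert + private key'
            } catch {
                $status = 'private key not exportable'
            }
        }

        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Backup     = $status
        }
    }
}

$report | Format-Table -AutoSize
```

Run it elevated if you want the machine store's private keys; a non-administrator only sees the user profile store's keys. The "private key not exportable" rows are the ones a later backup cannot recover, which is the point Hasain makes below about keys being archivable only at request time.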
All Replies
-
Thursday, November 22, 2012 10:00 AM
User and computer certificates and related keys are primarily stored locally in each user profile and in each machine store. Private keys can be backed up to a CA at the time of request but not after that!
You can configure AD to roam user certificates and keys regardless of who issued the certificate. This will give you a good recovery method if the local profile is corrupted or a certificate is deleted locally by the user. Read more on Credentials Roaming: http://technet.microsoft.com/en-us/library/cc773373(v=ws.10).aspx
Regarding mail encryption/signing, you need:
- A certificate that supports S/MIME capabilities and includes your user's email address
- The third party CA must be trusted by all clients
- The user certificate needs to be published to user's AD object to be available for other users through the global address list in AD
/Hasain
- Marked As Answer by K_evin Zhu (Microsoft Contingent Staff, Moderator) Tuesday, November 27, 2012 3:29 AM
- Unmarked As Answer by nikolas85 Friday, November 30, 2012 9:39 AM
- Marked As Answer by nikolas85 Friday, November 30, 2012 9:40 AM
- Unmarked As Answer by nikolas85 Friday, November 30, 2012 9:51 AM
- Marked As Answer by nikolas85 Friday, November 30, 2012 9:57 AM
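The three requirements in the reply above (S/MIME-capable certificate carrying the user's address, a CA trusted by all clients, and the certificate published to AD) can be checked before a certificate is handed to Outlook. The function below is an added example, not code from this thread: it inspects a certificate object for the Secure Email EKU, an rfc822Name or E= address matching the mailbox, the key usages that signing and encryption need, and whether the third-party chain builds to a trusted root with online revocation checking. It assumes PowerShell 3.0 or later; the mailbox address in the usage line is a placeholder.

```powershell
# Added example: verify that a certificate meets the S/MIME requirements listed above.
function Test-SmimeCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory=$true)]
        [string]$ExpectedEmail
    )

    # 1. Enhanced Key Usage must include Secure Email (id-kp-emailProtection, 1.3.6.1.5.5.7.3.4).
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasSmimeEku = $false
    if ($ekuExt) {
        $hasSmimeEku = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' })
    }

    # 2. The user's address must be in the certificate: rfc822Name in the SAN extension or E= in the subject.
    $emails = @()
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format($true) renders the SAN through CryptoAPI as lines such as "RFC822 Name=alice@example.com".
        $emails += @([regex]::Matches($sanExt.Format($true), 'RFC822 Name=([^\s,]+)') |
                     ForEach-Object { $_.Groups[1].Value })
    }
    if ($Certificate.Subject -match '(^|,\s*)E=([^,]+)') { $emails += $Matches[2].Trim() }
    $emailMatches = [bool]($emails | Where-Object { $_ -ieq $ExpectedEmail })

    # 3. Key usage: signing needs digitalSignature; recipients encrypting to this key need keyEncipherment.
    $kuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $canSign = $canEncrypt = $true   # an absent Key Usage extension imposes no restriction
    if ($kuExt) {
        $flags      = [Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        $canSign    = ($kuExt.KeyUsages -band $flags::DigitalSignature) -ne 0
        $canEncrypt = ($kuExt.KeyUsages -band $flags::KeyEncipherment) -ne 0
    }

    # 4. The third-party CA must chain to a root this client trusts; check revocation online as Outlook would.
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk     = $chain.Build($Certificate)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Issuer         = $Certificate.Issuer
        SecureEmailEku = $hasSmimeEku
        EmailsInCert   = ($emails -join ';')
        EmailMatches   = $emailMatches
        CanSign        = $canSign
        CanEncrypt     = $canEncrypt
        HasPrivateKey  = $Certificate.HasPrivateKey
        ChainTrusted   = $chainOk
        ChainErrors    = ($chainErrors -join '; ')
        Expires        = $Certificate.NotAfter
        ReadyForSmime  = ($hasSmimeEku -and $emailMatches -and $chainOk -and $Certificate.HasPrivateKey)
    }
}

# Usage (placeholder address): check every certificate in the logged-on user's personal store.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmimeCertificate -Certificate $_ -ExpectedEmail 'alice@example.com' } |
    Format-List
```

A `ChainTrusted` of False with a "not trusted" status in `ChainErrors` is the symptom of the second requirement not being met on that client: the third-party root (or an intermediate) has not been distributed, typically via Group Policy, to the machines that will verify signatures.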
-
Friday, November 30, 2012 9:57 AM
Dear Hasain,
Thank you for your answer, it was really helpful! I am sorry for my late reply; I was busy with other tasks. Although I read various documents regarding Credential Roaming implementation and troubleshooting, I still don’t understand how I can manage the certificates replicated on the AD. With credential roaming if there has been a modification of the certificates in the local store or the user object in Active Directory, the changes are either downloaded to the store or uploaded to Active Directory, however I do not understand where certificates are stored on the AD. Is there an interface/snap-in being created after credential roaming has been implemented to manage all certificates? (I remind you that we do not have an enterprise CA issuing certificates but a third party certification authority)
I have another question regarding your answer. What do you mean by saying “The user certificate needs to be published to user's AD object to be available for other users through the global address list in AD”? How can I do that? How can I publish a user certificate to the user’s AD object and what is the global address list in AD?
Thank you in advance
-
Tuesday, December 04, 2012 10:23 AM
Credential Roaming is a synchronization method that uses properties on the user's AD object to store information. To manage any certificates and keys you need to log on as that user on any domain member and all certificates and keys will be synchronized and available using the certificate management MMC snap-in.
The Global Address List (GAL), also known as the Microsoft Exchange Global Address Book, is a directory service within the Microsoft Exchange email system. The GAL contains information for all email users, distribution groups, and Exchange resources. The GAL uses information from objects in AD such as email addresses and users' certificates. You can either use the certmgr.msc MMC snap-in or Outlook to publish a user certificate used for secure e-mail to the GAL (AD).
Using the certificate MMC snap-in, look for the "Active Directory User Object" in the left navigation list!
/Hasain
- Marked As Answer by nikolas85 Monday, December 10, 2012 11:09 AM
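The "Active Directory User Object" node in certmgr.msc that the reply above points to is a view of the userCertificate attribute on the user's AD object, and publishing to it is what makes the certificate reachable through the GAL. The script below is an added example, not code from this thread: it publishes a certificate to that attribute with the ActiveDirectory module's `Set-ADUser -Certificates` parameter, refuses certificates that do not carry the mailbox address AD holds for the user, avoids duplicates on re-runs, and reads back what the user object now exposes. It assumes PowerShell 3.0 or later with the ActiveDirectory module (RSAT, or Windows Server 2008 R2 and later) and an account allowed to write the attribute; the user name and address are placeholders.

```powershell
# Added example: publish an S/MIME certificate to the user's AD object (userCertificate) and read it back.
Import-Module ActiveDirectory

function Publish-UserCertificateToAD {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Certificates, mail

    # Sanity check: the certificate must name the address AD holds for this user, otherwise other
    # users would pick an S/MIME certificate from the GAL that does not belong to that mailbox.
    $sanExt  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    if ($user.mail -and ("$($Certificate.Subject) $sanText" -notmatch [regex]::Escape($user.mail))) {
        throw "Certificate $($Certificate.Thumbprint) does not contain the address $($user.mail)"
    }

    # Compare by thumbprint so re-running the script does not add duplicates to the multi-valued attribute.
    $published = @($user.Certificates | ForEach-Object {
        (New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_).Thumbprint
    })
    if ($published -notcontains $Certificate.Thumbprint) {
        # -Certificates writes only the public certificate into userCertificate; the private key never leaves the client.
        Set-ADUser -Identity $SamAccountName -Certificates @{ Add = $Certificate }
    }

    # Read back what other clients (and the Exchange GAL) will now see on the user object.
    $after = Get-ADUser -Identity $SamAccountName -Properties Certificates
    [pscustomobject]@{
        User                 = $SamAccountName
        Mail                 = $user.mail
        PublishedThumbprints = (@($after.Certificates | ForEach-Object {
            (New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_).Thumbprint
        }) -join ', ')
    }
}

# Usage (placeholders): publish the S/MIME certificate found in the logged-on user's personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like '*alice@example.com*' } |
    Select-Object -First 1
Publish-UserCertificateToAD -SamAccountName 'alice' -Certificate $cert
```

Because the function takes any X509Certificate2, an administrator can also run it against a .cer file received from the third-party CA (`Get-PfxCertificate` or `New-Object X509Certificate2 'path\to\user.cer'`) without logging on as the user, which is one way around the per-user logon that Credential Roaming requires.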
-
Monday, December 10, 2012 11:09 AM
Dear Hasain,
Thank you for your answer, it was helpful and clarified things. I may use the Credential Roaming feature, although I was looking for a service allowing for centralized management of domain certificates issued by a third party certification authority. If I get it right, credential roaming does replicate the certificates on the Active Directory user objects but in order to manage those certificates an administrator needs to connect to a domain member using the user's credentials; that would be difficult in a large organization and does not seem to enable a central point of management for all domain certificates.
Thank you
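The concern in the last post is the lack of a central view over certificates that were issued outside the organization. Once certificates are published to user objects, AD itself can serve as that inventory. The script below is an added example, not code from this thread: it queries every enabled user, decodes the published certificates, flags those expiring soon, and notes whether the user has Credential Roaming data on the object. It assumes PowerShell 3.0 or later with the ActiveDirectory module; the attribute name msPKIRoamingTimeStamp is taken from the Credential Roaming schema extension (confirm it exists in your forest), and the CSV path is a placeholder.

```powershell
# Added example: domain-wide inventory of certificates published to user objects.
Import-Module ActiveDirectory

function Get-PublishedCertificateInventory {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$WarnDays = 30
    )
    # Certificates maps to userCertificate; msPKIRoamingTimeStamp is set once Credential Roaming has run for the user.
    # The roaming blobs themselves are DPAPI-protected, so only their presence is reported here.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                        -Properties Certificates, mail, msPKIRoamingTimeStamp

    foreach ($user in $users) {
        $hasRoamingData = $null -ne $user.msPKIRoamingTimeStamp

        if ($user.Certificates.Count -eq 0) {
            # Keep users without a published certificate in the report; they cannot receive encrypted mail yet.
            [pscustomobject]@{
                User = $user.SamAccountName; Mail = $user.mail; Subject = $null; Issuer = $null
                Thumbprint = $null; NotAfter = $null; DaysLeft = $null; ExpiringSoon = $false
                Roaming = $hasRoamingData
            }
            continue
        }

        foreach ($raw in $user.Certificates) {
            $cert     = New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $raw
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            [pscustomobject]@{
                User         = $user.SamAccountName
                Mail         = $user.mail
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
                DaysLeft     = $daysLeft
                ExpiringSoon = ($daysLeft -le $WarnDays)
                Roaming      = $hasRoamingData
            }
        }
    }
}

# Usage (placeholder path): renewals to chase first, then the full inventory for record keeping.
$inventory = Get-PublishedCertificateInventory -WarnDays 30
$inventory | Where-Object { $_.ExpiringSoon } | Sort-Object DaysLeft | Format-Table -AutoSize
$inventory | Export-Csv -Path 'C:\CertInventory.csv' -NoTypeInformation
```

This covers the public half of the problem (who has which certificate, from which CA, expiring when) from one place. Private keys are still only recoverable from the user's profile or from Credential Roaming at that user's next logon, so the inventory's `Roaming` column tells you which users have that safety net.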