MCTS Self-Paced Training Kit (Exam 70-653): Managing and Configuring Remote Access in Windows Small Business Server 2008
- 8/19/2009
Lesson 1: Managing Certificates
Having remote access to organization resources is great, but some Windows Small Business Server users will wonder whether it is secure. Small business owners tend to be frugal and expect a high return on their investment without having to spend additional money. Therefore, Windows SBS offers two types of certificates to secure remote access and communication: a self-issued certificate option, and the option to install a third-party certificate. Regardless of the choice, Windows SBS 2008 makes it easy to implement certificates on the network.
Estimated lesson time: 60 minutes
Understanding Certificates in Windows Small Business Server
Consider a certificate. It is issued by a certification authority (CA) and is an electronic credential that binds a public key to the identity of a subject (user, computer, service, or network device). A certificate is always used with a public and private key pair. When a public key certificate is requested (such as the self-issued certificate in Windows Small Business Server), a key pair is generated on the requesting computer and the CA signs a certificate that carries the public half of it:
A private key This key is known only to the key’s owner.
A public key This key is known by other entities on the network.
The public key is published or shared with others. Other users can retrieve the public key from the certificate and use it to encrypt data sent to the owner; data encrypted with the public key can be decrypted only with the private key. The relationship also works the other way: a signature made with the private key can be verified by anyone who holds the public key. That is how a client checks the CA's signature on a certificate, and how a server proves during an SSL handshake that it owns the certificate it presents.
In general, a certificate contains the following information:
Information about the issuing CA
Information about the subject that holds the private key matching the certificate's public key
The public key of the certificate
The validity period (the not-before and not-after dates) and, in the CRL distribution point extension, where a client can check whether the certificate has been revoked (the certificate itself cannot record that it has been revoked)
The algorithm the CA used to sign the certificate, and the CA's signature
During installation of Windows SBS 2008, the Active Directory Certificate Services (AD CS) role is installed automatically and a certification authority (CA) is created on the server.
AD CS creates, manages, and revokes X.509 certificates for applications such as Secure/Multipurpose Internet Mail Extensions (S/MIME) and Secure Sockets Layer (SSL). This service is required to create certificates.
The CA issues and manages the certificates. It accepts certificate requests, verifies the information according to the CA policy, and uses its own private key to apply its digital signature to the certificate. That private key is the root of trust for the whole network; every domain-joined computer will accept whatever it signs, so it must never leave the server.
For more information about how AD CS works, see “Active Directory Certificate Services” at Microsoft TechNet (http://technet.microsoft.com/en-us/library/cc534992.aspx).
Self-Issued Certificates
Every CA has a certificate of its own to confirm its identity. A root CA signs its own certificate, which clients hold as a trusted root certificate; a subordinate CA's certificate is issued by a parent CA above it. Windows SBS 2008 does not depend on an outside CA: during installation, a root certificate is self-issued using the internal domain name. The self-issued root certificate is stored in the server's certificate store, from where it is pushed out through Group Policy to the Trusted Root Certification Authorities store of all domain-joined client computers.
When you run the Internet Address Management Wizard, Windows SBS uses the public Internet domain name you configure there to create a leaf certificate signed by the self-issued root, as shown in Figure 5-1. The leaf certificate is also considered a self-issued certificate. It is bound to the Windows SBS 2008 Web sites in Internet Information Services (IIS) to secure communication and help protect remote access for the following components:
Remote Web Workplace (RWW)
Outlook Anywhere
Windows Mobile devices
Secure VPN (if configured)
Secure wireless (if configured)
Internet Protocol Security (IPSec; if configured)
The leaf certificate is valid for two years from the date of issue and uses a 1,024-bit key. At the end of two years, it is automatically renewed without affecting the users' connectivity to the server: the renewed leaf is signed by the same root, so clients that already trust the root keep working. A 1,024-bit RSA key was common in 2008 but is now below the 2,048-bit minimum that current browsers, mobile platforms, and public CAs accept, so if you stay on the self-issued certificate, plan on replacing it with one that uses at least a 2,048-bit key.
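To see these fields, the key size, and the chain from the leaf to the self-issued root on a real server, here is an added PowerShell example (not code from the training kit or from Windows SBS) that inspects the leaf certificate bound to the SBS Web sites and builds its chain the way a client would. It assumes PowerShell 2.0 on the server and the names from Figure 5-1, remote.contoso.com and Contoso-SERVER01-CA; substitute your own.

```powershell
# Added example; not part of the training kit or of Windows SBS. Run in an
# elevated PowerShell prompt on the SBS 2008 server. The names below follow
# Figure 5-1 and are assumptions: substitute your public name and CA name.
$leafSubject = 'CN=remote.contoso.com'
$caSubject   = 'CN=Contoso-SERVER01-CA'

# 1. The leaf (Web site) certificate: the newest one in LocalMachine\Personal
#    that has a private key. Only a certificate with a private key can serve SSL.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $leafSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($leaf -eq $null) { throw "No certificate with a private key for $leafSubject in LocalMachine\My" }

# 2. The fields the lesson lists: subject, issuer, validity, signature algorithm,
#    public key size, and (in the extensions) where revocation is checked.
$leaf | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint,
    @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } },
    @{ Name = 'KeyBits';            Expression = { $_.PublicKey.Key.KeySize } }
$leaf.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.31' } |      # CRL Distribution Points
    ForEach-Object { $_.Format($true) }

# 3. Checks worth scripting: key size and remaining lifetime.
$keyBits = $leaf.PublicKey.Key.KeySize
if ($keyBits -lt 2048) {
    Write-Warning "$keyBits-bit key: current browsers and public CAs require at least 2048 bits"
}
$daysLeft = ($leaf.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) { Write-Warning "Leaf certificate expires in $daysLeft days" }

# 4. Build the chain the way a client would. With the self-issued root in
#    LocalMachine\Root this succeeds; on a computer without that root it fails
#    with UntrustedRoot, which is the failure a mobile device reports.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # stay offline here; use 'Online' to test the CRL too
$trusted = $chain.Build($leaf)
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }   # leaf first, root last
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $caSubject) { Write-Warning "Chain ends at $($root.Subject), not $caSubject" }
```

Run the same script on a client with the self-issued root removed from its store and step 4 fails with UntrustedRoot; that is the difference between a self-issued and a third-party certificate from the client's point of view.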
Third-Party Certificates
In certain situations, a third-party certificate is required, such as when a mobile operator or device does not accept a self-issued certificate. Using a self-issued certificate in these situations will cause a failure when a mobile device attempts to connect to the server, because the device cannot build a chain to a root it trusts. (For information about mobile device integration, see Chapter 6.)
Figure 5-1 Path of self-issued Windows SBS certificates: The leaf certificate remote.contoso.com is displayed under the root certificate Contoso-SERVER01-CA.
The good news is that third-party certificates have become less expensive over time and are easy to manage in Windows Small Business Server. In Windows SBS 2008, you can easily integrate a third-party certificate on the network. Often people ask whether third-party certificates are more secure than self-issued certificates. Cryptographically there is no difference, provided the key length and signature algorithm are the same; what differs is which root certificate the client already trusts, and therefore the effort expended to distribute the root to mobile devices and remote users.
The benefit of a third-party certificate over a self-issued certificate is that most third-party root certificates are already installed on mobile devices. (Look at the certificate store on your mobile device, for example.) Most self-issued certificates must be deployed to and installed on each mobile device or remote client, which requires more effort, depending on how many client devices you have to manage if the certificate must be distributed to remote locations.
For instance, say you have 40 sales agents in the field who need to have remote access from their mobile devices and non-domain-joined laptops. If you use a self-issued certificate, you must install the self-issued root certificate on each mobile device and laptop. That could turn into quite a task, especially if the sales agents come to the office only randomly or you have to travel to their location for the installation. On the other hand, the root certificate of a third-party CA will already be installed on the mobile devices and laptops, and you will need to install only the server certificate issued under that root on the server. Even the most cost-conscious small business can agree that a one-time $60 fee for the third-party certificate and 10 minutes of a technician's time to install it is less expensive than installing a self-issued root certificate on multiple non-domain-joined clients!
Administering Third-Party Certificates
The Add A Trusted Certificate Wizard in Windows SBS 2008 can assist you in requesting and installing a third-party certificate from a CA. The trusted certificate will replace the default self-issued certificate when it is installed on the server.
Before you can request a third-party certificate you must have run the Internet Address Management Wizard and registered and configured a public Internet address for the server. (See Chapter 1 Lesson 4, “Performing Initial Getting Started Tasks,” for more information.)
The Add A Trusted Certificate Wizard is located in the Windows SBS Console, in the Network tab, in the Connectivity tab, in the task pane. The Add A Trusted Certificate Wizard administers the following tasks:
Requesting and installing a trusted certificate
Importing a trusted certificate
Importing a trusted certificate request
Removing a trusted certificate request
Removing a trusted certificate
Request and Install a Trusted Certificate
The Add A Trusted Certificate Wizard generates a request for a trusted certificate from a CA using the information provided during installation and when the Internet Address Management Wizard was run. The request is a Base64-encoded PKCS #10 certificate signing request: it contains the server's name and public key, while the matching private key is generated on the server and never leaves it. After the request is generated, you can save it to a file and send the file to the CA, or you can copy the request using the Copy function and paste it into the space provided on the CA's Web site.
Depending on which CA you use, the request for the trusted certificate may be handled immediately and a trusted certificate made available right away, or the request may be validated offline, in which case you have to wait to receive and install the certificate.
Once the certificate request is in process, the Add A Trusted Certificate Wizard offers the following options:
My Certificate Provider Needs More Time To Process The Request Choose this option when you have to wait to receive the trusted certificate. At this point a new task, Remove This Certificate Request, is added to the Connectivity task pane. Later, when you receive the certificate file from the CA, return to the Add A Trusted Certificate Wizard and select the I Have A Certificate From My Certificate Provider option.
I Have A Certificate From My Certificate Provider Select this option when you receive a trusted certificate immediately from the certificate provider or when you receive a certificate later and return to this page to install it. You can paste the encoded text from the certificate provider into the message box in the Import A Trusted Certificate dialog box, or you can browse to the location where you stored the certificate file.
I Want To Cancel My Request Select this option to remove a pending certificate request and reinstate the original self-issued certificate.
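The wizard hides the request it builds. The added example below (not the wizard's own code and not from the training kit) generates an equivalent request by hand with certreq.exe, which is useful when you want to choose the key length yourself or add subject alternative names such as autodiscover. The subject, organization details, and host names in it are assumptions to replace with the values from your Internet Address Management Wizard run. A certificate issued from this request is installed with certreq -accept and then bound with the wizard's I Want To Use A Certificate That Is Already Installed On The Server option, since the wizard knows nothing about a request made outside it.

```powershell
# Added example; not the Add A Trusted Certificate Wizard's own code. Builds a
# PKCS #10 request with certreq.exe on the SBS 2008 server. Subject, organization
# and DNS names are assumptions: use the public name you registered in the
# Internet Address Management Wizard.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=remote.contoso.com, O=Contoso, L=Redmond, S=Washington, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=remote.contoso.com&"
_continue_ = "dns=autodiscover.contoso.com"
'@
# KeySpec 1 = key exchange, KeyUsage 0xA0 = digital signature + key encipherment,
# OID 1.3.6.1.5.5.7.3.1 = server authentication. Exportable = TRUE only so the
# certificate can be moved later; set it to FALSE if you will never need to.
# The hash used to sign the issued certificate is chosen by the CA, not here.

$dir     = Join-Path $env:USERPROFILE 'Documents'
$infPath = Join-Path $dir 'CertRequest.inf'
$reqPath = Join-Path $dir 'CertRequest.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the machine key store and writes the Base64 request.
# Only the .req file goes to the CA; the private key stays on this server.
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Inspect what you are about to paste into the CA's Web form: subject, key size, SANs.
certutil.exe -dump $reqPath | Select-String 'Subject:', 'Public Key Length', 'DNS Name'

# The pending request (and its key) is tracked in the REQUEST store until accepted.
Get-ChildItem Cert:\LocalMachine\REQUEST | Format-List Subject, Thumbprint

# When the CA returns the issued certificate (assumed file name), install it against
# the pending key; it then appears in LocalMachine\My with a private key:
#   certreq.exe -accept (Join-Path $dir 'remote.contoso.com.cer')
```

If the CA returns a certificate whose public key does not match the pending request, certreq -accept refuses it; that is the check that guarantees the certificate you bind belongs to the private key on this server.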
Import and Export a Trusted Certificate
If you already have a trusted third-party certificate in use on another server and would like to use it on the server running Windows SBS 2008, you can export the certificate and install it using the Add A Trusted Certificate Wizard. Follow these three steps:
Exporting a certificate On the server that currently uses the certificate, open the Certificates snap-in for the computer account (click Start, click Run, type mmc, and add the Certificates snap-in for Computer Account; Certmgr.msc shows only the current user's store, and a Web server's certificate is in the local computer's Personal store) and select the certificate to export. Several certificates may have the same name; in that case verify that the certificate you are exporting has a private key (shown by a key on its icon), has not expired, and was issued by the authority you expect.
You can choose from the following certificate file formats:
Personal Information Exchange (PKCS #12) This format enables the transfer of certificates and their private keys between computers or to removable media. The PKCS #12 format (.pfx) is the only format supported in the Windows Server 2008 operating system to export a certificate and its private key, and it requires a password. That password is the only protection for the private key inside the file, so choose a strong one and delete the .pfx file once it has been imported on the destination server.
Cryptographic Message Syntax Standard (PKCS #7) This format enables transfer between computers or to removable media of a certificate and all the certificates in its certification path.
Distinguished Encoding Rules (DER) Encoded Binary X.509 This format uses the .cer extension and can be used by certification authorities to support interoperability for computers not running the Windows Server 2003 operating system or later.
Base64 Encoded X.509 This encoding method was developed for S/MIME. All MIME-compliant clients can decode Base64 files. This format uses the .cer extension and can be used by CAs to support interoperability for computers not running Windows Server 2003 or later.
Importing a certificate To import the certificate on Windows SBS 2008, use the Windows SBS Console (Advanced Mode). The Windows SBS Console (Advanced Mode) is almost identical to the standard Windows SBS Console but offers some additional options not found in the standard console. You access it by clicking Start, pointing to Administrative Tools, and clicking Windows SBS Console (Advanced Mode). In the Network tab, in the Connectivity tab, in the task pane, click Manage Certificates to open the local certificates snap-in. In the Certificates (Local Computer) console, expand Certificates, expand Personal, right-click Certificates, click All Tasks, and then click Import. Click through the Certificate Import Wizard and browse to the location where you saved the .pfx file. Next, enter the password that you created in the export procedure, ensure that the Mark This Key As Exportable and Include All Extended Properties options are selected, verify the certificate is imported into the Personal folder, and click Finish. Mark This Key As Exportable is needed only if you expect to move the certificate again; if you leave it cleared, the private key cannot be pulled back out of this server through the Windows certificate APIs, which limits the damage if an administrator account on the server is compromised.
Now that you have imported the certificate, you must bind it to the Windows SBS 2008 Web sites and import it using the Add A Trusted Certificate Wizard to replace the self-issued certificate.
Bind the trusted certificate with Windows Small Business Server Once you have imported the trusted certificate, run the Add A Trusted Certificate Wizard to bind the imported certificate with Windows SBS 2008. Select the I Want To Use A Certificate That Is Already Installed On The Server option, and then select the certificate from the list of certificates installed on the server. By default, this list displays only certificates that have a private key, such as those imported from a .pfx file. Then, click Finish. To indicate a successful binding, the message The Trusted Certificate Is Imported Successfully is displayed, as shown in Figure 5-2. From now on, the trusted certificate will be used as the default certificate in Windows SBS 2008.
Figure 5-2 The Add A Trusted Certificate Wizard message that signals a successful import of a third-party certificate
Remove a Trusted Certificate
If you no longer want to use a third-party certificate or the certificate has expired and will not be renewed, you can remove the third-party certificate. In the Windows SBS Console, in the Network tab, in the Connectivity tab, in the task pane, click the Remove My Trusted Certificate task. When you remove a third-party certificate, Windows SBS 2008 replaces it with the self-issued certificate and uses that.
Repair a Trusted Certificate
After a third-party certificate is installed in Windows SBS 2008, a new task, Fix My Web Site Certificate, appears in the task pane of the Connectivity tab in the Windows SBS Console. If any issues should arise with the third-party certificate, consider this task as your first level of support and run the Fix My Web Site Certificate Wizard.
The wizard searches for a third-party certificate and, if one is found, rebinds it to the Web site. If the Fix My Web Site Certificate Wizard cannot find a third-party certificate, it will bind the self-issued certificate to the Windows SBS Web site instead.
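The export, import, and bind steps above, and the repair that Fix My Web Site Certificate performs, can be scripted and verified. The added PowerShell example below (not from the training kit, the wizard, or IIS) exports a certificate with its private key from the old server, imports it into the local computer's Personal store on the SBS server without marking the key exportable, and then reads from HTTP.sys which certificate each SSL binding actually serves, so you can confirm that the thumbprint on the port is the one you just imported. The subject name CN=remote.contoso.com and the path E:\TrustedCert.pfx are assumptions; it needs PowerShell 2.0 and an elevated prompt on both servers.

```powershell
# Added example; not the Add A Trusted Certificate Wizard's own code. Moves a
# certificate with its private key between servers and checks which certificate
# HTTP.sys presents on each SSL binding. Subject name and .pfx path are assumptions.

function Export-ServerCertificate {
    param([string]$Subject, [string]$PfxPath, [System.Security.SecureString]$Password)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "$Subject*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($cert -eq $null) { throw "No certificate with a private key for $Subject in LocalMachine\My" }
    # Export() throws unless the key was marked exportable when it was created or imported.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    $cert.Thumbprint
}

function Import-ServerCertificate {
    param([string]$PfxPath, [System.Security.SecureString]$Password, [switch]$Exportable)
    # MachineKeySet: the key goes to the computer's key store, where IIS (a service,
    # not you) can reach it. PersistKeySet: the key survives this process. Without
    # Exportable the key cannot be pulled back out later, the safer default.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    if ($Exportable) {
        $flags = $flags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    }
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
    $cert.Thumbprint
}

function Get-HttpSysBindings {
    # HTTP.sys, not IIS's configuration file, decides which certificate a port presents.
    # Returns a hashtable of "ip:port" -> certificate hash (uppercase hex).
    $bindings = @{}
    $ipPort = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') { $ipPort = $matches[1] }
        elseif ($line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { $bindings[$ipPort] = $matches[1].ToUpper() }
    }
    $bindings
}

# On the old server:
$password = Read-Host -AsSecureString 'PFX password'   # never hard-code it; the .pfx is the private key
Export-ServerCertificate -Subject 'CN=remote.contoso.com' -PfxPath 'E:\TrustedCert.pfx' -Password $password

# On the SBS 2008 server, then run the Add A Trusted Certificate Wizard with
# "I Want To Use A Certificate That Is Already Installed On The Server":
$thumbprint = Import-ServerCertificate -PfxPath 'E:\TrustedCert.pfx' -Password $password
Remove-Item 'E:\TrustedCert.pfx'   # do not leave the private key on the USB stick

# After the wizard (or Fix My Web Site Certificate) has run, confirm what is served.
foreach ($entry in (Get-HttpSysBindings).GetEnumerator()) {
    $state = if ($entry.Value -eq $thumbprint) { 'serves the imported certificate' } else { "still serves $($entry.Value)" }
    "$($entry.Key): $state"
}
```

If a binding still reports the old hash after the wizard finishes, that is the situation Fix My Web Site Certificate is meant to repair; run it and check the bindings again rather than editing HTTP.sys by hand, because IIS 7 also records the certificate in its own configuration and the wizard updates both.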
For more details about managing common administrative tasks in IIS, see “IIS 7.0: Common Administrative Tasks” at Microsoft TechNet (http://technet.microsoft.com/en-us/library/cc771979.aspx) and “IIS 7.0: Configuring Server Certificates in IIS 7.0” at Microsoft TechNet (http://technet.microsoft.com/en-us/library/cc732230.aspx).
Figure 5-3 The Internet Information Services (IIS) Manager Server Certificates page lists the self-issued certificates currently in use.
Distributing Self-Issued Certificates
By default, all domain-joined clients receive the root certificate through Group Policy regardless of whether the certificate is self-issued or from a third-party. Clients receive this certificate as long as it has been added to the certificate store and bound to the Windows Small Business Server Web sites.
The certificate file and an executable file (InstallCertificate.exe) are compressed into a certificate distribution package (Install Certificate Package.zip) and stored in the %systemdrive%\users\public\public downloads shared folder. The certificate distribution package can be downloaded onto a USB device or other removable media and taken to remote devices not joined to the domain.
Install Certificates on Non-Domain-Joined Client Computers
To install the self-issued certificate on a remote client computer or mobile device, copy the certificate installation package from the USB device or removable media to the remote client. If you are installing the certificate to a mobile device, ensure that the mobile device is physically connected to the remote client computer.
Extract the files from Install Certificate Package.zip and open the InstallCertificate.exe file on the remote client. In the Certificate Installation dialog box that opens, you can choose where you want to install the certificate, as shown in Figure 5-4. You have two options:
Install The Certificate On My Computer Choose this option on computers running Windows XP SP2 or Windows Vista.
Install The Certificate On My Mobile Device Choose this option on mobile devices running Windows Mobile 6.
The Certificate Installation Wizard then installs the certificate on the device of your choice. If you are installing the certificate on a device running Windows Mobile 5.0 or Windows Mobile 2003, you must use the Windows Mobile Device Center or the SPAddCert.exe utility to install the self-issued certificate.
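What InstallCertificate.exe does on the client is add the root to the Trusted Root Certification Authorities store. The added PowerShell example below (not the package's own code and not from the training kit) does the same by hand but first compares the file's thumbprint with a value you read on the server, then proves the result by making a real SSL connection to the public name. Refusing to install a root whose thumbprint does not match matters: anyone who can swap the file on the USB stick could otherwise insert their own root and intercept every Remote Web Workplace and Outlook Anywhere session from that client. The .cer file name, the all-zero placeholder thumbprint, and the name remote.contoso.com are assumptions; it needs PowerShell 2.0 and an administrator prompt on the non-domain-joined client.

```powershell
# Added example; not InstallCertificate.exe and not from the training kit.
# Run as an administrator on the non-domain-joined Windows client.
# Assumptions: the .cer file extracted from Install Certificate Package.zip
# (file name assumed), the public name, and the thumbprint read on the server with
#   (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like 'CN=Contoso-SERVER01-CA*' }).Thumbprint
# The all-zero value is a placeholder: paste the real one, carried separately from the USB stick.
$cerPath            = 'C:\Certificate\Contoso-SERVER01-CA.cer'
$expectedThumbprint = '0000000000000000000000000000000000000000'
$publicName         = 'remote.contoso.com'

function Install-VerifiedRoot {
    param([string]$Path, [string]$ExpectedThumbprint)
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($root.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
        throw "Thumbprint $($root.Thumbprint) does not match the expected value; not installing"
    }
    if ($root.Subject -ne $root.Issuer) {
        throw "$($root.Subject) is not self-signed; a leaf certificate does not belong in Trusted Root"
    }
    if ($root.NotAfter -lt (Get-Date)) { throw "Root certificate expired on $($root.NotAfter)" }
    # LocalMachine\Root trusts the CA for every user and service on this computer;
    # use 'CurrentUser' instead to trust it for the logged-on user only.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($root)
    $store.Close()
    $root.Thumbprint
}

function Test-ServerTrust {
    param([string]$HostName, [int]$Port = 443)
    # A real SSL handshake: AuthenticateAsClient throws unless the server's chain ends
    # at a root this computer trusts and the name matches, the same check RWW and
    # Outlook Anywhere make. Returns $true or $false.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host "Trusted: $($server.Subject) issued by $($server.Issuer)"
        $ssl.Close()
        $true
    } catch [System.Security.Authentication.AuthenticationException] {
        Write-Warning "Not trusted: $($_.Exception.Message)"
        $false
    } finally {
        $tcp.Close()
    }
}

Install-VerifiedRoot -Path $cerPath -ExpectedThumbprint $expectedThumbprint
Test-ServerTrust -HostName $publicName
```

Running Test-ServerTrust before the install shows the UntrustedRoot failure a device without the root sees; running it afterwards, with the thumbprint check passed, is the evidence that the client will reach Remote Web Workplace without a certificate warning.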
Figure 5-4 The Certificate Installation Wizard installs the self-issued certificate at the proper location on the computer or mobile device.
Practice: Managing Certificates in Windows Small Business Server 2008
The following exercises help familiarize you with managing self-issued and third-party trusted certificates in Windows SBS 2008. You must be logged on as the network administrator and have run the Internet Address Management Wizard on the Home page and set up your Internet address to complete this exercise successfully.
Exercise 1 Verify the Self-Issued Certificate
In this exercise, you learn where to view certificates in the certificate store.
On the server running Windows SBS 2008, click Start, point to All Programs, click Windows Small Business Server, and then click Windows SBS Console (Advanced Mode).
On the navigation bar, click the Network tab, and then click the Connectivity tab.
In the task pane, click Manage Certificates. This opens the Certificates (Local Computer) window.
Expand Certificates, expand Trusted Root Certification Authorities, click Certificates, and then double-click Contoso-SERVER01-CA.
In the General tab, observe who the certificate was issued to, who it was issued by, and the validity period (five years).
Click the Details tab, scroll down, and observe the fields and their values.
Click the Certification Path tab to observe the certification path and status. Click OK.
Double-click a third-party trusted certificate, and then compare the information in the tabs with information given for the self-issued certificate. Notice that the certificates are very similar except for the issuer, validity length, and intended purpose.
In the Certificates (Local Computer) window, in the left pane, expand the Remote Desktop store, click Certificates, and then observe the certificate stored there.
In the left pane, expand Personal, click Certificates, and observe the certificates stored there. Check the Intermediate Certification Authorities, Certificates store as well. Windows Small Business Server places all certificates in the appropriate stores.
Double-click each certificate and check its validity period (two or five years) and intended use. Then, click the Certification Path tab to see whether it is the root itself or a leaf certificate issued under the root.
Close the Certificates (Local Computer) window and the Windows SBS Console.
Exercise 2 Request a Third-Party Certificate
In this exercise, you request a third-party certificate using the Add A Trusted Certificate Wizard.
Log on as network administrator, and open the Windows SBS Console.
On the navigation bar, click Network, and then click the Connectivity tab.
Click Add A Trusted Certificate in the task pane.
Review the information on the Welcome page, and then click Next.
On the Get The Certificate page, click I Want To Buy A Certificate From A Certificate Provider, and then click Next.
Change any incorrect information used to generate the request for the certificate, and then click Next.
Windows SBS 2008 generates the encoded information that the CA requires. On the Generate A Certificate Request page, click Save To File to save the encoded information to a file. Name the file CertRequest, and click Save. By default, the file will be saved in the user’s Documents folder. Click Next.
Select My Certificate Provider Needs More Time To Process The Request, and click Next.
Review the warning information, and then close the wizard.
Exercise 3 Export a Trusted Certificate
In this exercise, you export a trusted certificate.
Note: In this exercise, you must have an existing trusted certificate. For this demonstration, you can use the self-issued certificate. In a real-world situation, the certificate provider would provide instructions on how to import and export the third-party certificate.
On the server running Windows SBS 2008, click Start, point to All Programs, click Windows Small Business Server, and then click Windows SBS Console (Advanced Mode).
On the navigation bar, click the Network tab, and then click the Connectivity tab.
In the task pane, click Manage Certificates.
Expand Certificates (Local Computer), Trusted Root Certification Authorities, Certificates. Right-click Contoso-SERVER01-CA, select All Tasks, and then click Export.
After you have read the information on the Welcome To The Certificate Export Wizard page, click Next.
Click Yes, Export The Private Key. On a production server, treat a file containing the CA's private key as you would the CA itself: anyone who obtains it can issue certificates that every domain-joined computer trusts. Protect it with a strong password and delete it when the exercise is over.
On the Export File Format page, select Include All Certificates In The Certificate Path If Possible and Export All Extended Properties. Be sure that the Delete The Private Key If The Export Is Successful option is cleared. Click Next.
Type a password such as abcd1234 (a lab-only value; outside this exercise a .pfx file needs a strong password, because the password is all that protects the private key inside it) to protect the certificate file, and then click Next.
Save the .pfx file to your desktop. Name the file TrustedCert, click Save, click Next, and then click Finish.
Exercise 4 Import a Trusted Third-Party Certificate
In this exercise, you import a certificate.
Note: In this exercise, you must have an existing trusted certificate. For this demonstration, you can use the self-issued certificate. In a real-world situation, the certificate provider would provide instructions on how to import and export the third-party certificate. Also, in a realistic situation you would move the trustedcert.pfx file to the server that is running Windows SBS 2008 by using the network or a USB flash drive. (In this set of exercises, it is already located on the desktop.)
Open the Windows SBS Console in Advanced Mode.
On the navigation bar, click the Network tab, and then click the Connectivity tab.
In the task pane, click Manage Certificates.
In the Certificates (Local Computer) window, expand Certificates, expand Personal, right-click Certificates, click All Tasks, and then click Import.
On the Certificate Import Wizard Welcome page, click Next.
Browse to the desktop, and select trustedcert.pfx. If the file is not showing, change the file type in the Open dialog box to All Files (*.*). Click Open, and then click Next.
Type the password abcd1234, select Mark This Key As Exportable and Include All Extended Properties, and then click Next.
Leave the default setting Place All Certificates In The Following Store: Personal Folder, click Next, and then click Finish.
Exercise 5 Bind a Trusted Certificate to Windows Small Business Server
In this exercise, you bind a third-party certificate to the Windows Small Business Server Web sites using the Add A Trusted Certificate Wizard.
Because you do not have a real trusted certificate, you will not be able to finish the steps of this exercise. You will be able to follow the steps to the point when the file is requested, and then you can cancel out of the exercise.
Open the Windows SBS Console.
On the navigation bar, click the Network tab, and then click the Connectivity tab.
In the task pane, click Add A Trusted Certificate.
On the Welcome page, read the information, and then click Next.
On the Get The Certificate page, click I Have A Certificate From My Certificate Provider, and then click Next.
On the Import The Trusted Certificate File page, either paste the information that you received from the provider or browse to the location where you saved the trusted certificate file, and then click Next.
When the wizard finishes, click Finish.
If you are using a real trusted certificate, now the certificate is bound to the Windows SBS 2008 Web sites.
Exercise 6 Remove a Third-Party Certificate Request
In this exercise, you remove a third-party certificate request. There are two options available to remove the third-party certificate request. Follow these steps in the Windows SBS Console for the first option:
In the Network tab, in the Connectivity tab, in the task pane, click Add A Trusted Certificate, and then click Next.
Click I Want To Cancel My Request, and then click Next.
In the warning dialog box, click Yes.
On The Certificate Request Is Removed page, click Finish.
Follow these steps in the Windows SBS Console for the second option:
In the Network tab, in the Connectivity tab, in the task pane, click Remove This Certificate Request.
Click Yes when prompted.
Exercise 7 Install the Self-Issued Certificate on a Non–Domain-Joined Client Computer
In this exercise, you install a self-issued certificate on a non-domain-joined computer using the Install Certificate Wizard.
Open Internet Explorer either on the server that runs Windows SBS 2008 or on a domain-joined client computer.
Type \\server01\public\public downloads in the address bar to open the Public Downloads folder.
Copy the Install Certificate Package to a USB storage device (if you are using Windows Server 2008 Hyper-V, for this exercise copy to a shared folder that you will be able to access from the non-domain-joined client computer).
Create a folder in the My Documents folder and name it Certificate. Copy Install Certificate Package.zip file to this folder. Right-click the Install Certificate Package.zip file, and select Extract All. In the Select A Destination dialog box, click Next to extract files to the same folder.
Double-click InstallCertificate.exe to open the Certificate Installation dialog box.
Select the Install The Certificate On My Computer option, and click Install.
A message confirms that the certificate is installed. You can verify the installation by opening certmgr.msc and checking that Contoso-SERVER01-CA appears under Trusted Root Certification Authorities, Certificates.