Using Certificate-Monitoring Tools with Windows Server 2008
One of the main objectives of administering certificates is to achieve an advanced level of security in your enterprise. Identity and access management should be taken very seriously. In this article we will very briefly cover what CAs are and then cover the important aspects of using specific certificate-monitoring tools such as PKIView.msc and certutil.exe with Windows Server 2008. It is important to know how certificates affect your security posture and whether they are healthy or require maintenance, such as replacement. An expired certificate can signal to anyone requesting a service that your security is weak or non-existent; many times it may even instigate an attack. It may also indicate that you have not taken care of your updates, do not have a maintenance routine, and do not get real-time fault-based email or text alerts, or worse. This article covers the importance of using certificates and how to monitor them with Windows Server 2008.
Certificates and Security
Security is not a small issue. In fact, security has to be considered at all levels of the infrastructure, from the most basic LANs to how a Web server will allow external users to access a Web page through a Secure Sockets Layer (SSL) connection. Every aspect of security needs to be scrutinized. This is true when deploying a Certificate Authority (CA) or a Public Key Infrastructure (PKI). Raising your security position on your network and systems will help to protect you from threats, risks and possible attacks. Using Windows Server 2008, this is achieved via a number of different methods, including security certificates, various forms of encryption, and a vast number of technologies that are accessible throughout the suite of tools and features available in Windows Server 2008. You can use the Add Roles Wizard to configure a CA on Windows Server 2008.
You can install and configure Certificate Services by running the Add Roles Wizard. By selecting Active Directory Certificate Services (ADCS) from the Server Roles list, you allow Windows Server 2008 to act as a Certificate Authority (CA) that issues and manages certificates for various applications.
Figure 1: Configuring Active Directory Certificate Services
You will find that many Windows-based security services work with ADCS. To monitor certificates, you will need to understand what you are monitoring. Next, we will look at the Public Key Infrastructure.
What is a PKI?
Whenever an organization uses technologies such as smart cards, IPsec, Secure Sockets Layer (SSL), digital signatures, Encrypting File System (EFS), or other technologies that rely upon using specific levels of encryption, the organization will need to create a public system of encryption and identification. A PKI, or Public Key Infrastructure, is used to help ensure that all who are using a system are in fact authorized to access it. Using PKI will enable the use of digital certificates between authenticated and trusted entities. A certificate is nothing more than an official electronic document that helps the client viewing the certificate to check the authenticity of the host presenting it. The most common reason for using a system of certificates is Secure Sockets Layer (SSL), which verifies a user's identity and securely transmits data. Certificates in a PKI are used to secure data and manage the identification credentials of resources within and outside the organization.
A Certificate Authority (CA) is the part of a Public Key Infrastructure (PKI) that is responsible for validating, issuing, and revoking certificates. At the bare minimum, an enterprise using Microsoft Active Directory Certificate Services (ADCS) must have at least one CA that issues and revokes certificates. For redundancy, there is usually more than one CA deployed in an organization. Also, CAs can be either internal or external and can exist at several different levels, acting as a root CA or an issuance-only CA. There are many different ways to deploy your CA, so it is wise to understand your needs before you deploy.
Using Certificate-Monitoring Tools
Two important and useful certificate-monitoring tools that come with Windows Server 2008 are PKIView.msc and the handy certutil.exe tool.
Running PKIView.msc opens the MMC for PKI. This command launches the PKI Health tool, which lets you monitor all activity and health regarding your current PKI. PKIView also monitors the Authority Information Access (AIA) and CRL distribution point (CDP) extensions to make sure that everything goes smoothly and there are no interruptions in the service. PKIView.msc was first available in the Windows Server 2003 Resource Kit. You can download this from Microsoft downloads and then run it quickly. PKIView can help you check the status of your PKI and monitor its health and overall activity. There are multiple visual indicators to help you get an idea of the overall health of your PKI. For example, a green checkmark indicates that your PKI is healthy. A yellow warning sign indicates that a certificate or Certificate Revocation List (CRL) is close to expiration. A red error indicates that CRL or Authority Information Access (AIA) locations cannot be reached. Red errors may also indicate that a CA is not trusted.
PKIView was originally part of the Windows Server 2003 Resource Kit and was called the PKI Health tool. The newer version (a native MMC snap-in) is now part of the OS. The newest version also supports Unicode.
The certification utility (certutil.exe) command allows you to determine the validity of issued certificates through the use of two switches:
certutil -verify -urlfetch FileName
Using the -verify -urlfetch FileName switch allows you to see the output of the URL for each certificate. If it succeeds, it will display a "verified" output. If it fails, it will display an "error" output.
The -viewstore switch allows you to see the contents of a specific Active Directory Domain Services store or object, and lets you choose to view all certificates in that store.
If the certutil command does not function correctly, or you do not have a certificate, you will receive an error message that it failed.
CRL checking is an important, central function of certificate monitoring. Obviously, you do not want to have a certificate expire without it being replaced correctly or updated. The CRL, or Certificate Revocation List, is the list of certificates that need to be revoked, as its name implies. CRL checking is used to see if a trusted certificate is valid or not. This check is critical to accurately determining the health of your certificate. It is imperative that you perform it, because certutil.exe will verify the CRL of the CA, whereas the Certificates MMC snap-in will not verify the CRL of certificates.
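The expiry and CRL checks described above can be combined into one scheduled report. The script below is an added example, not part of the original article or of any Microsoft tool: it flags certificates that are expired or close to expiring, builds each chain with online revocation checking through the .NET X509Chain class, and saves the raw `certutil -verify -urlfetch` output for every certificate that fails. It assumes PowerShell 2.0 or later; the parameter names, the 30-day window and the log folder are hypothetical.

```powershell
# Added example (not from the article). Assumes PowerShell 2.0 or later.
# $StorePath, $WarnDays and $LogDir are hypothetical parameters; adjust as needed.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [int]$WarnDays = 30,
    [string]$LogDir = (Join-Path $env:TEMP 'certcheck')
)

if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
$now = Get-Date
$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert

$results = foreach ($cert in Get-ChildItem -Path $StorePath) {
    # Expiry state: the same condition PKIView flags with a yellow warning.
    $expiry = 'OK'
    if ($cert.NotAfter -lt $now) { $expiry = 'EXPIRED' }
    elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $expiry = 'EXPIRING' }

    # Build the chain with online revocation checking for every element, so an
    # unreachable CRL, a revoked certificate or an untrusted root is reported.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # For anything unhealthy, keep the raw certutil output for the administrator.
    if ($expiry -ne 'OK' -or -not $chainOk) {
        $cer = Join-Path $LogDir ($cert.Thumbprint + '.cer')
        [System.IO.File]::WriteAllBytes($cer, $cert.Export($certType))
        certutil.exe -verify -urlfetch $cer |
            Out-File -FilePath (Join-Path $LogDir ($cert.Thumbprint + '.log'))
    }

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        Expiry      = $expiry
        ChainOk     = $chainOk
        ChainStatus = $status
    }
}

$results | Sort-Object NotAfter |
    Format-Table Subject, NotAfter, Expiry, ChainOk, ChainStatus -AutoSize
```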
Certreq can be used to request certificates. You can use certreq to query a certification authority (CA) and create a new request for a certificate.
In this article we looked at how Windows Server 2008 works with Certificate Services, as well as which tools you can use to monitor it. We have also covered the use of both the PKIView.msc console and the command-line-based certutil.exe tool.