Issue certificates from your CA to your extranet users
In "Using Win2K Certificate Services to Configure a Standalone CA, Part 1," January 2002, InstantDoc ID 23373, I showed you how to install and configure Certificate Services on a Windows 2000 machine to create a Certificate Authority (CA) and generate certificates that your extranet users can use to access your Web site. Now, let's take a close look at the second half of that proposition: issuing and mapping certificates.
Issuing Certificates
Before you start issuing certificates, you need to make some important decisions: Who will be able to request and issue certificates? Because you're setting up the CA to issue certificates to extranet users, you have a couple of options for creating, distributing, and managing those certificates. You can give extranet users the access they need to request their own certificates, or you can assign someone the task of creating and distributing certificates.
Let's walk through the first scenario for both you and the user. After you know this basic scenario, you can create any type of solution. Your primary concern is to determine how your extranet users will access the Certificate Services site to request certificates. By default, the Everyone group has access to Certificate Services for requesting and reading certificates. All you need to do is send Everyone group members an email message that contains a link to your server:
http://<localhost>/certsrv
Assuming your users access the server over the intranet or Internet, this URL's localhost variable would be either your server's name or a Data Source Name (DSN) name that points to the Certificate Services site. (You can also use an IP address to get to the server.)
Because the Everyone group has permission to request certificates, a group member visiting the URL will see the Welcome page that Figure 1 shows. To request a certificate, the user selects the Request a certificate radio button, then clicks Next. After selecting the certificate type (a Web Browser certificate, in this example) and clicking Next, the user enters demographic information and clicks Submit to send the request to Certificate Services. The browser shows a status message indicating that the server is processing the request. The server then instructs the user to return to the site after a designated number of days to check for the certificate. After the user receives notification that the server has received the request, he or she can close the browser.
What happens next depends on how you've configured Certificate Services. By default, for a standalone CA such as the one in our example, Certificate Services sets each requested certificate to a pending status. This scenario is probably best because when you receive a certificate request, you have time to choose whether to approve the certificate. You can use the certificate-request information to examine a user's demographic information and, for example, verify the user's credentials. Alternatively, you can choose to automatically issue all requested certificates, which is probably not wise, because then any user who stumbles across your site could retrieve a certificate.
After you approve a certificate request, you can use the Microsoft Management Console (MMC) Certification Authority snap-in to issue the certificate. Start the snap-in and open the Pending Requests folder. The snap-in lists new certificate requests, as Figure 2 shows. To issue the certificate, right-click the request, select All Tasks, then click Issue. Doing so adds the certificate to the Issued Certificates folder. To deny a request, select All Tasks, then click Deny.
To determine whether his or her requested certificate has been approved or denied, the user can select Check on a pending certificate on the Welcome page, then click Next. The certificate request will appear in a drop-down list. The user selects the certificate in question, then clicks Next. If you've approved the request, the user will see an Issued status. The user now needs only to click Install this certificate to install the certificate in Microsoft Internet Explorer (IE). Depending on the Internet connection speed, the installation process should proceed quickly.
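The review-then-issue workflow above can also be driven from the command line with certutil.exe, which is useful when many extranet requests arrive at once. The script below is an added example and is not code from the article; it assumes it runs on the CA itself under an account allowed to manage the CA, that the certificate database's Disposition column uses the values 9 (pending) and 20 (issued), and that certutil -view prints "Request ID:", "Requester Name:" and "Issued Common Name:" lines in the form the regular expressions expect. The function names (Get-CaRequest, Approve-CaRequest, Deny-CaRequest, Invoke-PendingReview) are this example's own. It deliberately keeps a human in the loop for every pending request, which is the point of leaving the CA at its default pending setting rather than auto-issuing.

```powershell
# Added example (not from the article): the snap-in's Pending Requests /
# Issue / Deny steps driven through certutil.exe on a standalone Win2K CA.
# Assumptions: run on the CA as a CA administrator; Disposition 9 = pending,
# 20 = issued; the regexes below match certutil's usual -view output lines.

function Get-CaRequest {
    param(
        [Parameter(Mandatory)][int]$Disposition   # 9 = pending, 20 = issued
    )
    # Restrict the view to one disposition and ask only for the columns we parse.
    $raw = & certutil.exe -view -restrict "Disposition=$Disposition" -out "RequestID,RequesterName,CommonName"
    $current = $null
    foreach ($line in $raw) {
        # Each row starts with a line such as:  Request ID: 0x5 (5)
        if ($line -match '^\s*Request ID:\s+0x[0-9a-fA-F]+\s+\((\d+)\)') {
            if ($current) { $current }
            $current = [pscustomobject]@{
                RequestId  = [int]$Matches[1]
                Requester  = $null
                CommonName = $null
            }
        }
        elseif ($current -and $line -match '^\s*Requester Name:\s+"(.*)"') {
            $current.Requester = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Issued Common Name:\s+"(.*)"') {
            $current.CommonName = $Matches[1]
        }
    }
    if ($current) { $current }
}

function Approve-CaRequest {
    param([Parameter(Mandatory)][int]$RequestId)
    # Equivalent of All Tasks > Issue: resubmitting a pending request issues it.
    & certutil.exe -resubmit $RequestId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -resubmit $RequestId failed with exit code $LASTEXITCODE" }
}

function Deny-CaRequest {
    param([Parameter(Mandatory)][int]$RequestId)
    # Equivalent of All Tasks > Deny.
    & certutil.exe -deny $RequestId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -deny $RequestId failed with exit code $LASTEXITCODE" }
}

function Invoke-PendingReview {
    # Walk every pending request and make the operator decide per request,
    # after checking the requester's details out of band (the article's
    # "verify the user's credentials" step). Anything not explicitly
    # approved or denied stays pending.
    $pending = @(Get-CaRequest -Disposition 9)
    if ($pending.Count -eq 0) { Write-Host "No pending requests."; return }
    foreach ($req in $pending) {
        Write-Host ("Request {0}: requester '{1}', common name '{2}'" -f $req.RequestId, $req.Requester, $req.CommonName)
        $answer = Read-Host "  [I]ssue, [D]eny, or [S]kip"
        switch ($answer.ToUpperInvariant()) {
            'I' { Approve-CaRequest -RequestId $req.RequestId; Write-Host "  issued" }
            'D' { Deny-CaRequest    -RequestId $req.RequestId; Write-Host "  denied" }
            default { Write-Host "  left pending" }
        }
    }
    # Show what the CA has issued so far, so the operator can reconcile it
    # against the list of extranet users who were actually expected.
    Write-Host "`nIssued certificates:"
    Get-CaRequest -Disposition 20 | Format-Table RequestId, Requester, CommonName -AutoSize
}

Invoke-PendingReview
```

Run the script in a console on the CA; the user-facing steps (Check on a pending certificate, Install this certificate) are unchanged because certutil -resubmit and -deny update the same certificate database the Web enrollment pages read. If your certutil build prints the -view columns with different labels, adjust the three regular expressions in Get-CaRequest rather than the Approve or Deny functions.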
Mapping Certificates
Now that your new CA has issued certificates to your extranet users, how do you permit them to use their certificates to access your Web site? You need to set up Microsoft Internet Information Services (IIS) 5.0 to recognize certificates that your CA issues and map the certificates to a specified user account on your servers or in Active Directory (AD). Then, you can use that account to control access to the extranet site.
Consider the implications of this scenario. All your extranet users will have controlled access to your site, but you'll need only one Win2K user account for all users. If you perform such administrative actions as changing permissions or killing access to the site for the entire group, you need to make changes to that one account only. You have no user groups or accounts to manage. Of course, the downside of using just one account is that you can't track individual user actions or set user-specific security.