Resources For IT Professionals
Post an article
Wikis - Page Details
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  Certificates Help

Certificates Help

Certificates Help

This topic extends the help provided for certificates in Windows.
 

Table of Contents


Certificate Path Validation Settings

You can use Group Policy to easily configure and manage these certificate validation settings. The following are some of the tasks you can perform with these settings:

  • Deploy intermediate certification authority (CA) certificates.
  • Block certificates that are not trusted.
  • Manage certificates used for code signing.
  • Configure retrieval settings for certificates and certificate revocation lists (CRLs).

Certificate path validation settings are available in Group Policy at the following location: Computer Configuration\Windows Settings\Security Settings\Public Key Policies.

 When you double-click Certificate Path Validation Settings at this location, additional options are available by selecting the following tabs:

  • Stores
  • Trusted Publishers
  • Network Retrieval
  • Revocation

The following procedure describes how to configure certificate path validation settings. The sections following the procedure will describe the settings in each of these areas.

 Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To configure path validation Group Policy for a domain

  1. On a domain controller, click Start, point to Administrative Tools, and then click Group Policy Management.
    Note: In Windows Server 2012, you can run the Group Policy Management console from Server Manager. Click Tools, then click Group Policy Management.

  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

  3. Right-click the Default Domain Policy GPO, and then click Edit.

  4. In the Group Policy Management Console (GPMC), go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  5. Double-click Certificate Path Validation Settings, and then click the Stores tab.

  6. Select the Define these policy settings check box.

  7. Configure the optional settings that you need to apply.

  8. When you are finished making changes, you can select a different tab to modify additional settings, or click OK to apply the new settings.

Stores tab

Some organizations want to prevent users in the domain from configuring their own set of trusted root certificates and to decide which root certificates within the organization can be trusted. The Stores tab can be used to accomplish this.

The following options are available on the Stores tab:

  • Allow user trusted root CAs to be used to validate certificates. Clearing this check box prevents users from deciding which root CA certificates to use to validate certificates. Although this option can help prevent users from trusting and validating certificates from a chain that is not secure, it can also result in application failures or lead users to disregard root certificate trust as a means of validating a certificate that is presented to them.
  • Allow users to trust peer trust certificates. Clearing this check box prevents users from deciding which peer certificates to trust. Although this option can help prevent users from trusting certificates from a source that is not secure, it can also result in application failures or lead users to disregard certificates as a means of establishing trust. You can also select the certificate purposes, such as signing or encryption, for which peer trust certificates can be used.
  • Root CAs the client computer can trust. In this section, you can identify specific root CAs that can be trusted by users in the domain:     
    • Third-Party Root CAs and Enterprise Root CAs. By including both non-Microsoft and enterprise root CAs, you broaden the range of root CA certificates that a user can trust.
    • Only Enterprise Root CAs. By restricting trust to only enterprise root CAs, you effectively restrict trust to certificates issued by an internal enterprise CA that obtains authentication information from and publishes certificates to Active Directory Domain Services (AD DS).
  • CAs must also be compliant with User Principal Name constraints. These settings also restrict trust to internal enterprise CAs. In addition, the user principal name constraint would prevent them from trusting authentication-related certificates that do not conform to conditions related to user principal names.

In addition, some organizations may want to identify and distribute specific trusted root certificates to enable business scenarios where additional trust relationships are needed. To identify the trusted root certificates that you would like to distribute to clients in your domain, see Use Policy to Distribute Certificates.

Trusted Publishers tab

Software signing is being used by a growing number of software publishers and application developers to verify that their applications come from a trusted source. However, many users do not understand or ignore the signing certificates associated with applications that they install.

The policy options on the Trusted Publishers tab of the certificate path validation policy allow you to control who can make decisions about trusted publishers:

  • Administrators and users
  • Only administrators
  • Only enterprise administrators

In addition, policy options on this tab allow you to require that trusted publisher certificates be checked that they:

  • Have not been revoked
  • Have valid time stamps     

Network Retrieval tab

To be effective, certificate-related data such as certificate revocation lists (CRLs) and certificates in the Microsoft Root Certificate Program must be updated regularly. However, problems can arise if validation checking and retrieval of certificate revocation data and cross-certificates are interrupted because more data is being transferred than originally anticipated.

Network retrieval settings allow administrators to:
  • Automatically update certificates in the Microsoft Root Certificate Program.
  • Configure retrieval timeout values for CRLs and path validation (larger default values may be useful if network conditions are not optimal).        
  • Enable issuer certificate retrieval during path validation.    
  • Define how frequently cross-certificates are downloaded.

Revocation tab

To support revocation checking, Active Directory Certificate Services (AD CS) supports the use of CRLs and delta CRLs as well as Online Certificate Status Protocol (OCSP) responses distributed by Online Responders.

Path validation Group Policy settings allow administrators to optimize the use of CRLs and Online Responders, particularly in situations where extremely large CRLs or network conditions detract from performance.

The following settings are available:

  • Always prefer Certificate Revocation Lists (CRLs) over Online Certificate Status Protocol (OCSP) responses. In general, clients should use the most recent revocation data that is available, regardless of whether it comes from a CRL or Online Responder. If this option is selected, a revocation check from an Online Responder will only be used if a valid CRL or delta CRL is not available.
  • Allow CRL and OCSP responses to be valid longer than their lifetime. It is generally not recommended to allow CRLs and OCSP responses to be valid beyond their validity period. However, this option might be needed in situations where clients are unable to connect to a CRL distribution point or Online Responder for an extended amount of time. However, the length of time beyond the stated validity period that a CRL or OCSP response can be used is also configurable under this policy setting.

 

Domain Group Policy

Domain Group Policy can be used to manage the following types of certificate-related activities in an Active Directory Domain Services (AD DS) environment:

  • Credential roaming
  • Autoenrollment of certificates
  • Certificate path validation
  • Certificate distribution

Credential roaming

Credential roaming allows X.509 certificates, certificate requests, and private keys specific to a user in AD DS to be stored independently from the user profile and used on any computer on the network.

Digital certificates and private keys involve comparatively small amounts of data that need to be stored in a secure manner. Credential roaming policy provides a means for managing the use of these credentials on multiple computers in a manner that addresses the secure storage and size requirements of digital certificates and private keys. In Windows Server 2008 R2 and Windows Server 2008, credential roaming policy includes stored user names and passwords as well as certificates and keys.

For more information, see Enable Credential Roaming.

For more information about credential roaming and significant differences between its implementation in Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP, see Configuring and Troubleshooting Certificate Services Client–Credential Roaming (http://go.microsoft.com/fwlink/?LinkID=85332).

Certificate autoenrollment

Many organizations use Group Policy to automatically enroll users, computers, or services for certificates.

For more information, see Configure Certificate Autoenrollment

Certificate path validation

As certificate use for secure communication and data protection is increasing, administrators can use certificate trust policy to enhance their control of certificate use and public key infrastructure performance by using certificate path validation options.

Certificate path validation settings in Group Policy allow administrators to manage stores, trusted publishers, network retrieval, and revocation checking.

For more information, see Manage Certificate Path Validation.

Certificate distribution

The certificate distribution capabilities in Group Policy are useful for managing certificate-related trust in an organization. It allows you to ensure that certain certificates are trusted and that certificate chain building occurs with little or no user intervention. You can also block the use of certificates that you cannot directly revoke because they were issued by an external certification authority (CA).

For more information, see Use Policy to Distribute Certificates.

Certificate Trust List

A certificate trust list (CTL) is a list of items that has been signed by a trusted entity. The list of items could be anything, such as a list of hashes of certificates, or a list of file names. In most cases, a CTL is a list of hashed certificate contexts. All the items in the list are authenticated and approved by the signing entity. The primary use of CTLs is to verify signed Messages, using the CTL as a source of trusted root certificates. An alternate use of a CTL is to list untrusted certificates, in this case it would be a list of certificates that the client computer should consider untrustworthy.
, , , , , , , , [Edit tags]
Leave a Comment
  • Please add 8 and 3 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • 13 Feb 2013 3:32 PM

    Ed Price - MSFT edited Revision 9. Comment: White space issues

  • 16 Jul 2012 2:16 PM

    Kurt L Hudson edited Revision 6. Comment: Updated Group Policy Management opening instructions for Windows Server 2012

  • 7 Jun 2012 3:53 PM

    Patris_70 edited Revision 5. Comment: added en-US tag and title

  • 7 Jun 2012 11:49 AM

    Kurt L Hudson edited Revision 4. Comment: Updated to include discussion of CTLs

  • 6 Mar 2012 4:27 PM

    Kurt L Hudson edited Revision 3. Comment: Updated further with domain Group Policy information

  • 6 Mar 2012 4:10 PM

    Kurt L Hudson edited Revision 2. Comment: Work in progress

  • 6 Mar 2012 3:59 PM

    Kurt L Hudson edited Revision 1. Comment: work in progress

  • 6 Mar 2012 2:07 PM

    Kurt L Hudson edited Original. Comment: changing to H1 and getting ready to populate content here

Page 1 of 1 (8 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Posted by
    on 6 Mar 2012 2:07 PM

    Kurt L Hudson edited Original. Comment: changing to H1 and getting ready to populate content here

  • Posted by
    on 6 Mar 2012 3:59 PM

    Kurt L Hudson edited Revision 1. Comment: work in progress

  • Posted by
    on 6 Mar 2012 4:10 PM

    Kurt L Hudson edited Revision 2. Comment: Work in progress

  • Posted by
    on 6 Mar 2012 4:27 PM

    Kurt L Hudson edited Revision 3. Comment: Updated further with domain Group Policy information

  • Posted by
    on 7 Jun 2012 11:49 AM

    Kurt L Hudson edited Revision 4. Comment: Updated to include discussion of CTLs

  • Posted by
    on 7 Jun 2012 3:53 PM

    Patris_70 edited Revision 5. Comment: added en-US tag and title

  • Posted by
    on 16 Jul 2012 2:16 PM

    Kurt L Hudson edited Revision 6. Comment: Updated Group Policy Management opening instructions for Windows Server 2012

  • Posted by
    on 13 Feb 2013 2:53 PM

    Ed Price - MSFT edited Revision 8. Comment: Removed "(en-US)" from the title. Tags.

  • Posted by
    on 13 Feb 2013 3:32 PM

    Ed Price - MSFT edited Revision 9. Comment: White space issues

Page 1 of 1 (9 items)