1 Certificates
1.1 Background
This blog posting covers certificates. The purpose of this post is for those who would like to better understand certificates, their structure, and their contents. This blog post also covers basic management of certificates.
1.2 What is a certificate?
A certificate is a digital document that binds an identity to a public key. The identity contained in a certificate can be associated with any number of things including computers, users, and services such as a web site. Certificates also contain additional information that makes the certificate more useful in many respects.
1.3 Keys
Public Key cryptography makes use of two related keys. There is a public key and a private key. Any data that is encrypted with the public key can be decrypted the private key. Also, any data that encrypted with the private key can be decrypted with the public key. The public key is distributed via certificates and the private key is protected on a computer or on a cryptographic device such as a smart card.
1.4 Validity Periods
Certificates also have a period of time for which they are valid. In other words, a certificate is valid for a certain period of time. This built in expiration mechanism helps increase the security of certificates. This is due to the fact that if a certificate is compromised and that compromise is not detected it will eventually expire and become invalid.
1.5 Digital Signature
A certificate is digitally signed by the CA that issued the certificate. This signature can be validated to verify that the certificate was in fact
1.6 Viewing Certificates in the Windows GUI
There is some basic information you can get from a certificate by viewing it in the Windows UI. However, for most troubleshooting you will want to look at the certificate fields which will be discussed in the next section.
1.6.1 General Tab
In the General Tab you can look at a description of the purposes of the certificate. You can also get the identity of the subject and the issuer. You can view the validity period of the certificate. If there is a private key associated with the certificate available in the certificate store you will see that as well.
1.6.2 Details Tab
In the Details Tab you will see all of the fields listed in the certificate as well as some additional information supplied by the Operating System. We will discuss these fields in the next section. You can also use the Copy to File… button to export a certificate.
1.6.3 Certification Path Tab
The Certification Path Tab shows the chain of the certificate, starting at the current certificate and going up as far as the Root CA. There is also a Certificate status section that can be used for identifying issues with the certificate in terms of trust or validation.
1.7 Certificate Fields
To better understand certificates including how they are used and validated we need to understand the various fields that are contained in a certificate.
Certificates contain two types of fields Version 1 Fields and Extensions.
1.7.1 Version 1 Fields
Version 1 fields are those that were specified in the original specification for X.509 certificates defined in RFC 1422.
1.7.1.1 Version
This field indicates the X.509 version that is being used. The current version of the X.509 standard is Version 3.
1.7.1.2 Serial Number
Serial Number is a unique identifier for each certificate. The Serial Number should be unique at least on a per CA basis. In other words, a Certification Authority should not issue more than one certificate with the same Serial Number.
1.7.1.3 Signature Algorithm
This field contains the name of the Public Key Algorithm and Hashing Algorithm that were used to sign the certificate.
1.7.1.4 Issuer
This field indicates the name of the CA that issued the certificate
1.7.1.5 Valid From (Validity Period)
This field indicates at what date and time the certificate becomes valid.
1.7.1.6 Valid To (Validity Period)
This field indicates at what date and time the certificate expires
1.7.1.7 Subject
This field contains the identity that is bound to the public key of the certificate. The identity is bound to that public key duet to the fact that the certificate contains both the public key as well as the identity are contained within a certificate that is signed by a trusted certification authority.
1.7.1.8 Public key
This field contains the public key that is bound to the certificate.
1.7.2 Extensions
After the publication of RFC 1422 the idea of extensions in certificates were introduced in a later RFC. Extensions are optional fields that can be included in a certificate. However, generally the extensions included in RFC 5280 should be understood by PKI enabled applications.
1.7.2.1 Subject Key Identifier
This field contains a hash of the public key in the certificate, this information is one way to identify the certificate.
1.7.2.2 Authority Key Identifier
This field contains a hash of the public key that is contained in the CA certificate, this is one way to identify the certificate of the CA that issued the current certificate.
1.7.2.3 CRL Distribution Points
This field indicates where Certificate Revocation Lists can be downloaded from to determine if the certificate has been revoked.
1.7.2.4 Authority Information Access
This field indicates where the certificate of the CA that issued the certificate can be downloaded. This field will also indicate where the OSCP service can be accessed, if one is available in the environment.
1.7.2.5 Key Usage
This field indicates what purposes the keys in the certificate can be used for and these purposes include Digital Signature, Key Encryption, Key Agreement, Certificate Signing, CRL Signing, Key Agreement Enciphering, Key Agreement Deciphering.
1.7.2.6 Certificate Template Information
This is a Microsoft specific extension which means it is note one included in the RFC 5280, as such it would only be expected to be understood by Microsoft applications. This field contains the name and OID of the Certificate Template.
1.7.2.7 Certificate Template Name
This is a Microsoft specific extension which means it is note one included in the RFC 5280, as such it would only be expected to be understood by Microsoft applications. This field contains the name of the Certificate Template.
1.7.2.8 Enhanced Key Usage
This extension specifies for what purposes the public key may be used.
1.7.2.9 Application Policies
This extension specifies for what applications the certificate can be used.
1.7.2.10 Subject Alternative Name
The Subject Alternative Name or SAN is an optional field that contains the identity or identities that are bound to the certificate. The SAN extension is typically used when the certificate will contain more than one identity. To elaborate further identity information can be stored in either the subject field, the Subject Alternative Name extension or both. Some services such as SSL with ignore the subject field if the Subject Alternative Name extension is populated.
1.7.2.11 Basic Constraints
Typically, this extension is only included in CA certificate and identifies the certificate as a CA certificate.
1.8 View the Certificate via Command Line
You can also view the raw certificate via the command line if the certificate is saved as a flat file on the file system.
To view the certificate in the console run: Certutil <Certificate File Name>
It is often more desirable to output the text to a file.
Below is an example of the output of the certificate file dumped to a text document.
1.9 Certificate Storage
In Windows certificates can be stored in a number of places, so let’s discuss the various locations where certificates are stored and the benefits of storing certificates in these locations.
1.9.1 Active Directory Certificate Services Database
Certification Authorities by default store a copy of every issued certificate in its database. Storing certificates in the CA Database enables the following capabilities:
- Retrieval- Having a copy of each certificate provides a central repository from where certificates can be retrieved by enrollees or a certificate manager.
- Recovery- Certificates can be recovered for a user or computer since a copy of the certificate is stored in the CA Database. Additionally, if Key Archival is enabled the private key can be recovered for encryption certificates.
- Forensics and Analysis: The database can be searched to determine what certificates have been issued and provide useful information such as when a certificate expires.
- Revocation: If a certificate has been compromised or is no longer trusted that certificate can easily be located in the CA database and revoked.
1.9.2 Active Directory
Certificates can be stored on the userCertificate attribute of a user or computer that enrolls for a certificate. Publishing certificates to a computer or user object is typically not necessary for most applications. However, some applications such as EFS or Email Encryption can query Active Directory for the certificate of the user that the document or email for which it is being encrypted.
As previously mentioned the certificate is published to the userCertificate during enrollment. The certificate is published by the Certification Authority. The Cert Publishers security group is the group that has permission to write to the userCertificate attribute. In order for the CA to be able to publish a certificate to the userCertificate attribute it must be a member of the Cert Publishers group in the corresponding Active Directory domain.
Additionally, the certificate template must be configured to Publish certificate in Active Directory as seen in the screenshot below:
1.9.2.1 Viewing the userCertificate Attribute
There are several ways to view certificates that are stored in the userCertificate attribute.
1.9.2.1.1 Certmgr.msc
If a user opens Certmgr.msc they can view what certificates are stored on their user object by navigating to the Active Directory User Object node.
1.9.2.1.2 Active Directory Users and Computers
To view the userCertificate attribute in Active Directory Users and Computers navigate to the user or computer whose userCertificate attribute you wish to view. Open the properties for the user or computer account and navigate to the Published Certificates tab. If the Published Certificates tab is not available, you need to enable Advanced Features in the Active Directory Users and Computers View menu.
1.9.2.1.3 ADSIEDIT
To view the userCertificate attribute connect to the Domain Partition (Default Naming Context). Go to properties on the corresponding object and navigate to the userCertificate attribute.
1.9.3 Local Storage of Certificates and Private Keys
For certificates that are stored on the local machine for the computer or user these certificates are stored on the local file system or registry. The only exception to this is if you are storing certificates and/or keys on a cryptographic device such as a TPM or Smart Card.
The following tables illustrate where certificates are stored on the local computer.
The following table shows where Computer certificates are stored on the computer.
| Store | Storage Location |
| Root | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates |
| My | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates |
| Request | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Request\Certificates |
| TrustedPublisher | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates |
| TrustedPeople | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| Disallowed | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates |
| CA | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates |
| ACRA | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ACRS\CTLs |
http://msdn.microsoft.com/en-us/library/windows/desktop/bb204781(v=vs.85).aspx
The following table shows where User certificates are stored on the computer.
| Store | Storage Location |
| Root | HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates |
| My | file:\\%APPDATA%\Microsoft\SystemCertificates\My\Certificates |
| Request | file:\\%APPDATA%\Microsoft\SystemCertificates\Request\Certificates |
| TrustedPublisher | HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates |
| TrustedPeople | HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| Disallowed | HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates |
| CA | HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates |
http://msdn.microsoft.com/en-us/library/windows/desktop/bb204781(v=vs.85).aspx
The following table shows where CNG Private Keys are stored.
| Key type | Directory |
| User Private | %APPDATA%\Microsoft\Crypto\Keys |
| Local system private | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\SystemKeys |
| Local service private | %WINDIR%\ServiceProfiles\LocalService |
| Network service private | %WINDIR%\ServiceProfiles\NetworkService |
| Shared private | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys |
http://msdn.microsoft.com/en-us/library/bb204778%28VS.85%29.aspx
1.9.3.1 Protection of Private Keys that are stored locally
Private keys are protected by the Data Protection Application Programming Interface (DPAPI). DPAPI protects the private keys with encryption and that encryption is accessed with a key that is a derivation of the user or computer’s password.
1.9.4 Smart Card
Certificates can also be stored on a cryptographic device called a Smart Card. Smart cards are typically credit card size and require a smart card reader. However, there are also USB smart cards that have an integrated smart card reader. Regardless, these devices have an integrated circuit and cryptographic functions are performed on that hardware. Certificates and private keys are stored on the smart card. To use the keys on that smart card a user must have knowledge of the PIN associated with that smart card and must enter the PIN when using the smart card. The key advantage is that the private keys are protected by hardware. A secondary advantage is the smart card provides a mechanism to roam the user’s certificates and keys. This is due to the fact that the certificates and keys can be used on any system where the user inserts their smart card.
1.9.5 Virtual Smart Card / Trusted Platform Module
Starting in Windows 8.0 the capability to store certificates on the Trusted Platform Module chip was introduced. A Virtual Smart Card is created on the TPM and the certificate is stored on the Virtual Smart Card which is protected by the TPM. The Virtual Smart Card offers some of the advantages of physical smart card in the sense that the private keys are protected by hardware and cryptographic functions that require use of the private key occur on the TPM. However, since the TPM is physically part of the computer certificates do not roam with the user as they do in the case of physical smart cards. However, in some cases that is a practical advantage since physical smart cards can be lost or forgotten by the user.
1.9.6 Hardware Security Modules
A Hardware Security Module (HSM) is a dedicated cryptographic security device for protecting keys. In PKI we use an HSM to protect the private keys that are linked to a certificate and that are part of a public/private key pair. HSMs are commonly used to protect the Private Keys of Private Keys are isolated to prevent tampering or exportation of the Private Keys. Cryptographic functions that require use of the private key occur in the HSM. HSMs typically use K of N security to prevent a single individual from having control of the HSM. K of N security means that a certain number of credentials have to presented in order to make changes to the HSM. For example, if 5 credentials are provisioned for administrative actions on HSM, you can configure the HSM so that at least 3 of those 5 credentials must be presented to the HSM for administrative actions to be performed. There are several types of HSMs currently used. There are USB HSMs that are typically used for an Offline CA or for Code Signing. There are PCI Express HSMs that can be used with a Physical CA. However, the most commonly type used of HSM that I have seen in use are Network HSMs. Network HSMs are connected to via Ethernet.
1.10 Certificate Administration
There are a number of tools that are used for certificate administration. The most common tool that you may end up using for certificate administration is the Certificates MMC. The Certificates MMC itself can be targeted at the certificate store of a user, a computer, or a service account. However, you will most commonly use the Certificates MMC for administration of user or computer certificates, and hence we will focus on administration of user and computer certificates.
1.10.1 Certmgr.msc
Certmgr.msc is the certificates MMC for managing user certificates. Using this MMC you can perform the following actions for the user:
- View Certificates
- Import Certificates
- Export Certificates
- Enroll for Certificates
- View Requests
- Generate Certificate Request
- Process Approved Certificate Requests
Below is a screenshot of the Certmgr.msc:
The table below describes the purpose of each container in Certmgr.msc.
| Folder Name | Contents |
| Personal | Certificates associated with private keys to which you have access. These are the certificates that have been issued to you, or to the computer or service for which you are managing certificates. |
| Trusted Root Certification Authorities | Implicitly trusted certification authorities. Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your organization and Microsoft. |
| Enterprise Trust | A container for certificate trust lists. A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted. |
| Intermediate Certification Authorities | Certificates issued to subordinate certification authorities. |
| Active Directory User Object | Certificates associated with your user object and published in Active Directory. |
| Trusted Publishers | Certificates from certification authorities that are trusted by Software Restriction policies. |
| Untrusted Certificates | An untrusted certificate is a certificate that a certification authority has revoked, or a certificate that for other reasons has been placed in the Untrusted Certificates folder on your computer. |
| Third-Party Root Certification Authorities | Trusted root certificates from certification authorities other than Microsoft and your organization. |
| Trusted People | Certificates issued to people or end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook. |
| Client Authentication Issuers | A list of issuers whose certificates are trusted for TLS/SSL Client Authentication. |
| Certificate Enrollment Requests | Pending or rejected certificate requests. |
| Smart Card Trusted Roots | On smart card insertion, the Certificate Propagation service propagates any root certificates on the card to the Smart Card Trusted Roots certificate stores on the local computer. This process establishes a trust relationship with the organization. |
1.10.2 Certlm.msc
Certlm.msc is the Certificate MMC for managing certificates for the local computer. Prior to Windows 8.1 the shortcut (certlm.msc) was not available for launching the Certificate MMC targeted to the local computer. So, for pre-Win8 or pre-Windows Server 2012 machines the following steps can be used to launch the Certificates MMC targeted for the local computer.
Steps for Opening Certificates MMC Targeted for Local Computer
Step 1: Click the Start key and then the R key
Step 2: Type mmc.exe and click OK
Step 3: In the new console select the File menu and from the File menu select Add/Remove Snap-in…
Step 4: Select Certificates and then click the Add button
Step 5: Select Computer account and then click Next
Step 6: Select Local computer: (the computer this console is running on), and the click Finish
Step 7: Click OK
The Certificates MMC targeted for the Local Computer will now be Open
1.10.2.1 Certlm.msc Uses
The following tasks for the local computer can be performed using certlm.msc:
- View Certificates
- Import Certificates
- Export Certificates
- Enroll for Certificates
- Generate Certificate Request
Below is a screenshot of the Certmgr.msc:
The table below describes the purpose of each container in Certlm.msc.
| Folder Name | Contents |
| Personal | Certificates associated with private keys to which you have access. These are the certificates that have been issued to you, or to the computer or service for which you are managing certificates. |
| Trusted Root Certification Authorities | Implicitly trusted certification authorities. Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your organization and Microsoft. |
| Enterprise Trust | A container for certificate trust lists. A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted. |
| Intermediate Certification Authorities | Certificates issued to subordinate certification authorities. |
| Trusted Publishers | Certificates from certification authorities that are trusted by Software Restriction policies. |
| Untrusted Certificates | An untrusted certificate is a certificate that a certification authority has revoked, or a certificate that for other reasons has been placed in the Untrusted Certificates folder on your computer. |
| Third-Party Root Certification Authorities | Trusted root certificates from certification authorities other than Microsoft and your organization. |
| Trusted People | Certificates issued to people or end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook. |
| Client Authentication Issuers | A list of issuers whose certificates are trusted for TLS/SSL Client Authentication. |
| Remote Desktop | Certificates that are used to provide SSL security for RDP connections. |
| Smart Card Trusted Roots | On smart card insertion, the Certificate Propagation service propagates any root certificates on the card to the Smart Card Trusted Roots certificate stores on the local computer. This process establishes a trust relationship with the organization. |
| Web Hosting | Highly scalable certificate store for SSL certificates that can support thousands of certificates to support increased secure site density. |
The following video provides additional information on certificates:
-Chris
xdot509.blog 