Configure a PKI Using Microsoft Windows Server 2003

fyoudonotalreadyhaveapublickeyinfrastructure(PKI)inplacewithin yourorganizationandyouwouldliketotakeadvantageoftheSecureZIP featuresthatusedigitalcertificates,hereshowtoconfigurethetoolsfor creatingaPKIthatMicrosoftincludeswithWindowsServer2003.

Apublickeyinfrastructureisasystemtosupportissuing,using,andmanaging digitalcertificatesthatusepublickeycryptographytovalidateandsecure electronictransactions. WithaPKIinplace,SecureZIPcanusedigitalcertificatestostronglyencrypt, digitallysign,andauthenticatefiles.YoucanevenattachthefilestoMicrosoft OutlookemailmessagesdirectlyfromSecureZIP. TomakefulluseofSecureZIPscertificatebasedsecurityfeatureswith WindowsServer2003,youmustfirstdeployMicrosoftActiveDirectoryor anotherLDAPcompliantdirectoryservicetoprovideaccessiblelocationsfor storingcertificates,andyoumustinstallCertificateServices.Certificate Servicesenablesyoutosetupanenterprisecertificationauthorityfromwhich torequestcertificates.CertificateServicesalsohelpsyoumanagecertificates.
Note: To access certificates stored in Active Directory, SecureZIP requires the Directory Integration module, a separately licensed add-on to SecureZIP. SecureZIP uses certificates stored on an Active Directory server only for encrypting. SecureZIP does not use certificates in a directory to digitally sign files or to authenticate digital signatures.

ThisbriefguidedescribeshowtoinstallActiveDirectoryandCertificate ServicesonWindowsServer2003,EnterpriseEdition,andhowtouse CertificateServicestosetupyourowncertificationauthority(CA).Onceyou havetheCAsetup,youcanbeginmakingcertificaterequests. ThisguideassumesthatyouhavetheIISWebserverinstalled.Youmusthave IISinstalledtousetheWebenrollmentfeaturesofMicrosoftCertificate Services.

PKWARE, the PKWARE Logo, and PKZIP are registered trademarks of PKWARE, Inc. SecureZIP is a trademark of PKWARE, Inc. Trademarks of other companies mentioned appear for identification purposes only and are the property of the respective companies. 1.7/12/05

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

FormorecomprehensiveinformationaboutActiveDirectoryandCertificate Services,seethetopleveltopicsActiveDirectoryandSecurityonthe MicrosoftWindowsServer2003TechCenterWebsite: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/S erverHelp/2e0186ba1a0942b581c83ecca4ddde5e.mspx

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

Contents
Configure a PKI Using Microsoft Windows Server 2003.................................... 1 Install Microsoft Active Directory ............................................................................... 4 Install Certificate Services as an Enterprise Root Certification Authority.................. 9 Request and Install User Certificates...................................................................... 14 Use the Web Enrollment Form ................................................................................ 14 Use the Certificate Management Console............................................................... 17 Configure SecureZIP for Windows To Access Your Certificates ......................... 21 Point SecureZIP to Active Directory Certificate Stores ........................................... 21 Specify Default Certificates in SecureZIP ............................................................... 23 Turn On Encryption and/or Signing in SecureZIP ................................................... 24

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

Install Microsoft Active Directory

ThefollowingstepsdescribehowtoinstallActiveDirectoryonWindows Server2003,EnterpriseEdition.ActiveDirectoryprovidesaplacetokeepthe publickeyportionofacertificatewhereitcanbeaccessedforasymmetric encryption.Yourpersonalcertificate(s)withtheirprivatekeysareinstalledon yourownmachine. ThestepsbelowdescribehowtoinstallActiveDirectoryinanewdomain. 1. LogintotheWindows2003serverthatyouwanttomakethedomain controllerforanewdomain. 2. OpentheActiveDirectoryInstallationwizard:FromtheStartmenu, selectRun.Type:dcpromo.ClickOK.

3. SelecttheoptionDomaincontrollerforanewdomain,asshownabove, andchooseNext.

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

Adialogopensinwhichtoselectatypeofdomain.

4. SelectDomaininanewforest,asshownabove,andchooseNext.This opensadialoginwhichtospecifyanameforthenewdomain.

5. Enteranameforthedomain.Microsoftrecommendsusing.localor .domforinternaldomains,butyoumayuseanydomainnameyou like.ChooseNext.

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

AdialogopensinwhichtospecifyaNetBIOSnameforthedomain.

6. AccepttheproposedNetBIOSnameorenteradifferentoneand chooseNext. AdialogopensinwhichtospecifyfolderlocationsfortheActive Directorydatabaseandlogfiles.

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

7. SelectlocationsfortheActiveDirectorydatabaseandlogfile.Choose Nexttoopenadialoginwhichtospecifyafoldertobesharedasthe systemvolume.

8. SpecifyalocationforthesharedsystemvolumeandchooseNext. ThefollowingdialogappearsifDNSisnotalreadyinstalledonthe localcomputer.

ToinstallDNS,selectInstallandconfiguretheDNSserver,asshownin thescreenshotabove,andchooseNext.

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

Adialogopensinwhichtospecifythetypeofpermissionsyouwant ActiveDirectorytouse.

9. SelectwhethertoinstallActiveDirectorytousepermissions compatiblewithpreWindows2000operatingsystems(mixedmode) orpermissionscompatibleonlywithWindows2000orWindows Server2003operatingsystems(nativemode). MixedmodesupportspreWindows2000domaincontrollers;native modedoesnot.Nativemodeispreferableifyoudonotneedto supportprogramsrunningonpreWindows2000operatingsystems. ChooseNexttodisplayasummaryofyoursettings.

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

10.ChooseNexttoinstallActiveDirectory. AfterActiveDirectoryisinstalled,youarepromptedtoreboot.Youcanthen logintothedomain.Atthispoint,youcanconfigureworkstationstojoinand logintothedomain.

For clients to find the new domain, you must update any lookup zones on your internal DNS servers to point to the new domain controller. Alternatively, you may point clients to the new domain controller for DNS. If clients require Internet name resolution, you will need to configure this on the forwarders tab on the new domain controllers internal DNS server.

FormoreinformationaboutworkingwithaDNSserver,seethetopic,DNS serverrole:ConfiguringaDNSserver,ontheMicrosoftWindowsServer 2003TechCenterWebsite: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/S erverHelp/4e1c7b1716ab4e7da33315befb15c82e.mspx

Install Certificate Services as an Enterprise Root Certification Authority

ThefollowingstepsdescribehowtoinstallCertificateServicesonWindows Server2003,EnterpriseEdition,andhowtosetupanenterpriseroot certificationauthority.CertificateServicesenablesyoutorequestandmanage certificates. ThesestepsassumethatActiveDirectoryisalreadydeployed. 1. Logintoadomaincontrollerormemberserverwithanaccountthatis amemberofboththeEnterpriseAdminsgroupandtheDomain Adminsgroup.
Note: If your organization has, or has ever had, any Windows 2000 Certificate Authorities, you must install the new Windows 2003 certificate templates before proceeding. See Install new templates and upgrade existing templates on the Microsoft Windows Server 2003 TechCenter Web site: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library /ServerHelp/9944aee5-cd81-4f4a-8e4c-109e913a0d79.mspx

2. OpentheAdd/RemoveProgramsapplicationintheControlPanel.

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

3. SelectAdd/Remove Windows Components. 4. IntheWindowsComponentswizard,highlightCertificateServicesand chooseDetails.SelectboththeCertificateServicesCAandWeb EnrollmentSupport.ChooseOK.

Adialogappearswithanotecautioningthatthelocalmachinename anddomainmembershipwillbeboundtotheCAinformation.

10

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

5. ChooseYes.Adialogopensinwhichtoselectthetypeofcertification authoritytosetup.

6. SelectEnterpriseRootCA. InstallinganenterpriserootCAallowsallcomputersthataremembers ofthetargetdomaintoautomaticallytrusttheCA. IfyouknowhowtoconfigureaCA,youcanalternativelyselecta standalonerootorsubordinateCA.SecureZIPworkswitheitherof theseaswell.

11

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

ChooseNexttoopenadialoginwhichtodefinetheCA.

7. SpecifyanameandvalidityperiodfortheCA.ChooseNext. Adialogopensinwhichtoenterlocationsforthecertificatedatabase andlog.

8. Specifythelocationsforthecertificatedatabase,databaselog,andthe sharedfolder(defaultsareacceptable).Choose:Next. IfIISisrunning,apromptinformsthatitneedstoberestarted.Choose OK.

12

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

Setupnowcompletes.YoumayberequiredtoinsertyourWindows 2003Serverinstallationmediaortopointtheinstallertoa.cabfileon thenetwork.

13

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

Request and Install User Certificates

NowthatCertificateServicesisinstalledandreadytouse,userscanrequest certificatesfromtheenterprisecertificationauthority(CA)setupinthe precedingsteps. Userscanrequestcertificatesintwoways: UsingtheCAsWebenrollmentform UsingtheCertificateManagementconsole

Bothmethodsinstalltherequestedcertificatesprivatekeyintotheloggedin userspersonalstore.IftheCAhasbeenconfiguredasanenterpriseCA,the CAautomaticallypublisheskeysintoActiveDirectory. Bothmethodsinstalltherequestedcertificatewithitsprivatekeyonthelocal WindowscomputerandpublishthecertificatespublickeytoActive Directory.

Use the Web Enrollment Form

UserscanenrollforpersonalcertificatesthroughtheCertificateServicesWeb enrollmentformlocatedattheURL: http://servername/CertSrv whereservernameisthenameoftheWebserverrunningWindowsServer 2003wheretheCAyouwanttoaccessislocated. Thefollowingstepsshowastraightforwardwaytorequestausercertificate throughWebenrollment.Astheaccompanyingscreensindicate,theprocess canbecustomizedinvariousways. FordetailedinstructionsonrequestingcertificatesovertheWeb,seethetopic, SubmitausercertificaterequestviatheWebtoaWindowsServer2003CA, ontheMicrosoftWindowsServer2003TechCenterWebsite,here: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/S erverHelp/b105bc5ddb4a457090f1873819d3a5cf.mspx

14

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

TheTechCenterWebsitealsocontainsawealthofinformationon administeringaCAandonmanagingcertificates. TouseWebenrollmenttorequestausercertificate: 1. InyourInternetExplorerbrowser,navigatetotheURLoftheWeb formfortheCAfromwhichyouwanttorequestausercertificate.For example,foraCAlocatedonWebserverabc-corp-ca,navigateto: http://abc-corp-ca/certsrv/

2. OntheWelcomescreenshownabove,choosethelink,Requesta certificate,toopenthepageshownbelow.

15

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

3. Choosethelink,UserCertificate,toopenthepageshownbelow.

4. ChoosetheSubmitbuttontosubmityourrequest.Thefollowing messagedisplays.

5. ChooseYestocompleteyourrequest.Thefollowingconfirmation screendisplays.

16

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

6. ChooseInstallthiscertificatetoinstallthecertificatewithitsprivatekey onthelocalmachineandtopublishthepublickeytoActiveDirectory whereitcanbeaccessedbyotherusers.

Use the Certificate Management Console

AsanalternativetorequestingacertificatethroughaCAsWebenrollment form,asdescribedabove,userscanusetheCertificateManagementconsoleto requestacertificatefromanenterpriserootCA.TheCertificateManagement consoleisaMicrosoftManagementConsole(MMC)snapinthatisincluded withNT5.0andlaterversionsofWindows.ItusesLDAPtoqueryPKI informationfromalocaldomaincontroller. 1. OpentheCertificateManagementconsole(certmgr):FromtheStart menu,chooseRun.Entercertmgr.msc,asshownbelow,and chooseOK.

17

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

2. RuntheCertificateRequestwizard:Inthecertmgrconsole,expandthe Personalfolderintheconsoletree(lefthandpane).Rightclickthe Certificatesfoldertoopenthecontextmenu.ChooseAll Tasks| Request New Certificate,asshownbelow.

3. IntheCertificateRequestwizard,selectthetypeofcertificateyou wanttorequest:SelectUser,asshownbelow,andchooseNext.

18

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

4. Asshownbelow,enterafriendlynameanddescriptionthatwillhelp youidentifythecertificate.ChooseNext.

5. Inthefinalwizardscreen,reviewyoursettings.Iftheyareokay, chooseFinishtocompletethewizard.

19

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

6. CheckintheCertificateManagementconsoletoconfirmthatyour certificatehasbeenissuedandinstalledinyourpersonalcertificate store.

20

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

Configure SecureZIP for Windows To Access Your Certificates

ToconfigureSecureZIPforWindowstousecertificatesfor encryption/decryptionandforworkingwithdigitalsignatures,youmustdo thesethingsinSecureZIP: AddtheActiveDirectorycertificatestore(s)tothelistofstoresthat SecureZIPchecksforcertificates Haveeachuserdesignateadefaultcertificatetousewhenhedoes certificatebasedencryption TurnonencryptionorsigninginSecureZIPtohaveSecureZIPencrypt orsignfiles

Point SecureZIP to Active Directory Certificate Stores

ForSecureZIPforWindowstoaccessyourActiveDirectorycertificatesto encryptforthecertificatesowners,youmusttellSecureZIPwherethe certificatesare. Todothis,openSecureZIPanddothefollowing: 1. IntheToolsmenu,selectOptionstoopentheSecureZIPOptions dialog. 2. SelecttheSecuritycategory. 3. SelecttheCertificateStorestabtoseealistofcertificatestores SecureZIPcansearch.. TheCertificateStoreslistcontainsanitemforeverycertificatestore SecureZIPknowsabout.AstoreislabeledeitherLocalorLDAPinthe Typecolumn,dependingonwhetherthestoreisonyourlocalsystem oronanLDAPcompliantdirectoryserversuchasActiveDirectory. LDAPisaprotocolusedbyActiveDirectoryandotherdirectory servers.

21

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

4. ChoosetheAddbuttontoopenanewLDAPPropertiespage.

5. IntheLDAPPropertiesdialog,fillinthefieldswiththeinformation SecureZIPneedstoaccessthedirectory.Whendone,chooseOKto returntotheCertificateStorestab. ThefieldsintheLDAPPropertiesdialogaredescribedinthefollowing table.ThefieldsmarkedOptionalmaybeleftblankunlesstheyare requiredtoaccesstheserver.OnlytheNameandBasefieldsare required.

22

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

Field Name Server Port Base

Description A label to identify the server in the Certificate Stores list. For example: Gamma (Optional) The TCP/IP address of the LDAP server or a name that resolves to such an address. For example: 192.172.0.1 (Optional) The TCP/IP port to use. Port 389 is customary and is entered as the default. The name of the entry that SecureZIP should use as the base or root of the LDAP search for certificates, analogous to a root folder or directory in a file system. For example: cn=users,dc=xyz,dc=com The query string format for the LDAP base can vary between LDAP implementations. For example, a server may expect query strings in the Internet domain-style format used by default by Microsoft Active Directory (for example, cn=users,dc=xyz,dc=com), or it may expect them in X.500 naming format (for example, o=xyz,c=US). Check with your LDAP or network administrator for the query string to use.

User Password

(Optional) The user account with which to log in if the LDAP server requires a login (Optional) The password associated with the user account

6. OntheCertificatesStorestab,chooseOKorApplytosavethenew certificatestoreforSecureZIPtouse.

Specify Default Certificates in SecureZIP

Usersmayhaveoneormorepersonalcertificatesthattheyusetosignfilesor toensurethattheycandecryptfilesthattheyencryptforothers.Ifauserhas onlyonecertificate,SecureZIPautomaticallyusesthatcertificate.Ifauserhas morethanone,theusercantellSecureZIPwhichcertificatetousebydefault. Tospecifyadefaultcertificatetousewhenencryptingforyourself: 1. InSecureZIP,intheToolsmenu,selectOptionstoopenthe SecureZIPOptionsdialog. 2. SelecttheSecuritycategory. 3. SelecttheEncryptiontab.

23

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

4. IntheMethoddropdown,selectoneofthetwoRecipientlistoptionsto enablethelistofpersonalcertificates. Inthelist,avalidcertificatedisplayswithagreencheckmark;an invalidcertificateshowsaredX. 5. Selectacertificatetousebydefault. Ifyouhaveonlyone,itisusedautomatically. Tospecifyadefaultcertificatetousewhensigning: 1. InSecureZIP,intheToolsmenu,selectOptionstoopenthe SecureZIPOptionsdialog. 2. SelecttheSecuritycategory. 3. SelecttheAuthenticationtab. 4. Selectacertificatetousebydefaultfromthelistofyourpersonal certificates. Ifyouhaveonlyonecertificate,itisusedautomatically.Avalid certificatedisplayswithagreencheckmark;aninvalidcertificate showsaredX.

Turn On Encryption and/or Signing in SecureZIP

TousecertificatestoencryptorsignfilesinSecureZIP,thosefunctionsmust beturnedon.SecureZIPthenroutinelyencryptsand/orsignsfilesuntilyou turnthefunctionsoff. Bydefault,encryptionisturnedonandsigningisturnedoff. Toturnoncertificatebasedencryption: 1. OntheEncryptiontabofSecurityOptions,intheMethoddropdown list,selectoneofthefollowing: o o Strong:RecipientList Strong:RecipientListorPassword

2. ChecktheboxEncryptfiles. SeetheSecureZIPhelpforother,moredirectwaystoturnonencryption.

24

HOW TO CONFIGURE A PKI USING MICROSOFT WINDOWS SERVER 2003

Toturnonsigning,chooseSign Files on/offfromtheActionsmenu.Again, thereareother,moredirectways. SecureZIPisnowsetuptodocertificatebasedencryptionandapplydigital signatures.

25