
Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"
Microsoft Corporation

Published (for Beta 2): May 2006

Updated: August 2006

Updated for Beta 3: May 2007

Abstract
Certificate settings in Group Policy in the Windows Server Code Name "Longhorn" Beta 3
operating system allow you to manage the settings for certificate path discovery and
validation using Group Policy objects. This guide includes system requirements,
installation instructions, and step-by-step instructions for enforcing trust management
decisions and managing certificate settings according to your organization's security
requirements.
This is a preliminary document and may be changed substantially prior to final
commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN
THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, SharePoint, Windows, Windows NT, and Windows
Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.

All other trademarks are property of their respective owners.


Contents
Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"
What is Certificate Settings in Group Policy?
What's new in certificate settings in Group Policy?
Who should use certificate settings in Group Policy?
Benefits of certificate settings in Group Policy
In This Guide
Scenario 1: Managing Trusted Root Certificates
Before you start
Scenario 2: Managing Trusted Publishers
Before you start
Scenario 3: Deploying Intermediate CA Certificates
Before you start
Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
Before you start
Scenario 5: Handling Large Certificate Revocation Lists
Before you start
Scenario 6: Extending Expiration Times for CRLs and OCSP Responses
Before you start
Additional Resources

Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"
This step-by-step guide provides the instructions that you need to set up certificate
settings in Group Policy in a test lab environment. We recommend that you do not use
this guide in a production environment. Step-by-step guides are not necessarily meant to
be used to deploy Windows Server Code Name "Longhorn" operating system features
without additional documentation (as listed in the Additional Resources section) and
should be used with discretion as a stand-alone document.

What is Certificate Settings in Group Policy?

As X.509 public key infrastructures become more prominent in applications and a
foundation of trust management, many organizations need more options to manage
certificate path discovery and path validation settings. Previous versions of Windows
operating systems did not provide Group Policy settings for customizing these aspects of
certificate validation. Certificate settings in Group Policy provide this ability in the
Windows Server Code Name "Longhorn" Beta 3 operating system and let you manage
certificate validation settings according to the security needs of your organization.

You can use certificate settings in Group Policy to control certificate validation and path
discovery settings for your environment. These settings include ways to manage
certificates used by client computers in the domain, revocation policies, and network
retrieval settings.

What's new in certificate settings in Group Policy?


Certificate settings in Group Policy allow you to easily configure and manage certificate
validation settings. With these settings, you can effectively perform a variety of tasks,
such as:

Deploy intermediate certification authority (CA) certificates for all computers in a domain
Block certificates that are not trusted by the security policy
Manage certificates used for code signing
Configure the retrieval settings for certificates and certificate revocation lists (CRLs).

The following image is a screenshot of the Group Policy Management console.

In the Group Policy Management console, you can find the certificate settings under
Computer Configuration, Windows Settings, Security Settings, and Public Key
Policies.

The Windows Server Code Name "Longhorn" certificate settings in Group Policy now
include four new Group Policy stores:

Intermediate Certification Authorities

Trusted Publishers

Untrusted Certificates

Trusted People

The Certificate Path Validation Settings object is also new and includes options to
configure path validation settings, such as network retrieval timeouts and revocation
settings.

Who should use certificate settings in Group Policy?


This guide is intended for the following audiences:

IT planners and analysts who are evaluating the product

Security architects who are responsible for implementing Trustworthy Computing


Security administrators who run public key infrastructure (PKI) enabled applications
in their environment

Benefits of certificate settings in Group Policy


You can use the certificate settings in Group Policy to manage the certificate settings on
all the computers in the domain from a central location.

For example, when an intermediate CA certificate has expired and been renewed, and
client computers cannot retrieve the renewed certificate automatically during chain
building, you can now deploy the certificate to client computers by using Group Policy.

In addition, you can use certificate settings in Group Policy to control which
publishers are trusted for signed code and who is allowed to add trusted publishers, so
that users cannot approve code signed by an unapproved publisher on their own. You can
also configure network timeouts to better control chain building when CRLs are large, and
use revocation settings to extend CRL expiration times if a delay in publishing a new
CRL is affecting applications. This guide will help you understand the key scenarios for
these new certificate settings and how to enable them.

In This Guide
The purpose of this guide is to help administrators become familiar with the Certificate
settings in Group Policy in Windows Server Code Name "Longhorn."
Scenario 1: Managing Trusted Root Certificates
Scenario 2: Managing Trusted Publishers
Scenario 3: Deploying Intermediate CA Certificates
Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
Scenario 5: Handling Large Certificate Revocation Lists
Scenario 6: Extending Expiration Times for CRLs and OCSP Responses
Additional Resources

Scenario 1: Managing Trusted Root Certificates
In this scenario, you are responsible for managing the security environment of your
domain, and you want to manage trust centrally: users in the domain must not be able
to configure their own set of trusted root certificates or peer trust certificates. You can
enable this by using the Stores tab in Certificate Path Validation Settings.

Before you start


You should have a computer configured as domain controller and a client computer
joined to the domain
Group Policy Management Microsoft Management Console (MMC) snap-in must be
installed on the domain controller
PKI must be set up on the domain
You must be logged on as a member of the Domain Admins group

To prevent users from managing certificate trust


1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
If you are editing the Group Policy object for the local computer, under
Available snap-ins, double-click Local Group Policy Object Editor, click
Add, and then click Finish.
If you are editing the Group Policy object for the domain, under Available
snap-ins, double-click Group Policy Management Editor, click Browse
and select the Default Domain Policy Object or select the domain, then click
Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy,
Computer Configuration, Windows Settings, Security Settings and click
Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Stores tab.
6. Select Define these policy settings. The remaining options on the tab become
editable.
7. Clear the Allow user trusted root CAs to be used to validate certificates
option in the Per User Certificate Stores section.
8. Clear the Allow users to trust peer trust certificates option in the Per user
certificate stores section.
9. Select the root CAs that the client computers can trust in the Root certificate
stores section.
10. Click OK to apply the new setting. Domain policy takes effect at the next Group
Policy refresh; to apply it immediately on a client computer, run gpupdate /force there.
The following figure is a screenshot of the Stores tab on the Certificate Path Validation
Settings Properties page.

Scenario 2: Managing Trusted Publishers

In this scenario, you are responsible for managing the security environment of your
domain. The security policy of your company requires that only administrators can
add certificates used for code signing. You can reflect this requirement by using the
Trusted Publishers tab of Certificate Path Validation Settings.

Before you start


You should have a computer configured as domain controller and a client computer
joined to the domain
Group Policy Management MMC snap-in must be installed on the domain controller
PKI must be set up on the domain
You must be logged on as a member of the Domain Admins group.
This scenario includes two parts:
Configuring Trusted Publishers
Configuring who can manage certificates that are used for code signing

To configure Trusted Publishers policy


1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
If you are editing the Group Policy object for the local computer, under
Available snap-ins, double-click Local Group Policy Object Editor, click
Add, and then click Finish.
If you are editing the Group Policy object for the domain, under Available
snap-ins, double-click Group Policy Management Editor, click Browse
and select the Default Domain Policy Object or select the domain, then click
Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy,
Computer Configuration, Windows Settings, Security Settings and click
Public Key Policies. Then double-click Certificate Path Validation Settings and
select the Trusted Publishers tab.
5. Select Define these policy settings, make the changes you want, click Apply if
you wish to make additional changes, and click OK when you are done.

To allow only administrators to manage certificates used for code signing


1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
If you are editing the Group Policy object for the local computer, under
Available snap-ins, double-click Local Group Policy Object Editor,
click Add, and then click Finish.
If you are editing the Group Policy object for the domain, under
Available snap-ins, double-click Group Policy Management Editor,
click Browse and select the Default Domain Policy Object or select the
domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer
Policy, Computer Configuration, Windows Settings, Security Settings
and click Public Key Policies. Then double-click Certificate Path Validation
Settings and select the Trusted Publishers tab.
5. Select Define these policy settings. In the Adding Trusted Publishers section,
select Allow only all administrators to manage Trusted Publishers.
6. Click Apply to apply the new settings, and OK when you are done making
changes.
The following figure is a screenshot of the Trusted Publishers tab on the Certificate
Path Validation Settings Properties page.

Scenario 3: Deploying Intermediate CA Certificates
In this scenario, you are responsible for managing the security environment of your
domain. You are encountering errors in certificate chain building because the intermediate
CA certificates that client computers hold have expired and the renewed ones are not
retrieved automatically. This also breaks revocation checking for your applications,
because a CRL cannot be verified without a valid path to the certificate of its issuer. To
solve this problem, you need to deploy the new intermediate CA certificates on all
computers in the domain. You can do this from a central location by using certificate
settings in Group Policy.

Before you start


You should have a computer configured as domain controller and a client computer
joined to the domain
Group Policy Management MMC snap-in must be installed on the domain controller
PKI must be set up on the domain
You must be logged on as a member of the Domain Admins group.
This scenario includes two parts:
Managing intermediate CA certificates for the domain
Managing intermediate CA certificates for the local computer

To manage intermediate CA certificates for the domain


1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
If you are editing the Group Policy object for the domain, under Available
snap-ins, double-click Group Policy Management Editor, click Browse
and select the Default Domain Policy Object or select the domain, then click
Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy, Computer Configuration,
Windows Settings, and Security Settings and click Public Key Policies.
5. Right-click the Intermediate Certification Authorities store, click Import, and
follow the steps in the Certificate Import Wizard to add the new intermediate CA
certificates.

To manage intermediate CA certificates for the local computer


1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
Under Available snap-ins, double-click Certificates and click Add. Under This
snap-in will always manage certificates for, select Computer account, then select
Local computer, and click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. Expand the Certificates snap-in.
5. Right-click the Intermediate Certification Authorities store, point to All Tasks,
click Import, and follow the steps in the Certificate Import Wizard.
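Before deploying intermediate CA certificates you want to know which certificates on a computer actually fail to chain and which issuer is missing. The script below is an added example and is not part of this guide; it builds a chain for every certificate in a store without revocation checking and reports the issuer that could not be found. It assumes the certificates to check are in the local computer's Personal store (Cert:\LocalMachine\My); pass another store path to Test-LocalChain to check a different one.

```powershell
# Added example (not part of the Microsoft guide): before deploying intermediate
# CA certificates (Scenario 3), find which certificates on this computer cannot
# be chained to a trusted root and which issuer certificate is missing.
# Assumption: the certificates to check are in the local computer's Personal
# store; pass another store path to Test-LocalChain to check a different one.

Add-Type -AssemblyName System.Security

function Test-LocalChain {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($leaf in (Get-ChildItem $StorePath | Where-Object { -not $_.PSIsContainer })) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is the subject of Scenarios 5 and 6; here the question is
        # only whether a path to a trusted root can be built at all.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built  = $chain.Build($leaf)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $statusText = $status -join ','

        $missingIssuer = ''
        if ($statusText -match 'PartialChain' -and $chain.ChainElements.Count -gt 0) {
            # The last element reached is the certificate whose issuer could not
            # be found; that issuer is the intermediate (or root) to deploy.
            $missingIssuer = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Issuer
        }
        # Expired elements show up as NotTimeValid; count them so an expired
        # intermediate that is still present is told apart from a missing one.
        $expired = @($chain.ChainElements | Where-Object { $_.Certificate.NotAfter -lt (Get-Date) }).Count
        $chain.Reset()

        [pscustomobject]@{
            Subject         = $leaf.Subject
            Thumbprint      = $leaf.Thumbprint
            ChainBuilt      = $built
            Status          = $statusText
            MissingIssuer   = $missingIssuer
            ExpiredElements = $expired
        }
    }
}

Test-LocalChain | Format-Table -AutoSize Subject, ChainBuilt, Status, MissingIssuer, ExpiredElements
```

Rows with PartialChain and a non-empty MissingIssuer name the intermediate CA certificates to import; rows with NotTimeValid and ExpiredElements greater than zero show that the computer still holds the expired copy and needs the renewed certificate deployed alongside it.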

Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
In this scenario, you are responsible for managing the security environment of
your domain. Based on Group Policy requirements, you do not want applications
and clients to trust specific certificates. However, you cannot revoke these
certificates because they are issued by external CAs. You can disallow these
certificates by adding them to the Untrusted Certificates store: a certificate in that
store fails path validation regardless of how it chains, and if the blocked certificate
is a CA certificate, every certificate issued under it fails as well. You can now manage
the Untrusted Certificates store by using Group Policy.

Before you start


You should have a computer configured as domain controller and a client computer
joined to the domain
Group Policy Management MMC snap-in must be installed on the domain controller
PKI must be set up on the domain
You must be logged on as a member of the Domain Admins group.
This scenario includes two parts:
Blocking certificates for the domain
Blocking certificates for the local computer

To block certificates for the domain


1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
If you are editing the Group Policy object for the domain, under Available
snap-ins, double-click Group Policy Management Editor, click Browse
and select the Default Domain Policy Object or select the domain, then click
Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy, Computer Configuration,
Windows Settings, and Security Settings and click Public Key Policies.
5. Right-click the Untrusted Certificates store, click Import, and follow the steps in
the Certificate Import Wizard.

To block certificates for the local computer


1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
Under Available snap-ins, double-click Certificates and click Add. Under This
snap-in will always manage certificates for, select Computer account, then select
Local computer, and click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. Expand the Certificates snap-in.
5. Right-click the Untrusted Certificates store, point to All Tasks, click Import, and
follow the steps in the Certificate Import Wizard.
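To see what placing a certificate in the Untrusted Certificates store does to path validation, the following added example (not part of this guide) creates a throwaway self-signed certificate, builds its chain, places it in the current user's Untrusted Certificates store (the store the Certificates snap-in labels Untrusted Certificates and .NET calls Disallowed), builds the chain again, and then removes the certificate from both stores. It assumes Windows PowerShell on Windows 10 or Windows Server 2016 or later, where New-SelfSignedCertificate can write to Cert:\CurrentUser\My; the CurrentUser store is used so that no elevation is needed, and the self-signed certificate stands in for an externally issued certificate you cannot revoke.

```powershell
# Added example (not part of the Microsoft guide): show the effect of the
# Untrusted Certificates (Disallowed) store on chain building (Scenario 4).
# Assumptions: New-SelfSignedCertificate supports Cert:\CurrentUser\My
# (Windows 10 / Server 2016 or later); the constructed test certificate is
# removed again at the end.

Add-Type -AssemblyName System.Security
$ns = 'System.Security.Cryptography.X509Certificates'

function Get-ChainStatusNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $chain = New-Object -TypeName "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not the point here
    [void]$chain.Build($Cert)
    $names = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $chain.Reset()
    if ($names.Count -eq 0) { 'NoError' } else { $names -join ',' }
}

function Set-DisallowedMembership([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [bool]$Blocked) {
    # 'Disallowed' is the Untrusted Certificates store of the Certificates snap-in.
    $store = New-Object -TypeName "$ns.X509Store" -ArgumentList 'Disallowed', 'CurrentUser'
    $store.Open('ReadWrite')
    if ($Blocked) { $store.Add($Cert) } else { $store.Remove($Cert) }
    $store.Close()
}

# Constructed test subject: a self-signed certificate stands in for the
# externally issued certificate that cannot be revoked.
$cert = New-SelfSignedCertificate -DnsName 'blocked-test.example' -CertStoreLocation 'Cert:\CurrentUser\My'
try {
    "Before blocking : $(Get-ChainStatusNames $cert)"   # UntrustedRoot: self-signed, not in Root
    Set-DisallowedMembership $cert $true
    "After blocking  : $(Get-ChainStatusNames $cert)"   # ExplicitDistrust now appears as well
}
finally {
    # Clean up so the test certificate lingers in neither store.
    Set-DisallowedMembership $cert $false
    Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint) -ErrorAction SilentlyContinue
}
```

ExplicitDistrust is the status that applications see for a certificate in this store, and it is reported even when every other check passes, which is why the store works for certificates that chain correctly to a CA you otherwise trust. If the second line still shows only UntrustedRoot, the chain engine in that process has not yet picked up the store change; run the script again in a fresh PowerShell session.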

Scenario 5: Handling Large Certificate Revocation Lists
In this scenario, you are responsible for managing the security environment of your
domain. Your applications encounter frequent failures in retrieving large certificate
revocation lists (CRLs). Large CRLs fail to download because retrieving them takes longer
than the default URL retrieval timeout of 15 seconds. You want to raise the default
retrieval timeout to solve this problem. You can configure this setting by using the
Network Retrieval tab of the Certificate Path Validation Settings dialog box.

Before you start


You should have a computer configured as domain controller and a client computer
joined to the domain
Group Policy Management MMC snap-in must be installed on the domain controller
PKI must be set up on the domain
You must be logged on as a member of the Domain Admins group.

To increase the retrieval timeout option for large certificate revocation lists
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.


If you are editing the Group Policy object for the local computer, under
Available snap-ins, double-click Local Group Policy Object Editor, click
Add, and then click Finish.
If you are editing the Group Policy object for the domain, under Available
snap-ins, double-click Group Policy Management Editor, click Browse
and select the Default Domain Policy Object or select the domain, then click
Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy,
Computer Configuration, Windows Settings, Security Settings and click
Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Network Retrieval tab.
6. Select Define these policy settings.
7. In the Default retrieval timeout settings section, select Default URL
retrieval timeout (in seconds) and enter the new timeout value. Raise it only as far
as your measured CRL download times require; a longer timeout also lengthens the
delay an application sees whenever a CRL distribution point is unreachable. The same
section has a cumulative timeout for the whole path validation; make sure it is not
shorter than the per-URL value you enter, or a single slow CRL can still exhaust it.
8. Click OK to apply the new settings.
The following figure is a screenshot of the Network Retrieval tab of the Certificate Path
Validation Settings Properties dialog box.
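Choosing the new timeout should be based on measured download times rather than a guess. The script below is an added example and is not part of this guide; it extracts the CRL distribution point URLs from certificates in a store, downloads each CRL with a timeout equal to the 15-second default the guide states, and reports size and elapsed time. It needs network access to the distribution points and assumes the certificates to inspect are in the local computer's Intermediate Certification Authorities store (Cert:\LocalMachine\CA).

```powershell
# Added example (not part of the Microsoft guide): measure CRL download time
# and size against the default URL retrieval timeout (Scenario 5).
# Assumptions: certificates come from Cert:\LocalMachine\CA; the 15-second
# default is the one stated in the guide; network access to the CDPs exists.

$DefaultUrlTimeoutSec = 15

function Get-CrlUrls([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # 2.5.29.31 = id-ce-cRLDistributionPoints. The multi-line formatted text
    # contains "URL=http://..." entries, which a regex pulls out.
    $exts = @($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })
    foreach ($ext in $exts) {
        [regex]::Matches($ext.Format($true), 'URL=(http[^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
    }
}

function Measure-CrlDownload([string]$Url, [int]$TimeoutSec = $DefaultUrlTimeoutSec) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
        $sw.Stop()
        [pscustomobject]@{ Url = $Url; Bytes = $resp.RawContentLength
                           Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
                           WithinTimeout = $true; Error = '' }
    }
    catch {
        $sw.Stop()   # a timeout or HTTP error is exactly what the client would hit
        [pscustomobject]@{ Url = $Url; Bytes = 0
                           Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
                           WithinTimeout = $false; Error = $_.Exception.Message }
    }
}

$urls    = Get-ChildItem Cert:\LocalMachine\CA | ForEach-Object { Get-CrlUrls $_ } | Sort-Object -Unique
$results = @($urls | ForEach-Object { Measure-CrlDownload $_ })
$results | Format-Table -AutoSize Url, Bytes, Seconds, WithinTimeout, Error

# Anything that failed, or came close to the limit, is a candidate for raising
# the timeout. A small CRL that is slow points at the network path, not the file.
$results | Where-Object { -not $_.WithinTimeout -or $_.Seconds -gt ($DefaultUrlTimeoutSec * 0.8) } |
    ForEach-Object { "Review: $($_.Url) ($($_.Seconds)s, $($_.Bytes) bytes)" }
```

Run it from a client on the slowest network segment you support, not from the domain controller, since that is where the timeout will actually be hit.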

Scenario 6: Extending Expiration Times for CRLs and OCSP responses
In this scenario, you are responsible for managing the security environment of your
domain. Network problems prevent you from publishing the latest CRL, which can cause
all certificate chain validations to fail once the current CRL's next update time has
passed. You want to extend the expiration time of the existing CRL or Online Certificate
Status Protocol (OCSP) response to prevent this from happening. You can use the
Revocation tab of the Certificate Path Validation Settings dialog box to manage this
behavior. Treat the extension as a bridging measure: for as long as clients accept the
stale CRL, a certificate revoked after that CRL was issued is still accepted, so set the
extension no longer than the publishing delay you expect and remove it once the new
CRL is available.

Before you start


You should have a computer configured as domain controller and a client computer
joined to the domain
Group Policy Management MMC snap-in must be installed on the domain controller
PKI must be set up on the domain
You must be a member of the Domain Admins group.
This scenario includes two parts:
Configuring revocation settings for the domain or the local computer
Extending the validity period for CRL and OCSP responses for the domain or the local
computer

To configure revocation settings for the domain or the local computer


1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
If you are editing the Group Policy object for the local computer, under
Available snap-ins, double-click Local Group Policy Object Editor, click
Add, and then click Finish.
If you are editing the Group Policy object for the domain, under Available
snap-ins, double-click Group Policy Management Editor, click Browse
and select the Default Domain Policy Object or select the domain, then click
Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy,
Computer Configuration, Windows Settings, Security Settings and click
Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Revocation tab.
6. Select Define these policy settings.
7. Select the policy options you want.
8. Click OK to apply the new setting.

To extend the validity period for CRL and OCSP responses for the domain or the
local computer
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
If you are editing the Group Policy object for the local computer, under
Available snap-ins, double-click Local Group Policy Object Editor,
click Add, and then click Finish.
If you are editing the Group Policy object for the domain, under
Available snap-ins, double-click Group Policy Management Editor,
click Browse and select the Default Domain Policy Object or select the
domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer
Policy, Computer Configuration, Windows Settings, Security Settings
and click Public Key Policies. Then select Certificate Path Validation
Settings.
5. Select the Revocation tab.
6. Select Define these policy settings.
7. Select the Allow CRL and OCSP responses to be valid longer than their
lifetime option. For Time the validity period can be extended, enter the
number of hours by which clients may continue to use an expired CRL or OCSP
response.
8. Click OK to apply the new setting.
The following figure is a screenshot of the Revocation tab on the Certificate Path
Validation Settings Properties dialog box.
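The value to enter for Time the validity period can be extended should be the smallest number of hours that bridges the gap between the current CRL's next update time and the moment you expect to publish again. The script below is an added example and is not part of this guide; it reads thisUpdate and nextUpdate out of a CRL file and computes how many hours the CRL is already overdue. The DER walk implements only what is needed to reach the two Time fields of a CertificateList as laid out in RFC 5280 section 5.1. It assumes $CrlPath points at a DER- or PEM-encoded CRL saved from the distribution point, for example with certutil -URL or a plain download.

```powershell
# Added example (not part of the Microsoft guide): read thisUpdate/nextUpdate
# from a CRL and compute the extension Scenario 6 would need.
# Assumption: the CRL file is DER or PEM; the path below is a placeholder.

function Read-DerTlv([byte[]]$Bytes, [int]$Offset) {
    # Returns the tag, the offset of the value bytes, and the value length.
    $tag = $Bytes[$Offset]
    $len = [int]$Bytes[$Offset + 1]
    $hdr = 2
    if ($len -band 0x80) {                       # long-form length
        $n = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Bytes[$Offset + 2 + $i] }
        $hdr = 2 + $n
    }
    [pscustomobject]@{ Tag = $tag; ValueOffset = $Offset + $hdr; Length = $len }
}

function ConvertFrom-DerTime($Tlv, [byte[]]$Bytes) {
    $text   = [System.Text.Encoding]::ASCII.GetString($Bytes, $Tlv.ValueOffset, $Tlv.Length)
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $fmt = switch ($Tlv.Tag) {
        0x17    { 'yyMMddHHmmss\Z' }     # UTCTime
        0x18    { 'yyyyMMddHHmmss\Z' }   # GeneralizedTime
        default { throw ("Unexpected tag 0x{0:X2} where a Time was expected" -f $Tlv.Tag) }
    }
    [datetime]::ParseExact($text, $fmt, [cultureinfo]::InvariantCulture, $styles)
}

function Get-CrlValidity([string]$CrlPath) {
    $b = [System.IO.File]::ReadAllBytes($CrlPath)
    if ($b[0] -eq 0x2D) {   # '-----BEGIN X509 CRL-----': PEM, so base64-decode the body
        $pem = [System.Text.Encoding]::ASCII.GetString($b) -replace '-----[^-]+-----', ''
        $b = [Convert]::FromBase64String(($pem -replace '\s', ''))
    }
    $outer = Read-DerTlv $b 0                               # CertificateList SEQUENCE
    $tbs   = Read-DerTlv $b $outer.ValueOffset              # tbsCertList SEQUENCE
    $pos   = $tbs.ValueOffset
    $t = Read-DerTlv $b $pos
    if ($t.Tag -eq 0x02) { $pos = $t.ValueOffset + $t.Length; $t = Read-DerTlv $b $pos }  # optional version
    $pos = $t.ValueOffset + $t.Length                       # skip signature AlgorithmIdentifier
    $t = Read-DerTlv $b $pos; $pos = $t.ValueOffset + $t.Length   # skip issuer Name
    $thisUpdate = Read-DerTlv $b $pos
    $pos = $thisUpdate.ValueOffset + $thisUpdate.Length
    $next = Read-DerTlv $b $pos                             # nextUpdate is OPTIONAL
    $nextUpdate = if ($next.Tag -in 0x17, 0x18) { ConvertFrom-DerTime $next $b } else { $null }

    $now = (Get-Date).ToUniversalTime()
    $overdue = if ($nextUpdate) { [math]::Ceiling(($now - $nextUpdate).TotalHours) } else { 0 }
    [pscustomobject]@{
        ThisUpdate           = ConvertFrom-DerTime $thisUpdate $b
        NextUpdate           = $nextUpdate
        HoursPastNextUpdate  = [math]::Max(0, $overdue)
    }
}

$v = Get-CrlValidity -CrlPath 'C:\temp\issuer.crl'   # placeholder path
$v | Format-List
if ($v.HoursPastNextUpdate -gt 0) {
    "Set 'Time the validity period can be extended' to at least $($v.HoursPastNextUpdate) hour(s); " +
    "any revocation published after $($v.ThisUpdate) stays invisible to clients for that long."
}
```

HoursPastNextUpdate is zero while the CRL is still valid, so you can run this against the CRL you expect to go stale and decide on the extension before clients start failing.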

Additional Resources
The following resources provide additional information about certificate settings in Group
Policy in Windows Server Code Name "Longhorn."
For help with certificate settings in Group Policy, as with any Microsoft Windows
component, please choose one of the support options listed on the Microsoft Help
and Support Web site (http://go.microsoft.com/fwlink/?LinkId=76619).
Domain controller role: Configuring a domain controller
(http://go.microsoft.com/fwlink/?LinkId=89553)
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
Infrastructure (http://go.microsoft.com/fwlink/?LinkId=89554)
