Abstract
Certificate settings in Group Policy in the Windows Server Code Name "Longhorn" Beta 3
operating system allow you to manage the settings for certificate path discovery and
validation using Group Policy objects. This guide includes system requirements,
installation instructions, and step-by-step instructions for enforcing trust management
decisions and managing certificate settings according to your organization's security
requirements.
This is a preliminary document and may be changed substantially prior to final
commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.
You can use certificate settings in Group Policy to control certificate validation and path
discovery settings for your environment. These settings include ways to manage
certificates used by client computers in the domain, revocation policies, and network
retrieval settings.
In the Group Policy Management console, you can find the certificate settings under
Computer Configuration, Windows Settings, Security Settings, and Public Key
Policies.
The Windows Server Code Name "Longhorn" certificate settings in Group Policy now
include new Group Policy certificate stores, including:
Trusted Publishers
Untrusted Certificates
Trusted People
The Certificate Path Validation Settings object is also new and includes options to
configure path validation settings, such as network retrieval timeouts and revocation
settings.
For example, in situations where certain intermediate CA certificates expire and clients
cannot automatically retrieve the certificate, you can now deploy these certificates on
client computers by using Group Policy.
In addition, you can use certificate settings in Group Policy to ensure that users never
run code signed by publisher certificates your organization has not approved. You can
also configure network retrieval timeouts to control how long chain building waits for
large CRLs, and use revocation settings to extend the accepted validity period of a CRL
when a delay in publishing a new one is affecting applications. This guide describes the
key scenarios for these new certificate settings and the steps to enable each of them.
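The settings above (retrieval timeouts, revocation checking, locally supplied intermediate CA certificates) govern how CryptoAPI builds and validates a chain. The following PowerShell script is an added example, not code from the Microsoft guide: it builds a chain for a certificate file with an explicit retrieval timeout and online revocation checking, optionally supplying an intermediate CA certificate the way Group Policy would deploy it to clients, and reports the chain status flags that each scenario in this guide is meant to fix. The function name, parameter names and the file paths in the usage line are assumptions for illustration.

```powershell
# Added example, not part of the Microsoft guide. Builds an X.509 chain using the
# .NET X509Chain wrapper over CryptoAPI and reports what failed, so you can see the
# effect of retrieval timeouts and missing intermediate CA certificates.
# Assumptions: $CertPath is a DER or Base64 .cer file; $IntermediatePath, if given,
# is an intermediate CA .cer you would otherwise push to clients with Group Policy.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [string] $IntermediatePath,
        [int] $RetrievalTimeoutSeconds = 15
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Equivalent of the network retrieval timeout setting: how long chain building
    # waits for an AIA or CRL download before treating it as unavailable.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($RetrievalTimeoutSeconds)
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot

    # Scenario 3 analogue: supply the intermediate CA certificate locally instead of
    # relying on AIA retrieval, which is what deploying it via Group Policy achieves.
    if ($IntermediatePath) {
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IntermediatePath
        [void] $chain.ChainPolicy.ExtraStore.Add($ca)
    }

    $ok = $chain.Build($cert)

    $elements = foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject  = $e.Certificate.Subject
            NotAfter = $e.Certificate.NotAfter
            Status   = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }

    # Status flags that map onto the settings in this guide:
    #   PartialChain            -> intermediate missing; deploy it via Group Policy
    #   UntrustedRoot           -> root not present in a trusted root store
    #   RevocationStatusUnknown -> CRL/OCSP response could not be obtained or validated
    #   OfflineRevocation       -> revocation endpoint unreachable or retrieval timed out
    [pscustomobject]@{
        Valid    = $ok
        Problems = @($chain.ChainStatus | ForEach-Object {
                       "$($_.Status): $($_.StatusInformation.Trim())" })
        Chain    = $elements
    }
}

# Usage (paths are placeholders):
# Test-CertificateChain -CertPath .\server.cer -IntermediatePath .\issuing-ca.cer -RetrievalTimeoutSeconds 30
```

Run it once without -IntermediatePath on a client that cannot reach the AIA URL and you should see PartialChain; run it again with the intermediate supplied and the chain completes, which is the behaviour Scenario 3 produces for every domain client at once. Because RevocationFlag is ExcludeRoot, a missing or stale CRL for the root itself is not reported, matching CryptoAPI's default.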
In This Guide
The purpose of this guide is to help administrators become familiar with the Certificate
settings in Group Policy in Windows Server Code Name "Longhorn."
Scenario 1: Managing Trusted Root Certificates
Scenario 2: Managing Trusted Publishers
Scenario 3: Deploying Intermediate CA Certificates
Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
Scenario 5: Handling Large Certificate Revocation Lists
Scenario 6: Extending Expiration Times for CRLs and OCSP Responses
Additional Resources
8. Clear the Allow users to trust peer trust certificates option in the Per user
certificate stores section.
9. Select the root CAs that the client computers can trust in the Root certificate
stores section.
10. Click OK to apply the new setting.
The following figure is a screenshot of the Stores tab on the Certificate Path Validation
Settings Properties page.
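Once trust decisions like these are enforced through Group Policy, the question on any given client is what Group Policy has actually pushed into each store and whether any of it has expired. The following PowerShell script is an added example, not code from the Microsoft guide: it enumerates the certificates that Group Policy has deployed into the machine-wide stores on the local computer and flags expired ones, then reads back the policy-configured retrieval timeouts. It assumes that Group Policy-deployed certificates are written under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\<Store>\Certificates\<thumbprint> and that the chain engine timeouts are the ChainUrlRetrievalTimeoutMilliseconds and ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds values under ChainEngine\Config in the same hive; the function names are assumptions for illustration.

```powershell
# Added example, not part of the Microsoft guide. Audits what Group Policy has
# deployed into the local computer's certificate stores and which chain engine
# timeouts it has configured. Requires read access to the HKLM policy hive.
# Assumption: the policy physical store lives under this registry path, with one
# subkey per SHA-1 thumbprint.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates'

# Registry store names, which match the logical store names on the Cert: drive.
$storeNames = @(
    'Root'              # Trusted Root Certification Authorities
    'CA'                # Intermediate Certification Authorities
    'TrustedPublisher'  # Trusted Publishers
    'Disallowed'        # Untrusted Certificates
    'TrustedPeople'     # Trusted People
)

function Get-PolicyDeployedCertificate {
    $now = Get-Date
    foreach ($store in $storeNames) {
        $path = Join-Path $policyRoot "$store\Certificates"
        if (-not (Test-Path $path)) { continue }   # no GPO has populated this store

        foreach ($sub in Get-ChildItem $path) {
            $thumb = $sub.PSChildName              # subkey name is the SHA-1 thumbprint
            # The logical LocalMachine store merges the policy store, so the same
            # thumbprint can be read back as an X509Certificate2 from the Cert: drive.
            $cert = Get-ChildItem "Cert:\LocalMachine\$store" |
                    Where-Object { $_.Thumbprint -eq $thumb } |
                    Select-Object -First 1
            $subject  = '<not resolvable in logical store>'
            $notAfter = $null
            $expired  = $null
            if ($cert) {
                $subject  = $cert.Subject
                $notAfter = $cert.NotAfter
                $expired  = $cert.NotAfter -lt $now
            }
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $thumb
                Subject    = $subject
                NotAfter   = $notAfter
                Expired    = $expired
            }
        }
    }
}

# Network retrieval timeouts set through Certificate Path Validation Settings.
# Value names are assumed from the chain engine's documented registry location.
function Get-PolicyChainEngineSetting {
    $cfg = Join-Path $policyRoot 'ChainEngine\Config'
    if (-not (Test-Path $cfg)) { return $null }    # defaults in effect, nothing set by policy
    Get-ItemProperty $cfg |
        Select-Object ChainUrlRetrievalTimeoutMilliseconds,
                      ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
}

Get-PolicyDeployedCertificate | Sort-Object Store, NotAfter | Format-Table -AutoSize
Get-PolicyChainEngineSetting
```

An expired entry in the CA store is the situation Scenario 3 describes: clients will keep using the policy-deployed intermediate until you replace it in the GPO, so this audit belongs in the same change process as the certificate renewal. An empty result from the chain engine check means the default timeouts apply, not that retrieval is disabled.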
6. Click Import to import the certificates and follow the steps in the Certificate
Import wizard.
To increase the retrieval timeout option for large certificate revocation lists
1. Click Start, click Start Search, type mmc, and then press ENTER.
To extend the validity period for CRL and OCSP responses for the local
computer
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
If you are editing the Group Policy object for the local computer, under
Available snap-ins, double-click Local Group Policy Object Editor,
Additional Resources
The following resources provide additional information about certificate settings in Group
Policy in Windows Server Code Name "Longhorn."
For help with certificate settings in Group Policy, as with any Microsoft Windows
component, please choose one of the support options listed on the Microsoft Help
and Support Web site (http://go.microsoft.com/fwlink/?LinkId=76619).
Domain controller role: Configuring a domain controller
(http://go.microsoft.com/fwlink/?LinkId=89553)
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
Infrastructure (http://go.microsoft.com/fwlink/?LinkId=89554)