Certificate Settings Step-by-Step Guide

Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"

Microsoft Corporation
Published (for Beta 2): May 2006
Updated: August 2006
Updated for Beta 3: May 2007

Certificate settings in Group Policy in the Windows Server Code Name "Longhorn" Beta operating system allow you to manage the settings for certificate path discovery and validation by using Group Policy objects. This guide includes system requirements, installation instructions, and step-by-step instructions for enforcing trust management decisions and managing certificate settings according to your organization's security needs.
This step-by-step guide provides the instructions that you need to set up certificate settings in Group Policy in a test lab environment. We recommend that you do not use this guide in a production environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server Code Name "Longhorn" operating system features without additional documentation (as listed in the Additional Resources section) and should be used with discretion as a stand-alone document. The procedures below edit the Default Domain Policy for simplicity; in production, place these settings in a dedicated Group Policy object linked only where they apply.
What are certificate settings in Group Policy?

As X.509 public key infrastructures become more prominent in applications and a foundation of trust management, many organizations need more options to manage certificate path discovery and path validation settings. Previous versions of Windows operating systems did not include tools for customizing these settings centrally. Certificate settings in Group Policy provide this ability in the Windows Server Code Name "Longhorn" Beta operating system. They enable you to manage certificate validation settings according to the security needs of your organization.

You can use certificate settings in Group Policy to control certificate validation and path discovery settings for your environment. These settings include ways to manage certificates used by client computers in the domain, revocation policies, and network retrieval settings.
What's new in certificate settings in Group Policy?

Certificate settings in Group Policy allow you to configure and manage certificate validation settings easily. With these settings, you can perform a variety of tasks, such as:
- Deploy intermediate certification authority (CA) certificates to all computers in a domain
- Block certificates that are not trusted by the security policy
- Manage certificates used for code signing
- Configure the retrieval settings for certificates and certificate revocation lists (CRLs)

The following image is a screenshot of the Group Policy Management console.

In the Group Policy Management console, you can find the certificate settings under Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.

The Windows Server Code Name "Longhorn" certificate settings in Group Policy now include four new Group Policy stores:
- Intermediate Certification Authorities
- Trusted Publishers
- Untrusted Certificates
- Trusted People

The Certificate Path Validation Settings object is also new and includes options to configure path validation settings, such as network retrieval timeouts and revocation settings.
Who should use certificate settings in Group Policy?

This guide is intended for the following audiences:
- IT planners and analysts who are evaluating the product
- Security architects who are responsible for implementing Trustworthy Computing
- Security administrators who run public key infrastructure (PKI) enabled applications in their environment
Benefits of certificate settings in Group Policy

You can use the certificate settings in Group Policy to manage the certificate settings on all the computers in the domain from a central location.

For example, in situations where certain intermediate CA certificates expire and clients cannot automatically retrieve the renewed certificate, you can now deploy these certificates to client computers by using Group Policy.

In addition, you can use certificate settings in Group Policy to ensure that code signed with publisher certificates your organization has not approved is never treated as trusted. You can also configure network timeouts to better control the chain-building timeouts for large CRLs, and use revocation settings to extend CRL expiration times if a delay in publishing a new CRL is affecting applications. This guide will help you understand the key scenarios for these new certificate settings and how to enable them so that you can use the settings effectively.
In This Guide

The purpose of this guide is to help administrators become familiar with the certificate settings in Group Policy in Windows Server Code Name "Longhorn."
- Scenario 1: Managing Trusted Root Certificates
- Scenario 2: Managing Trusted Publishers
- Scenario 3: Deploying Intermediate CA Certificates
- Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
- Scenario 5: Handling Large Certificate Revocation Lists
- Scenario 6: Extending Expiration Times for CRLs and OCSP Responses
- Additional Resources
Scenario 1: Managing Trusted Root Certificates

In this scenario, you are responsible for managing the security environment for your domain, and you want to manage trust completely: users in the domain must not be able to configure their own set of trusted root certificates or peer trust certificates. You can enable this by using the Stores tab in Certificate Path Validation Settings. Because the setting removes the per-user Root and Trusted People stores from chain building, anything users trusted on their own (for example, a self-signed certificate for an internal tool) stops validating, so test the affected applications before you apply the policy domain-wide.

Before you start
- You should have a computer configured as a domain controller and a client computer joined to the domain
- The Group Policy Management Microsoft Management Console (MMC) snap-in must be installed on the domain controller
- PKI must be set up on the domain
- You must be logged on as a member of the Domain Admins group

To prevent users from managing certificate trust
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Stores tab.
6. Check Define these policy settings.
7. Clear the Allow user trusted root CAs to be used to validate certificates option in the Per User Certificate Stores section.
8. Clear the Allow users to trust peer trust certificates option in the Per User Certificate Stores section.
9. Select the root CAs that the client computers can trust in the Root certificate stores section.
10. Click OK to apply the new setting.

The following figure is a screenshot of the Stores tab on the Certificate Path Validation Settings Properties page.
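The guide does not show how to confirm on a client that the Stores-tab policy actually arrived. The following PowerShell is an added example, not part of the Microsoft guide: after running gpupdate /target:computer /force on a domain-joined client, it reads the policy value, decodes the two bits that steps 7 and 8 clear, and lists what the user still has in the per-user Root store (which the policy now ignores) and which roots were delivered by Group Policy. The registry key names and the bit values (CERT_PROT_ROOT_DISABLE_CURRENT_USER_FLAG and CERT_PROT_ROOT_DISABLE_PEER_TRUST from wincrypt.h) are assumptions taken from the Windows SDK headers, not from this page; check them against your own build.

```powershell
# Added example (not from the Microsoft guide). Run in an elevated PowerShell on the client.
# Assumption: the Stores tab writes a DWORD named Flags to the key below.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'

# Bit meanings assumed from wincrypt.h:
#   CERT_PROT_ROOT_DISABLE_CURRENT_USER_FLAG (0x1)     = user Root store not used for validation
#   CERT_PROT_ROOT_DISABLE_PEER_TRUST        (0x10000) = user Trusted People store not used
$DisableUserRoots = 0x00001
$DisablePeerTrust = 0x10000

function Get-ProtectedRootsPolicy {
    param([string]$Key = $policyKey)
    $item = Get-ItemProperty -Path $Key -Name Flags -ErrorAction SilentlyContinue
    if (-not $item) {
        # No policy delivered yet (or "Define these policy settings" was left unchecked).
        return [pscustomobject]@{ Defined = $false; Flags = $null; UserRootsAllowed = $true; PeerTrustAllowed = $true }
    }
    $flags = [int]$item.Flags
    [pscustomobject]@{
        Defined          = $true
        Flags            = ('0x{0:X}' -f $flags)
        UserRootsAllowed = (($flags -band $DisableUserRoots) -eq 0)
        PeerTrustAllowed = (($flags -band $DisablePeerTrust) -eq 0)
    }
}

# With UserRootsAllowed = $false these certificates are no longer trust anchors for this user,
# which is the point of the policy; anything here that an application depends on will now fail.
function Get-UserRootStoreSummary {
    Get-ChildItem Cert:\CurrentUser\Root | Select-Object Subject, Thumbprint, NotAfter
}

# The Cert: drive merges locally installed and policy-delivered roots. Assumption: roots pushed
# by the GPO are stored under this key, one subkey per thumbprint, so it shows exactly what the
# policy added.
function Get-PolicyDeliveredRoots {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem $key | ForEach-Object {
        $thumb = $_.PSChildName
        $local = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
        [pscustomobject]@{ Thumbprint = $thumb; Subject = $local.Subject; NotAfter = $local.NotAfter }
    }
}

Get-ProtectedRootsPolicy   | Format-List
Get-UserRootStoreSummary   | Format-Table -AutoSize
Get-PolicyDeliveredRoots   | Format-Table -AutoSize
```

If Defined comes back $false after a refresh, check that the GPO is linked to an OU containing the computer object (these are Computer Configuration settings, so a link scoped to user accounts only has no effect).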
Scenario 2: Managing Trusted Publishers

In this scenario, you are responsible for managing the security environment of your domain. The security policy of your company requires that only administrators can add certificates used for code signing. You can reflect this requirement by using the Trusted Publishers user interface.

Before you start
- You should have a computer configured as a domain controller and a client computer joined to the domain
- The Group Policy Management MMC snap-in must be installed on the domain controller
- PKI must be set up on the domain
- You must be logged on as a member of the Domain Admins group

This scenario includes two parts:
- Configuring Trusted Publishers
- Configuring who can manage certificates that are used for code signing

To configure Trusted Publishers policy
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Select Certificate Path Validation Settings, and then select the Trusted Publishers tab.
5. Make the changes you want. Click Apply if you wish to make additional changes, and OK when you are done making changes.

To allow only administrators to manage certificates used for code signing
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Select Certificate Path Validation Settings, and then select the Trusted Publishers tab.
5. In the Adding Trusted Publishers section, select Allow only all administrators to manage Trusted Publishers.
6. Click Apply to apply the new settings, and OK when you are done making changes.

The following figure is a screenshot of the Trusted Publishers tab on the Certificate Path Validation Settings Properties page.
Scenario 3: Deploying Intermediate CA Certificates

In this scenario, you are responsible for managing the security environment of your domain. You are encountering errors in certificate chain building due to expired intermediate CA certificates, and this is affecting revocation checking for your applications. To solve this problem, you need to deploy the renewed intermediate CA certificates to all computers in the domain. You can do this from a central location by using certificate settings in Group Policy. Verify the thumbprint of the renewed certificate against the value published by the CA operator before you import it: anything placed in this store becomes a chain-building input on every computer the policy reaches.

Before you start
- You should have a computer configured as a domain controller and a client computer joined to the domain
- The Group Policy Management MMC snap-in must be installed on the domain controller
- PKI must be set up on the domain
- You must be logged on as a member of the Domain Admins group

This scenario includes two parts:
- Managing intermediate CA certificates for the domain
- Managing intermediate CA certificates for the local computer

To manage intermediate CA certificates for the domain
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in. Under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy, Computer Configuration, Windows Settings, and Security Settings and click Public Key Policies.
5. Right-click the Intermediate Certification Authorities store.
6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.

To manage intermediate CA certificates for the local computer
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in. Under Available snap-ins, double-click Certificates, and click Add. In the option This snap-in will always manage certificates for, select Computer account, then select Local computer and click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. Expand the Certificates snap-in.
5. Right-click the Intermediate Certification Authorities store.
6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
Scenario 4: Blocking Certificates that are not Trusted According to Group Policy

In this scenario, you are responsible for managing the security environment of your domain. Based on Group Policy requirements, you do not want applications and clients to trust specific certificates. However, you cannot revoke these certificates because they are issued by external CAs. You can disallow these certificates by adding them to the Untrusted Certificates store, and you can now manage that store by using Group Policy. A certificate in this store is explicitly distrusted even if it chains to a trusted root; if you add a CA certificate rather than an end-entity certificate, every certificate issued under that CA stops validating on the affected computers.

Before you start
- You should have a computer configured as a domain controller and a client computer joined to the domain
- The Group Policy Management MMC snap-in must be installed on the domain controller
- PKI must be set up on the domain
- You must be logged on as a member of the Domain Admins group

This scenario includes two parts:
- Blocking certificates for the domain
- Blocking certificates for the local computer

To block certificates for the domain
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in. Under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy, Computer Configuration, Windows Settings, and Security Settings and click Public Key Policies.
5. Right-click the Untrusted Certificates store.
6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.

To block certificates for the local computer
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in. Under Available snap-ins, double-click Certificates, and click Add. In the option This snap-in will always manage certificates for, select Computer account, then select Local computer and click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. Expand the Certificates snap-in.
5. Right-click the Untrusted Certificates store.
6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
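The local-computer halves of Scenarios 2, 3 and 4 all come down to placing a certificate in a particular machine store, and the guide gives no way to see the effect afterwards. The following PowerShell is an added example, not code from the Microsoft guide: it imports a certificate into a named LocalMachine store through the .NET X509Store API (the system store names behind the MMC labels are CA for Intermediate Certification Authorities, Disallowed for Untrusted Certificates and TrustedPublisher for Trusted Publishers), then builds a chain with online revocation checking so you can watch a leaf go from valid to explicitly distrusted. The file paths are placeholders you supply; the ExplicitDistrust status name is the .NET Framework 4 spelling of the CAPI CERT_TRUST_IS_EXPLICIT_DISTRUST flag, and an older runtime shows the raw numeric value instead.

```powershell
# Added example (not from the Microsoft guide). Requires an elevated session for the imports.
# Certificate paths below are placeholders, not files that exist anywhere in the guide.

function Import-CertificateToStore {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Store names as the OS knows them; the MMC shows friendlier labels.
        [Parameter(Mandatory)][ValidateSet('CA','Disallowed','TrustedPublisher','TrustedPeople','Root')]
        [string]$StoreName
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try     { $store.Add($cert) }     # no-op if the same certificate is already present
    finally { $store.Close() }
    $cert.Thumbprint
}

function Test-CertificateChain {
    param([Parameter(Mandatory)][string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation exercises the CRL/OCSP retrieval that Scenarios 5 and 6 tune.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $ok = $chain.Build($cert)
    [pscustomobject]@{
        Subject   = $cert.Subject
        Valid     = $ok
        Status    = (@($chain.ChainStatus | ForEach-Object { [string]$_.Status }) -join ',')
        ChainPath = (@($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
    }
}

# Scenario 3: the renewed intermediate CA certificate the clients could not fetch on their own.
Import-CertificateToStore -Path 'C:\pki\IssuingCA-renewed.cer' -StoreName CA
# Scenario 2: a code-signing certificate the administrators have approved.
Import-CertificateToStore -Path 'C:\pki\approved-signer.cer'    -StoreName TrustedPublisher

# Scenario 4: before the Disallowed import this leaf builds a full chain (Valid = True,
# Status = NoError); after it, Build() returns False and Status contains ExplicitDistrust.
Test-CertificateChain -Path 'C:\pki\blocked-leaf.cer' | Format-List
Import-CertificateToStore -Path 'C:\pki\blocked-leaf.cer' -StoreName Disallowed
Test-CertificateChain -Path 'C:\pki\blocked-leaf.cer' | Format-List
```

A PartialChain status on the first test means the intermediate is still missing on this computer, which is the Scenario 3 symptom; rerun after the CA-store import and it should disappear. Certificates delivered by Group Policy show up in the same Cert:\LocalMachine views as ones imported locally, so this check works the same way on a client that received the domain policy.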
Scenario 5: Handling Large Certificate Revocation Lists

In this scenario, you are responsible for managing the security environment of your domain. Your applications encounter frequent failures in retrieving large certificate revocation lists (CRLs). Large CRLs fail to download because it takes longer to download them than the default timeout of 15 seconds. You want to raise the default retrieval timeout to solve this problem. You can configure this setting by using the Network Retrieval tab of the Certificate Path Validation Settings dialog box. Raising the timeout also lengthens the stall that every application sees when a CRL distribution point is unreachable, so raise it only as far as the measured download time requires; partitioned or delta CRLs, or OCSP, address the underlying size problem.

Before you start
- You should have a computer configured as a domain controller and a client computer joined to the domain
- The Group Policy Management MMC snap-in must be installed on the domain controller
- PKI must be set up on the domain
- You must be logged on as a member of the Domain Admins group

To increase the retrieval timeout option for large certificate revocation lists
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Network Retrieval tab.
6. In the Default retrieval timeout settings section, select the Default URL retrieval timeout (in seconds) option.
7. Enter the desired timeout value.
8. Click OK to apply the new settings.

The following figure is a screenshot of the Network Retrieval tab of the Certificate Path Validation Settings Properties dialog box.
Scenario 6: Extending Expiration Times for CRLs and OCSP Responses

In this scenario, you are responsible for managing the security environment of your domain. Network problems prevent you from publishing the latest CRL, which can cause all certificate chain validations to fail. You want to extend the expiration time of the existing CRL or the Online Certificate Status Protocol (OCSP) response to prevent this from happening. You can use the Revocation tab on the Certificate Path Validation Settings dialog box to manage this behavior. Keep in mind that during the extension window clients accept revocation data that is already past its NextUpdate time, so a certificate revoked after the last successful publication continues to validate; set the extension to the shortest period that covers the publication delay and remove it once the CRL is published again.

Before you start
- You should have a computer configured as a domain controller and a client computer joined to the domain
- The Group Policy Management MMC snap-in must be installed on the domain controller
- PKI must be set up on the domain
- You must be a member of the Domain Admins group

This scenario includes two parts:
- Configuring revocation settings for the local computer
- Extending the validity period for CRL and OCSP responses for the local computer

To configure revocation settings for the local computer
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Revocation tab.
6. Click Define these policy settings.
7. Select the policy options you want.
8. Click OK to apply the new setting.

To extend the validity period for CRL and OCSP responses for the local computer
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Revocation tab.
6. Click Define these policy settings.
7. Select the Allow CRL and OCSP responses to be valid longer than their lifetime option. For Time the validity period can be extended, enter the desired value of time (in hours).
8. Click OK to apply the new setting.

The following figure is a screenshot of the Revocation tab on the Certificate Path Validation Settings Properties dialog box.
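Scenarios 5 and 6 describe two failures that look identical to an application (chain building fails with a revocation-related status) but need different fixes: a download that runs past the retrieval timeout, and revocation data that is unreachable or past its lifetime. The following PowerShell is an added example, not code from the Microsoft guide: it reads the retrieval timeout the client will actually use, then builds a chain with online revocation under a per-application timeout and classifies the outcome. The registry locations are assumptions: the policy key is assumed to be where the Network Retrieval tab writes ChainUrlRetrievalTimeoutMilliseconds, and the machine-local key is the chain engine configuration that certutil -setreg chain\... edits; confirm both on your own build. The certificate path is a placeholder.

```powershell
# Added example (not from the Microsoft guide). Registry paths below are assumptions.
$policyConfig = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$localConfig  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'

function Get-ChainRetrievalTimeout {
    # Policy value wins over the machine-local one; 15000 ms is the default the guide cites.
    foreach ($key in $policyConfig, $localConfig) {
        $item = Get-ItemProperty -Path $key -Name ChainUrlRetrievalTimeoutMilliseconds -ErrorAction SilentlyContinue
        if ($item) { return [pscustomobject]@{ Source = $key; Milliseconds = [int]$item.ChainUrlRetrievalTimeoutMilliseconds } }
    }
    [pscustomobject]@{ Source = 'built-in default'; Milliseconds = 15000 }
}

function Test-RevocationPath {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$TimeoutSeconds = 15
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    # Per-application counterpart of the Network Retrieval tab: bounds each CRL/OCSP fetch.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($cert)
    $sw.Stop()
    $status = @($chain.ChainStatus | ForEach-Object { [string]$_.Status })

    # Heuristic: a revocation-unknown result that took at least the timeout to produce points at
    # Scenario 5; one that came back quickly means the data was fetched but is unusable (Scenario 6).
    $diagnosis = if ($ok) { 'chain and revocation data OK' }
        elseif ($status -contains 'Revoked') { 'certificate is revoked; do not work around this' }
        elseif ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') {
            if ($sw.Elapsed.TotalSeconds -ge $TimeoutSeconds) {
                'CRL/OCSP fetch hit the timeout (Scenario 5: raise the retrieval timeout or shrink the CRL)'
            } else {
                'revocation data unreachable or expired (Scenario 6: stale CRL/OCSP; extending validity only masks it)'
            }
        }
        else { 'chain building failed for a non-revocation reason' }

    [pscustomobject]@{
        Subject   = $cert.Subject
        Built     = $ok
        Seconds   = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        Status    = ($status -join ',')
        Diagnosis = $diagnosis
    }
}

Get-ChainRetrievalTimeout | Format-List
Test-RevocationPath -Path 'C:\pki\app-server.cer' -TimeoutSeconds 15 | Format-List
```

For per-URL detail (which CDP or OCSP responder was tried, how long each took, and the ThisUpdate/NextUpdate of the CRL that came back) run certutil -verify -urlfetch against the same .cer file; its output is what to compare with the Seconds column before deciding how far to raise the timeout or how long an extension window really needs to be.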
Additional Resources

The following resources provide additional information about certificate settings in Group Policy in Windows Server Code Name "Longhorn."
- For help with certificate settings in Group Policy, as with any Microsoft Windows component, choose one of the support options listed on the Microsoft Help and Support Web site (http://go.microsoft.com/fwlink/?LinkId=76619).
- Domain controller role: Configuring a domain controller
- Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure (http://go.microsoft.com/fwlink/?LinkId=89554)