Whenever I teach MCITP: Server Administrator or MCITP: Enterprise Administrator there is always one subject that I can guarantee the majority of delegates won’t have worked with directly. The subject is certificate services; for whatever reason this is an area people are aware of but one that they don’t seem to spend time learning or working with.
The thing is, the more you work with Microsoft products like Exchange Server, Lync Server or the System Center suite, the more you need to understand certificate services.
The first thing to understand is what digital certificates give us, and that can be summed up in one word: trust. In all aspects of computing we need to be able to trust the entity we are communicating with. If it can be trusted then we can enable other services like authentication, data integrity or encryption of a connection. But if we don’t trust the endpoint we are speaking to then we can’t guarantee any of those other services.
Most of us come into contact with digital certificates when we access a secure website. If you want to bank online or buy CDs from Amazon you have to provide personal details, and you will only do that if the connection is encrypted and you are sure that you are speaking to the website you think you are. This process starts with the website sending a copy of its digital certificate to your browser. Your browser then checks three things:
1) Is the certificate in date?
2) Does the name on the certificate match the name of the server or website you are connected to?
3) Has the certificate been issued from a trusted source?
It is the third check that is the most important. We have to be sure that the entity which issued the certificate can be trusted, because if it can’t, anything protected by certificates from that entity can’t be trusted either.
How do we know who to trust? Well, every PC has a list of trusted root certification authorities.
You can see this list if you open an MMC console, add the Certificates snap-in and expand Trusted Root Certification Authorities.
That store holds the trusted root certificates for the PC. If a certificate authority is on this list it is trusted, which means that any certificate it issues is also trusted, and so is the information that certificate carries, such as the validity dates and the name of the computer or service it protects.
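As an added example (not the article's own code), the three browser checks listed above and the Trusted Root store listing can be reproduced from PowerShell on Windows using only the .NET X509 classes that ship with the operating system. The function names `Test-ServerCertificate` and `Get-TrustedRootCA`, the `$CertPath` and `$ExpectedHost` parameters, and the sample path and host name in the usage comments are assumptions made for this example, not values from the article; the example goes slightly beyond the text by also honouring wildcard names and the Subject Alternative Name extension, which is where modern certificates carry their host names.

```powershell
# Added example for this article (not the author's code): the three checks a
# browser makes, run from PowerShell against a certificate saved to a file,
# plus a listing of the Trusted Root store that the Certificates snap-in shows.
# Assumptions: Windows (the SAN text format below comes from CryptoAPI),
# $CertPath is an exported .cer file (DER or Base-64) and $ExpectedHost is the
# name you connected to; both are placeholders supplied by the caller.

function Test-ServerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [Parameter(Mandatory)] [string] $ExpectedHost
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $now  = Get-Date

    # Check 1: is the certificate in date?
    $inDate = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # Check 2: does a name on the certificate match the host we connected to?
    # Gather the DNS-style name from the Subject plus every DNS entry in the
    # Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    $subjectName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($subjectName) { $names += $subjectName }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders the extension as text such as
        # "DNS Name=www.contoso.com, DNS Name=contoso.com"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\r\n]+)') |
                  ForEach-Object { $_.Groups[1].Value.Trim() }
    }
    $names = @($names | Select-Object -Unique)
    $nameMatches = $false
    foreach ($n in $names) {
        if ($n -ieq $ExpectedHost) { $nameMatches = $true; break }
        # A wildcard such as *.contoso.com covers exactly one left-most label.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)   # ".contoso.com"
            if ($ExpectedHost.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $ExpectedHost.Substring(0, $ExpectedHost.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { $nameMatches = $true; break }
            }
        }
    }

    # Check 3: does the certificate chain up to an authority in the Trusted
    # Root store? Revocation checking is skipped so this works offline, and
    # the validity period is already reported by check 1, so it is not
    # counted a second time here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    $chainsToTrust = $chain.Build($cert)
    $rootSubject = $null
    if ($chainsToTrust) {
        # The last element of a successfully built chain is the trusted root.
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        InDate        = $inDate          # check 1
        NamesOnCert   = $names
        NameMatches   = $nameMatches     # check 2
        ChainsToTrust = $chainsToTrust   # check 3
        TrustedRoot   = $rootSubject
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        AllChecksPass = ($inDate -and $nameMatches -and $chainsToTrust)
    }
}

# The same list the article shows in the Certificates snap-in, from the shell.
function Get-TrustedRootCA {
    Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, NotAfter, Thumbprint
}

# Example use (file path and host name are placeholders):
# Test-ServerCertificate -CertPath 'C:\temp\webserver.cer' -ExpectedHost 'mail.contoso.local' | Format-List
# Get-TrustedRootCA | Sort-Object Subject | Format-Table -AutoSize
```

`ChainStatus` is worth reading whenever `ChainsToTrust` is false: an entry of `UntrustedRoot` means the issuing authority is simply not in the store shown in the snap-in, which is exactly the situation an internal Microsoft CA is in until its root certificate has been placed there.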
How do certificates get in to the trusted store?
There is a group of online trusted certificate authorities that all PCs trust. These companies have a proven track record, which means that when we see a certificate they have issued to an organisation we can trust that they performed all reasonable checks to make sure the company is reputable and owns the domain name it requested a certificate for. So when we see a certificate issued by VeriSign, GoDaddy or similar, our computer immediately trusts that if the name and dates match then it is safe to bring up a secure link and start sending data.
Another way certificates get into the trusted store is manually, by you making the choice to trust an authority that otherwise wouldn’t be trusted. This would be the case when we install a Microsoft certificate authority to secure internal resources.
So far we have talked about websites and trusting them so we can secure a link, but if this was all certificates were used for then I would understand why so many IT professionals stay away from them, thinking that if they don’t manage websites then they don’t need to worry about certificates. This is where we need to understand a little bit more about our internal services and how certificates help to secure them.
Think about any two servers that need to swap information with each other, and imagine that the data needs to be secured between them. In order to do this we first need to trust that the server we are speaking to is the correct one. So whether it is two Exchange servers, two Lync servers or two routers about to bring up a site-to-site VPN, a certificate is needed to prove each end is who it says it is before we can secure the connection.
In a later article we will discuss examples of how Microsoft services use digital certificates, and we will look at how to install a Microsoft certificate server and how we use it to issue digital certificates.