Windows Server 2008 certificate monitoring tools tutorial

Source: Internet
Author: User
Tags: command line, file system, resource, valid, microsoft, website

One of the primary goals of certificate management is to raise the security level of the enterprise, where authentication and access management deserve particular attention. This article starts with a brief overview of what a CA is and then focuses on the two certificate monitoring tools that ship with Windows Server 2008, PKIView.msc and certutil.exe. An enterprise needs to understand how its certificates affect its security posture and whether each certificate is still valid or needs maintenance (for example, replacement). An expired certificate is a bad sign: it breaks the services that depend on it or trains users to click through browser warnings, which makes real attacks easier, and it shows that nobody renewed the certificate in time, that there is no routine maintenance, and that there are no status alerts or e-mail notifications. This article explains why certificates matter in Windows Server 2008 and how to monitor their condition.

Certificates and Security

Security is not a small problem. Every part of the infrastructure has to be considered, from the basic LAN up to the web server that lets external users reach pages over SSL (Secure Sockets Layer). All of these aspects matter when deploying a CA or a PKI (public key infrastructure). The benefits are self-evident: improving the security of the enterprise network and its systems protects the enterprise from a range of attacks and threats. Security in Windows Server 2008 can be implemented in many different ways, including certificates, different forms of encryption, and the toolkit and features built into the operating system; the CA itself is configured with the Add Roles Wizard in Windows Server 2008.

Installing AD CS

You install and configure Certificate Services by running the Add Roles Wizard. Selecting Active Directory Certificate Services (AD CS) from the list of server roles lets Windows Server 2008 act as a CA (certificate authority), which issues and manages certificates for different applications.

Figure 1: Configuring active Directory Certificate Services

You will find that many Windows-based security services can be combined with AD CS. To monitor certificates, you first have to know what needs monitoring, so the next section covers the public key infrastructure.

What is a PKI?

When a business starts using smart cards, IPsec, SSL (Secure Sockets Layer), digital signatures, the Encrypting File System (EFS), or other technologies that depend on strong cryptography, it needs a common system for encryption and authentication. A PKI, or public key infrastructure, ensures that everyone using the same system can be authenticated before accessing it. With a PKI, entities authenticate by means of digital certificates; a certificate is a signed electronic document that binds a public key to an identity, so a client can verify the identity of a host from the certificate it presents. The most common use of certificates is SSL: the server authenticates itself with its certificate (and optionally the client does the same), and the keys negotiated in the handshake protect the data in transit. Certificates in a PKI therefore serve both to protect data and to control access to the enterprise's internal and external resources. The certificate authority (CA) is the part of the PKI that issues certificates, publishes them, and revokes them. Any enterprise that uses Microsoft Active Directory Certificate Services (AD CS) has at least one CA for issuing and revoking certificates, and some deploy several. A CA can be hosted internally or externally, and can sit at different levels of a hierarchy: a root CA, or a subordinate CA that only issues certificates. There are many ways to deploy a CA, and an organization should understand its needs before it starts.

Using the Certificate Monitoring tool

Windows Server 2008 provides two important certificate monitoring tools: PKIView.msc and the more complex certutil.exe.

PKIView.msc

To use PKIView.msc, open it as an MMC console (run pkiview.msc). This starts the PKI Health Tool, which monitors the state of the existing PKI: it checks every CA's certificate and its Authority Information Access (AIA) and CRL Distribution Point (CDP) locations to make sure the services that depend on them are not interrupted. PKIView first appeared in the Windows Server 2003 Resource Kit, which can be downloaded and installed from the Microsoft website. It gives an overall view of the PKI and its activity, and uses visual indicators to summarise its health: a green icon means the PKI is in good condition, a yellow warning icon means a certificate or certificate revocation list (CRL) is out of date, and a red error icon means a CRL or AIA location is unavailable. The tool can also show that a CA is not trusted.

Note:

PKIView began as part of the Windows Server 2003 Resource Kit, where it was known as the PKI Health Tool. The current version, an MMC snap-in, is part of the operating system, and the newer versions also support Unicode.

Certutil.exe

The certutil.exe command can use two parameters to determine the validity of an issued certificate:

certutil -verify -urlfetch

Running certutil -verify -urlfetch filename retrieves every AIA and CDP URL in the certificate's chain and shows the result of each fetch; if all checks succeed the output reports the certificate as verified, otherwise the error is shown.

certutil -viewstore

certutil -viewstore displays the contents of a particular Active Directory Domain Services store or object, and lets the user view the certificates in any store.

If the certutil command does not run correctly, or if the certificate is missing, an error message is returned.
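As an added example, not code from the original article, the following PowerShell script does across a whole certificate store what the two certutil commands above do for one certificate by hand: it reports days to expiry, builds each chain with an online revocation check, and, for anything that fails, runs certutil -verify -urlfetch to capture the detailed trace. It assumes PowerShell 2.0 or later, certutil.exe on the PATH, and network access to the AIA and CDP URLs; the store path, the 30-day warning threshold and the "ERROR:" / "command FAILED" strings it looks for in certutil's output are assumptions.

```powershell
# Added example, not from the original article. Audits a certificate store,
# flags certificates near expiry, and checks each chain for revocation.
# Assumes PowerShell 2.0+, certutil.exe on PATH, reachable AIA/CDP URLs.

$StorePath = 'Cert:\LocalMachine\My'   # store to audit (assumption)
$WarnDays  = 30                        # expiry warning threshold (assumption)

function Test-CertificateChain {
    # Build the chain with an online revocation check over the whole chain,
    # the same checks certutil -verify -urlfetch performs, and return the
    # X509ChainStatusFlags that were raised (NotTimeValid, Revoked, ...).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $valid = $chain.Build($Cert)
    $flags = @()
    foreach ($status in $chain.ChainStatus) { $flags += $status.Status.ToString() }
    New-Object PSObject -Property @{ Valid = $valid; Flags = ($flags -join ',') }
}

function Invoke-CertutilVerify {
    # Export the certificate to a temporary .cer file and run the article's
    # "certutil -verify -urlfetch" on it. certutil prints "ERROR:" lines for
    # unreachable CDP/AIA locations or revoked certificates and "command FAILED"
    # when chain building itself fails; matching those strings is an assumption
    # about its output format.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $tmp = [System.IO.Path]::GetTempFileName() + '.cer'
    [System.IO.File]::WriteAllBytes($tmp, $Cert.Export('Cert'))
    try {
        $out = & certutil.exe -verify -urlfetch $tmp 2>&1 | Out-String
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    $failed = ($out -match 'ERROR:') -or ($out -match 'command FAILED')
    New-Object PSObject -Property @{ Passed = (-not $failed); Output = $out }
}

function Get-CertificateHealth {
    param([string]$Path, [int]$Days)
    $now = Get-Date
    foreach ($cert in Get-ChildItem $Path) {
        $left  = [int]($cert.NotAfter - $now).TotalDays
        $check = Test-CertificateChain -Cert $cert
        $state = 'OK'
        if ($left -lt 0)           { $state = 'EXPIRED' }
        elseif ($left -le $Days)   { $state = 'EXPIRING' }
        elseif (-not $check.Valid) { $state = 'CHAIN-ERROR' }
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $left
            State      = $state
            Flags      = $check.Flags
        }
    }
}

$report = @(Get-CertificateHealth -Path $StorePath -Days $WarnDays)
$report | Sort-Object DaysLeft | Format-Table Subject, DaysLeft, State, Flags -AutoSize

# Anything that is not OK deserves an alert; this is the "status alert" the
# introduction says many environments lack. Chain errors get the certutil trace.
foreach ($item in $report | Where-Object { $_.State -ne 'OK' }) {
    Write-Warning ("{0}: {1} ({2} days left) {3}" -f $item.Thumbprint, $item.State, $item.DaysLeft, $item.Flags)
    if ($item.State -eq 'CHAIN-ERROR') {
        $cert = Get-Item (Join-Path $StorePath $item.Thumbprint)
        (Invoke-CertutilVerify -Cert $cert).Output
    }
}
```

Run it from an elevated prompt so the machine store is readable. The X509Chain check and the certutil trace answer different questions: the chain object tells you which flag was raised (NotTimeValid, Revoked, RevocationStatusUnknown, OfflineRevocation), while the certutil output tells you which URL failed to fetch. To turn the warnings into the e-mail alerts the introduction mentions, pipe the non-OK items into Send-MailMessage on a scheduled task.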

CRL checking is an important function of certificate monitoring, arguably the main one. Obviously you do not want a certificate to expire before it has been replaced or upgraded. A CRL, or certificate revocation list, is exactly what its name says: the list of certificates the CA has revoked. A CRL check looks up a certificate in that list to see whether it is still valid, and certutil.exe is an important tool for confirming a certificate's validity because it explicitly fetches and checks the CA's CRL and reports each step, something the Certificates MMC snap-in does not show.
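The CRL check itself can be scripted. As an added example, not code from the article, the PowerShell below pulls the CRL Distribution Point URLs out of a certificate, downloads each CRL, runs certutil -dump on it and compares the NextUpdate value with the clock, which is the condition PKIView reports with a yellow or red icon. It assumes certutil.exe on the PATH, outbound HTTP to the CDP URLs, PowerShell 2.0 or later, and that certutil -dump prints a "NextUpdate:" line (the regex on that line is an assumption about its output format); the 24-hour warning window is also an assumption.

```powershell
# Added example, not from the original article: report whether the CRLs a
# certificate points to are current, expiring soon, expired, or unreachable.
# Assumes certutil.exe on PATH, HTTP access to the CDP URLs, PowerShell 2.0+.

function Get-CrlDistributionPoints {
    # Extract HTTP URLs from the CRL Distribution Points extension (OID 2.5.29.31).
    # Format($true) renders lines such as "URL=http://pki.example.com/Root.crl".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    $urls = @()
    foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(http[^\s]+)')) {
        $urls += $m.Groups[1].Value
    }
    $urls
}

function Get-CrlNextUpdate {
    # Parse the "NextUpdate:" line from "certutil -dump <crlfile>". The exact
    # line layout is certutil's; the regex is an assumption about it.
    param([string]$CrlFile)
    $dump = & certutil.exe -dump $CrlFile 2>&1 | Out-String
    if ($dump -match 'NextUpdate:\s*([^\r\n]+)') {
        return [datetime]::Parse($Matches[1].Trim())
    }
    $null
}

function Test-CrlFreshness {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$WarnHours = 24   # warn before the CRL actually lapses (assumption)
    )
    $web = New-Object System.Net.WebClient
    foreach ($url in Get-CrlDistributionPoints -Cert $Cert) {
        $tmp  = [System.IO.Path]::GetTempFileName()
        $next = $null
        try {
            $web.DownloadFile($url, $tmp)
            $next = Get-CrlNextUpdate -CrlFile $tmp
        } catch {
            $next = $null          # download or parse failed: treat as unreachable
        } finally {
            Remove-Item $tmp -ErrorAction SilentlyContinue
        }
        $state = 'OK'
        if (-not $next)                                    { $state = 'UNREACHABLE' }
        elseif ($next -lt (Get-Date))                      { $state = 'EXPIRED' }
        elseif ($next -lt (Get-Date).AddHours($WarnHours)) { $state = 'EXPIRING' }
        New-Object PSObject -Property @{ Url = $url; NextUpdate = $next; State = $state }
    }
}

# Usage: check the CRLs of every intermediate CA certificate the machine holds.
foreach ($ca in Get-ChildItem Cert:\LocalMachine\CA) {
    Test-CrlFreshness -Cert $ca | Format-Table Url, NextUpdate, State -AutoSize
}
```

An EXPIRED result here means every client that enforces revocation checking will start rejecting certificates from that CA, so it is the case to alert on first; UNREACHABLE usually points at a web server or firewall problem in front of the CDP rather than at the CA itself.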

Using certreq

certreq.exe is used to request certificates: you can use it to query the CA and to create, submit and install a new certificate request.
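As an added example, not code from the article, the PowerShell script below walks through a complete certreq cycle: an INF file describing the key and subject, certreq -new to build the PKCS#10 request, certreq -submit to send it to the CA, certreq -accept to install the issued certificate against the pending key, and a final certutil -verify -urlfetch on the result. The CA name, the host name in the subject and the WebServer template are assumptions for illustration.

```powershell
# Added example, not from the original article: request, submit and install a
# machine certificate with certreq.exe. Run from an elevated prompt because the
# key is created in the machine key set. CA, host and template names are assumed.

$caConfig = 'ca01.contoso.com\Contoso-Issuing-CA'   # "host\CA name" (assumption)
$template = 'WebServer'                             # template name (assumption)
$work     = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. INF describing the key and subject; certreq -new turns it into a PKCS#10 request.
$inf = @"
[NewRequest]
Subject = "CN=web01.contoso.com"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $template
"@
$infPath = Join-Path $work 'request.inf'
$reqPath = Join-Path $work 'request.req'
$cerPath = Join-Path $work 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Submit to the CA. If the template requires manager approval the CA answers
#    "Taken Under Submission" and writes no file; approve it in the CA console and
#    fetch it later with certreq -retrieve <RequestId> <file>.
& certreq.exe -submit -config $caConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }
if (-not (Test-Path $cerPath)) { throw "Request is pending; retrieve it after approval" }

# 3. Install the issued certificate against the pending key in LocalMachine\My.
& certreq.exe -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 4. Confirm the new certificate chains and that its AIA/CDP URLs are reachable.
& certutil.exe -verify -urlfetch $cerPath
```

Keep Exportable set to FALSE unless the key genuinely has to move to another host; an exportable private key in the machine store is the thing an attacker with local admin takes first.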

This article covered the certificate monitoring tools that come with Windows Server 2008, PKIView.msc and certutil.exe: the PKIView.msc console and the certutil.exe command line. We hope it is of help to those who manage enterprise IT.
