For example, Secure Socket Layer servers often run as a service in the "LocalSystem" security context, but Secure Socket Layer clients usually run in the security context of the user who launched the client process. The security context that uses a certificate must "trust" the certificate authority (CA) that issued the certificate. A certificate authority is trusted by a security context when the certificate authority's own certificate is installed in the trusted root certificate store of that security context: the user account's store for a process that runs as that user, or the local computer's store for a service that runs as LocalSystem.
Secure Socket Layer and Transport Layer Security servers must present a server authentication certificate to clients, which must be issued by a certificate authority that is trusted by the client. Usually this certificate is stored in the server's "My" (also called "Personal") certificate store and is retrieved prior to the Secure Socket Layer or Transport Layer Security authentication. If the server process will run in the LocalSystem context, the server authentication certificate should be put in the My or Personal store of the local computer.
If Secure Socket Layer or Transport Layer Security client authentication is required, then the Secure Socket Layer or Transport Layer Security client must present a client authentication certificate to the server that was issued from a certificate authority that is trusted by the server. Usually the client authentication certificate is stored in the My or Personal certificate store of the security context that the client process will run in and is retrieved prior to the Secure Socket Layer or Transport Layer Security connection.
Using Certificate Server

Microsoft Windows 2000 Server includes Microsoft Certificate Server. To install Certificate Server, go to Control Panel, start the Add/Remove Programs utility, and then click Add/Remove Windows Components. After installation, Certificate Server can act as a certificate authority and issue certificates for server and client authentication through Microsoft Internet Explorer and the Certificate Enrollment Control.
Certificate Server is also available for Microsoft Windows NT 4.0 Server. You can install it from the Windows NT 4.0 Server Option Pack, which is available from the following Microsoft Web site:
The Certificate Enrollment Control needs Internet Explorer 5.0 or later to function correctly. To configure the Secure Socket Layer or Transport Layer Security client and server to trust Certificate Server as a certificate authority, retrieve the certificate authority certificate from Certsrv through the http://server/certsrv interface. The Certsrv home page provides an option for you to retrieve the certificate authority certificate. Select this option, click Next, and then click Download CA certificate. Follow the wizard's instructions to download and install the certificate. A local administrator must install the certificate authority certificate on both the Secure Socket Layer or Transport Layer Security client system and the server system.
After you install the certificate authority certificate on both the Secure Socket Layer or Transport Layer Security client and server systems, use the Secure Socket Layer or Transport Layer Security server system to return to the Certsrv home page:
- Click Request a certificate, and then click Advanced Request.
- Click Request a certificate using a form.
- Fill in the certificate identification fields and make sure that the certificate's "Intended Purpose" is set to Server Authentication.
- Click Submit.
If Secure Socket Layer or Transport Layer Security client authentication is required, you must have a client authentication certificate installed on the client system. To install a client authentication certificate: from the Secure Socket Layer or Transport Layer Security client, go to the Certsrv home page and request a client authentication certificate. Use the same process as before, except in the certificate request form make sure the "Intended Purpose" of the certificate is set to Client Authentication. Also, do not select Use local machine store if you must place the certificate in the current user's My or Personal certificate store.
Using Third-Party Certificates

Additionally, test certificates may be available from third-party certificate vendors. Contact specific certificate vendors for information about purchase and use of test certificates.
Testing Certificates

You can use the Webclient and Webserver Secure Socket Layer and Transport Layer Security samples in the Microsoft Platform SDK to verify the installation of Secure Socket Layer or Transport Layer Security certificates. These samples create a Secure Socket Layer or Transport Layer Security connection to test if the certificates were created and installed correctly.
For more information, see the Readme.txt file that is available with these samples. You can download the Platform SDK from the following Microsoft Web site:
Note: If you want to use the Webclient and Webserver samples to verify the certificates, when you create the server authentication certificate you must make sure that the name in the certificate matches the name of the Secure Socket Layer or Transport Layer Security server that the Web client will connect to.
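The checks the article spreads across the sections above (the certificate must sit in the My store of the right security context, its "Intended Purpose" must be Server Authentication or Client Authentication, its issuing certificate authority must be trusted by that context, and the server certificate's name must match the host the client connects to) can be verified before running the Webclient and Webserver samples. The following PowerShell script is an added example, not part of the article and not Microsoft sample code; it uses the standard Windows certificate-store provider (`Cert:\`) and the .NET `X509Chain` class. The host name and thumbprint are placeholders you supply; the two EKU object identifiers are the standard ones for the two intended purposes.

```powershell
# Added example (not from the KB article): verifies a server authentication
# certificate in the local computer's "My" store, which is where the article
# says a LocalSystem service reads it from, and lists usable client
# authentication certificates in the current user's "My" store.
# $ExpectedHost and $Thumbprint are placeholders; replace them.

param(
    [string]$ExpectedHost = 'server.example.test',    # placeholder host name
    [string]$Thumbprint   = 'REPLACE-WITH-THUMBPRINT' # placeholder thumbprint
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU OID for "Server Authentication"
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU OID for "Client Authentication"

function Test-TlsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$RequiredEkuOid,
        [string]$ExpectedHost
    )
    $findings = @()

    # 1. Intended purpose: the Enhanced Key Usage extension must list the required OID.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Oid.Value }) }
    if ($ekuOids -notcontains $RequiredEkuOid) {
        $findings += "EKU does not include $RequiredEkuOid (found: $($ekuOids -join ', '))"
    }

    # 2. Private key: without it the handshake cannot prove possession of the certificate.
    if (-not $Cert.HasPrivateKey) { $findings += 'No private key is associated with this certificate' }

    # 3. Trust: build the chain as the security context running this script sees it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; enable revocation checking in production
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "Chain does not build to a trusted root in this context: $status"
    }
    $chain.Dispose()

    # 4. Name match: the subject DNS name or a SAN entry must equal the host clients connect to.
    if ($ExpectedHost) {
        $dnsName = $Cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans = @()
        if ($sanExt) {
            # Windows formats the SAN as "DNS Name=a, DNS Name=b"; keep the values only.
            $sans = @(($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() })
        }
        if ($dnsName -ne $ExpectedHost -and $sans -notcontains $ExpectedHost) {
            $findings += "Name mismatch: expected '$ExpectedHost', certificate has '$dnsName' / SAN [$($sans -join ', ')]"
        }
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Server side: a LocalSystem service reads the local computer's "My" store.
$serverCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($serverCert) {
    Test-TlsCertificate -Cert $serverCert -RequiredEkuOid $ServerAuthOid -ExpectedHost $ExpectedHost |
        Format-List
} else {
    Write-Warning "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
}

# Client side: a client launched by the interactive user reads that user's "My" store.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-TlsCertificate -Cert $_ -RequiredEkuOid $ClientAuthOid } |
    Where-Object { $_.Passed } |
    Select-Object Thumbprint, Subject, Issuer
```

Run the script from an elevated prompt to read the local computer's store; the chain is evaluated against the trusted root stores visible to the account running the script, so a chain that builds for an administrator is not proof that it builds for the user account a client process runs as. A certificate that fails check 3 is usually missing the certificate authority certificate in the Trusted Root store of that context, which is the installation step the article describes.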
Article ID: 288897 - Last Review: May 31, 2009 - Revision: 1