Microsoft Certificate Server Version 1.0 Beta 3 Release Notes
The following sections are included in this document:
Quick Start
New Features in Certificate Server Version 1.0 Beta 3
Obtaining Support and Providing Feedback
Known Problems and Limitations
Documentation Issues
Copyright Information
Quick Start
The following information should be read before attempting to install Certificate Server Version 1.0 Beta 3.
- The Certificate Server Beta 3 release does not support upgrades and should only be installed on a clean machine. For more information see Known Problems and Limitations.
- In the Choose Storage Location step of the Configuration Wizard, the shared directory specified must already exist; the wizard will not create this directory.
- In the Enter Identifying Information step of the Configuration Wizard, you must provide the following information: Name, Organization, Organizational Unit, Locality, State, and Country.
New Features in Certificate Server Version 1.0 Beta 3
The Microsoft Certificate Server version 1.0 Beta 3 release includes many new features. These features are briefly described below.
- Web-based Administration
- Using a web browser, the administrator can connect to the certificate server, view the certificate log and certificate queue, and revoke certificates. This feature will be eliminated in the K2 final product in favor of MMC-based administration.
- Ordering Name Components
- A REG_MULTI_SZ registry value can be used for setting the order of Relative Distinguished Name (RDN) components at policy module initialization time.
- Multiple RDN Values
- In the policy module and server intermediary, any interface that specifies a name component (such as CN) can specify multiple distinguished name components as comma-separated values.
Example: The string "CN=test,name" will result in a DN that contains "CN=test CN=name".
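As an added illustration covering both the ordering of name components and multiple RDN values described above (Python is used for demonstration; this is not code from the release notes or from Certificate Server), the following expands comma-separated component values into separate RDNs and emits them in a configured order such as the REG_MULTI_SZ value supplies. RDN_ORDER, the function names, and the single-valued check are assumptions for this example.

```python
from typing import Dict, List, Tuple

# Component order as the REG_MULTI_SZ registry value would supply it
# (constructed for this example; the real value is set per installation).
RDN_ORDER = ["CN", "OU", "O", "L", "S", "C"]

def split_component(value: str) -> List[str]:
    """'test,name' -> ['test', 'name']: every comma-separated value becomes its own RDN."""
    return [v.strip() for v in value.split(",") if v.strip()]

def build_rdns(components: Dict[str, str],
               order: List[str] = RDN_ORDER) -> List[Tuple[str, str]]:
    """Expand multi-value components and emit RDNs in the configured order.
    Types missing from the order list are appended last, in input order."""
    rank = {t.upper(): i for i, t in enumerate(order)}
    ordered = sorted(components.items(),
                     key=lambda kv: rank.get(kv[0].upper(), len(rank)))  # stable sort
    return [(t.upper(), v) for t, value in ordered for v in split_component(value)]

def format_dn(rdns: List[Tuple[str, str]]) -> str:
    """Render the way the release notes show it: 'CN=test CN=name'."""
    return " ".join(f"{t}={v}" for t, v in rdns)

def multi_valued(components: Dict[str, str], single=("CN",)) -> List[str]:
    """Types that would silently expand into several RDNs. Because a comma in a
    submitted value produces an extra RDN, a policy module should check these
    before passing the value on, so that request input cannot add a second CN
    the administrator never approved."""
    return [t for t in single if len(split_component(components.get(t, ""))) > 1]
```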
- Extensions
- Using the ICertServerPolicy interface, the policy module can now specify extensions to be included in the published certificate. The policy module can now call standard interfaces and ASN.1-encode standard extension types, including integers and strings.
Example: The following Microsoft® Visual Basic® sample sets a revocation URL string and a critical extension flag into the certificate:
Dim CertPolicy As CCertServerPolicy
Set CertPolicy = New CCertServerPolicy
' Add an extension to the certificate being issued: extension OID,
' value type, flags (marked critical here), and the value itself.
CertPolicy.SetCertificateExtension _
"2.29.38.4", _
PROPTYPE_STRING, _
EXTENSION_CRITICAL_FLAG, _
"http://UrlTest.htm"
- Pending Requests
- The policy module can specify that a request not be issued or denied, but be logged for administrator use. Using the ICertAdmin interface or the Web-based administration tool, the administrator can then specify whether the pending request will be re-submitted to the policy module, or denied.
Example: See policyvb.dll included in the sample code files.
- Date Control
- The policy module can now set the begin and expiration dates on the certificate to be issued.
Example: The following Microsoft® Visual Basic® sample sets the begin and expiration properties in the certificate:
Dim CertPolicy As CCertServerPolicy
Dim date1 As Date, date2 As Date
Set CertPolicy = New CCertServerPolicy
' Validity window chosen for this sample: valid from now, expiring one year later.
date1 = Now
date2 = DateAdd("yyyy", 1, date1)
' NotBefore and NotAfter are set as date-typed certificate properties.
CertPolicy.SetCertificateProperty _
"NotBefore", _
PROPTYPE_DATE, _
date1
CertPolicy.SetCertificateProperty _
"NotAfter", _
PROPTYPE_DATE, _
date2
- Netscape Style Revocation
- Web scripts are provided that allow the server to perform revocation checks as specified in the Netscape certificate-extensions document.
- Exit Module Interface
- The ICertExit and ICertServerExit interfaces are now functional. This allows an exit module to be defined and retrieve certificates as they are issued, as well as publish them to a directory or other repository.
- Local Machine Keys
- Certificate Server now uses Microsoft® CryptoAPI keys with the CRYPT_MACHINEKEYSET registry key specified. This allows the server to run as a valid service without needing to specify a user login account.
- Manual CA hierarchies
- Upon setup, the administrator can now configure the Certificate Authority (CA) to issue a PKCS#10 certificate request for the CA key. The key can then be given to a previously configured CA, which issues a certificate for the new CA. This connects the new CA into a certification hierarchy. The issued certificate is then accepted back into the new CA, and will be given to clients as the certificate for this CA.
- Administrator Interface Expanded
- The following methods have been added to the ICertAdmin interface:
* ResubmitRequest
* DenyRequest
* IsCertificateValid
* GetRevocationReason
* SetRequestAttributes
- <KEYGEN> Tag Support
- Certificate Server now supports creation of client authentication certificates for Netscape Navigator, which requires support for Netscape's proprietary <KEYGEN> HTML tag.
Example: See the kgenroll.asp and kgaccept.asp pages for examples of ASP pages that implement Netscape enrollment.
- Request Formats
- The ICertRequest::Submit method now allows requests to be entered in Base64, Base64+text attributes and headers, or binary. Both PKCS10 and KeyGen requests are supported.
- Header Attributes
- A request may now include header attributes.
Example: The following shows a request with header attributes for CommonName and Organization:
CommonName: Your Name
Organization: Test Org
-----BEGIN CERTIFICATE REQUEST-----
sasdkfh4589023457sdfnmcvnasdtr347509345sadifjsacnv
-----END CERTIFICATE REQUEST-----
Additionally, the ICertAdmin interface can now set request attributes, and the ICertServerPolicy and ICertServerExit interfaces can retrieve request attributes.
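An added example, not part of the release notes or of Certificate Server itself: a Python parser for the three request forms ICertRequest::Submit accepts (binary, bare Base64, and Base64 with header attributes), returning the header attributes and the DER body. The sample request, the tiny DER stand-in, and the function names are constructed for this example.

```python
import base64
from typing import Dict, List, Tuple

# Constructed stand-in for a DER-encoded PKCS#10 body (SEQUENCE { INTEGER 5 });
# the parser treats the body as opaque bytes, so its size does not matter here.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_BARE_B64 = base64.b64encode(SAMPLE_DER)
# Constructed request in the "Base64 + text attributes and headers" form.
SAMPLE_REQUEST = ("CommonName: Your Name\r\nOrganization: Test Org\r\n"
                  "-----BEGIN CERTIFICATE REQUEST-----\r\n"
                  + SAMPLE_BARE_B64.decode() + "\r\n"
                  "-----END CERTIFICATE REQUEST-----\r\n").encode()

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"

def _is_text(data: bytes) -> bool:
    """Printable ASCII plus CR/LF/TAB means a text submission; anything else is binary."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)

def parse_request(data: bytes) -> Tuple[Dict[str, str], bytes]:
    """Return (header attributes, DER body); raise ValueError on malformed input."""
    attrs: Dict[str, str] = {}
    if not _is_text(data):
        body = data                                   # binary form: DER as submitted
    else:
        b64: List[str] = []
        in_block = False
        for line in data.decode("ascii").splitlines():
            line = line.strip()
            if not line:
                continue
            if line == BEGIN:
                in_block = True
            elif line == END:
                break
            elif not in_block and ":" in line and not line.startswith(":"):
                name, value = line.split(":", 1)      # header attribute before the body
                attrs[name.strip()] = value.strip()
            else:
                b64.append(line)                      # Base64 lines (bare or inside the block)
        try:
            body = base64.b64decode("".join(b64), validate=True)
        except ValueError as exc:
            raise ValueError("request body is not valid Base64") from exc
    if not body or body[0] != 0x30:                   # a DER request starts with a SEQUENCE tag
        raise ValueError("request body is not a DER-encoded request")
    return attrs, body
```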
- Expanded Visual Basic Property-Set Types
- String, date, long, and binary types are now supported on calls to the SetCertificateProperty, GetRequestProperty, and GetCertificateProperty methods in the ICertServerPolicy and ICertServerExit interfaces.
- Direct COM Calls and IDispatch on Interfaces
- All Certificate Server interfaces are now callable as IDispatch or regular COM interfaces.
- Unattended Setup
- Certificate Server now supports unattended setup. The following is an example of the strings used for performing unattended setup of Certificate Server:
[certsrv_client]
sharedfolder = \\server\share\cs
[certsrv_server]
name = my test name
organization = my test org
organizationalunit = my organizational unit
locality = my locality
State = my state
country = US
Obtaining Support and Providing Feedback
We welcome your impressions, feedback, and suggestions. Please install Certificate Server as soon as possible and report any problems. For technical support on this product, join us at news://betanews.microsoft.com/microsoft.beta.iis4.general. This is a private newsgroup on the Internet. Product support engineers will service your messages, inquiries, and problem reports in a timely manner.
Known Problems and Limitations
The following list describes problems and limitations that are known to exist in this release of Certificate Server:
- The Certificate Server Beta 3 won't work at all if installed on a primary or backup domain controller.
- The Certificate Server Beta 3 release does not support upgrades and should only be installed on a clean machine. Certificate Server Beta 2 sites should install Beta 3 on a different machine if it is necessary to maintain the old server database (certsrv.mdb) until new certificates can be issued using the Beta 3 release. However, if maintenance of the Beta 2 server database is not important, then Beta 3 can safely be installed on the same machine by following this procedure:
- The Uninstall shortcut located in the cert server program group should be run to uninstall the Beta 2 cert server.
- Remove all Certificate Server Beta 2 files, including certsrv.mdb.
- Using Regedit, remove the "CertSvc" and "Certificate Authority" folders under HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services.
- Install Certificate Server using Windows NT 4.0 Option Pack Setup.
- In the "Identifying Information" step of the Configuration Wizard, if you type an asterisk (*) or question mark (?) character into the Name field, the following error message will pop up during setup:
"An error was detected while configuring the Certificate Server. The Certificate Server Configuration Wizard will need to be rerun to complete the Certificate Server configuration. Cannot copy file => 0x6e(110). C:\Winnt\System32\CertSrv\CertEnroll\nsrev_....(Name field inserted here).asp"
The work-around is to avoid asterisk and question mark characters in the CA's name field.
- In this release, the "Shared Folder" location designated in the "Choose Storage Location" step of the Configuration Wizard must be located on the machine on which Certificate Server is being installed.
- In order to use the enrollment control you must set the Safety Level in Internet Explorer to Medium.
- When Request a Client Authentication Certificate is selected on the Certificate Server Enrollment Tools Web Page, the enrollment pages attempt to detect the version and type of browser that is running. If the browser is Internet Explorer version 3.0 to 3.02 running on Intel, the old certenr3.dll will download. If the browser is Internet Explorer version 3.0 to 3.02 running on Alpha, the user is prompted to upgrade the browser to Internet Explorer 3.02 UPD (Authenticode 2.0). If the browser is Internet Explorer version 3.02 UPD (Authenticode 2.0) or higher running on Intel or Alpha, the platform-specific Xenroll.dll will download. It will also detect a Netscape browser and issue the appropriate cert. If the pages cannot detect which browser is running, the user will be prompted to identify the machine type and browser. Users wishing to write their own control should obtain the certenr3.exe downloadable archive file located at http://www.microsoft.com/intdev/security/csa/enroll.htm which has information on how to do this.
- There is an undocumented user interface that pops up when a user installs a client-authentication certificate generated by the new certificate enrollment control (XEnroll). The user interface asks the user if they want to install the root certificate. The user must also install the Certificate Authority (CA) root certificate if they're running Internet Explorer version 3.02 or earlier. The root certificate that XEnroll installs is placed in HKEY_CURRENT_USER\software\microsoft\systemcertificates and the CA Root goes under HKEY_LOCAL_MACHINE\services\currentcontrolset\securityproviders\Schannel\certificateauthorities. Only Internet Explorer 4.0 knows where to look for the root certificate installed by XEnroll. If the user is running Internet Explorer 3.02 or earlier, they will have to install the CA root certificate from the ASP pages.
- The Certificate Server Administration Tools only display a 'Requery' button if there are entries in the server database when the tools start up. For example, if the Certificate Log Utility is run before any certificates have been issued, the server database will be empty and the Log utility will not display a 'Requery' button. This means that if the Certificate Log Utility is left running and certificates are issued, it will be necessary to exit the Certificate Log Utility and restart it in order to view the issued certificates. Once one certificate is displayed in the Certificate Log Utility, the 'Requery' button becomes active and clicking it will display entries for newly issued certificates.
The Certificate Queue Utility exhibits similar behavior with respect to pending requests. The 'Requery' button in the Certificate Queue Utility will only be visible if the utility is started after at least one request has been submitted.
- If you get an ODBC error when using administration tools such as the Certificate Log Utility or Certificate Queue Utility, do the following:
- Open an MS-DOS command prompt and type "net stop IISADMIN".
- Answer yes when prompted to stop the WWW, FTP and any other services listed.
- Once this is complete, restart all the applicable servers. For example, to restart the WWW service, type "net start W3SVC". To restart the FTP service, type "net start MSFTPSVC".
- Due to a limitation in SChannel involving SHA-1, clients will not be able to install an SHA-1 certificate unless Windows NT Service Pack 3 is present on the machine. This means that clients using Windows NT without Service Pack 3 and clients using Windows 95 cannot use a certificate authority that has an SHA-1 self-signed root certificate.
- CA hierarchies are not fully functional due to lack of support in SChannel.
- Local CRL fetches from the CA server machine can hang under certain conditions. The workaround is to stop and start the cert server after generating a new CRL and writing it to a file available for web access via the "Generate New Certificate Revocation List". This problem should only manifest itself when attempting an "http: get" from the CA server machine to the same or any other machine. One example of this is attempting to verify the revocation status of a certificate containing the CRL in a process running on the same machine as the CA, when the CRL is not in the cache, or when the CRL has expired -- in these cases, the CRL will be fetched via HTTP.
- In some cases Certificate Server may fail to start automatically due to being unable to load an external policy module (the policy module is available but there is a timing problem). Certificate Server may also hang when called by CertReq for this reason. In such a case an event will be added to the event log to indicate this. To work around the problem, start the service after booting using "net start certsvc" or using the Control Panel Services applet.
- Certsrv does not notify the exit module in the event of a CRL being issued.
- Certsrv does not notify the exit module in the event of a shutdown.
- In this release, only complete installations of Certificate Server are supported. Installing the Certificate Server Web Client on a machine by itself is not supported.
- When requesting a certificate by using the enrollment pages, you must use the 'Submit' button, rather than the Enter key. Otherwise an error will result.
- A limitation in Internet Explorer prevents its UI from displaying more than 26 personal certificates. If you apply for more than 26 certificates, the UI under View.Options.Security.Personal is empty even though there are certificates in the 'My' store. If you delete enough of the certificates under HKEY_CURRENT_USER\Software\microsoft\SystemCertificates\My\Certificates so that there are no more than 26, the certificates will show up again in the UI.
Documentation Issues
The following is a list of known documentation issues that exist in this release of Certificate Server:
- In the Certificate Server Administration Tools topic, the screenshot of the Certificate Server Administration Tools Web page is obsolete. The names of the links on the page are slightly revised in Beta 3, but correspond closely to the old names shown in the documentation. Similarly, topics for Web pages accessed by these links still have the old names. For example, see the Certificate Log Utility topic for information about the Web page accessed by clicking the Certificate Administration Log Utility link in the new Certificate Server Administration Tools Web page.
- In the Web Server Enrollment Page topic, the screenshot of the Web Server Enrollment Page incorrectly shows the Certificate Server Enrollment Page instead.
- The topics for Microsoft Internet Explorer Enrollment and Netscape Navigator Enrollment have obsolete information for the beginning of the process. Both of these processes are initiated by using the Request a Client Authentication Certificate link on the Certificate Enrollment Tools Web page. The page can now determine which browser is running and take the appropriate action.
Copyright Information
© 1997 Microsoft Corporation
These materials are provided “as-is,” for informational purposes only.
Neither Microsoft nor its suppliers makes any warranty, express or implied with respect to the content of these materials or the accuracy of any information contained herein, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose. Because some states/jurisdictions do not allow exclusions of implied warranties, the above limitation may not apply to you.
Neither Microsoft nor its suppliers shall have any liability for any damages whatsoever, including consequential, incidental, direct, indirect, and special damages, and lost profits. Because some states/jurisdictions do not allow exclusions of implied warranties, the above limitation may not apply to you. In any event, Microsoft's and its suppliers' entire liability in any manner arising out of these materials, whether by tort, contract, or otherwise, shall not exceed the suggested retail price of these materials.