Certificate-Related Changes for Windows Vista

Applies To: Windows Vista

Windows Vista simplifies the process of administering, obtaining, and using certificates. This document describes several new and changed features that support these improvements.

The significant certificate-related changes in Windows Vista include:

  • Web enrollment updates

  • Credential roaming

  • Cryptography Next Generation support

  • CryptoAPI monitoring

Web enrollment updates

A number of changes have been made to certificate Web enrollment support in Windows Vista. These changes occur in part because the ActiveX enrollment control used in previous versions of Windows, XEnroll.dll, is being replaced with a new enrollment control, CertEnroll.dll, in Windows Vista and Windows Server 2008.

For the end user, the Web enrollment process appears substantially unchanged from Windows 2000, Windows XP, and Windows Server 2003. However, the change in enrollment controls can affect compatibility when users or computers running Windows Vista or Windows Server 2008 attempt to request a certificate by using Web enrollment pages installed on those earlier versions of Windows.

Why XEnroll.dll is being replaced

XEnroll.dll has been a critical component of certificate enrollment in Windows operating systems for many years, and software developers have written numerous enrollment-related applications based on this control. But there are compelling reasons to begin moving away from XEnroll.dll. XEnroll.dll is being retired because it was written before guidelines for more secure controls were developed. In addition, XEnroll.dll has one monolithic interface that exposes more than 100 methods and properties, which makes it very difficult to test and maintain.

In contrast, CertEnroll was designed and written to be more secure, easier to update, and easier to create scripts for.

Note

XEnroll.dll can continue to be used for Web enrollment on computers running Windows 2000, Windows XP, and Windows Server 2003.

How CertEnroll.dll differs from XEnroll.dll

The following client behaviors will be different from those in earlier versions of Windows:

  • The enrollment agent capability (also referred to as the smart card enrollment station) was removed from Web enrollment in Windows Server 2008 because Windows Vista provides its own enrollment agent capability. If you need to perform enrollment on behalf of another client with a Windows Server 2008 Web enrollment, you should use computers running Windows Vista as enrollment stations. Alternatively, you can use a server running Windows Server 2003 with Web enrollment installed as an enrollment agent to enroll certificates through a Windows Server 2008–based certification authority (CA).

  • Only users of Internet Explorer version 6.x or Netscape 8.1 Browser can submit certificate requests directly through the Web enrollment pages. Users of other Web browsers can still submit enrollment requests by using the Web enrollment pages, but they must first create a PKCS #10 request before submitting it through the Web enrollment pages.

  • Certificate Web enrollment cannot be used with version 3.0 certificate templates (which are being introduced in Windows Server 2008 to support the issuance of Suite B-compliant certificates).

  • Internet Explorer cannot run in the local computer's security context; therefore, users can no longer request computer certificates by using Web enrollment.
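Because browsers other than Internet Explorer 6.x and Netscape 8.1 must supply a ready-made PKCS #10 request, the following Windows PowerShell script shows how to build one with the CertEnroll COM interfaces (the X509Enrollment objects exposed by CertEnroll.dll). This is an added example, not code from the original document or from Microsoft; it assumes Windows Vista or later with Windows PowerShell, and the subject name, output path and CSP name are constructed values you would replace.

```powershell
# Added example: build a PKCS #10 request with the CertEnroll COM interfaces
# that replace XEnroll.dll. Assumes Windows Vista or later with Windows PowerShell.
$subjectName = 'CN=example-client, OU=Constructed Example'   # constructed value
$outFile     = "$env:TEMP\client-request.req"                 # constructed path

# X509Enrollment enumeration values (from certenroll.h)
$ContextUser                          = 1   # X509CertificateEnrollmentContext: current user
$XCN_AT_KEYEXCHANGE                   = 1   # key usable for signing and key exchange
$XCN_NCRYPT_ALLOW_EXPORT_NONE         = 0   # private key is not exportable
$XCN_CERT_NAME_STR_NONE               = 0   # default X.500 name encoding flags
$XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3   # "-----BEGIN NEW CERTIFICATE REQUEST-----" framing

# 1. Generate a non-exportable private key in the current user's key store.
$key = New-Object -ComObject 'X509Enrollment.CX509PrivateKey'
$key.ProviderName   = 'Microsoft Enhanced RSA and AES Cryptographic Provider'  # assumed CSP
$key.KeySpec        = $XCN_AT_KEYEXCHANGE
$key.Length         = 2048
$key.ExportPolicy   = $XCN_NCRYPT_ALLOW_EXPORT_NONE
$key.MachineContext = $false            # Web enrollment can no longer request computer certificates
$key.Create()

# 2. Build the PKCS #10 request around that key (no template: the CA decides).
$request = New-Object -ComObject 'X509Enrollment.CX509CertificateRequestPkcs10'
$request.InitializeFromPrivateKey($ContextUser, $key, '')
$dn = New-Object -ComObject 'X509Enrollment.CX500DistinguishedName'
$dn.Encode($subjectName, $XCN_CERT_NAME_STR_NONE)
$request.Subject = $dn

# 3. Wrap the request in an enrollment object and emit it as Base64 text.
$enroll = New-Object -ComObject 'X509Enrollment.CX509Enrollment'
$enroll.InitializeFromRequest($request)
$csr = $enroll.CreateRequest($XCN_CRYPT_STRING_BASE64REQUESTHEADER)
Set-Content -Path $outFile -Value $csr -Encoding Ascii

Write-Host "PKCS #10 request written to $outFile."
Write-Host "Paste its contents into the CertSrv advanced request page, or submit it with certreq.exe -submit."
```

The private key stays in the user's key store with export disabled, so the only artifact that leaves the machine is the signed request; the issued certificate is later bound to the key by the same CertEnroll objects (or by certreq.exe -accept) when it comes back from the CA.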

To configure a server for certificate Web enrollment support, the Certification Authority Web Enrollment role service needs to be added to the server role. If the Web enrollment support is installed on the same computer as the CA, no additional configuration steps are required. If the Web enrollment role service and the CA are installed on different computers, the CA needs to be identified as part of the Web enrollment installation. After the Web enrollment role service is installed, a new Web site named "CertSrv" is available through Internet Information Services (IIS).

Windows Server 2008–based CAs will continue to support certificate Web enrollment requests from users on Windows XP and Windows Server 2003 client computers. If you are enrolling certificates through the Windows Server 2008 Web enrollment pages from a computer running Windows XP, Windows Server 2003, or Windows 2000, the Web enrollment pages will detect this and use the XEnroll.dll file that is installed locally on the client computer.

Non-Microsoft Web enrollment pages will be heavily affected because XEnroll.dll is not available on Windows Server 2008 or Windows Vista. Administrators of these CAs will have to create alternate solutions to support certificate issuance and renewal for client computers that run Windows Server 2008 and Windows Vista, while continuing to use XEnroll.dll for earlier versions of Windows.

Administrators also need to plan the appropriate configuration of their servers running IIS. IIS runs in either 64-bit mode or 32-bit mode, not both. If you install IIS on a server running the 64-bit version of Windows Server 2008, you must not install any 32-bit Web applications, such as Windows Server Update Services (WSUS), on that computer. Otherwise, the Web enrollment role service installation fails.

For more information about how to update CAs installed on computers running Windows Server 2003, see How to use Certificate Services Web enrollment pages together with Windows Vista (https://go.microsoft.com/fwlink/?LinkID=85331).

Credential roaming

Credential roaming was first introduced with Windows Server 2003 Service Pack 1 (SP1) and implemented in an update for Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP1. Because of new core features in Windows Vista, credential management in Windows Vista has more capabilities than the software update for Windows XP SP2 or Windows Server 2003 SP1.

A user who uses computers running more than one of these versions of Windows will be able to use credential roaming from one system to another. However, some information, such as stored user names and passwords, might not be available on a client computer that runs an earlier version of Windows.

The following table illustrates the differences between the credential roaming releases.

Roaming capability | Windows Server 2003 SP1 | Windows XP SP2 software update, Windows Server 2003 SP1 software update | Windows Vista
---|---|---|---
Can roam Data Protection application programming interface (DPAPI) master keys | Yes | Yes | Yes
Can roam X.509 certificates | Yes | Yes | Yes
Can roam Digital Signature Algorithm (DSA) and Rivest-Shamir-Adleman (RSA) keys | Yes | Yes | Yes
Can roam keys made by other algorithms, for example, Elliptic Curve Cryptography (ECC) | No. If the Active Directory object of the current user contains keys other than RSA and DSA, those keys are ignored. | No. If the Active Directory object of the current user contains keys other than RSA and DSA, those keys are ignored. | Yes
Can roam stored user names and passwords | No. If the Active Directory object of the current user contains any stored user names and passwords, they are ignored. | No. If the Active Directory object of the current user contains any stored user names and passwords, they are ignored. | Yes, but only with other Windows Vista client computers.
Includes logic for resolving conflicts | Yes | Yes | Yes (both Windows Vista and Windows Server 2008)
Configurable (lenient or strict) conflict resolution | Yes | No | No
"Last writer wins" conflict resolution | No | Yes | Yes
Part of the Winlogon service | Yes | Yes | No
Windows Management Instrumentation (WMI) process (taskeng.exe) | No | No | Yes

Credential management services depend on a properly configured network infrastructure, and the implementation will depend on whether you have an Active Directory infrastructure that runs on Windows 2000, Windows Server 2003, or a more recent Windows Server operating system.

For more information, see Configuring and Troubleshooting Certificate Services Client–Credential Roaming (https://go.microsoft.com/fwlink/?LinkID=85332).

Cryptography Next Generation support

Cryptography Next Generation (CNG) is the long-term replacement for CryptoAPI. CNG provides a set of APIs that are used to:

  • Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data.

  • Create, store, and retrieve cryptographic keys.

  • Install and use additional cryptographic providers.

CNG has the following capabilities:

  • CNG allows customers to use their own cryptographic algorithms or implementations of standard cryptographic algorithms. They can also add new algorithms.

  • CNG supports cryptography in kernel mode. The same API is used in both kernel mode and user mode to fully support cryptography features. Secure Sockets Layer/Transport Layer Security (SSL/TLS) and Internet Protocol security (IPsec), in addition to startup processes that use CNG, operate in kernel mode.

  • The plan for CNG includes acquiring Federal Information Processing Standards (FIPS) 140-2 level 2 certification together with Common Criteria evaluations.

  • CNG complies with Common Criteria requirements by using and storing long-lived keys in a highly secure process.

  • CNG supports the current set of CryptoAPI 1.0 algorithms.

  • CNG provides support for ECC algorithms. A number of ECC algorithms are required by the United States government's Suite B effort.

  • Any computer with a Trusted Platform Module (TPM) will be able to provide key isolation and key storage in the TPM.
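To see the ECC support and key isolation described above in practice, the following Windows PowerShell script creates a persisted, non-exportable ECDSA P-256 key in the Microsoft Software Key Storage Provider through .NET's CngKey and ECDsaCng classes, signs and verifies a message with it, and then deletes the key. This is an added example, not code from the original document or from Microsoft; it assumes Windows Vista or later with Windows PowerShell and .NET Framework 3.5 or later, and the key container name and message are constructed values.

```powershell
# Added example: exercise a CNG key storage provider (KSP) from Windows PowerShell.
# Assumes Windows Vista or later with .NET Framework 3.5+ (CngKey/ECDsaCng live in System.Core).
Add-Type -AssemblyName System.Core
$keyName = 'ConstructedExample-ECDSA-P256'   # constructed key container name

# Key creation parameters: persisted key in the Microsoft Software KSP, signing only,
# not exportable, so the private key never leaves the provider's isolated storage.
$params = New-Object System.Security.Cryptography.CngKeyCreationParameters
$params.Provider     = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
$params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None
$params.KeyUsage     = [System.Security.Cryptography.CngKeyUsages]::Signing

# Remove a leftover key from an earlier run so Create() does not fail on a name collision.
if ([System.Security.Cryptography.CngKey]::Exists($keyName)) {
    [System.Security.Cryptography.CngKey]::Open($keyName).Delete()
}

$alg = [System.Security.Cryptography.CngAlgorithm]::ECDsaP256   # an ECC algorithm CryptoAPI 1.0 lacks
$key = [System.Security.Cryptography.CngKey]::Create($alg, $keyName, $params)

try {
    'Algorithm: {0}   Provider: {1}   Export policy: {2}' -f `
        $key.Algorithm.Algorithm, $key.Provider.Provider, $key.ExportPolicy

    # Sign and verify a constructed message; the private key stays inside the KSP.
    $ecdsa   = New-Object System.Security.Cryptography.ECDsaCng($key)
    $message = [System.Text.Encoding]::UTF8.GetBytes('constructed sample message')
    $sig     = $ecdsa.SignData($message)
    'Signature verifies: {0}' -f $ecdsa.VerifyData($message, $sig)

    # Flipping one bit of the message must make verification fail.
    $message[0] = $message[0] -bxor 1
    'Tampered message verifies: {0}' -f $ecdsa.VerifyData($message, $sig)
}
finally {
    $key.Delete()    # remove the persisted key from the KSP when done
}
```

Swapping the provider for a smart card or TPM-backed KSP changes only the Provider value; the rest of the script is identical, which is the point of CNG's uniform provider model.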

In Windows Vista and Windows Server 2008, the following certificate-enabled applications can handle certificates that use cryptographic algorithms that are registered in a CNG provider.

Application name | Verify a certificate chain that contains certificates with algorithms that are registered in a CNG provider | Use algorithms that are not supported by CryptoAPI
---|---|---
Encrypting File System (EFS) | Yes | No
IPsec | Yes | Yes
Kerberos | No | No
S/MIME | Outlook 2003: no; Outlook 2007: yes | Outlook 2003: no; Outlook 2007: yes
Smart card logon | No | No
SSL | Yes | Yes
Wireless | Yes | Yes

For more information, see Cryptography API: Next Generation (https://go.microsoft.com/fwlink/?LinkID=74141).

CryptoAPI monitoring

CryptoAPI 2.0 Diagnostics is a feature in Windows Vista that uses event logging and Event Viewer to provide better logging and troubleshooting capabilities for public key infrastructure (PKI) applications based on CryptoAPI 2.0. The event reporting and tracing system in Windows Vista allows applications, components, and drivers to publish schematized events, query log files, and subscribe to events. This system unifies the event logging system and the event tracing framework.

Event logging provides the functionality that applications need to structure and classify their events so that an administrator can easily organize and view them. The events are logged in XML format and can be viewed in Event Viewer. Because the diagnostic information is logged as XML, automated troubleshooting tools are easier to write. Event Viewer provides the user interface to view the events and enables filtering on parameters such as source, level, and keywords.
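The following Windows PowerShell script shows what consuming those XML events looks like outside Event Viewer: it enables the CryptoAPI 2.0 Diagnostics operational channel, reads the most recent warning and error events, and pulls the certificate subject names out of each event's XML payload. This is an added example, not code from the original document or from Microsoft; it assumes Windows Vista or later, an elevated prompt for wevtutil, Windows PowerShell 2.0 or later for Get-WinEvent, and the channel name Microsoft-Windows-CAPI2/Operational and the presence of Certificate elements with a subjectName attribute in the event XML (both assumptions about the CAPI2 event schema, not stated on this page).

```powershell
# Added example: read CryptoAPI 2.0 Diagnostics events as XML from Windows PowerShell.
# Assumes Windows Vista or later, an elevated prompt, and PowerShell 2.0+ (Get-WinEvent).
$logName = 'Microsoft-Windows-CAPI2/Operational'   # assumed channel name

# The channel is disabled by default; enable it, then reproduce the PKI problem.
wevtutil.exe sl $logName /e:true

# Fetch the newest events, keeping only errors (level 2) and warnings (level 3).
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2, 3 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Each event is stored as XML; parse it instead of scraping the rendered message.
    [xml]$x = $e.ToXml()

    # Assumed schema: CAPI2 places the certificates involved under <UserData> as
    # <Certificate ... subjectName="..."/> elements. Collect the distinct subjects.
    $subjects = $x.SelectNodes('//*[local-name()="Certificate"]/@subjectName') |
                ForEach-Object { $_.Value } | Select-Object -Unique

    # Assumed schema: a <Result value="..."/> element carries the Win32/HRESULT code.
    $result = $x.SelectSingleNode('//*[local-name()="Result"]/@value')

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Level    = $e.LevelDisplayName
        Task     = $e.TaskDisplayName
        Result   = if ($result) { $result.Value } else { '' }
        Subjects = ($subjects -join '; ')
    }
}
```

Filtering on Level and on the XML payload, rather than on the human-readable message, is what makes the output stable enough to feed a scheduled check or a SIEM, which is the benefit of the schematized XML events the section describes.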

For more information, see Troubleshooting PKI Problems on Windows Vista.