Download - certification issuing in 2k3
7/29/2019 certification issuing in 2k3
PKWARE, the PKWARE Logo, and PKZIP are registered trademarks of PKWARE, Inc. SecureZIP is a trademark of PKWARE, Inc. Trademarks of other companies mentioned appear for identification purposes only and are the property of the respective companies.
1.7/12/05
Configure a PKI Using Microsoft Windows Server 2003

If you do not already have a public key infrastructure (PKI) in place within your organization and you would like to take advantage of the SecureZIP features that use digital certificates, here's how to configure the tools for creating a PKI that Microsoft includes with Windows Server 2003.

A public key infrastructure is a system to support issuing, using, and managing digital certificates that use public-key cryptography to validate and secure electronic transactions.

With a PKI in place, SecureZIP can use digital certificates to strongly encrypt, digitally sign, and authenticate files. You can even attach the files to Microsoft Outlook email messages directly from SecureZIP.

To make full use of SecureZIP's certificate-based security features with Windows Server 2003, you must first deploy Microsoft Active Directory or another LDAP-compliant directory service to provide accessible locations for storing certificates, and you must install Certificate Services. Certificate Services enables you to set up an enterprise certification authority from which to request certificates. Certificate Services also helps you manage certificates.

Note: To access certificates stored in Active Directory, SecureZIP requires the Directory Integration module, a separately licensed add-on to SecureZIP.

SecureZIP uses certificates stored on an Active Directory server only for encrypting. SecureZIP does not use certificates in a directory to digitally sign files or to authenticate digital signatures.

This brief guide describes how to install Active Directory and Certificate Services on Windows Server 2003, Enterprise Edition, and how to use Certificate Services to set up your own certification authority (CA). Once you have the CA set up, you can begin making certificate requests.

This guide assumes that you have the IIS Web server installed. You must have IIS installed to use the Web enrollment features of Microsoft Certificate Services.
For more comprehensive information about Active Directory and Certificate Services, see the top-level topics "Active Directory" and "Security" on the Microsoft Windows Server 2003 TechCenter Web site:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/2e0186ba-1a09-42b5-81c8-3ecca4ddde5e.mspx
Contents

Configure a PKI Using Microsoft Windows Server 2003
    Install Microsoft Active Directory
    Install Certificate Services as an Enterprise Root Certification Authority
Request and Install User Certificates
    Use the Web Enrollment Form
    Use the Certificate Management Console
Configure SecureZIP for Windows To Access Your Certificates
    Point SecureZIP to Active Directory Certificate Stores
    Specify Default Certificates in SecureZIP
    Turn On Encryption and/or Signing in SecureZIP
Install Microsoft Active Directory

The following steps describe how to install Active Directory on Windows Server 2003, Enterprise Edition. Active Directory provides a place to keep the public key portion of a certificate where it can be accessed for asymmetric encryption. Your personal certificate(s) with their private keys are installed on your own machine.

The steps below describe how to install Active Directory in a new domain.

1. Log in to the Windows 2003 server that you want to make the domain controller for a new domain.
2. Open the Active Directory Installation wizard: From the Start menu, select Run. Type: dcpromo. Click OK.
3. Select the option Domain controller for a new domain, as shown above, and choose Next.
A dialog opens in which to select a type of domain.
4. Select Domain in a new forest, as shown above, and choose Next. This opens a dialog in which to specify a name for the new domain.
5. Enter a name for the domain. Microsoft recommends using .local or .dom for internal domains, but you may use any domain name you like. Choose Next.
A dialog opens in which to specify a NetBIOS name for the domain.
6. Accept the proposed NetBIOS name or enter a different one and choose Next.
A dialog opens in which to specify folder locations for the Active Directory database and log files.
7. Select locations for the Active Directory database and log file. Choose Next to open a dialog in which to specify a folder to be shared as the system volume.
8. Specify a location for the shared system volume and choose Next.
The following dialog appears if DNS is not already installed on the local computer.
To install DNS, select Install and configure the DNS server, as shown in the screen shot above, and choose Next.
A dialog opens in which to specify the type of permissions you want Active Directory to use.
9. Select whether to install Active Directory to use permissions compatible with pre-Windows 2000 operating systems (mixed mode) or permissions compatible only with Windows 2000 or Windows Server 2003 operating systems (native mode).
Mixed mode supports pre-Windows 2000 domain controllers; native mode does not. Native mode is preferable if you do not need to support programs running on pre-Windows 2000 operating systems.
Choose Next to display a summary of your settings.
10. Choose Next to install Active Directory.

After Active Directory is installed, you are prompted to reboot. You can then log in to the domain. At this point, you can configure workstations to join and log in to the domain.

For clients to find the new domain, you must update any lookup zones on your internal DNS servers to point to the new domain controller. Alternatively, you may point clients to the new domain controller for DNS.

If clients require Internet name resolution, you will need to configure this on the forwarders tab on the new domain controller's internal DNS server.

For more information about working with a DNS server, see the topic, "DNS server role: Configuring a DNS server," on the Microsoft Windows Server 2003 TechCenter Web site:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4e1c7b17-16ab-4e7d-a333-15befb15c82e.mspx

Install Certificate Services as an Enterprise Root Certification Authority

The following steps describe how to install Certificate Services on Windows Server 2003, Enterprise Edition, and how to set up an enterprise root certification authority. Certificate Services enables you to request and manage certificates.

These steps assume that Active Directory is already deployed.

1. Log in to a domain controller or member server with an account that is a member of both the Enterprise Admins group and the Domain Admins group.

Note: If your organization has, or has ever had, any Windows 2000 Certificate Authorities, you must install the new Windows 2003 certificate templates before proceeding. See "Install new templates and upgrade existing templates" on the Microsoft Windows Server 2003 TechCenter Web site:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9944aee5-cd81-4f4a-8e4c-109e913a0d79.mspx

2. Open the Add/Remove Programs application in the Control Panel.
3. Select Add/Remove Windows Components.
4. In the Windows Components wizard, highlight Certificate Services and choose Details. Select both the Certificate Services CA and Web Enrollment Support. Choose OK.
A dialog appears with a note cautioning that the local machine name and domain membership will be bound to the CA information.
5. Choose Yes. A dialog opens in which to select the type of certification authority to set up.
6. Select Enterprise Root CA. Installing an enterprise root CA allows all computers that are members of the target domain to automatically trust the CA.
If you know how to configure a CA, you can alternatively select a stand-alone root or subordinate CA. SecureZIP works with either of these as well.
Choose Next to open a dialog in which to define the CA.
7. Specify a name and validity period for the CA. Choose Next.
A dialog opens in which to enter locations for the certificate database and log.
8. Specify the locations for the certificate database, database log, and the shared folder (defaults are acceptable). Choose Next.
If IIS is running, a prompt informs that it needs to be restarted. Choose OK.
Setup now completes. You may be required to insert your Windows 2003 Server installation media or to point the installer to a .cab file on the network.

Request and Install User Certificates

Now that Certificate Services is installed and ready to use, users can request certificates from the enterprise certification authority (CA) set up in the preceding steps.

Users can request certificates in two ways:
- Using the CA's Web enrollment form
- Using the Certificate Management console

Both methods install the requested certificate's private key into the logged-in user's personal store. If the CA has been configured as an enterprise CA, the CA automatically publishes keys into Active Directory.

Both methods install the requested certificate with its private key on the local Windows computer and publish the certificate's public key to Active Directory.

Use the Web Enrollment Form

Users can enroll for personal certificates through the Certificate Services Web enrollment form located at the URL:
http://servername/CertSrv
where servername is the name of the Web server running Windows Server 2003 where the CA you want to access is located.

The following steps show a straightforward way to request a user certificate through Web enrollment. As the accompanying screens indicate, the process can be customized in various ways.

For detailed instructions on requesting certificates over the Web, see the topic, "Submit a user certificate request via the Web to a Windows Server 2003 CA," on the Microsoft Windows Server 2003 TechCenter Web site, here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b105bc5d-db4a-4570-90f1-873819d3a5cf.mspx
The TechCenter Web site also contains a wealth of information on administering a CA and on managing certificates.

To use Web enrollment to request a user certificate:
1. In your Internet Explorer browser, navigate to the URL of the Web form for the CA from which you want to request a user certificate. For example, for a CA located on Web server abc-corp-ca, navigate to:
http://abc-corp-ca/certsrv/
2. On the Welcome screen shown above, choose the link, Request a certificate, to open the page shown below.
3. Choose the link, User Certificate, to open the page shown below.
4. Choose the Submit button to submit your request. The following message displays.
5. Choose Yes to complete your request. The following confirmation screen displays.
6. Choose Install this certificate to install the certificate with its private key on the local machine and to publish the public key to Active Directory where it can be accessed by other users.

Use the Certificate Management Console

As an alternative to requesting a certificate through a CA's Web enrollment form, as described above, users can use the Certificate Management console to request a certificate from an enterprise root CA. The Certificate Management console is a Microsoft Management Console (MMC) snap-in that is included with NT 5.0 and later versions of Windows. It uses LDAP to query PKI information from a local domain controller.

1. Open the Certificate Management console (certmgr): From the Start menu, choose Run. Enter certmgr.msc, as shown below, and choose OK.
2. Run the Certificate Request wizard: In the certmgr console, expand the Personal folder in the console tree (left-hand pane). Right-click the Certificates folder to open the context menu. Choose All Tasks | Request New Certificate, as shown below.
3. In the Certificate Request wizard, select the type of certificate you want to request: Select User, as shown below, and choose Next.
4. As shown below, enter a friendly name and description that will help you identify the certificate. Choose Next.
5. In the final wizard screen, review your settings. If they are okay, choose Finish to complete the wizard.
6. Check in the Certificate Management console to confirm that your certificate has been issued and installed in your personal certificate store.
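
The same confirmation can be scripted. The PowerShell below is an added example, not part of the original guide: it lists each certificate in the logged-in user's personal store, reports whether its private key is present, and builds its chain so you can see whether it leads to a trusted root such as your enterprise root CA. It assumes Windows PowerShell is available on the workstation; the function name is illustrative.

```powershell
# Added example: audit the logged-in user's personal ("My") certificate store.
# Get-PersonalCertificateStatus is an illustrative name, not a built-in cmdlet.
function Get-PersonalCertificateStatus {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'CurrentUser'
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Revocation is skipped so the check still runs when the CA's CRL
            # cannot be reached; set 'Online' to include revocation status.
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $trusted = $chain.Build($cert)

            # The last chain element is the root the certificate leads to;
            # compare it with the name you gave your enterprise root CA.
            $count = $chain.ChainElements.Count
            $root = if ($count -gt 0) { $chain.ChainElements[$count - 1].Certificate.Subject } else { '' }
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

            $cert | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint, HasPrivateKey,
                @{ Name = 'ChainTrusted'; Expression = { $trusted } },
                @{ Name = 'ChainRoot';    Expression = { $root } },
                @{ Name = 'ChainStatus';  Expression = { $status } }
        }
    }
    finally {
        $store.Close()
    }
}

# A usable personal certificate shows HasPrivateKey = True and ChainTrusted = True.
Get-PersonalCertificateStatus | Format-List
```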

Configure SecureZIP for Windows To Access Your Certificates

To configure SecureZIP for Windows to use certificates for encryption/decryption and for working with digital signatures, you must do these things in SecureZIP:
- Add the Active Directory certificate store(s) to the list of stores that SecureZIP checks for certificates
- Have each user designate a default certificate to use when he does certificate-based encryption
- Turn on encryption or signing in SecureZIP to have SecureZIP encrypt or sign files

Point SecureZIP to Active Directory Certificate Stores

For SecureZIP for Windows to access your Active Directory certificates to encrypt for the certificates' owners, you must tell SecureZIP where the certificates are.

To do this, open SecureZIP and do the following:
1. In the Tools menu, select Options to open the SecureZIP Options dialog.
2. Select the Security category.
3. Select the Certificate Stores tab to see a list of certificate stores SecureZIP can search.
The Certificate Stores list contains an item for every certificate store SecureZIP knows about. A store is labeled either Local or LDAP in the Type column, depending on whether the store is on your local system or on an LDAP-compliant directory server such as Active Directory. LDAP is a protocol used by Active Directory and other directory servers.
4. Choose the Add button to open a new LDAP Properties page.
5. In the LDAP Properties dialog, fill in the fields with the information SecureZIP needs to access the directory. When done, choose OK to return to the Certificate Stores tab.
The fields in the LDAP Properties dialog are described in the following table. The fields marked Optional may be left blank unless they are required to access the server. Only the Name and Base fields are required.
Field      Description
Name       A label to identify the server in the Certificate Stores list. For example: Gamma
Server     (Optional) The TCP/IP address of the LDAP server or a name that resolves to such an address. For example: 192.172.0.1
Port       (Optional) The TCP/IP port to use. Port 389 is customary and is entered as the default.
Base       The name of the entry that SecureZIP should use as the base or root of the LDAP search for certificates, analogous to a root folder or directory in a file system. For example: cn=users,dc=xyz,dc=com
           The query string format for the LDAP base can vary between LDAP implementations. For example, a server may expect query strings in the Internet domain-style format used by default by Microsoft Active Directory (for example, cn=users,dc=xyz,dc=com), or it may expect them in X.500 naming format (for example, o=xyz,c=US). Check with your LDAP or network administrator for the query string to use.
User       (Optional) The user account with which to log in if the LDAP server requires a login
Password   (Optional) The password associated with the user account
6. On the Certificate Stores tab, choose OK or Apply to save the new certificate store for SecureZIP to use.
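
Before relying on the Server, Port and Base values entered in the LDAP Properties dialog, you can confirm that the directory actually returns certificates for that base. The PowerShell below is an added example, not part of the original guide or of SecureZIP: it searches the base for entries with a published userCertificate attribute and lists each certificate's subject, expiry and key usages. The function name is illustrative, the defaults are the sample values from the table above, and the negotiated bind assumes an Active Directory server.

```powershell
# Added example: list the certificates a directory publishes under a base DN.
# Test-LdapCertificateBase is an illustrative name; the defaults are the sample
# values from the LDAP Properties table and must be replaced with your own.
function Test-LdapCertificateBase {
    param(
        [string]$Server = '192.172.0.1',
        [int]$Port = 389,
        [string]$Base = 'cn=users,dc=xyz,dc=com',
        # Supply only if the LDAP server requires a login (see User/Password).
        [System.Management.Automation.PSCredential]$Credential
    )

    $path = 'LDAP://{0}:{1}/{2}' -f $Server, $Port, $Base
    if ($Credential) {
        # Secure requests a negotiated (Kerberos/NTLM) bind so the password
        # is not sent as a clear-text simple bind over port 389.
        $auth = [System.DirectoryServices.AuthenticationTypes]::Secure
        $password = $Credential.GetNetworkCredential().Password
        $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path, $Credential.UserName, $password, $auth
    }
    else {
        # No credential given: bind as the currently logged-in user.
        $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.Filter = '(userCertificate=*)'   # only entries with a published certificate
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('userCertificate')

    $results = $null
    try {
        $results = $searcher.FindAll()
        foreach ($entry in $results) {
            $name = [string]($entry.Properties['cn'] | Select-Object -First 1)
            # An entry can hold several certificates, each stored as DER bytes.
            foreach ($raw in $entry.Properties['usercertificate']) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
                $usage = $cert.Extensions | Where-Object {
                    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
                }
                $cert | Select-Object @{ Name = 'Entry'; Expression = { $name } },
                    Subject, Issuer, NotAfter,
                    @{ Name = 'Expired';   Expression = { $_.NotAfter -lt (Get-Date) } },
                    @{ Name = 'KeyUsages'; Expression = { $usage.KeyUsages } }
            }
        }
    }
    finally {
        if ($results) { $results.Dispose() }
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Usage (constructed host and base, replace with your own):
# Test-LdapCertificateBase -Server 'dc01.example.local' -Base 'cn=users,dc=example,dc=local' | Format-Table -AutoSize
```

An empty result means the base is wrong for this directory or no certificates have been published under it yet.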

Specify Default Certificates in SecureZIP

Users may have one or more personal certificates that they use to sign files or to ensure that they can decrypt files that they encrypt for others. If a user has only one certificate, SecureZIP automatically uses that certificate. If a user has more than one, the user can tell SecureZIP which certificate to use by default.

To specify a default certificate to use when encrypting for yourself:
1. In SecureZIP, in the Tools menu, select Options to open the SecureZIP Options dialog.
2. Select the Security category.
3. Select the Encryption tab.
4. In the Method drop-down, select one of the two Recipient list options to enable the list of personal certificates.
In the list, a valid certificate displays with a green check mark; an invalid certificate shows a red X.
5. Select a certificate to use by default.
If you have only one, it is used automatically.

To specify a default certificate to use when signing:
1. In SecureZIP, in the Tools menu, select Options to open the SecureZIP Options dialog.
2. Select the Security category.
3. Select the Authentication tab.
4. Select a certificate to use by default from the list of your personal certificates.
If you have only one certificate, it is used automatically. A valid certificate displays with a green check mark; an invalid certificate shows a red X.

Turn On Encryption and/or Signing in SecureZIP

To use certificates to encrypt or sign files in SecureZIP, those functions must be turned on. SecureZIP then routinely encrypts and/or signs files until you turn the functions off.

By default, encryption is turned on and signing is turned off.

To turn on certificate-based encryption:
1. On the Encryption tab of Security Options, in the Method drop-down list, select one of the following:
   o Strong: Recipient List
   o Strong: Recipient List or Password
2. Check the box Encrypt files. See the SecureZIP help for other, more direct ways to turn on encryption.
To turn on signing, choose Sign Files on/off from the Actions menu. Again, there are other, more direct ways.

SecureZIP is now set up to do certificate-based encryption and apply digital signatures.