Task 7.8: Certificate Backup and Management

Installing the right certificate on a single computer is only half the battle. As a security expert, you face more challenges because many users have more than one system. They may want their certificates installed on their laptops too.

Scenario

Your company is deploying laptops to the sales force and would like you to set up these laptops to use the existing digital certificates for the employees. Management would also like you to clear out any other certificates on the system and make a backup copy.

Scope of Task

Duration

This task should take about 15 minutes.

Setup

For this task, you’ll need a Windows computer, access to the Administrator account, and an Internet connection. You will also need to have completed Task 7.7.

Caveat

Certificates can be misused if stolen or acquired by attackers.

Procedure

In this task, you will work with digital certificates.

Equipment Used

For this task, you must have:

  • Two Windows XP, Windows Vista, or Windows 7 computers
  • Access to the Administrator account
  • An Internet connection

Details

This task will show you how to make a backup copy of a digital certificate and how to clear out existing certificates to eliminate any that may have been accepted by accident.

Backing Up an Email Certificate

1. Start Internet Explorer and select Tools ⇒ Internet Options. In the Internet Options dialog box, select the Content tab and click the Certificates button.

2. In the Certificates dialog box, on the Personal tab, select the certificate you created in the previous task and click Export.

3. The Certificate Export Wizard launches. Select Yes, Export The Private Key, then click Next.

4. On the next wizard screen, select the options Include All Certificates In The Certification Path If Possible and Enable Strong Protection.

5. As the wizard continues, you will be asked to choose a password.

Make sure you will be able to remember the password later or you will not be able to access the exported certificate.

6. Select the save location (for example, a CD or USB thumb drive) and give the file a name such as YourName-Cert. Leave the Type field set to Personal Information Exchange (*.pfx).

7. Once finished, the file and associated private key are saved as a PFX file.

Installing an Email Certificate

Now that you have saved the certificate to a CD or USB thumb drive, it is time to install it on a second system.

In real life, this would most likely be a laptop.

1. Start Internet Explorer and select Tools ⇒ Internet Options. In the Internet Options dialog box, select the Content tab and click the Certificates button.

2. Click the Import button.

3. The Certificate Import Wizard starts. Click Next.

4. Browse to select the saved certificate and then click Next. The saved location will be the CD or USB drive you saved the certificate to.

5. Enter the password you created for the certificate.

6. Allow Windows to automatically select certificate placement.

7. Click Finish, and you have successfully imported a certificate.
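
The backup and install procedures above can also be scripted, with a check that the PFX file really contains the private key before you rely on it. The following PowerShell is an added example, not part of the original task; it assumes Windows 8 / Server 2012 or later (where the Export-PfxCertificate and Import-PfxCertificate cmdlets exist), and the subject text and file path are placeholders.

```powershell
# Added example, not from the original task. Run with -Mode Export on the
# source system, then with -Mode Import on the laptop.
param(
    [ValidateSet('Export', 'Import')][string]$Mode = 'Export',
    [string]$Subject = 'YourName',               # placeholder: text in the certificate subject
    [string]$PfxPath = 'E:\YourName-Cert.pfx'    # placeholder: path on the CD or USB drive
)

# Prompt for the PFX password so it is never echoed or stored in the script.
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

function Export-CertBackup {
    # Pick the certificate from the Personal store that has a private key.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$Subject*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key matches '$Subject'." }

    # BuildChain corresponds to "Include All Certificates In The Certification Path".
    # The export fails if the private key was not marked exportable.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password `
        -ChainOption BuildChain -ErrorAction Stop | Out-Null

    # Verify the backup: reopen the file and confirm it holds the same key pair.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $Password
    $ok = $check.HasPrivateKey -and ($check.Thumbprint -eq $cert.Thumbprint)
    $check.Reset()   # release the temporary key material loaded for the check
    if (-not $ok) { throw 'Backup verification failed: key missing or thumbprint mismatch.' }
    return $cert.Thumbprint
}

function Import-CertBackup {
    # Import into the current user's Personal store. -Exportable is deliberately
    # omitted, so the private key cannot be exported again from the laptop.
    $imported = Import-PfxCertificate -FilePath $PfxPath -Password $Password `
        -CertStoreLocation Cert:\CurrentUser\My -ErrorAction Stop
    return ($imported | Where-Object { $_.HasPrivateKey }).Thumbprint
}

if ($Mode -eq 'Export') { Export-CertBackup } else { Import-CertBackup }
```

The thumbprint printed by the import should match the one printed by the export.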

Checking for Certificate Revocation

Certificates are valid for only a fixed period of time. Even during this period, things can happen that might cause a certificate authority or the owner of the certificate to revoke it. Therefore, it is a good idea to check that certificates are valid before use. Internet Explorer has the ability to automatically check for certificate revocation.

1. Start Internet Explorer and select Tools ⇒ Internet Options. In the Internet Options dialog box, select the Advanced tab.

2. Scroll down to the Security section. You will notice that some items are already checked. Leave those as they are, and select the options Check For Publisher’s Certificate Revocation and Check For Server Certificate Revocation (Requires Restart).

3. Apply these changes and close the Internet Options dialog box. You have now configured Internet Explorer to check for invalid certificates before use.

Criteria for Completion

You have completed this task when you have backed up a certificate, installed a certificate onto a second system, and changed Internet Explorer’s settings to check for revoked certificates.
