Where computer certificates are installed. Managing Windows certificates.

Certificate Services is a component of the base operating system that allows a Certification Authority (CA) to perform its functions, including issuing digital certificates and certifying them. Windows XP Professional supports multi-level CA hierarchies and multiple CAs with overlapping (cross-certified) trust, as well as isolated (offline) and interactive (online) CAs.

Certificate stores for public keys

Windows XP Professional stores public-key certificates in a special certificate store. They are stored unencrypted, since a certificate is publicly available information. Certificates carry the digital signature of the CA, which prevents them from being altered.

A user's certificates are located in the folder Documents and Settings\<username>\Application Data\Microsoft\SystemCertificates\My\Certificates of the user profile. These certificates are written into the local registry each time the user logs on to the computer. For roaming profiles, the certificates are stored with the profile (not on the computer) and "follow" the user when he logs on to any computer in the domain.

Protecting private keys

Cryptographic service providers (CSPs), both the Base CSP and the Enhanced CSP, store private keys in the user profile, in the folder %SystemRoot%\Documents and Settings\<username>\Application Data\Microsoft\Crypto\RSA. For roaming profiles, the private key is kept in the RSA folder on the domain controller and is downloaded to the computer only for the duration of the session.

Because private keys must be protected, all files in the RSA folder are automatically encrypted with a random symmetric key, the user's master key.

When stored on disk, the master key is itself protected with the Triple DES algorithm using a key derived from the user's password. The master key is used to encrypt every file in the RSA folder automatically as the file is created.

Automatic enrollment of user certificates

Windows 2000 already had the ability to enroll user certificates automatically. Automatic enrollment of computer and domain controller certificates is supported through Microsoft Active Directory group policy. Automatic computer certificate enrollment is intended to simplify connections over IPSec or L2TP/IPSec VPN to servers running Windows XP with the Routing and Remote Access service, and to other servers.

This feature reduces the total cost of ownership and simplifies certificate life-cycle management for users and administrators. Automatic enrollment of smart card certificates, and of certificates from a CA with self-signed certificates, provides additional protection for organizations that need it.

Requests for pending and renewed certificates

Automatic certificate enrollment in Windows XP Professional also supports requests for pending and renewed certificates. After a certificate has been requested, manually or automatically, from a Windows .NET Server CA, the administrator may have to approve its issuance, or a verification process may have to complete. Once the certificate is issued, the auto-enrollment mechanism installs it automatically.

Renewal of user certificates whose validity period has expired also uses the auto-enrollment mechanism. Certificates are renewed automatically on the user's behalf, and the procedure is determined by the parameters of the Active Directory certificate templates.

By default, certificates and keys are protected. For additional protection, further security measures can be applied, including exporting private keys and storing them in a safe place.

Instructions

To view all installed certificates, choose "Run" from the "Start" menu and enter certmgr.msc on the command line. In the "Certificates" console, expand the child nodes to see information about the certificates.

To view the details of a particular certificate, select it and right-click it. In the context menu, choose "Open". On the "Details" tab, click "Properties", and in the "Show" list select "All" so that the system displays the complete information about this certificate.

Browsers also show information about installed certificates. In Internet Explorer, choose "Internet Options" from the "Tools" menu and go to the "Content" tab. Click the "Certificates" button. To move between the tabs, use the "Right" and "Left" arrows in the top right corner.

If Mozilla Firefox is installed, choose "Options" from the "Tools" menu. Go to the "Advanced" tab and then to "Encryption". Click "View Certificates". The developers of this browser did not place the certificates that cannot be trusted in a separate group.

To view certificates in Opera, choose "General Settings" from the "Settings" menu and go to the "Advanced" tab. In the left part of the window click "Security", then "Manage Certificates".

The "Approved" tab contains the list of installed certificates. Click "View" to see detailed information about each certificate.

The certificate system familiar to every smartphone user allows the operating system of this useful mobile device to control the software that the user runs: on the one hand it protects the device from the activation of viruses and other malicious programs, and on the other from rash actions of the user himself that could damage the programs and data on the smartphone.

There are three main types of certificates used by the most widespread smartphone operating system, Symbian OS. User, or general, certificates allow any user to install applications signed with them; personal or developer certificates give a program wider access to the API functions of the operating system, but such a program can be run on only one phone; "LicensePlatform" certificates give the application the fullest access to the system's capabilities.

To install unsigned programs, certificate checking has to be disabled, since installation of programs whose trustworthiness has not been verified is blocked in order to protect the smartphone. To do this:

  1. Open the Application Manager.

  2. Select the menu items Options - Settings - Software installation - All; Online certificate check - Off. Certificate checking is now disabled, so on the one hand programs without a valid signature can be installed, and on the other the certificate is not re-verified over the Internet, which would otherwise require a connection.

The appearance of the error message "Certificate invalid" or "Installation prohibited" indicates that certificate checking has not been disabled. Repeat the instructions above from the beginning.

Sometimes error messages such as "Certificate expired" or "Certificate not yet valid" appear; these do not necessarily

Cryptographic information protection tools

For cryptographic protection of documents, special software products are used, called cryptographic information protection tools (SKZI, from the Russian abbreviation). SKZI provide all the functions needed to implement cryptographic protection.

Some SKZI are standalone programs or software packages with their own interface. All work on protecting information, from creating keys and certificates to generating/verifying signatures and encrypting/decrypting, is carried out within such a universal software package. Such SKZI are not considered in this guide.

Other SKZI provide cryptographic functions to user applications. Such products are called crypto providers (CSPs, Cryptographic Service Providers).

Crypto providers

All crypto providers follow the fundamental principles described above. Each crypto provider has its own set of algorithms and its own key and certificate formats.

A crypto provider is a software tool designed to work in a particular operating environment and together with the programs that run in that environment.

Using the functions a crypto provider offers, you can:

  • Create cryptographic keys. These keys are intended for the algorithms implemented by this crypto provider;
  • Generate and verify electronic signatures on documents;
  • Encrypt and decrypt documents.

When crypto providers are used, work with user certificates is performed with system tools. This work is described in the following sections. It is also possible to work with certificates with the help of additional scripts and utilities, which various vendors supply as needed.

Signature generation/verification and encryption/decryption are performed through the interface of user applications. At present there are many programs designed to work with crypto providers. A description of the information-protection facilities of such programs can be found in their documentation.

Many crypto providers have been developed to date. Some crypto providers are included in the Windows OS distribution. In addition, further crypto providers can be installed in the operating system.

Various programs that have an interface to crypto providers can work with different crypto providers, "instructing" them which crypto provider should be used for given cryptographic functions.

The choice of crypto provider is dictated by which cryptographic algorithms are to be used to protect documents.

The crypto providers included in the Windows OS distribution provide cryptographic functions to applications, including mail programs. However, these crypto providers use algorithms that conform to foreign standards (in particular, the widely used RSA, DSA and other algorithms).

Crypto providers that use the algorithms approved by Russian GOST standards are not included in the Windows distribution. However, such crypto providers exist and can be installed in the system. One such crypto provider, for example, is MagPro CSP.

Certificates in Windows

The following sections describe working with certificates using Windows system tools.

A number of operations, such as installing certificates, can be performed not only with the system tools of Windows but also with additional software (scripts or utilities), especially where non-standard scenarios are involved (the certificate is installed on a computer other than the one on which the request was made, and so on). Working with certificates in such software is described in the documentation of that software.

Note that when working with certificates in the various programs included in the standard Windows distribution, the principles of working with certificates described below also apply.

Certificate purposes

User certificates are used by programs to perform a variety of tasks. The set of tasks for which a particular certificate is used is called the purpose of the certificate.

For example, certificates may have the following purposes:

  • All possible purposes - a universal certificate;
  • Client authentication certificate - used to verify that the client connecting to a server is who it claims to be;
  • Secure e-mail certificate - used for protecting e-mail;
  • Server authentication certificate - used so that the client can verify that it has connected to the intended server;
  • Electronic signature certificate - used for signing documents;
  and so on.

The purpose of a certificate is specified at the time the certificate is requested.

The user needs to know which certificate purpose is required for his work. This information can be obtained, for example, from the certification authority.

If certificates of several purposes are needed, it is simplest to create a universal certificate (if the certification authority supports the creation of such certificates).
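The GUI walk-through in the "Instructions" section (certmgr.msc) and the purpose list above can be reproduced from the command line. The following is an added example, not code from the original article; it assumes Windows PowerShell 5.1 or later with the built-in Cert: drive, and uses the provider's store names (My, Root, CA, AddressBook, TrustedPeople), which correspond to the stores certmgr.msc displays:

```powershell
function Get-UserCertificateInventory {
    # Maps the Cert: provider's store names to the names shown in certmgr.msc
    $stores = [ordered]@{
        My            = 'Personal'
        Root          = 'Trusted Root Certification Authorities'
        CA            = 'Intermediate Certification Authorities'
        AddressBook   = 'Other People'
        TrustedPeople = 'Trusted People'
    }
    foreach ($name in $stores.Keys) {
        Get-ChildItem -Path "Cert:\CurrentUser\$name" | ForEach-Object {
            # EnhancedKeyUsageList is added by the Cert: provider; an empty list means the
            # certificate carries no EKU extension, i.e. it is usable for all purposes
            $eku = @($_.EnhancedKeyUsageList)
            [pscustomobject]@{
                Store      = $stores[$name]
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                HasKey     = $_.HasPrivateKey      # bound to a private key?
                Thumbprint = $_.Thumbprint         # SHA-1 fingerprint, as shown in the GUI
                Purpose    = if ($eku.Count -eq 0) { '<all purposes>' }
                             else { ($eku | ForEach-Object FriendlyName) -join ', ' }
            }
        }
    }
}

# Usage: full inventory grouped by store, then only certificates usable for secure e-mail
Get-UserCertificateInventory | Format-Table -GroupBy Store -AutoSize
Get-UserCertificateInventory | Where-Object { $_.Purpose -match 'Secure Email|all purposes' }
```

The Purpose column is derived only from the Enhanced Key Usage extension; a purpose the user has disabled in the certificate's properties dialog is not reflected here, so the GUI remains the authority on per-certificate overrides.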

Requesting a certificate

Windows has no system tools for requesting a certificate. The standard way to create requests is through a web interface: on the certification authority's server there is a page containing a form for entering the necessary information.

As a rule, the certificate request is formed at the same time as the keys are created (although this is not mandatory; a request can also be formed for an already created key).

After the necessary information has been entered, a special script forms the certificate request and sends it directly to the certification authority's server. At the certification authority the information is checked and the certificate is issued.

As an alternative, users can create keys and certificate requests with special utility programs (for example, genkey.exe, intended for use with the MagPro CSP crypto provider).

The set of information specified when forming a request, the means of submitting the request to the certification authority, and the procedure for verifying the submitted information are determined by the regulations of the certification authority concerned.

Transferring certificates in files

After issuing a certificate, the certification authority must deliver it to the users, including the certificate's owner.

To do this, a file must be formed that contains all the information needed to create the certificate; in addition, this file must have a special format so that the user can immediately install the certificate in the system.

Such files are called certificate files.

Whatever the regulations of a particular certification authority say about the procedure for submitting and obtaining certificate files, certificate files are issued only in a few standard formats.

A certificate file can be obtained from the certification authority (sent directly by e-mail or downloaded from the CA server) or from another source.

If a certificate must be sent to another user, or installed on another system (for example, a certificate for one's own key used for correspondence), the certificate must be exported to a file.

Certificate file formats

The standards define a number of acceptable formats for files that carry certificates:

  • An X.509 file, which can contain only a single certificate (files with the extensions .crt, .cer);
  • A PKCS#7 file. This format is intended for sending encrypted and signed messages together with the certificates needed to process them. A file of this format can also be used to transfer only a set of certificates. In this document the format is considered only for transferring certificate chains and revocation lists (files with the extensions .p7r, .p7b);
  • A PKCS#12 file. Such a file can contain the entire chain from the user's certificate to the root certificate of the certification authority, the certificate revocation list (CRL), and also the private key corresponding to the user's certificate. It is almost never used to transfer certificates (except in rare special cases), because handing the private key to other persons violates the most important rule of cryptography: only the owner may have access to the private key.

X.509 files can use two different encodings, DER and Base64. Both encodings are supported for compatibility with other operating systems. For a Windows user there is no difference in working with files in either encoding.

When exporting a certificate installed in the system to a file, you can choose whether to create the file in X.509 or PKCS#7 format. As a rule, users transfer individual certificates in X.509 files; PKCS#7 files are convenient for transferring at once all the certificates that make up a chain. Exporting a certificate to a PKCS#12 file is, in most cases, simply blocked.

The PKCS#7 format is, in effect, a set of several files in X.509 format. When a PKCS#7 file is processed, each certificate in it is processed in the same way as a file in X.509 format.
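The following added example (not code from the original document) makes the format discussion concrete: it tells the DER and Base64 encodings of an X.509 file apart, converts DER to Base64, and unpacks a PKCS#7 bundle into its individual X.509 certificates, which is exactly the "set of X.509 files" view described above. The commented usage lines also show how the same two formats are produced when exporting from the store, which the later "Exchanging certificates with other users" section relies on. It assumes PowerShell on Windows with the PKI module (for Export-Certificate); all file names are placeholders.

```powershell
function Get-CertFileEncoding {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # A DER-encoded certificate starts with the ASN.1 SEQUENCE tag 0x30;
    # a Base64 file starts with the "-----BEGIN CERTIFICATE-----" header
    if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) { return 'DER' }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text -match '-----BEGIN CERTIFICATE-----') { return 'Base64' }
    return 'Unknown'
}

function Convert-CertToBase64 {
    param([Parameter(Mandatory)][string]$InPath, [Parameter(Mandatory)][string]$OutPath)
    # X509Certificate2 reads either encoding; RawData is always the DER bytes
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $InPath
    $b64  = [Convert]::ToBase64String($cert.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))   # 64-column lines, as certutil -encode writes
    }
    $pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
    [System.IO.File]::WriteAllLines($OutPath, [string[]]$pem)
    Get-CertFileEncoding -Path $OutPath      # returns 'Base64'
}

function Expand-Pkcs7Bundle {
    param([Parameter(Mandatory)][string]$P7bPath, [Parameter(Mandatory)][string]$OutDir)
    # A .p7b is in effect a set of X.509 certificates; Import() extracts all of them
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $coll.Import($P7bPath)
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    foreach ($c in $coll) {
        $out = Join-Path $OutDir "$($c.Thumbprint).cer"
        [System.IO.File]::WriteAllBytes($out, $c.Export('Cert'))   # one DER X.509 certificate per file
        [pscustomobject]@{ Subject = $c.Subject; Issuer = $c.Issuer; File = $out }
    }
}

# Usage (placeholder paths):
# Get-CertFileEncoding -Path .\user.cer
# Convert-CertToBase64 -InPath .\user.cer -OutPath .\user-b64.cer
# Expand-Pkcs7Bundle -P7bPath .\chain.p7b -OutDir .\chain
# Exporting from the store: X.509 (DER) for a single certificate, PKCS#7 for a set of them
# $c = Get-Item Cert:\CurrentUser\My\<THUMBPRINT>
# Export-Certificate -Cert $c -FilePath .\user.cer -Type CERT
# Export-Certificate -Cert $c -FilePath .\user.p7b -Type P7B
```

Neither Export-Certificate nor the Export('Cert') call above includes a private key, which is the property the text wants from X.509 and PKCS#7 transfers; a PKCS#12 file would need Export-PfxCertificate and a password, and is the case the text says is normally blocked.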

General principles of installing certificates

To be able to use a certificate obtained from the certification authority for cryptographic operations, the certificate must first be installed in the operating system.

The Windows operating system provides a system tool for installing certificates from certificate files, the Certificate Import Wizard.

In addition, a user's public-key certificate can be installed by a script received from the certification authority's server (if such a script is set up on the server), or by special utilities, such as those included in the SKZI in use.

In all cases, the main principles of certificate installation must be observed:

  • The system checks whether the certificate against which the certificate being installed must be verified (the certificate of the certification authority) is already installed. The exception to this rule is the root certificate of the certification authority (the trusted root certificate).
  • If no such certificate is found, the system checks whether the required certification authority certificate can be installed. This certificate is often handed to users together with the certificates they are to install. If the certification authority certificate can be installed, the system offers to install it. If the user refuses, the whole installation is cancelled (since an unverifiable certificate cannot be installed).
  • Whether the certification authority certificate was already present or has just been installed successfully, the system verifies the user's certificate against it. If the user's certificate is not correct, the system reports this and aborts the installation. In that case a correct certificate must be obtained and the installation repeated.
  • If the certificate is verified as correct, the system installs it into the certificate store.

Trusted root certificates

Obviously, the system must have one or more root certificates of certification authorities installed (certificates of certification authorities signed with a root certificate can also be installed).

When a root certificate is installed in the operating system, a digital fingerprint of the certificate is displayed on the screen. It must be compared with the printed copy. If the digital fingerprint matches the printed copy, the root certificate is considered correct and can be installed. If they differ, the installation must be cancelled and the certification authority notified as soon as possible.

If it is not the digital fingerprint but the key itself that is distributed, then before installing the certificate the public key contained in the certificate must be compared with the key from the printout. The key contained in the certificate can be found by viewing the certificate. If the public key matches the printout, the root certificate is considered correct and can be installed as trusted without further checks. If it does not match, the certificate must not be installed, and the certification authority must be informed.

Root certificates whose correctness has been confirmed by the fingerprint check are installed by the system into the special store "Trusted Root Certification Authorities".

After successful installation, the operating system assumes that the certificates installed in this store can be trusted, even though the system cannot verify them by any available means. That is why these certificates are called "trusted".
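The fingerprint comparison described above can be scripted so that the import only happens on a match. This is an added example and not the document's own procedure; it assumes PowerShell on Windows with the PKI module (Import-Certificate). $ExpectedSha256 is a placeholder for the value taken from the CA's printed copy; the SHA-1 thumbprint is what the Certificate Import Wizard displays, and SHA-256 is included for CAs that publish that instead.

```powershell
function Get-CertFingerprint {
    param([Parameter(Mandatory)][string]$Path)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
    [pscustomobject]@{
        Subject    = $cert.Subject
        SHA1       = $cert.Thumbprint                                   # what the import wizard shows
        SHA256     = ([System.BitConverter]::ToString($sha256)) -replace '-', ''
        PublicKey  = $cert.GetPublicKeyString()                         # for comparison with a key printout
        SelfSigned = ($cert.Subject -eq $cert.Issuer)                   # heuristic for "root"
    }
}

function Install-TrustedRoot {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,          # from the printed copy (placeholder)
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser'
    )
    $fp = Get-CertFingerprint -Path $Path
    if (-not $fp.SelfSigned) {
        throw "Not a root (self-signed) certificate: $($fp.Subject)"
    }
    # Normalise the printed value (colons, spaces, dashes, case) before comparing
    $expected = ($ExpectedSha256 -replace '[:\s-]', '').ToUpperInvariant()
    if ($fp.SHA256 -ne $expected) {
        throw "Fingerprint mismatch for $($fp.Subject): installation cancelled, notify the CA"
    }
    Import-Certificate -FilePath $Path -CertStoreLocation "Cert:\$Scope\Root" | Out-Null
    "Installed $($fp.Subject) as a trusted root ($Scope)"
}

# Usage (placeholder path and fingerprint):
# Get-CertFingerprint -Path .\ca-root.cer
# Install-TrustedRoot -Path .\ca-root.cer -ExpectedSha256 'AB:CD:...' -Scope CurrentUser
```

Adding a certificate to the current user's root store makes Windows show its own confirmation dialog with the SHA-1 thumbprint; the script's check happens before that, so a mismatch never reaches the dialog. Installing into Cert:\LocalMachine\Root requires an elevated session.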

Inheritance of trust

Windows uses the concept of a certificate that is "trusted by virtue of its issuer". This concept means that the correctness of a public-key certificate is verified against the certificate of its issuer (that is, for example, of the certification authority). If the certification authority's certificate is trusted and the verification of another certificate signed with that trusted certificate succeeds, the other certificate can also be trusted (that is, it is genuine and correct). Thus the term "inheritance of trust" means transferring trust from a root certificate to non-root certificates on the basis of electronic verification.

The alternative is an explicit statement that a public-key certificate is trusted. For this, the digital fingerprint must be checked.

It is also possible to state explicitly that a certificate is not to be trusted. This is done, for example, when the corresponding private key is compromised. In this case the system treats the certificate as invalid.

Certificate stores

When a certificate is installed, it is placed in a so-called certificate store. Each store is intended for certificates with particular functions and purposes. Thus there is the "Personal" store, which holds the user's own certificates; there is a store for the user's certificate requests; and there are the stores "Trusted Root Certification Authorities", "Other People", "Intermediate Certification Authorities", "Trusted People" and others.

The most frequently used stores are:

  • "Trusted Root Certification Authorities" - for the root certificates of certification authorities; trust in the certificates stored here is declared explicitly by the user.
  • "Intermediate Certification Authorities" - for non-root certificates of certification authorities (signed with other CA certificates).
  • "Personal" - for the public-key certificates belonging to this user; as a rule, these certificates correspond to private keys that the user holds. These certificates inherit trust from root certificates.
  • "Other People" - for the public-key certificates belonging to other users. These certificates inherit trust from root certificates.

When a certificate is installed, it is placed in the store that corresponds to its purpose. The store is chosen automatically, based on the purpose specified for the certificate, or the user can choose the store himself. Automatically, the certificate will most likely be placed in one of the stores listed above. If the certificate must be installed elsewhere (for example, in "Trusted People", for user certificates whose trust is not inherited from the CA certificate but declared explicitly by the user), the store has to be chosen manually. Such situations arise rarely.

Binding a user's personal certificate to a private key

If the user has the private key corresponding to the certificate (that is, the certificate is this user's own certificate), then when the key is installed in the system the certificate must be bound to that key: the system must be told that the public key contained in this certificate and the given private key form a key pair. Establishing this correspondence is called binding the certificate to the private key.

Usually, with system tools, this binding is performed automatically. However, automatic binding of a certificate to a private key happens only if certain conditions are met. In particular, the certificate request must be present in the system (that is, it must have been created on this computer and in this operating system). There may be additional conditions (for example, when the keys are stored on a "V'yuga" device, an additional condition is that the serial number of the device from which the keys are read at the time the certificate is installed matches the serial number of the device to which the keys were written at the time the request was made; the serial numbers of individual "V'yuga" devices are unique, so in both cases it must be the same device).

If any of the necessary conditions is not met, the certificate will not be bound to the private key when it is installed (although the certificate itself can be installed successfully). For such cases, some SKZI have special scripts or utilities that solve this problem. If none are available, the conditions for automatic binding of the certificate to the private key must be met carefully, because otherwise it will be impossible to perform cryptographic operations.
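The check a practitioner wants here is whether a personal certificate actually ended up bound to a key, and a way to repair the binding when the automatic step was skipped. The following is an added example and not part of the original text; it assumes PowerShell on Windows and uses certutil -repairstore, which searches the crypto provider's key containers for a key matching the certificate's public key and, if it finds one, restores the link. Thumbprints are placeholders.

```powershell
function Get-UnboundPersonalCert {
    param([ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser')
    # HasPrivateKey is false when the certificate was installed without being linked to a key
    Get-ChildItem -Path "Cert:\$Scope\My" |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, SerialNumber, Thumbprint, NotAfter
}

function Repair-CertKeyBinding {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser'
    )
    $before = Get-Item -Path "Cert:\$Scope\My\$Thumbprint"
    if ($before.HasPrivateKey) { return "$($before.Subject): already bound" }

    # -user selects the user's stores; without it certutil works on the machine
    # stores and needs an elevated session. The thumbprint is accepted as the CertId.
    if ($Scope -eq 'CurrentUser') { certutil -user -repairstore My $Thumbprint | Out-Null }
    else { certutil -repairstore My $Thumbprint | Out-Null }

    $after = Get-Item -Path "Cert:\$Scope\My\$Thumbprint"
    if ($after.HasPrivateKey) { "$($after.Subject): private key bound" }
    else { "$($after.Subject): no matching key container on this computer (was the request made here?)" }
}

# Usage (placeholder thumbprint):
# Get-UnboundPersonalCert
# Repair-CertKeyBinding -Thumbprint '<THUMBPRINT>'
```

If the repair reports no matching key container, the request was most likely generated on another computer or in another profile, which is the condition the text names; the certificate can still be installed, but cannot be used for signing or decryption on this computer.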

Certificate revocation lists

In Windows, certificate revocation lists are installed in a special store intended for certificate revocation lists.

Checking whether a certificate appears in a revocation list is performed by the programs that use certificates in the course of their work, provided such a check is built into them. In many programs (for example, mail programs) the revocation-list check can be enabled or disabled.

There are different ways of distributing certificate revocation lists; the two most common are:

  • Placing the revocation list in the local store

    With this method the certification authority distributes revocation lists as files similar in format to certificate files (X.509 format), or includes the revocation lists in files that contain certificate chains (PKCS#7 or PKCS#12 format). Users install the revocation lists in the corresponding local store of their operating system.

  • Placing the revocation list on a server

    With this method the certification authority places the revocation list on a server where it is available at a fixed address (URL), called the CRL distribution point. The certification authority includes this address in every certificate it issues as the value of the CRL Distribution Point parameter. Whether this parameter is present in a certificate, and its value, can be seen when viewing the certificate on the "Details" tab.

The choice of method for distributing revocation lists is part of the regulations of the certification authority.

When verifying a signature or decrypting, the program turns to the local store and checks there for a valid revocation list issued by the certification authority in question. If such a list is present, the program checks whether the certificate appears in it.

If the certificate specifies a distribution point, the program can retrieve the revocation list from that distribution point. Whether it does so depends on the program's settings.

A valid revocation list found at the distribution point is saved automatically by the operating system: it is not installed in the store, but saved in the directory

%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5

On subsequent checks, if the revocation list has not been installed in the main store, the program again turns to the distribution point. If a valid revocation list is not found at the distribution point, the program uses the revocation list from the directory above (as a rule, without any notification).

Note that if a revocation list is present in the local store, the revocation list on the server is not checked. That is, the program turns to the distribution point again only when the validity period of the revocation list in the store expires or the list is removed from the system.
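The two behaviours described above, checking only against lists already present locally versus fetching from the distribution point, can be observed side by side with the .NET chain engine. This is an added example and not the document's own code; it assumes PowerShell on Windows, reads the CRL Distribution Points extension (OID 2.5.29.31) the way the "Details" tab renders it, and builds the chain once in Offline mode (cached or installed CRLs only) and once in Online mode (the distribution point may be contacted). The certificate path is a placeholder.

```powershell
function Get-CrlDistributionPoint {
    param([Parameter(Mandatory)]$Cert)   # an X509Certificate2, from a file or the Cert: drive
    # OID 2.5.29.31 = CRL Distribution Points; Format($true) renders it as the Details tab does
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return $null }      # no distribution point: only a locally installed CRL can be used
    $text = $ext.Format($true)
    [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CertRevocation {
    param([Parameter(Mandatory)]$Cert)
    foreach ($mode in 'Offline', 'Online') {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = $mode          # Offline = cached/installed CRLs only
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # check every certificate in the chain
        $ok = $chain.Build($Cert)
        [pscustomobject]@{
            Mode   = $mode
            Valid  = $ok
            # e.g. RevocationStatusUnknown / OfflineRevocation when no usable CRL is available,
            # Revoked when the certificate appears in the list
            Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $chain.Reset()
    }
}

# Usage (placeholder path):
# $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList '.\user.cer'
# Get-CrlDistributionPoint -Cert $c
# Test-CertRevocation -Cert $c | Format-Table
# The same check with verbose CRL retrieval: certutil -verify -urlfetch .\user.cer
```

An Offline result of RevocationStatusUnknown together with an Online result of Valid is the situation the text describes: no list is installed in the store, so the program has to go to the distribution point; after that first fetch the cached copy serves later Offline checks until it expires.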

Viewing and checking installed certificates

Certificates can be viewed with system tools. Installed certificates can also be checked there.

In the Windows 98/SE/Me/NT operating systems, certificates are accessed through Internet Options ("Start" - "Settings" - "Control Panel" - "Internet Options"). In Windows 2000/XP, certificates are accessed with the Microsoft Management Console program (the "Certificates" snap-in).

Certificates can also be viewed while working with programs that use certificates. Such a view can show more complete information about a certificate, taking into account the interdependence of the certificates, applications and other documents installed in the system.

Exchanging certificates with other users

There are many situations in which users must pass public-key certificates to one another. Even though the certificate being passed is not a root certificate, any user who has the valid certificate of the certification authority can check the correctness of the received certificate when installing it in his system. For this reason, passing user certificates from user to user is a correct operation from the point of view of cryptography.

To pass a certificate installed in the system to another user, the certificate must be obtained as a file, that is, exported to a file.

 