Technical Staff: Key things to know about digital certificates

Helping your users

Information in the Before You Begin section of the Help pages may be useful if you have faculty and staff members who have questions about the Digital Certificates service. In addition, there are two other documents that you may find useful.

Preparing for certificates in managed environments

  • In managed environments, you may have to assist your users in downloading and installing digital certificates. When using Internet Explorer, any combination of the following settings may cause the user to be unable to complete the download process:
    • "certificates.austin.utexas.edu" is not listed in the Trusted Sites zone
    • Trusted Sites zone settings are changed from the default settings
    • ActiveX controls are not set to allow downloads from a Trusted Site
  • If you currently prevent your users from modifying their Trusted Sites zone, ITS recommends that you add "certificates.austin.utexas.edu" to your users' list of trusted sites through group policy.

    Even if you do not prevent them from modifying their own settings, adding the download URL for your users will make the process easier for them because they will not have to add it themselves.

  • UPDATED: Outlook Web Access (OWA) supports viewing of signed messages even if the recipient doesn't have a certificate on that machine. Senders who use Outlook and Exchange must send their signed messages in clear text. You do not have to run the S/MIME control for this to work.
  • On shared computers, message recipients will not be able to view encrypted messages using OWA. In order for OWA to read a message that has been encrypted, the recipient's private keys must be installed on the computer, which is not something that you want to allow on a shared machine. For this reason, users who do not have a dedicated computer are not good candidates for the Digital Certificates service.
  • The VeriSign ActiveX control that is used in Internet Explorer to download the certificate is unsigned.
  • If your user receives an error message saying, "The software you are using has not passed the Windows Logo testing to verify its compatibility with Windows XP," there may be a problem with running unsigned drivers. For a description of this problem, refer to Microsoft KB 822798. The following two options are possible solutions for specifying a policy that allows unsigned drivers to be installed:
    • Incorporate the driver installation into Setup by using the DriverSigningPolicy=ignore setting. (Consult Microsoft documentation.)
    • Implement a driver signing policy in a Windows 2000 or Windows Server 2003 domain by using Group Policy (Note: This policy is a domain-wide policy):
      1. Under Administrator Tools, in the Active Directory Users and Computers snap-in, right-click the domain root, click Properties, and then click the Group Policy tab.
      2. Click the default domain policy, and then click Edit.
      3. Expand Computer Configuration, expand Windows Settings, and then expand Security Settings. Expand Local Policies, expand Security Options, and then modify "Devices: Unsigned driver installation behavior" to the setting that you want to use.
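The following PowerShell script is an added example and is not part of this page or of the ITS service. It lets a support technician confirm, on a user's workstation, the two Internet Explorer settings the list above calls out: whether certificates.austin.utexas.edu is mapped to the Trusted Sites zone (by the user's own settings or by the Group Policy "Site to Zone Assignment List"), and whether that zone allows downloading unsigned ActiveX controls, which the VeriSign download control needs. It assumes the standard Internet Explorer registry locations for the per-user ZoneMap and for the policy ZoneMapKey, and Internet Explorer's zone action ID 1004 for "Download unsigned ActiveX controls" (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example (not the ITS page's own tooling): check IE Trusted Sites mapping and the
# unsigned-ActiveX download setting for the certificate download site.
# Assumptions: standard IE registry locations (ZoneMap, ZoneMapKey, Zones\<id>) and
# action id 1004 = "Download unsigned ActiveX controls" (0 Enable, 1 Prompt, 3 Disable).

$Site                  = 'certificates.austin.utexas.edu'
$TrustedZone           = 2        # IE zone ids: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites
$UnsignedActiveXAction = '1004'

function Get-SiteZoneAssignment {
    param([Parameter(Mandatory)][string]$HostName)
    $found = @()

    # Per-user mapping: ...\ZoneMap\Domains\<domain>\<subdomain>; value name = scheme, data = zone id
    $labels = $HostName.Split('.')
    $domain = $labels[-2..-1] -join '.'
    $userKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
    if ($labels.Count -gt 2) { $userKey = Join-Path $userKey ($labels[0..($labels.Count - 3)] -join '.') }
    if (Test-Path $userKey) {
        $props = Get-ItemProperty -Path $userKey
        foreach ($scheme in 'https', 'http', '*') {
            if ($null -ne $props.$scheme) {
                $found += [pscustomobject]@{ Source = 'User ZoneMap'; Entry = $scheme; Zone = [int]$props.$scheme }
            }
        }
    }

    # Group Policy "Site to Zone Assignment List": value name = URL or host pattern, data = zone id as text
    foreach ($hive in 'HKLM', 'HKCU') {
        $policyKey = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (Test-Path $policyKey) {
            $props = Get-ItemProperty -Path $policyKey
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like "*$HostName*") {
                    $found += [pscustomobject]@{ Source = "Policy ($hive)"; Entry = $p.Name; Zone = [int]$p.Value }
                }
            }
        }
    }
    return $found
}

function Get-TrustedZoneUnsignedActiveXSetting {
    # Returns the Trusted Sites action value for downloading unsigned ActiveX controls, or $null if unset
    $zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$TrustedZone"
    if (-not (Test-Path $zoneKey)) { return $null }
    (Get-ItemProperty -Path $zoneKey).$UnsignedActiveXAction
}

$assignments = Get-SiteZoneAssignment -HostName $Site
if (-not $assignments) {
    Write-Output "NOT MAPPED: $Site is not in any zone. Add it to Trusted Sites (group policy or the user's own settings)."
} else {
    $assignments | Format-Table -AutoSize
    if ($assignments | Where-Object { $_.Zone -eq $TrustedZone }) {
        Write-Output "OK: $Site is in Trusted Sites."
    } else {
        Write-Output "WARNING: $Site is mapped, but not to Trusted Sites (zone $TrustedZone)."
    }
}

$action  = Get-TrustedZoneUnsignedActiveXSetting
$meaning = switch ($action) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { 'not set (zone default applies)' } }
Write-Output "Trusted Sites: download unsigned ActiveX controls = $meaning"
if ($action -eq 3) {
    Write-Output 'WARNING: unsigned ActiveX downloads are disabled in Trusted Sites; the certificate download control will not run.'
}
```

Run it in the user's own session (the ZoneMap and Zones keys are per user), since a mapping that looks correct from an administrator's profile tells you nothing about the profile that will do the download.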

Shared Computers

In both Windows and Mac OS X, the certificate stores and Keychain are stored with the user profile. This means that it is OK for users to store their certificates on a shared machine where they have a user profile.

With that said, for users to make maximum use of certificates, the certificates need to be on each machine that someone uses. While it will be possible for people without certificates to read signed e-mail messages, if messages are encrypted or are not sent in clear text, users without certificates will not be able to read them. In a lab environment, or for users who do not have a primary computer, certificates may not be a good choice.

The certificate download process

Certificate acquisition consists of several steps. Users will:

  1. Be authorized to download certificates by a departmental account sponsor in TRAC.
  2. Receive an e-mail with instructions on downloading certificates with a Web browser.
  3. Download the certificate using either Internet Explorer or Firefox.
  4. Import their encryption certificates into the operating system certificate store.
  5. Set up their e-mail programs to use certificates for signing and encryption.

UPDATED: In both Web browsers, the signing certificate is installed in the Web browser's certificate store. The certificate stores are associated with the users' profiles.

Both browsers save the encryption certificate as a download that requires a password. Users must then import it into the operating system certificate store. Please help your users understand the importance of saving the password that is provided when they download the encryption certificate.

Managing certificates for your users

  • UPDATED: Do NOT create an escrow of signing keys for your users. This is against state policy and poses a significant security issue because of the potential for identity abuse. You can help your users create backups to which only they will have access. Signing keys cannot be recovered (they can be revoked), so it is important for users to be able to back up their own keys.
  • Certificates are issued for one year. Thirty days before a certificate is due to expire, the departmental account sponsor will receive a notice that it is eligible to be reauthorized. If reauthorization is not completed in TRAC before the certificate expires, users will begin to experience errors with encrypting and signing.
  • Please ensure that users do not delete expired certificates from the certificate store after new certificates are reauthorized. If expired certificates are deleted, users can no longer decrypt messages and files encrypted with the old certificate.
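The following PowerShell script is an added example, not something supplied by ITS. It inventories the certificates in the current user's personal store, flags any that fall inside the 30-day reauthorization window described above, and labels expired certificates that still hold a private key so that they are recognised as the only key able to decrypt older messages rather than deleted as clutter. It assumes the Cert:\CurrentUser\My store of Windows PowerShell and the standard Secure Email enhanced key usage OID to pick out S/MIME certificates.

```powershell
# Added example (not ITS tooling): inventory the user's personal certificate store,
# flag the 30-day reauthorization window, and mark expired certificates that still
# carry a private key (still needed to decrypt old mail) so nobody removes them.
# Assumptions: Cert:\CurrentUser\My (Windows PowerShell) and OID 1.3.6.1.5.5.7.3.4
# (id-kp-emailProtection) as the marker for S/MIME certificates.

$ReauthWindowDays = 30
$SecureEmailOid   = '1.3.6.1.5.5.7.3.4'

function Get-UserCertificateStatus {
    param([int]$WindowDays = 30)
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        # EnhancedKeyUsageList is PowerShell's adapted view of the EKU extension
        $secureEmail = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SecureEmailOid })
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        $status = if ($daysLeft -lt 0 -and $cert.HasPrivateKey) {
            'EXPIRED: keep it; still needed to decrypt messages encrypted with this certificate'
        } elseif ($daysLeft -lt 0) {
            'EXPIRED: no private key on this machine'
        } elseif ($daysLeft -le $WindowDays) {
            "REAUTHORIZE in TRAC: $daysLeft days left"
        } else {
            'OK'
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            SecureEmail   = $secureEmail
            HasPrivateKey = $cert.HasPrivateKey
            Status        = $status
        }
    }
}

Get-UserCertificateStatus -WindowDays $ReauthWindowDays | Sort-Object NotAfter | Format-Table -AutoSize
```

Because the store is part of the user profile, run this as the user on each machine they use; an expired entry shown with HasPrivateKey = True is exactly the certificate the bullet above says must not be deleted.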

Interactions with other systems

  • The university's Group E-mail system will reject messages that have attachments. (Signature and encryption files are attachments.) If you are sending through the university's Group E-mail system, do NOT sign or encrypt the files.
  • It is possible that some ticketing or listserv applications may send blank replies or attachments when they receive a signed message. ITS has tested UT Lists and our internal tracking systems, and they do not generate errors.
  • Please refer to these topics for information about interactions with various mobile and Web applications:

Backing up and Rebuilding Computers

If you are rebuilding a computer for someone with a certificate, you will have to deal with the question of whether creating a backup means that you have created an escrow of the signing certificate. You should absolutely ensure that your users' certificates are copied from one computer to the next and that they have their own backup copy securely under their control. While encryption keys can be recovered, remember that signing certificates cannot be recovered. They can only be revoked and then a new certificate pair issued. A properly stored backup copy makes it more likely that users do not have to use the revocation process for rebuilding a machine.

Help your users store their own certificate backups properly, but do not store those backups for them. WebSpace, USB drives or CDs stored in locked cabinets, and other mechanisms are appropriate. Help them understand the risks to their security if they ask you to store their signing certificates.

In both Windows and Mac OS X, the certificate stores and Keychain are stored with the user profile. If you are using the User State Migration Tool to copy user profiles from one computer to another, certificates stored in the Windows Certificate Store will be copied as well.
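The following PowerShell script is an added example and is not ITS's own procedure. It is written for the certificate owner to run under their own account, so that the backup of their signing and encryption keys is created by them, protected with a password only they know, and written to media they control (a USB drive is the placeholder below); support staff do not run it for the user and never keep the resulting file, because that would be the escrow of signing keys that this page prohibits. It assumes Windows PowerShell with the PKI module (Export-PfxCertificate), that the private keys were imported as exportable, and the Secure Email enhanced key usage OID to select the S/MIME certificates.

```powershell
# Added example (not the ITS page's procedure): the certificate OWNER backs up their own
# S/MIME certificates, private keys included, to a location they control.
# Assumptions: PKI module (Export-PfxCertificate), exportable private keys,
# OID 1.3.6.1.5.5.7.3.4 (id-kp-emailProtection) to select S/MIME certificates.
# E:\cert-backup is a placeholder for the user's own USB drive or WebSpace folder.

$Destination    = 'E:\cert-backup'
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'

function Backup-OwnCertificates {
    param([Parameter(Mandatory)][string]$Destination)

    $certs = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SecureEmailOid })
    }
    if (-not $certs) {
        Write-Warning 'No S/MIME certificates with a private key were found in your personal store.'
        return
    }

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # The password is chosen by the user and protects the .pfx file; the script never stores it.
    $password = Read-Host -Prompt 'Choose a backup password (keep it with the backup, not with IT support)' -AsSecureString

    foreach ($cert in $certs) {
        $safeName = $cert.Subject -replace '[^\w\.\-]', '_'
        $file = Join-Path $Destination ('{0}_{1}.pfx' -f $safeName, $cert.NotAfter.ToString('yyyyMMdd'))
        try {
            Export-PfxCertificate -Cert $cert -FilePath $file -Password $password -ChainOption BuildChain | Out-Null
            Write-Output ('Backed up {0} (expires {1:d}) to {2}' -f $cert.Subject, $cert.NotAfter, $file)
        } catch {
            # Typical cause: the private key was imported as non-exportable
            Write-Warning ('Could not export {0}: {1}' -f $cert.Subject, $_.Exception.Message)
        }
    }
    Write-Output 'Store the backup media in a locked cabinet or other location only you can access.'
}

Backup-OwnCertificates -Destination $Destination
```

Back up before rebuilding a machine, and back up each reauthorized certificate as it is issued, so that the expired encryption certificates the page says to retain are also preserved.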

Cost and Licensing

Digital Certificates are centrally funded by the university. The cost to the university is approximately $6 for each issued certificate, up to 6,500. Every time a certificate is revoked and reissued because it is lost or compromised, another license is consumed. We encourage technical support staff and users to test, back up, and become comfortable with certificates within the first 30 days they are issued to a user to help minimize the cost to the university.