Extended Validation support for websites using internal certificates

Hey all Rob here again. One feature that that is new with Windows Server 2008R2 / Windows 7 is the ability to configure your internal certification authority hierarchy in order to issue certificates that can show as Extended Validation certificates.

So for those of you who do not know, this means that you will get a shaded green bar within Internet Explorer proving that a site is ‘extra trustworthy’. If you want to learn more about extended validation click here. The feature works on the following operating system / IE Versions:

• Windows XP SP3/ 2003 SP2 – Internet Explorer 8.
• Windows Vista SP1/Windows Server 2008 – Internet Explorer 7 and 8.
• Windows 7/2008R2 – Internet Explorer 8.

Enabling this feature is a two step process to configure:

Create a new “Issuance Policy” on a certificate template to support EV certificates:

The below steps require you to be logged in as an Enterprise Admin unless you have modified the permissions on your certificate templates.

1. Open the Certificate Templates MMC (CertTmpl.msc).

2. Create a new Version 2 or Version 3 template (or modify an existing v2/v3 template).

3. Click on the Extensions tab.

4. Select Issuance Policies, and click on the Edit button.

5. Click the Add… button.

6. Click New… button.

7. Type in a name for the new Extended Validation Policy. The name for the policy can be anything you like. In my example I used “Contoso Extended Validation (EV) ” as the name.

8. Type in the URL to the Certificate Practice Statement (CPS) for your extended validation policy.

NOTE: When you create a certificate policy you should have a practice statement defining how the certificate type is to be used, how the certificate type is approved to be issued, and what the requirements are to be fulfilled before issuance. CPS’s are beyond the scope of this blog however and you should do your due diligence in crafting a CPS.

9. The Object Identifier field will be filled out. You can of course replace this with an custom OID (that you obtained) from an internet authority that manages OIDs. Be sure to document and copy this OID for later use.

10. Click OK

11. Highlight the Issuance Policy you just created and click OK.

12. Do not check “Make this extension critical” and click OK.

13. Click “OK” to close the certificate template dialog box.

Create / modify a Group Policy to support the feature:

It’s actually pretty easy to setup, you will need either a Windows Server 2008R2 / Windows 7 client with RSAT tools (GPMC) installed, or a 2008R2 server with the Group Policy Management feature added .

It is important to note, that it is not required that you have a Windows Server 2008 R2 domain controller, you only need the ability to manage group policies from the newer operating system.

1. Launch Group Policy Management (GPMC.MSC).

2. Edit an existing policy / create a new policy.

3. Navigate to the following location: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

4. Right click on Trusted Root Certification Authorities and select Import

5. You need to import your internal Root Certification Authority certificate using the import wizard.

6. Once the Root Certification Authority certificate has been imported, right click on the certificate and select “Properties”

7. Click on the Extended Validation tab.

8. Paste in the OID from Issuance Policy you created above.

9. Click the Add OID button.

10. Click OK.

Have fun with Extended Validation and enjoy your green validated address bar in Internet Explorer.

- Rob ‘OID vey!’ Greene

Comments

• Anonymous
  December 02, 2009
  Hi, I tried this instructions exactly, yet I don't get any EV bars. I tested my browser with my bank and it does show the green bar. Has this been tested? I have server 2008 R2 as domain controller.

• Anonymous
  December 03, 2009
  Sorry, after hours of playing with the settings, it worked. Much appreciated. :)

• Anonymous
  February 04, 2010
  once the imported root CA's certificate will expire ... will it still work?

• Anonymous
  February 04, 2010
  Hey RuNCo, So if the Root CA's certificate expires, then the websites certificate would be expired.  So you would not be able to connect to the website wether Extended Validation was in play or not. But, to answer your question it would no longer work.  You would need to set this up on the new Root CA Certificate and set this up again. Rob Greene

• Anonymous
  June 24, 2010
  Hello everybody, Could enable an EV in CA "Enterprise Root."

• Enterprise Root (Online) (Laboratory for testing of EV) [Tested and OK] But my structure is different. For security has two servers. I can not enable EV when the server is subordinate. (SubCA)
• Standallone Root (Offline)
• Enterprise Subordinate (Online) - (use this server to distribute certificates) [Does not work] Why will it not work on the structure subordinate?

• Anonymous
  June 24, 2010
  Hi Samy, This blog was actually created to help clarify a documentation bug in the help file, and did not go into how to setup EV certificates in a multi-tier hierarchy.   As the help file states that the sub CA's have to allow all issuances on them or allow at least the EV OID assigned on the sub CA's for issuance to be able to issue an EV certificate further down the CA Hierarchy.  Only the Root CA by default allows this. If you did not account for this, you can modify your Sub CA's CAPolicy.inf file to get this working.  Or use the KB article listed below that, if you do not even ahve a CAPlicy.inf file at all on your CA. [PolicyStatementExtension] Policies = AllIssuancePolicy Critical = FALSE [AllIssuancePolicy] OID = 2.5.29.32.0 You can find out detailed information on how to do this by looking at the below KB article: 842010 How to permit all issuing policies on intermediate CAs in Windows Server 2003 support.microsoft.com/default.aspx NOTE:  This process will have to be done for each Sub CA in the hierarchy.  If you have a policy then issuing CA, then add the lines to the CAPolicy.inf and renew the CA on the Policy then move down to the issuing CA. Hope this helps. Rob Greene

• Anonymous
  January 25, 2011
  Thanks for the info, it's nice to have a green bar inside your network, but I have one question: How can I export the root certificate without loosing the OID (for workgroup computers). I tried many times but every single time I export the root certificate the OID is lost, so the green bar goes away. Thnaks

• Anonymous
  January 25, 2011
  Thanks for the info, it's nice to have a green bar inside your network, but I have one question: How can I export the root certificate without loosing the OID (for workgroup computers). I tried many times but every single time I export the root certificate the OID is lost, so the green bar goes away. Thanks

• Anonymous
  January 25, 2011
  Hey Adispy Now I am not sure if this will work for you or not, but that is how you can get the value over to other computers outside of group policy functionality, but here are the steps. Alright the only way to do this is the following:

1.  Launch the local computer Certificate store.
2.  Import your root CA certificate into the store. (VERY IMPORTANT).
3.  Write down the CA's thumbprint.
4.  Double click on the Root CA certificate, and select the Details tab.
5.  Click the Edit Properties button.
6.  Add your Extended Validation OID to the certificate.
7.  Run Regedit.
8.  Navigate to:  HKLMSoftwareMicrosoftSystemCertificatesROOTCertificates
9.  Export the key that coresponds to the CA thumbprint value from step 3.
10.  Import the ".reg" file on the standalone computer. Thanks Jonanthan Stephens for the tip. Rob Greene