Ondrej Sevecek | GOPAS a.s. | MCSM: Directory Services | MVP: Enterprise Security | CISA | CEH | CHFI
Enterprise certification policies and smart cards
Everything can/must use private certificates
User authentication
– smart card logon => Kerberos PKINIT
– TLS client certificate authentication => HTTPS, VPN, WiFi, 802.1x
Computer authentication
– DirectAccess, IPSec, WiFi, 802.1x
Server authentication
– HTTPS, RDP, Kerberos, LDAPS, Hyper-V replication, VPN, DirectAccess, RADIUS, (SMTPS)
Digital signatures
– code signing
Others
– EFS, EFS recovery, BitLocker recovery, Key Recovery, (S/MIME)
Choosing public vs. internal certificates
Public
– paid
– trusted by any device
– manual management
Internal
– free, in any quantity
– automatic management
CA hierarchy or not
Root CA
– Policy / Subordinate / Intermediate CA
– Policy / Subordinate / Intermediate / Issuing CA
– Leaf / End entity / Endpoint certificate
Constraints placed on subordinate CA certificates: name constraints, EKU constraints, path length constraints (Qualified Subordination ???)
CA hierarchy or not
– single DC compromised => whole forest compromised
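As an added example (not from the slides), a CAPolicy.inf for a subordinate issuing CA that asks for the constraints named above (path length, EKU, name constraints), followed by a check that the issued CA certificate actually carries them. The CA name, the gopas.cz suffix and a parent CA that honours extensions carried in the request are assumptions; the name-constraint lines use the certreq `{text}` form.

```powershell
# Added example, not from the slides: CAPolicy.inf for a subordinate issuing CA
# asking for the constraints named on the slide, then a check of the issued cert.
# ASSUMED: CA name "GOPAS Issuing CA", suffix gopas.cz, and a parent CA that
# honours extensions carried in the subordinate's request.
$caPolicy = @'
[Version]
Signature="$Windows NT$"
[BasicConstraintsExtension]
; no CA may be chained below this issuing CA
PathLength=0
Critical=Yes
[EnhancedKeyUsageExtension]
; this CA may only issue server auth, client auth and smart card logon
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
OID=1.3.6.1.4.1.311.20.2.2
[Extensions]
; name constraints (2.5.29.30) in the certreq {text} form (syntax assumed; check the certreq reference)
Critical=2.5.29.30
2.5.29.30="{text}"
_continue_="SubTree=Include&"
_continue_="DNS=gopas.cz&"
_continue_="UPN=@gopas.cz&"
_continue_="Email=@gopas.cz&"
[Certsrv_Server]
; publish no templates automatically; each one is reviewed and added by hand
LoadDefaultTemplates=0
RenewalKeyLength=4096
'@
# CAPolicy.inf must be in %SystemRoot% before Install-AdcsCertificationAuthority runs
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# After the parent has issued the CA certificate and it is installed, verify that
# the constraints really ended up in it; the parent may have dropped them.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=GOPAS Issuing CA*' } | Select-Object -First 1
$bc = $caCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # basicConstraints
if (-not ($bc.HasPathLengthConstraint -and $bc.PathLengthConstraint -eq 0)) {
    Write-Warning 'issued CA certificate has no pathLen=0 constraint'
}
foreach ($oid in '2.5.29.37', '2.5.29.30') {   # extendedKeyUsage, nameConstraints
    $ext = $caCert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { $ext.Format($true) } else { Write-Warning "extension $oid missing" }
}
```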
Types of certificates (general)
Signature
– signature
– logon
Transport encryption
– TLS, IPSec
Storage encryption
– EFS, S/MIME, BitLocker
Types of certificates (public/private key)
Signature
– I sign with my own private key
Transport encryption
– we both exchange symmetric keys (AES)
– either encrypted (RSA-KE) with the public key of the server
– or signed (EC/DH) by the private key of the server
Storage encryption
– I encrypt with the recipient party's public key
Types of certificates (backup)
Signature
– no private key backup necessary
Transport encryption
– no private key backup necessary
Storage encryption
– back up the private keys
Types of certificates (validity period)
Signature
– cannot sign new data with an expired certificate
– an existing signature stays valid and can be verified indefinitely; chained timestamping might be necessary
Transport encryption
– not usable after expiration
Storage encryption
– cannot encrypt new data with an expired certificate
– can decrypt indefinitely
Certificate requests
Client generates the public/private key pair locally
– the private key never leaves the client
– the CA cannot control private key generation
Request is signed
– self-signed for a new enrollment
– signed by the previous, still valid certificate for a renewal
– RA-signed for certificates issued through an enrollment agent
CA accepts anything in the request and ignores most of it
– except for the public key
– possibly the requester's subject
– other extensions only if allowed in the registry
AD CS enterprise (AD-integrated) interfaces
DCOM "online"
– AD authenticated
SCEP (NDES)
– HTTP, OTP authenticated
– Intune vs. mobile phones
– requires the Microsoft Intune Certificate Connector
Enrollment web services
– HTTP, basic authenticated
– non-domain machines
Certificate (policies) templates: primary technical parameters
– Type of key: signature, encryption
– Crypto "driver"
– Validity
– EKU
Certificate (policies) templates: primary policy parameters
– Who can upload (enroll) the request
– Subject: manual, or from AD
– Any "approval" required
– Renewal
Examples
LDAP and DC
– computer, automatic, software
Web server
– computer, manual subject, approval, software signature = ECDH
– IIS 2012 R2 automatic rebind
Code signing
– user, manual subject, on request by a trusted account, smart card
Smart card logon
– user, on request, smart card, no renewal
– user, by RA, smart card, no renewal
Web server
– computer, manual subject, by RA, software
Smart card logon
– user, on request, with attestation, attested renewal
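As an added example (not from the slides), the "Web server" case from the list above carried through with certreq: key pair generated locally, manual subject, CA admin approval, software key; it also covers the request-handling points from the "Certificate requests" slide. The template name, the CA config string and the request id are assumed placeholders.

```powershell
# Added example, not from the slides: the "Web server" case from the list above
# carried through with certreq (computer key, manual subject, CA admin approval,
# software key). ASSUMED placeholders: template GopasWebServer, CA config string
# 'ca01.gopas.cz\GOPAS Issuing CA', request id 42.
$inf = @'
[NewRequest]
; manual subject: the template must allow "supply in the request"
Subject="CN=portal.gopas.cz"
; key pair is generated here; software KSP, machine store, not exportable
ProviderName="Microsoft Software Key Storage Provider"
KeyAlgorithm=RSA
KeyLength=2048
HashAlgorithm=SHA256
MachineKeySet=TRUE
Exportable=FALSE
; digitalSignature | keyEncipherment
KeyUsage=0xA0
; self-signed PKCS#10 for a new enrollment
RequestType=PKCS10
[Extensions]
; SAN carried inside the signed request, so the CA never needs the
; EDITF_ATTRIBUTESUBJECTALTNAME2 flag that lets any requester pick a SAN
2.5.29.17="{text}"
_continue_="dns=portal.gopas.cz&"
[RequestAttributes]
CertificateTemplate=GopasWebServer
'@
Set-Content -Path C:\pki\portal.inf -Value $inf -Encoding ASCII
$caConfig = 'ca01.gopas.cz\GOPAS Issuing CA'

# 1. server admin: generate the key pair locally and the self-signed request
certreq -new C:\pki\portal.inf C:\pki\portal.req

# 2. submit; with "CA certificate manager approval" on the template the request
#    goes to Pending Requests and certreq prints its RequestId
certreq -submit -config $caConfig C:\pki\portal.req C:\pki\portal.cer

# 3. CA admin, on the CA: review the pending queue and issue the one request
certutil -view -queue -out 'RequestId,RequesterName,CommonName'
$requestId = 42
certutil -resubmit $requestId

# 4. server admin: fetch the issued certificate and join it to the private key
certreq -retrieve -config $caConfig $requestId C:\pki\portal.cer
certreq -accept C:\pki\portal.cer

# 5. CA hygiene: the registry flag behind "other extensions if allowed in registry"
#    must not be set; if it is, any enrollee can put an arbitrary SAN in a request
certutil -getreg policy\EditFlags | Select-String 'EDITF_ATTRIBUTESUBJECTALTNAME2'
```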
Enrollment flows (diagrams)
– Server admin for his OS, CA admin approval: Server$ / local Admin => issuing CA => CA admin (1x / Nx), portal.gopas.cz
– User for himself, auto approval on the CA: Workstation / user => issuing CA (Nx), portal.gopas.cz
– Enrollment agent (RA) for a user: Workstation / user => issuing CA (Nx); enrollment agent 1 / user, enrollment agent 2 / user (Ax)
– Server admin for his OS, approved locally by an enrollment agent: Server$ / local Admin => issuing CA (Nx), portal.gopas.cz; enrollment agent 3
Certificates on mobile devices (Win 8.1+, phones)
Intune, SCCM
– make the internal CA trusted (trusted certificate profile)
– force the device to request a certificate from SCEP/NDES (SCEP certificate profile)
NDES
– Simple Certificate Enrollment Protocol (SCEP)
– holds an RA (enrollment agent) certificate to issue certificates for the devices
Intune trusted certificate profile (screenshots)
NDES installation and certificate templates (screenshots)
Enable Intune Certificate Connector and download ndesconnectorsetup.exe
NDES vs. Intune installation
– NDES installation: certificate-infrastructure
– Intune certificate profiles: certificate-profiles
NDES additional config
Policy module
– Intune: Certificate Connector installed on NDES
– SCCM: policy module communicates with the Certificate Registration Point (CRP)
Client authentication certificate to communicate with Intune/SCCM
Thank you for your attention! GOC173 - Enterprise PKI