IT:Network:Applications

 Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of data ◦ How do you get the key across the network? ◦ Ex: AES, DES, DES3  Dual key (or Asymmetric or public key) encryption ◦ Two mathematically related keys ◦ Public – used to encrypt / verify signature ◦ Private – used to decrypt / sign ◦ Slower functioning – not applicable for entire files ◦ Ex: RSA, DSA

 Server keeps private key  Gives out public key to anyone  Want to communicate- ◦ Get server’s public key ◦ Encrypt my data/request ◦ Send to server  Only server has private key – Only server can decrypt request!

 “Bad” server could claim to be web server for my bank ◦ “Here’s by public key, encrypt your account and send it to me”  How did you know to listen to me on 1 st day? ◦ NWTC said so – you trusted NWTC so you trusted me  NWTC is the authority we both trust

 Digital construct (X.509) that contains my public key and other info ◦ Subject: who owns this key ◦ Valid dates: start and expire ◦ Issuer of certificate ◦ etc  Issuer is someone we both trust ◦ Browser recognized issuer, accepts cert ◦ Browser doesn’t recognize issuer, rejects cert  Usually asks User what to do

 VeriSign, DigiCert, Thawte, GoDaddy etc ◦ Pay them and they give you cert ◦ Usually underwritten by big bank – TRUST ◦ Recognized by most browsers – good for outside  Gen your own ◦ e.g., Microsoft Certertificate Server (this is what we will do)  Microsoft CA (Certificate Authority) ◦ e.g., OpenSSL – comes with Linux

 Issues certificates for you – Acts as Certificate Authority (CA)  Can implement a CA hierarchy ◦ Root server is at top – issues certs for other CA’s ◦ Subordinate CA  Gets cert from “higher” CA – sort of like introducing it  Issues certs for “lower” CA’s & end servers  Can be Enterprise or Standalone ◦ Enterprise requires a Domain Controller/Active Directory (Domain Member?)  Can automate issuing of some certs ◦ Stand-alone can be on any Microsoft Server  Must do “issuing” yourself

 Installation ◦ Add/Remove Windows Components-2003 ◦ Add Role-2008  Certificate Services  mmc – Add “Certificate Authority” ◦ Certificate Templates – used to build rules for auto- issuing of certs by Enterprise CA ◦ Certificates – used to control certs issued to this entity (user, server,…)

 Properties of specific Web Site > Directory Security > Server Certificate button  Create new certificate  Prepare but send later ◦ as opposed to asking Enterprise CA  Give name (this can be anything) ◦ Org and Org Unit  Don’t confuse with LDAP Naming  Common Name – Must be fully qualified domain name of web site (acct.abccompany.local) ◦ State and City  C:\certreq.txt

 Right click on Server name ◦ All Tasks ◦ Submit New Request  Read file (certreq.txt)  Shows up in Pending Requests ◦ REAL CA would look at request, and verify it’s correct – valid machine, paid bill, …  Right click on the specific pending request ◦ All Tasks ◦ Issue  Moves to Issued Certificates ◦ Right click and Export Binary Data to a file ◦ IIS Manager expects file with.cer extension

 Directory Security > Server Certificate button ◦ Process Pending Request and Install…  SSL port 443  After completing install (click OK to close props), SSL enabled 