
Ondrej Sevecek | GOPAS a.s. MCSM: Directory Services | MVP: Enterprise Security | CISA | CEH | CHFI | Enterprise certification.




1 Ondrej Sevecek | GOPAS a.s. | MCSM: Directory Services | MVP: Enterprise Security | CISA | CEH | CHFI | ondrej@Sevecek.com | www.sevecek.com
Enterprise certification policies and smart cards
GOLD PARTNER: / Main expert partner:

2 Everything can/must use private certificates
- User authentication
  - smart card logon => Kerberos PKINIT
  - TLS client certificate authentication => HTTPS, VPN, WiFi, 802.1x
- Computer authentication
  - DirectAccess, IPSec, WiFi, 802.1x
- Server authentication
  - HTTPS, RDP, Kerberos, LDAPS, Hyper-V replication, VPN, DirectAccess, RADIUS, (SMTPS)
- Digital signatures
  - code signing
- Others
  - EFS, EFS recovery, BitLocker recovery, Key Recovery, (S/MIME)

3 Choosing public vs. internal certificates
- Public
  - paid
  - trusted by any device
  - manual management
- Internal
  - free, in any quantity
  - automatic management

4 CA hierarchy or not
(diagram) Root CA -> Policy / Subordinate / Intermediate CA -> Policy / Subordinate / Intermediate / Issuing CA -> Leaf / End entity / Endpoint certificate. Constraints shown along the chain: name constraints, EKU constraints, path length constraints. Qualified Subordination ???

5 CA hierarchy or not
(diagram) single DC compromised -> whole forest compromised

6 Types of certificates (general)
- Signature
  - signature
  - logon
- Transport encryption
  - TLS, IPSec
- Storage encryption
  - EFS, S/MIME, BitLocker

7 Types of certificates (public/private key)
- Signature
  - I sign with my own private key
- Transport encryption
  - we both exchange symmetric keys (AES)
  - either encrypted (RSA key exchange) with the public key of the server
  - or signed (EC/DH) by the private key of the server
- Storage encryption
  - I encrypt with the recipient party's public key

8 Types of certificates (backup)
- Signature
  - no private key backup necessary
- Transport encryption
  - no private key backup necessary
- Storage encryption
  - back up the private keys

9 Types of certificates (validity period)
- Signature
  - cannot sign new data with an expired certificate
  - the signature stays valid and can be verified indefinitely; chained timestamping might be necessary
- Transport encryption
  - not usable after expiration
- Storage encryption
  - cannot encrypt new data with an expired certificate
  - can decrypt indefinitely

10 Certificate requests
- The client generates the public/private key pair locally
  - the private key never leaves the client
  - the CA cannot control private key generation
- The request is signed
  - self-signed for a new enrollment
  - signed with the previous, still valid certificate for renewal
  - RA-signed for certificates issued through an enrollment agent
- The CA accepts anything in the request and ignores most of it
  - except for the public key
  - possibly the requester's subject
  - other extensions, if allowed in the registry
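The request flow on this slide, as an added PowerShell walkthrough that is not part of the deck: the key pair is generated on the requesting machine, certreq self-signs the PKCS#10, the CA takes the public key and subject, and a CA-side registry flag decides whether extra name extensions from the request are honoured. Assumed placeholders: the CA config string 'CA01\GOPAS-Issuing-CA' and the template name WebServer; portal.gopas.cz is the server name used in the deck.

```powershell
# Added example (not from the deck). Assumed placeholders: 'CA01\GOPAS-Issuing-CA' (CA config
# string) and WebServer (template name); portal.gopas.cz comes from the deck's own diagrams.
$inf = @'
[NewRequest]
Subject = "CN=portal.gopas.cz"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
MachineKeySet = TRUE            ; key goes to the computer store (Server$ is the requester)
Exportable = FALSE              ; transport-encryption key: no backup needed, keep it non-exportable
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
'@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# Step 1: the key pair is generated locally; certreq self-signs the PKCS#10 with the new private key.
certreq -new .\request.inf .\request.req

# Step 2: look at what the CA will actually see (public key, subject, requested extensions).
certutil -dump .\request.req

# Step 3: submit to the enterprise CA. With a template that requires "approval" the request
# stays pending until a CA admin issues it.
certreq -submit -config 'CA01\GOPAS-Issuing-CA' .\request.req .\cert.cer

# Step 4: once issued, bind the certificate to the private key in the machine store.
certreq -accept .\cert.cer

# Defender check for "other extensions if allowed in the registry": with this edit flag set,
# the CA honours a SAN passed as a request attribute, so the requester decides the name.
$flags = certutil -config 'CA01\GOPAS-Issuing-CA' -getreg policy\EditFlags
if ($flags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set on this CA; clear it unless explicitly required.'
}
```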

11 AD CS enterprise AD-integrated interfaces
- DCOM "online", AD authenticated
- SCEP (NDES), HTTP OTP authenticated
  - Intune vs. mobile phones
  - requires Microsoft Intune Certificate Connector
- Enrollment web services, HTTP basic authenticated
  - non-domain machines

12 Certificate (policies) templates: primary technical parameters
- Type of key
  - signature, encryption
- Crypto "driver"
- Validity
- EKU

13 Certificate (policies) templates: primary policy parameters
- Who can upload (enroll) the request
- Subject
  - manual
  - from AD
- Any "approval" required
- Renewal

14 Examples
- LDAP and DC
  - computer, automatic, software
- Web server
  - computer, manual subject, approval, software; signature = ECDH; IIS 2012 R2 automatic rebind
- Code signing
  - user, manual subject, on request by trusted account, smart card
- Smart card logon
  - user, on request, smart card, no renewal
  - user, by RA, smart card, no renewal
- Web server
  - computer, manual subject, by RA, software
- Smart card logon
  - user, on request, with attestation, attested renewal
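The policy parameters from slides 13 and 14 live as attributes on the template objects in the Configuration partition. The following added PowerShell audit (not from the deck) reads them for every template and reports the combinations the examples use: subject source, approval, RA signatures, key archival and logon EKU. It assumes the ActiveDirectory module and read access to the Configuration partition; the flag bit values are taken from the MS-CRTD template specification.

```powershell
# Added example (not from the deck). Assumes the ActiveDirectory module and read access to
# the forest's Configuration partition.
Import-Module ActiveDirectory
$cfg   = (Get-ADRootDSE).configurationNamingContext
$base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$props = 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature',
         'msPKI-Private-Key-Flag','pKIExtendedKeyUsage'

# Flag bits from MS-CRTD, mapped to the deck's vocabulary
$ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "manual subject"
$PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: "approval" by a CA admin
$AUTO_ENROLLMENT           = 0x20   # msPKI-Enrollment-Flag: "automatic"
$REQUIRE_KEY_ARCHIVAL      = 0x1    # msPKI-Private-Key-Flag: storage-encryption key backed up on the CA
$logonEku = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2'   # client authentication, smart card logon

Get-ADObject -SearchBase $base -Filter { objectClass -eq 'pKICertificateTemplate' } -Properties $props |
  ForEach-Object {
    $manualSubject = [bool]($_.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT)
    $approval      = [bool]($_.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS)
    $raSigs        = [int]$_.'msPKI-RA-Signature'          # "by RA" means at least 1
    $logon         = @($_.pKIExtendedKeyUsage | Where-Object { $logonEku -contains $_ }).Count -gt 0
    [pscustomobject]@{
        Template     = $_.Name
        Subject      = if ($manualSubject) { 'manual' } else { 'from AD' }
        Enrollment   = if ($_.'msPKI-Enrollment-Flag' -band $AUTO_ENROLLMENT) { 'automatic' } else { 'on request' }
        Approval     = $approval
        RASignatures = $raSigs
        KeyArchival  = [bool]($_.'msPKI-Private-Key-Flag' -band $REQUIRE_KEY_ARCHIVAL)
        LogonEKU     = $logon
        # manual subject on a logon-capable template with neither approval nor an RA signature:
        # only the requester decides whom the certificate names, so this combination needs review
        Review       = $manualSubject -and $logon -and -not $approval -and $raSigs -eq 0
    }
  } | Sort-Object Review -Descending | Format-Table -AutoSize
```

Templates flagged Review=True should look like the deck's "Web server, manual subject, approval" or "Smart card logon, by RA" rows once corrected, i.e. manager approval or an RA signature added, or the subject taken from AD.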

15 Server admin for his OS, CA admin approval
(diagram labels: Server$, local Admin, issuing CA, CA admin, 1x, Nx, portal.gopas.cz)

16 User for himself, auto approval on the CA
(diagram labels: Workstation, user, issuing CA, Nx, portal.gopas.cz, kamil@gopas.cz)

17 Enrollment agent (RA) for a user
(diagram labels: Workstation, user, issuing CA, Nx, enrollment agent 1, user, Ax, enrollment agent 2, user, kamil@gopas.cz, julie@gopas.cz)

18 Server admin for his OS, approved locally by an enrollment agent
(diagram labels: Server$, local Admin, issuing CA, Nx, portal.gopas.cz, enrollment agent 3)

19 Certificates on mobile devices (Win 8.1+, phones)
- Intune, SCCM
  - make the internal CA trusted: Trusted certificate profile
  - force the device to request a certificate from SCEP/NDES: SCEP certificate profile
- NDES
  - Simple Certificate Enrollment Protocol (SCEP)
  - has an RA (enrollment agent) certificate to issue for the devices

20 Intune Trusted certificate policy profile

21

22 Intune Trusted certificate profile

23 NDES installation and certificate templates

24

25 Enable Intune Certificate connector + download ndesconnectorsetup.exe

26 NDES vs. Intune installation
- NDES installation
  - https://docs.microsoft.com/en-us/intune/deploy-use/configure-certificate-infrastructure
- Intune certificate profiles
  - https://docs.microsoft.com/en-us/intune/deploy-use/configure-intune-certificate-profiles

27 NDES additional config
- Policy module
  - Intune: Certificate Connector installed on NDES
  - SCCM: policy module communicates with the Certificate Registration Point (CRP)
- Client Authentication certificate to communicate with Intune/SCCM

28 Thank you for your attention! GOC173 - Enterprise PKI

29 Follow current and follow-up courses at www.gopas.cz. A GIFT FOR YOU! TechEd-DevCon 2016! Fill in the evaluation questionnaire and… get a TechEd-DevCon 2016 T-shirt! TechEd party! Xbowling Strašnice, 18. 5. 2016. Be The Best IT Pro or The Best Developer. CONTEST! CONTEST! CONTEST!

