Deploying and Managing Active Directory Certificate Services


1 Deploying and Managing Active Directory Certificate Services
Presentation: 80 minutes. Lab: 90 minutes.

After completing this module, students will be able to: deploy CAs; administer CAs; troubleshoot, maintain, and monitor CAs.

Required materials: To teach this module, you need the Microsoft Office PowerPoint file 10969A_07.pptx. Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, some features of the slides might not display correctly.

Preparation tasks: To prepare for this module, read all of the materials for this module, practice performing the demonstrations, practice performing the labs, and work through the Module Review and Takeaways section, deciding how you will use it to reinforce student learning and promote knowledge transfer to on-the-job performance. As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that each one covers. This lets you provide meaningful hints to students who get stuck in a lab, and it helps guide your lecture so that you cover the concepts that the labs exercise.

Module 7: Deploying and Managing Active Directory Certificate Services

2 Module Overview
7: Deploying and Managing Active Directory Certificate Services
Lessons: Deploying CAs; Administering CAs; Troubleshooting, Maintaining, and Monitoring CAs.
Instructor notes: Ask students how much experience they have with public key infrastructure (PKI) and certification authorities (CAs) in general. If they are already experienced, you have the opportunity to save some time teaching this module.

3 Lesson 1: Deploying CAs
7: Deploying and Managing Active Directory Certificate Services
Includes Demonstration: Deploying an Enterprise Root CA.
Instructor notes: This lesson is very important, especially for students who do not have previous experience with PKI or CAs. Make sure that you spend enough time explaining all the necessary details.

4 AD CS in Windows Server 2012
7: Deploying and Managing Active Directory Certificate Services
AD CS role services:
- Certification Authority (CA)
- CA Web Enrollment
- Online Responder
- Network Device Enrollment Service
- Certificate Enrollment Web Service
- Certificate Enrollment Policy Web Service
(Diagram: the role services sit behind a firewall; external Linux and Windows 7 or newer clients reach enrollment and enrollment policy through a proxy rather than talking to the CA directly.)
Instructor notes: Introduce AD CS and explain the purpose of each role service. Spend some time describing the role services that are new in Windows Server 2008 R2 and Windows Server 2012.

5 What Is a Certification Authority?
7: Deploying and Managing Active Directory Certificate Services
A CA:
- Verifies the identity of the certificate requestor before issuing
- Issues certificates to users, computers, and services
- Manages certificate revocation and publishes revocation information
- If it is a root CA, issues a self-signed certificate for itself; every other CA's certificate is issued by the CA above it
Instructor notes: Explain what a CA is and how it operates. CAs are the key components of a PKI. In a simple PKI, a single CA can provide all of the PKI services.

6 Public vs. Private CAs
7: Deploying and Managing Active Directory Certificate Services
External public CAs:
- Are trusted by default by many external clients, such as web browsers and operating systems
- Issue certificates more slowly than an internal CA, because each request goes through the provider's validation process
- Cost more per certificate
Internal private CAs:
- Require more administration than external public CAs
- Cost less than external public CAs and give more control over certificate management
- Are not trusted by external clients by default
- Offer features such as customized templates and autoenrollment
Instructor notes: Start by explaining that a CA solution can be implemented as an internal private CA, or an organization can use an external public CA. Many organizations use both: an external public CA for public-facing services, and an internal private CA for internal corporate requirements. You can also discuss a newer hybrid approach that some organizations use: the root CA is an externally trusted root CA, and the internal CAs that issue certificates are its subordinates. With the hybrid approach, companies can issue certificates that are trusted by virtually all computers. The module documentation goes into more detail about this method in upcoming slides, so keep the discussion at a high level here. Remind students that a public CA is trusted by virtually all modern computers and applications, while an internal private CA usually is not trusted outside of the organization that runs it. Ask students which type of CA they use in their environments today, and what the limitations of that type are.

7 Stand-alone vs. Enterprise CAs
7: Deploying and Managing Active Directory Certificate Services
Stand-alone CAs:
- Must be used for any CA (root, intermediate, or policy CA) that will be kept offline, because an enterprise CA needs continuous AD DS connectivity; a stand-alone CA does not need to be joined to an AD DS domain
- Users must provide identifying information in the request and specify the type of certificate they want
- Do not support certificate templates
- By default, keep all certificate requests pending until an administrator approves them
Enterprise CAs:
- Require AD DS and store configuration information in AD DS
- Can use Group Policy to propagate the CA certificate to clients' Trusted Root Certification Authorities store
- Publish user certificates and CRLs to AD DS
- Issue certificates based on certificate templates
- Support autoenrollment
Instructor notes: Discuss stand-alone and enterprise CAs and their differences, CAs that issue certificates to clients over the Internet, and why a root CA is typically configured as a stand-alone CA. Mention that business requirements often dictate the types of CAs that students might use. For example, autoenrollment requires an enterprise CA.

8 Options for Implementing CA Hierarchies
7: Deploying and Managing Active Directory Certificate Services
(Diagram: three options. Two-tier hierarchy: a root CA with one or more issuing CAs beneath it. Policy CA usage: a three-tier hierarchy with policy CAs between the root CA and the issuing CAs. Cross-certification trust: CAs in separate hierarchies certify each other.)
Instructor notes: Highlight various usage scenarios for CAs. This should help students understand the typical scenarios found in an enterprise environment. Contrast these scenarios with a typical small environment, such as a single-server PKI. Make sure that students understand that a single CA does not constitute a CA hierarchy, although it is still a fully functional PKI.

9 Considerations for Deploying a Root CA
7: Deploying and Managing Active Directory Certificate Services
After a CA is installed, its computer name and domain membership cannot change.
When you plan the private key configuration, consider:
- The cryptographic provider (CSP or key storage provider)
- The key length, in bits, with a default of 2,048
- The hash algorithm used to sign the certificates that the CA issues
When you plan a root CA, consider:
- Name and configuration
- Certificate database and log location
- Validity period of the CA certificate
Instructor notes: Describe the key points related to installing a root CA. When discussing the private key configuration, mention that any provider with a number sign (#) in its name is a Cryptography Next Generation (CNG) provider. CNG was introduced in Windows Vista and enhanced in Windows Server 2008 and later versions. The CNG application programming interface (API) is the long-term replacement for the CryptoAPI of previous versions of the Windows operating system.

10 Considerations for Deploying a Subordinate CA
7: Deploying and Managing Active Directory Certificate Services
(Diagram: reasons to place subordinate CAs under the root: by certificate use (RAS, EFS, S/MIME), by location (India, Canada, USA), by organizational division (employee, contractor, partner), and for load balancing.)
Instructor notes: Discuss the scenarios for deploying a subordinate CA. Ask students whether they have PKI deployed in their environments, and whether they use only root CAs or have also deployed subordinate CAs.

11 How to Use the CAPolicy.inf File for Installing a CA
7: Deploying and Managing Active Directory Certificate Services
The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA and is read when the CA is installed and when its certificate is renewed.
The CAPolicy.inf file defines:
- Certification practice statement
- Policy object identifier (OID)
- CRL publication intervals
- CA certificate renewal settings
- Key size
- Certificate validity period
- CDP and AIA paths
Instructor notes: Describe the CAPolicy.inf file and explain its structure and uses. Also point students to the syntax examples in the Workbook.

12 Demonstration: Deploying an Enterprise Root CA
7: Deploying and Managing Active Directory Certificate Services
In this demonstration, your instructor will show you how to deploy an enterprise root CA.
Preparation Steps: For this demonstration, you will need the 10969A-LON-DC1 and 10969A-LON-SVR1 virtual machines. Log on as Adatum\Administrator with the password Pa$$w0rd. After you are done with the demo, leave the virtual machines running for the next demonstration.
Demonstration Steps: Deploy an enterprise root CA
1. On LON-SVR1, in Server Manager, click Add roles and features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, select Active Directory Certificate Services.
6. In the Add Roles and Features Wizard, click Add Features, and then click Next.
7. On the Select features page, click Next.
8. On the Active Directory Certificate Services page, click Next.
9. On the Select role services page, ensure that Certification Authority is selected, and then click Next.
10. On the Confirm installation selections page, click Install.
11. On the Installation progress page, after the installation completes successfully, click the text Configure Active Directory Certificate Services on the destination server.
12. In the AD CS Configuration wizard, on the Credentials page, click Next.
13. On the Role Services page, select Certification Authority, and then click Next.
14. On the Setup Type page, select Enterprise CA, and then click Next.
(More notes on the next slide)

13 7: Deploying and Managing Active Directory Certificate Services
15. On the CA Type page, click the Root CA option, and then click Next.
16. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
17. On the Cryptography for CA page, keep the default selection for the Cryptographic Service Provider (CSP), set the Key length to 4096, and then click Next. If the wizard defaults to SHA1 as the hash algorithm, choose SHA256 instead: SHA1 signatures are deprecated, and the root CA's hash algorithm cannot be changed later without renewing its certificate.
18. On the CA Name page, in the Common name for this CA box, type AdatumRootCA, and then click Next.
19. On the Validity Period page, click Next.
20. On the CA Database page, click Next.
21. On the Confirmation page, click Configure.
22. On the Results page, click Close.
23. On the Installation progress page, click Close.
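The same deployment as a script, added here as an example; it is not part of the course materials. It writes the CAPolicy.inf from slide 11 into %Windir% before the role is configured, because the installer reads that file only at setup and at CA certificate renewal, and then performs the wizard steps of slides 12 and 13 with the ADCSDeployment cmdlets. The CA type, common name, key length and five-year validity match the demo; the policy OID, CPS URL and CRL periods in the .inf are assumptions to replace with your own.

```powershell
# Added example: scripted equivalent of the Add Roles / AD CS Configuration wizard steps.
# Run elevated on the server that will become the root CA (LON-SVR1 in the demo).
# Values marked ASSUMED are placeholders, not from the course.

$caName = 'AdatumRootCA'

# CAPolicy.inf must be in %Windir% before the CA is configured. Empty=True keeps CDP and AIA
# extensions out of the root certificate itself: a self-signed root is trusted by being in the
# Trusted Root store, not by chaining, so those pointers would only give clients URLs to fail on.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
; ASSUMED placeholder OID and CPS location; use your organisation's own arc and URL
OID=1.3.6.1.4.1.99999.1.1
Notice="A. Datum certificate practice statement"
URL=http://pki.adatum.com/pki/cps.html

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; CRL settings for a root that signs rarely: long base CRL, no delta CRL
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; Do not publish the default templates on an enterprise CA until they have been reviewed;
; the wizard would otherwise make User, Computer and others issuable immediately
LoadDefaultTemplates=0
; PKCS#1 v1.5 signatures for broad client compatibility
AlternateSignatureAlgorithm=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding Ascii

# Install the role binaries (Server Manager: Add roles and features -> AD CS -> Certification Authority).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Configure the CA (the AD CS Configuration wizard). -CAType EnterpriseRootCA matches the demo;
# the lab's offline root uses StandaloneRootCA with the same remaining parameters.
# A provider name containing '#' is a CNG key storage provider (slide 9).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Confirm what was built before anyone else touches the CA: name, type, key, CRL settings.
certutil -cainfo
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
```

Changing anything in the [Certsrv_Server] section after installation has no effect until the CA certificate is renewed; the equivalent running settings are changed with certutil -setreg, as later slides show.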

14 Lesson 2: Administering CAs
7: Deploying and Managing Active Directory Certificate Services
Includes Demonstration: Configuring CA Properties.

15 Tools for Managing a CA Hierarchy
7: Deploying and Managing Active Directory Certificate Services
To manage a CA hierarchy, you can use:
- The Certification Authority management console
- Windows PowerShell (the ADCSDeployment and ADCSAdministration modules)
- The Certutil command-line utility, which exposes advanced CA and PKI configuration and management settings that the console does not
Group Policy can manage the following PKI settings on clients:
- Credential roaming
- Autoenrollment of certificates
- Certificate path validation
- Certificate distribution (trusted root and intermediate CA certificates)
Instructor notes: Discuss the methods and tools that you can use to manage a CA hierarchy. Make sure that you explain that it is important to learn to use certutil. Also discuss the options in Group Policy for managing PKI, CAs, and certificates.

16 Configuring CA Administration and Security
7: Deploying and Managing Active Directory Certificate Services
You can establish role-based administration for a CA hierarchy by assigning the following roles, each of which maps to a CA permission or a user right on the CA computer:
- CA Administrator: the Manage CA permission (configure the CA, its extensions, policy and exit modules, and its security)
- Certificate Manager: the Issue and Manage Certificates permission (approve, deny, and revoke)
- Backup Operator: the Back up files and directories and Restore files and directories user rights
- Auditor: the Manage auditing and security log user right
- Enrollees: the Read and Request Certificates permissions
You can assign the following permissions at the CA level: Read, Issue and Manage Certificates, Manage CA, and Request Certificates.
Certificate Managers can be restricted to specific certificate templates (and to specific groups of requesters).
Keep Manage CA and Issue and Manage Certificates in different hands: an account that holds both can change issuance policy and then issue under it without any second party.
Instructor notes: Define and discuss role-based administration for the CA hierarchy. Discuss each role and its rights and permissions. Explain the relationship between role-based administration and the security permissions defined at the CA level.

17 Configuring CA Policy and Exit Modules
7: Deploying and Managing Active Directory Certificate Services
- The policy module determines what happens after a certificate request is received: issue, deny, or hold as pending, and which extensions go into the certificate
- The exit module determines what happens with a certificate after it is issued, for example publishing it to AD DS or to a file system path
- Each CA is configured with a default policy module and a default exit module
- FIM 2010 Certificate Management (FIM CM) installs custom policy and exit modules
- The default exit module can publish issued certificates to a file system path
- The console exposes only part of each module's configuration (request disposition, publication settings); the rest, such as the policy module's EditFlags, is set with certutil -setreg
Instructor notes: Define policy and exit modules on the CA. Most students probably will not be familiar with these settings, because they are rarely changed. Use FIM CM to provide real-life examples of custom policy and exit modules. Spend some time explaining how to configure the default exit module to perform some tasks.
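An added example, not from the course, of what a CA administrator should check in the default policy module's settings. It reads the same registry values the console's Policy Module tab edits, plus EditFlags, which the console does not show. The flag it looks for, EDITF_ATTRIBUTESUBJECTALTNAME2, is Microsoft's documented "allow any requester to add a subject alternative name through request attributes" switch; leaving it on lets an enrollee ask for a certificate carrying someone else's name in the SAN. The registry paths and bit values are from the CA's own configuration key and certsrv.h.

```powershell
# Added example: inspect the default policy module and flag the one setting that should
# never be on for a general-purpose CA. Run on the CA itself with local administrator rights.

$cfg       = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $cfg -Name Active).Active          # active CA on this server
$policyKey = Join-Path $cfg "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$policy    = Get-ItemProperty -Path $policyKey

# Bit values from certsrv.h
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # honour SAN supplied in request attributes
$REQDISP_PENDINGFIRST           = 0x00000100   # hold every request for administrator approval

$disposition = if ($policy.RequestDisposition -band $REQDISP_PENDINGFIRST) {
    'pending (administrator approval required)'
} else {
    'issue automatically when the template and permissions allow'
}
'Active CA            : {0}' -f $caName
'Request disposition  : {0}  (RequestDisposition = 0x{1:X})' -f $disposition, $policy.RequestDisposition
'EditFlags            : 0x{0:X}' -f $policy.EditFlags

if ($policy.EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
    Write-Warning ("EDITF_ATTRIBUTESUBJECTALTNAME2 is set on $caName. Any enrollee can put an " +
                   "arbitrary SAN into the request attributes and the CA will sign it; with a " +
                   "template that allows client authentication, that is a certificate in another " +
                   "user's name. Clear it and restart the service:`n" +
                   "  certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2`n" +
                   "  Restart-Service certsvc")
} else {
    'SAN from request attributes is disabled, which is the safe default.'
}
```

If an application genuinely needs a SAN the template cannot supply, the supported route is a template that builds the SAN from AD DS or that lets the requester supply it in the request itself, restricted to the principals that need it; the EditFlags bit applies to every template on the CA at once.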

18 Configuring CRL Distribution Points and AIA Locations
7: Deploying and Managing Active Directory Certificate Services
- The AIA extension tells clients where to retrieve the CA's certificate so that they can build the chain
- The CDP extension tells clients where to retrieve the CA's CRL so that they can check revocation
- Publication locations for AIA and CDP: AD DS (LDAP), web servers (HTTP), FTP servers, and file servers (UNC paths)
- Configure the CRL and AIA locations correctly for offline and stand-alone CAs before they issue their first certificate: the URLs are written into every issued certificate and cannot be changed there afterwards
- Ensure that the CRL of an offline root CA never expires: give it a long publication interval and schedule the root to be brought up to sign a new CRL before the current one reaches its next update time; once it lapses, every certificate chaining to the root fails revocation checking
Instructor notes: This is an important topic. Make sure that you spend enough time explaining the importance of the authority information access (AIA) and CRL distribution point (CDP) locations. Use the offline root CA as an example. Discuss the publication points and when to use each one.
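The configuration the slide describes, as an added example rather than course code: replacing the default CDP and AIA locations (which all point at the CA's own host name) with an HTTP location that every client can reach and an LDAP location for domain members, setting the CRL lifetime, publishing, and then verifying from a client. The ADCSAdministration cmdlets and certutil switches are real; the web server name, the share it serves, and the path of the certificate being verified are assumptions. The substitution variables are the ones listed on the console's Extensions tab.

```powershell
# Added example: rebuild CDP/AIA on a CA and prove that clients can use them. Run on the CA.
#
# Substitution variables, as on the Extensions tab:
#   %1 ServerDNSName   %2 ServerShortName   %3 CaName   %4 CertificateName (renewal suffix)
#   %6 ConfigurationContainer   %7 CATruncatedName   %8 CRLNameSuffix   %9 DeltaCRLAllowed
#   %10 CDPObjectClass   %11 CAObjectClass

$httpBase = 'http://pki.adatum.com/pki'       # ASSUMED: HTTP, not HTTPS, or revocation checking recurses
$publish  = 'file://\\pki.adatum.com\pki'     # ASSUMED: the share behind that web root, writable by the CA

# Drop every default location except the local CertEnroll folder, which the CA always writes to.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -notmatch '^[A-Za-z]:\\' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# CDP. The HTTP URL goes into issued certificates (and, as the freshest-CRL pointer, into CRLs);
# the file:// URL is only where the CA drops the CRL and is never seen by clients.
Add-CACrlDistributionPoint -Uri "$httpBase/%3%8%9.crl" -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CACrlDistributionPoint -Uri "$publish\%3%8%9.crl" -PublishToServer -PublishDeltaToServer -Force
# LDAP for domain-joined clients. A stand-alone root cannot write to AD DS, so leave -PublishToServer
# off here and publish with certutil -dspublish by hand (see the lab).
Add-CACrlDistributionPoint -Uri 'ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10' `
    -AddToCertificateCdp -Force

# AIA. %4 is the certificate name suffix; without it clients fetch the wrong CA certificate after the CA
# renews with a new key, which is the first "common issue" on the review slide.
Add-CAAuthorityInformationAccess -Uri "$httpBase/%1_%3%4.crt" -AddToCertificateAia -Force

# CRL lifetime. Long for an offline root that is only powered on to sign; days, not weeks, for an
# issuing CA whose revocations need to take effect quickly.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0          # no delta CRL from a root
certutil -setreg CA\CRLOverlapPeriodUnits 2        # old CRL stays valid 2 weeks past the next publish
certutil -setreg CA\CRLOverlapPeriod 'Weeks'

Restart-Service certsvc
certutil -crl                                      # publish a CRL under the new settings now

# For a truly offline root the file:// publish above cannot reach a network share: publish to the local
# CertEnroll folder only and carry the .crl and .crt to the web server by removable media.

# Verification from any client: fetches every AIA and CDP URL in the chain and reports each one.
# Look for "Leaf certificate revocation check passed" at the end of the output.
certutil -verify -urlfetch 'C:\temp\issued.cer'    # ASSUMED: any certificate issued by this CA
```

List the HTTP location first: Windows tries CDP and AIA URLs in the order they appear in the certificate, and clients outside the domain (and every non-Windows client) will time out on the LDAP entry before falling through to HTTP if it comes first.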

19 Demonstration: Configuring CA Properties
7: Deploying and Managing Active Directory Certificate Services
In this demonstration, you will see how to configure CA properties.
Preparation Steps: For this demonstration, you will need the 10969A-LON-DC1 and 10969A-LON-SVR1 virtual machines. Log on as Adatum\Administrator with the password Pa$$w0rd. After you are done with the demo, you can revert the virtual machines to their initial snapshot.
Demonstration Steps:
1. On LON-SVR1, open Server Manager, click Tools, and then click Certification Authority.
2. In the Certsrv console, right-click AdatumRootCA, and then select Properties.
3. On the General tab, click View Certificate. When the Certificate window opens, review the data on the General, Details, and Certification Path tabs, and then click OK.
4. On the Policy Module tab, click Properties. Review the settings available for the default policy module, and then click OK.
5. On the Exit Module tab, click Properties. Show the Publication Settings available in the default exit module, and then click OK.
6. On the Extensions tab, review the options available for the CDP and AIA locations.
7. On the Security tab, review the available options on the access control list (ACL), and also review the default permissions.
8. On the Certificate Managers tab, review the options and explain how to restrict security principals to specific certificate templates, and then click Cancel.
9. Close the Certsrv console.

20 Lesson 3: Troubleshooting, Maintaining, and Monitoring CAs
7: Deploying and Managing Active Directory Certificate Services
Includes Monitoring and Maintaining a CA Hierarchy.

21 Troubleshooting CAs
7: Deploying and Managing Active Directory Certificate Services
Tools for managing and troubleshooting CAs:
- Certificates snap-in
- PKIView (Enterprise PKI) tool
- Certification Authority snap-in
- Certutil.exe
- Certificate Templates snap-in
Common AD CS issues:
- Client autoenrollment failures (template permissions, Group Policy not applied, CA not reachable)
- Enterprise CA option unavailable during setup (the installing account is not an Enterprise Admin, or the server is not domain-joined)
- Errors accessing the CA web enrollment pages
- Enrollment agent restrictions preventing enrollment on behalf of others
Instructor notes: Discuss which tools you can use to troubleshoot and manage CAs. Also discuss some of the most common AD CS issues and ways to resolve them. Refer to the Workbook for different troubleshooting methods.

22 Renewing a CA Certificate
7: Deploying and Managing Active Directory Certificate Services
- Renew the CA certificate before its validity period ends; a CA with an expired certificate cannot issue or sign anything
- A CA never issues a certificate that outlives its own: the validity of each issued certificate is truncated to the remaining lifetime of the CA certificate, so an issuing CA's certificates get shorter and shorter as its own expiration approaches
Considerations for renewing a root CA certificate:
- Key length (renewal is the only opportunity to move to a longer key or a stronger hash algorithm)
- Validity period
Considerations for renewing a certificate for an issuing CA:
- Whether to generate a new key pair; a new key means a new CRL, so certificates issued under the old key stay on the old CRL and the new CRL starts small
- Smaller CRLs as a result of the new key
- The renewal procedure itself, including redistributing the renewed CA certificate to clients and republishing it to AIA locations
Instructor notes: Discuss the renewal of CA certificates. Students might be familiar with the renewal procedure, but they probably are not aware of the potential side effects of renewal. Be sure to explain and discuss all of the considerations for renewing a root CA certificate and for renewing a certificate for an issuing CA.

23 Moving a Root CA to Another Computer
7: Deploying and Managing Active Directory Certificate Services
To move a CA from one computer to another, you back it up on the old computer and restore it on the new one.
On the old CA:
1. Record the names of the certificate templates that the CA publishes
2. Back up the CA (certificate, private key, and database) in the Certification Authority console
3. Export the CA's registry subkey (HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration)
4. Uninstall the CA role
5. Confirm the %Systemroot% folder locations used for the certificate database and logs
6. Remove the old CA computer from the domain
On the new computer:
1. Install AD CS
2. Use the existing private key from the backup rather than generating a new one
3. Restore the registry file
4. Restore the CA database and settings
5. Restore the certificate templates
Instructor notes: Discuss the procedure for moving a CA to another computer. First, make sure that you define the scenarios for this, and then discuss each step. Use the Workbook for detailed steps. This slide provides only the high-level steps for this procedure.
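The procedure above as commands, added as an example and not taken from the course or the Workbook. The backup half runs on the old CA and the restore half on the new one, using the ADCSAdministration and ADCSDeployment cmdlets; the backup folder, the CA name, the name of the PKCS#12 file that the backup writes, and the template list are assumptions.

```powershell
# Added example: move a CA between computers with Backup-CARoleService / Restore-CARoleService.
# Values marked ASSUMED are not from the course.

# ---------- on the old CA ----------
$backup = 'C:\CABackup'                            # ASSUMED; copy this folder to the new server afterwards
$pw     = Read-Host -Prompt 'Backup password' -AsSecureString
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# 1. Record the templates the CA publishes (enterprise CA only); they are not part of the backup.
certutil -catemplates | Out-File "$backup\templates.txt"

# 2. Back up the CA certificate with its private key, and the database (the console's Back Up CA).
#    The private key leaves the machine in this file: protect the folder like the CA itself.
Backup-CARoleService -Path $backup -Password $pw -Force

# 3. Export the configuration subkey: CDP/AIA URLs, CRL periods, policy and exit module settings.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$backup\CertSvc.reg" /y

# 4. Then uninstall the role and take the old computer out of the domain before the new one takes
#    its name:  Uninstall-AdcsCertificationAuthority -Force ; Remove-Computer

# ---------- on the new CA, after copying $backup there ----------
$caName = 'AdatumRootCA'                           # ASSUMED; must be the original CA common name
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# "Use the existing private key": configure the CA from the backed-up PKCS#12 instead of generating
# a key. -CAType must match the original CA; the common name is taken from the certificate.
# The file name <CAName>.p12 is what the backup writes (ASSUMED; check the backup folder).
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CertFile "$backup\$caName.p12" -CertFilePassword $pw -Force

Stop-Service certsvc
Restore-CARoleService -Path $backup -Password $pw -Force     # database and request history
# The .reg carries the old host name in CAServerName and in any %1-based URLs; if the new server
# has a different name, edit those entries before importing, or clients will chase the old host.
reg import "$backup\CertSvc.reg"
Start-Service certsvc

# 5. Re-add each template recorded in step 1 (enterprise CA only), one per call:
certutil -setcatemplates +User                     # ASSUMED template; repeat for each name in templates.txt

# Prove the move worked: same CA name and certificate, and the CA can still sign a CRL.
certutil -cainfo
certutil -crl
```

Keep the old CA's backup folder until the new CA has published a CRL and issued at least one certificate that verifies end to end; the database restore is what preserves the serial numbers and revocation state, so a CA rebuilt without it would start reusing serials that are already in circulation.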

24 Monitoring and Maintaining a CA Hierarchy
7: Deploying and Managing Active Directory Certificate Services
For monitoring and maintenance of a CA hierarchy, you can use PKIView and CA auditing.
With PKIView (the Enterprise PKI snap-in), you can:
- Access and manage the PKI-related containers in AD DS
- Monitor CAs and their health state
- Check the status of CA certificates
- Check the status of AIA locations
- Check the status of CRLs and of CRL distribution points (including an expired or unreachable CRL, which PKIView shows as an error on every CA beneath it)
- Evaluate the state of the online responder
CA auditing logs CA events (backup and restore, configuration and security changes, requests, revocation and CRL publication, key archival, service start and stop) to the Security event log; it requires both the CA's audit filter and the Certification Services audit policy subcategory to be enabled.
Instructor notes: Discuss the tools that students can use to maintain and monitor the status of a CA hierarchy. If time permits, demonstrate PKIView. It should be available on LON-SVR1 if you completed the previous demonstrations successfully. You can also briefly show the events that CA auditing can log.
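An added example, not from the course, that turns on CA auditing end to end and pulls the events a CA owner should be reading, with the role-separation switch from slide 16 alongside because it is enforced and reported through the same mechanism. The audit filter value and the event IDs are Microsoft's documented Certification Services audit categories and events; the query window and the decision to leave role separation commented out are assumptions.

```powershell
# Added example: enable CA auditing, optionally enforce role separation, and report changes.
# Run on the CA with local administrator rights.

# 1. The CA's own audit filter. 127 = all seven categories: 1 backup/restore, 2 change CA configuration,
#    4 change CA security settings, 8 issue and manage requests, 16 revoke and publish CRLs,
#    32 store and retrieve archived keys, 64 start and stop the service.
certutil -setreg CA\AuditFilter 127

# 2. The filter does nothing unless the OS audit policy for the subcategory is enabled too.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 3. Role separation (slide 16). When on, no single account may hold both Manage CA and
#    Issue and Manage Certificates; an account that has both is blocked from all CA operations until
#    one right is removed, which is why it stays commented out on a single-administrator lab CA.
# certutil -setreg CA\RoleSeparationEnabled 1

Restart-Service certsvc

# 4. Configuration and permission changes. IDs (Certification Services audit events):
#    4876 backup started, 4882 CA security permissions changed, 4885 audit filter changed,
#    4890 certificate manager settings changed, 4891 configuration entry changed,
#    4892 CA property changed, 4897 role separation enabled, 4900 template security updated.
function Get-CAConfigChangeEvent {
    param([int]$Hours = 24)                          # ASSUMED reporting window
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4876, 4882, 4885, 4890, 4891, 4892, 4897, 4900
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# 5. Issuance and revocation, the operational half: 4886 request received, 4887 approved and issued,
#    4888 denied, 4889 set to pending, 4870 certificate revoked, 4872 CRL published.
function Get-CAIssuanceEvent {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4886, 4887, 4888, 4889, 4870, 4872
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-CAConfigChangeEvent -Hours 24 | Format-Table -AutoSize
Get-CAIssuanceEvent     -Hours 24 | Format-Table -AutoSize
```

Forward 4882, 4885, 4890, 4892 and 4900 to wherever security events are collected: a change to the CA ACL, the audit filter, the certificate manager restrictions, or a template's permissions is what precedes misuse of the CA, and an attacker who reaches the CA can also switch auditing off, so the 4885 that records that change is the one to alert on.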

25 Lab: Deploying and Configuring a Two-Tier CA Hierarchy
7: Deploying and Managing Active Directory Certificate Services
Exercise 1: Deploying an Offline Root CA
A. Datum wants to use certificates for various purposes. You need to install the appropriate CA infrastructure. Because A. Datum uses Windows Server 2012 AD DS, you decided to implement the AD CS role. When you reviewed the available designs, you decided to implement a stand-alone root CA. This CA will be taken offline after it issues a certificate for a subordinate CA. After installation, you must make sure that the CDP and AIA locations are configured correctly. You also must make sure that a Domain Name System (DNS) record exists for the offline root CA's host name, so that the CDP and AIA locations written into its issued certificates resolve on the network even while the root CA itself stays offline.
Exercise 2: Deploying an Enterprise Subordinate CA
After deploying the stand-alone root CA, the next step is to deploy an enterprise subordinate CA. A. Datum wants to use an enterprise subordinate CA to take advantage of AD DS integration. In addition, because the root CA is a stand-alone CA that does not publish to AD DS itself, you must publish its certificate to all clients.
Logon Information
Virtual machines: 10969A-LON-DC1, 10969A-LON-SVR1, 10969A-CA-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 60 minutes
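The subordinate-CA half of the lab as commands, added here as an example; it is not the lab's own step list. It assumes the stand-alone root AdatumRootCA has already been installed on CA-SVR1 with CDP and AIA pointing at an HTTP location (slide 18) and that files move between the offline root and the domain by removable media. The CA names and VM host names are the lab's; the drive letters, the web share, the request ID, and the root certificate file name are assumptions.

```powershell
# Added example: issue the enterprise subordinate CA's certificate from an offline root and
# publish the root to the domain. Values marked ASSUMED are not from the lab.

# ---------- on the enterprise subordinate CA (LON-SVR1), as Adatum\Administrator ----------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# With -OutputCertRequestFile the cmdlet generates the key pair and a request file instead of
# contacting an online parent CA. The service is installed but cannot start until its certificate
# is installed below.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'AdatumIssuingCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\AdatumIssuingCA.req' -Force           # carry this file to the root

# ---------- on the offline stand-alone root (CA-SVR1) ----------
# A stand-alone CA parks every request as pending (slide 7), so submit, then issue, then retrieve.
certreq -submit -config 'CA-SVR1\AdatumRootCA' 'D:\AdatumIssuingCA.req'      # ASSUMED D: is the removable drive
$requestId = 2                                                                # ASSUMED: the RequestId certreq printed
certutil -resubmit $requestId                                                 # approves and issues; needs Manage CA
certreq -retrieve -config 'CA-SVR1\AdatumRootCA' $requestId 'D:\AdatumIssuingCA.cer'

# Sign a fresh CRL and take it, plus the root certificate, along with the issued certificate.
certutil -crl
Copy-Item "$env:windir\System32\CertSrv\CertEnroll\*" 'D:\' -Force
# The root certificate file is named <ServerDNSName>_<CAName>.crt by the CA; here CA-SVR1_AdatumRootCA.crt (ASSUMED).

# ---------- back on LON-SVR1 ----------
# The root is not in AD DS, so publish its certificate and CRL there yourself. The certificate lands
# in the Certification Authorities container, from which Group Policy places it in every domain
# member's Trusted Root store; the CRL goes under the CDP container named by %2 and the object named
# by %7, matching the LDAP CDP URL the root writes into certificates.
certutil -dspublish -f 'D:\CA-SVR1_AdatumRootCA.crt' RootCA
certutil -dspublish -f 'D:\AdatumRootCA.crl' CA-SVR1 AdatumRootCA

# Put both files where the HTTP CDP/AIA URLs point (ASSUMED: share behind http://pki.adatum.com/pki/).
Copy-Item 'D:\CA-SVR1_AdatumRootCA.crt', 'D:\AdatumRootCA.crl' '\\pki.adatum.com\pki\' -Force

# Install the issued certificate and start the CA. certutil builds and checks the chain, including
# revocation, before it installs, so this step failing means clients will fail the same way: fix the
# published root certificate or CRL rather than bypassing the check.
certutil -installcert 'D:\AdatumIssuingCA.cer'
Start-Service certsvc

# Confirm from the subordinate's own certificate that every AIA and CDP URL in the chain is fetchable.
certutil -verify -urlfetch 'D:\AdatumIssuingCA.cer'
```

After the subordinate is running, shut the root down; it is next needed before the root CRL's next update time (26 weeks in the slide 18 example), and again whenever a subordinate certificate must be issued, renewed, or revoked.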

26 10969A Lab Scenario 7: Deploying and Managing Active Directory Certificate Services As A. Datum Corporation has expanded, its security requirements also have increased. The Security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features. To address these and other security requirements, A. Datum has decided to implement a PKI by using the Active Directory Certificate Services role in Windows Server 2012. As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment.

27 10969A Lab Review
7: Deploying and Managing Active Directory Certificate Services
Question: Why is it not recommended to install only an enterprise root CA?
Answer: For security reasons, a root CA should be taken offline and should not have any network access. Because an enterprise root CA cannot be offline, you cannot provide maximum protection for its key and identity.
Question: What are some reasons that an organization would use an enterprise root CA?
Answer: If an organization wants to use only one CA, and it wants to use certificate templates and autoenrollment, an enterprise root CA is the only choice.

28 Module Review and Takeaways
7: Deploying and Managing Active Directory Certificate Services
Review Questions
Question: What are some reasons that an organization would use a PKI?
Answer: Some reasons are to improve security, to increase identity control, and to sign code digitally.
Question: Why would you deploy custom policy and exit modules?
Answer: If you have an additional application for certificate management, such as FIM CM, you must install its custom policy and exit modules so that the application can integrate with the CA.
Tools: Certification Authority console; Certutil command-line utility; Windows PowerShell; PKIView.msc; Server Manager.
Best Practice: When deploying a CA infrastructure, deploy a stand-alone (non-domain-joined) root CA and an enterprise subordinate CA (issuing CA). After the enterprise subordinate CA receives its certificate from the root CA, take the root CA offline. Review the validity time of the root CA's certificate revocation lists (CRLs) so that they never expire while the root is offline. Provide more than one location for AIA and CRL retrieval.
(More notes on the next slide)

29 7: Deploying and Managing Active Directory Certificate Services
Common Issues and Troubleshooting Tips
Common Issue: The CA certificate location specified in the AIA extension does not include the certificate name suffix. Clients might not be able to locate the correct version of the issuing CA's certificate to build a certificate chain, and certificate validation might fail.
Troubleshooting Tip: Use the Certification Authority snap-in to configure the AIA extension to include the certificate name suffix in each location.
Common Issue: The CA is not configured to include CRL distribution point locations in the extensions of issued certificates. Clients might not be able to locate a CRL to check the revocation status of a certificate, and certificate validation might fail.
Troubleshooting Tip: Use the Certification Authority snap-in to configure the CRL distribution point extension and to specify the network location of the CRL.
