Slide 1: Configuring Certificate Services and PKI
Exam Objectives:
- Planning a Windows Server 2008 Certificate-Based PKI
- Implementing Certification Authorities
- Planning Enrollment and Distribution of Certificates
Slide 2: Planning a Windows Server 2008 Certificate-Based PKI
A PKI combines public key cryptography with digital certificates to create a secure environment where network traffic such as authentication packets can travel safely. Public keys and private keys always come in pairs. If the public key is used to encrypt data, only the matching private key can decrypt it. When public key-encrypted data is encrypted again by a private key, that private key encryption is called a digital signature. Digital signatures provided by ordinary users aren’t very trustworthy, so a trusted authority is needed to provide them. The authority (which can be Windows-based) issues certificates, which are basically digitally signed containers for public keys and other information. Certificates are used to safely exchange public keys, and provide the basis for applications such as IPSec, EFS, and smart card authentication.
Slide 3: Implementing Certification Authorities
Certificate needs are based on which applications and communications an organization uses and how secure they need to be. Based on these needs, CAs are created by installing certificate services and are managed using the Certification Authority snap-in. A CA hierarchy is structured with a root and one or more levels of subordinates; three levels are common. The bottom level of subordinates issues certificates. The intermediate level controls policies. Enterprise CAs require and use Active Directory to issue certificates, often automatically. Stand-alone CAs can be more secure, and need an administrator to manually issue or deny certificate requests. CAs need to be backed up consistently and protected against attacks. Keys can be archived and later retrieved if they are lost. This is a new feature for Windows Server 2008. CAs can revoke as well as issue certificates. Once a certificate is revoked, the revocation needs to be published to a CRL distribution point. Clients check the CRL periodically before they can trust a certificate.
Slide 4: Planning Enrollment and Distribution of Certificates
Templates control how a CA acts when handed a request, and how to issue certificates. There are quite a few built-in templates, or you can create your own using the Certificate Templates snap-in. Templates must be enabled before a CA can use them. Certificates can be requested with the Certificates snap-in or by using Internet Explorer and pointing to http://servername/certsrv on the CA. Machine and user certificates can be requested without user intervention by using autoenrollment. Autoenrollment for user certificates is new to Windows Server 2008. Role-based administration is recommended for larger organizations. Different users can be assigned permissions relative to their positions, such as certificate manager.
Slide 5: FAQ
Q: In what format do CAs issue certificates?
A: Microsoft certificate services use the standard X.509 specifications for issued certificates and the Public Key Cryptography Standard (PKCS) #10 standard for certificate requests. The PKCS #7 certificate renewal standard is also supported. Windows Server 2003 also supports other formats, such as PKCS #12, DER encoded binary X.509, and Base64 Encoded X.509, for exporting certificates to computers running non-Windows operating systems.
Slide 6: FAQ
Q: If certificates are so important in a PKI, why don’t I see more of them?
A: Many portions of a Windows PKI are hidden to the end user. Thanks to features such as autoenrollment, some PKI transactions can be completely done by the operating system. Most of the work in implementing a PKI comes in the planning and design phase. Operations such as encrypting data via EFS use certificates, but the user does not “see” or manually handle the certificates.
Slide 7: FAQ
Q: I’ve heard that I can’t take my laptop overseas because it uses EFS. Is this true?
A: Maybe. The backbone of any PKI-enabled application such as EFS is encryption. Although the U.S. government now permits the exporting of “high encryption” standards, some countries still do not allow their import. The Windows Server 2008 PKI can use high encryption, and so the actual answer depends on the country in question. For information on the cryptographic import and export policies of a number of countries, see http://www.rsasecurity.com/rsalabs/faq/6-5-1.html.
Slide 8: FAQ
Q: Can I create my own personal digital signature and use it instead of a CA?
A: Not if you need security. The purposes behind digital signatures are privacy and security, and a digital signature at first glance seems to fit the bill. The problem, however, is not the signature itself, but the lack of trust in a recipient. Impersonations become a looming security risk if you can’t guarantee that the digital signatures you receive came from the people with whom they were supposed to have originated. For this reason, a certificate issued by a trusted third party provides the most secure authentication.
Slide 9: FAQ
Q: Can I have a CA hierarchy that is five levels deep?
A: Yes, but that’s probably overkill for most networks. Microsoft’s three-tier model of root, intermediate, and issuing CAs will more than likely meet your requirements. Remember that your hierarchy can be wide instead of deep.
Slide 10: FAQ
Q: Do I have to have more than one CA?
A: No. Root CAs have the ability to issue all types of certificates and can assume responsibility for your entire network. In a small organization, a single CA might be sufficient for your purposes. For a larger organization, however, this structure would not be suitable.
Slide 11: FAQ
Q: How can I change the publishing interval of a CRL?
A: From the Certification Authority console, right-click the Revoked Certificates container and choose Properties. The CRL Publishing Parameters tab allows you to change the default interval for full and Delta CRLs.
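As an added example (not from the slides), the same CRL publishing parameters changed from a script: the console tab writes these values to the CA's registry configuration, which certutil can read and set directly. The CA name Corp-Issuing-CA is a placeholder, and the weekly full / daily delta schedule is an assumption.

```powershell
# Added example, not part of the original slides. Run in an elevated prompt on the CA itself.
$caName = 'Corp-Issuing-CA'   # placeholder: the CA's own common name, used in the CRL file name

# 1. Record the current values first so the change can be rolled back.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod
certutil -getreg CA\CRLOverlapUnits

# 2. Full CRL every week, delta CRL every day (assumed schedule).
#    Setting CRLDeltaPeriodUnits to 0 would disable delta CRL publishing entirely.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'
# Overlap is added to the advertised NextUpdate so a late publish does not leave
# clients with an expired CRL (and therefore failed chain validation).
certutil -setreg CA\CRLOverlapUnits 12
certutil -setreg CA\CRLOverlapPeriod 'Hours'

# 3. The CA service reads these values at start-up.
Restart-Service certsvc

# 4. Publish new full and delta CRLs now instead of waiting for the next scheduled run.
certutil -crl

# 5. Verify on the published file: NextUpdate should be ThisUpdate + period + overlap.
$crlPath = "$env:SystemRoot\System32\CertSrv\CertEnroll\$caName.crl"
certutil -dump $crlPath | Select-String 'ThisUpdate|NextUpdate|CRL Number'
```

The delta CRL is published beside the full one as "$caName+.crl"; a CRL can never be valid past the CA certificate's own NotAfter, whatever period is configured.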
Slide 12: FAQ
Q: Why can’t I seem to get autoenrollment for user certificates to work?
A: Remember that autoenrollment for machines is a feature that has been around since Windows 2000, but autoenrollment for user certificates is new to Windows Server 2003. In order to use this feature, you need to be running either a Windows Server 2003 or XP client and you must log on to a Windows Server 2003 domain. Finally, autoenrollment must be enabled through Active Directory’s group policy. Also, you won’t be able to autoenroll a user unless the user account has been assigned an e-mail address.
Slide 13: FAQ
Q: What is the default validity period for a new certificate?
A: The default, which can be changed on the General tab of a new template’s Property sheet, is one year. Other important settings, such as minimum key size and purpose of the certificate, can be found on the sheet’s other tabs.
Slide 14: FAQ
Q: If my smart card is lost or stolen, can I be reissued one?
A: Yes. The enrollment agent can enroll a new card for you at the enrollment station. Although most smart card providers allow cards to be reused (such as when they are found), a highly secure company may require old cards to be destroyed. For similar security reasons, PINs should not be reused on a newly issued card, although it is possible. Remember that a card is only good to a thief if the corresponding PIN is obtained as well.
Slide 15: FAQ
Q: When setting up smart cards for my company, can I use the MS-CHAP or MS-CHAP v2 protocols for authentication?
A: No. EAP is the only authentication method you can use with smart cards. It is considered the pinnacle of the authentication protocols under Windows Server 2003. MS-CHAP v2 is probably the most secure of the password-based protocols, but still does not provide the level of protection that smart cards using EAP do. This is because EAP is not really an authentication protocol by itself. It interfaces with other protocols such as MD5-CHAP, and is therefore extremely flexible. As a result it has been widely implemented by many different vendors. MS-CHAP and MS-CHAP v2 are Microsoft proprietary, and do not enjoy the same popularity or scrutiny applied to EAP. It is this scrutiny over the last several years that gives EAP the reputation of a highly secure protocol.
Slide 16: FAQ
Q: How can I determine the length of time for which a certificate should be valid?
A: It is important to plan out your PKI implementation before it goes into production. In the case of certificate validity, you’ll want to choose a time period that will cover the majority of your needs without being so long as to open your environment up to compromise. If you are planning a certificate to support a traveling workforce that only connects to the corporate infrastructure once a quarter, it would be detrimental to expire certificates once a month. At the same time, specifying a certificate to be valid for 20 years might open your business up to compromise by an ex-employee long after his employment has been terminated. Finally, you will want to ensure that your certificate lifetime is shorter than the lifetime of the CA’s own certificate. If the issuing CA will only be valid for a year, having a subordinate cert that is good for 5 years will lead to problems when the parent authority is revoked.
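The two checks in that answer, an issued certificate outliving its issuer and a lifetime longer than policy allows, as an added PowerShell audit that is not part of the slides. It walks each certificate's chain as built by Windows; the store path and the 2-year cap are assumptions.

```powershell
# Added example, not from the original slides: flag certificates whose NotAfter runs past
# any issuer in their chain, or whose total lifetime exceeds a policy cap.
function Test-CertLifetimeNesting {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',   # assumption: audit the machine store
        [int]$MaxYears = 2                              # assumption: local policy cap for end-entity certs
    )
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    foreach ($cert in Get-ChildItem $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Only validity windows matter here, so skip revocation checking (it needs the CRL reachable).
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($cert)   # a trust failure still yields the elements that could be chained
        $elements = $chain.ChainElements
        $issues = @()
        # Element 0 is the certificate itself; element i+1 is the CA that issued element i.
        for ($i = 0; $i -lt ($elements.Count - 1); $i++) {
            $child  = $elements[$i].Certificate
            $parent = $elements[$i + 1].Certificate
            if ($child.NotAfter -gt $parent.NotAfter) {
                $childName  = $child.GetNameInfo($nameType, $false)
                $parentName = $parent.GetNameInfo($nameType, $false)
                $issues += ('{0} expires {1:d}, after its issuer {2} ({3:d})' -f $childName, $child.NotAfter, $parentName, $parent.NotAfter)
            }
        }
        $days = ($cert.NotAfter - $cert.NotBefore).TotalDays
        if ($days -gt ($MaxYears * 365)) {
            $issues += ('lifetime of {0:N0} days exceeds the {1}-year cap' -f $days, $MaxYears)
        }
        [pscustomobject]@{
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            ChainOk  = ($issues.Count -eq 0)
            Issues   = ($issues -join '; ')
        }
        $chain.Reset()
    }
}

# Show only the certificates that need attention.
Test-CertLifetimeNesting | Where-Object { -not $_.ChainOk } | Format-Table -AutoSize -Wrap
```

Run it against Cert:\CurrentUser\My as well for user certificates; a self-signed root has a one-element chain and is only checked against the cap.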
Slide 17: FAQ
Q: My domain has been active for some time, but I have only recently implemented a Certificate Authority in my domain. I am now getting messages that my Domain Controllers do not have appropriate certificates. What should I do?
A: Make sure that you have enabled autoenrollment on your Domain Controller certificate templates. This step is often missed and can lead to a number of secondary problems, the least of which is annoying messages in the Event Logs.
Slide 18: Test Day Tip
On the day of the test, do not concern yourself too much with what the different standard numbers are. It is important to understand why they are in place and what PKCS stands for.
Slide 19: Exam Warning
In a Windows Server 2008 PKI, a user’s public and private keys are stored under the user’s profile. For the administrator, the public keys would be under Documents and Settings\Administrator\System Certificates\My\Certificates and the private keys would be under Documents and Settings\Administrator\Crypto\RSA (where they are double encrypted by Microsoft’s Data Protection API, or DPAPI). Although a copy of the public keys is kept in the registry, and can even be kept in Active Directory, the private keys are vulnerable to deletion. If you delete a user profile, the private keys will be lost!
Slide 20: Test Day Tip
Pay special attention to the above exercise as you may be asked questions about the distinguished name of the CA.
Slide 21: Test Day Tip
Certificates are at the very core of the Windows PKI. Make certain that you understand what certificates are, and why they are needed when using public keys. Also, be familiar with the types of certificates listed in this section and the differences between them.
Slide 22: Test Day Tip
The order of component installation can be important when dealing with CAs. If you install certificate services before you install IIS, a client will not be able to connect as in the exercise below until you run the following from the command line: certutil -vroot. This establishes the virtual root directories necessary for Web enrollment.
Slide 23: Test Day Tip
Remember that autoenrollment is only available for user certificates if the client is Windows XP, Windows Server 2003, or Windows Server 2008.
Slide 24: Exam Warning
Certificate expiration is different from certificate revocation. A certificate is considered revoked if it is terminated prior to the end date of the certificate.
Slide 25: Test Day Tip
On the day of the test, be clear as to which types of CRLs are consistently made available to users in Windows Server 2008. Since Windows Server 2003, Delta CRLs have been used to publish only the changes made to an original CRL for the purposes of conserving network traffic.
Slide 26: Exam Warning
Many different types of certificates can be used together within a single Public Key Infrastructure. It is the Certificate Templates that allow the certificates to differentiate themselves for different purposes, ensuring that the appropriate information is stored in the cert.
Slide 27: Exam Warning
In an environment that has been upgraded from a previous version of Windows Server into the Server 2008 platform, an update to the certificate templates may be required to bring the templates into compliance. This should be done before the domain is upgraded to ensure continuity with Active Directory.