Download presentation
Presentation is loading. Please wait.
1
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
2
Agenda Chapter 13: Configuring Active Directory Certificate Services Exercise Lab Quiz
3
Public Key Infrastructure Allow two parties to communicate securely, without any previous communication, through the use of public key cryptography Public key cryptography stores a public key for each participant in a PKI Each participant also possesses a private key By combining the public key with private key, one entity can communicate with another entity in a secure fashion without exchanging any sort of shared secret key beforehand ▫A shared secret key is a secret piece of information that is shared between two parties
4
Shared Secret Key http://en.wikipedia.org/wiki/Public_key
5
Certificate Authority (CA) An entity that issues and manages digital certificates for use in a PKI ▫For Server 2008, it requires AD CS server role ▫CAs are hierarchical (One root and several subordinate CAs) ▫Three-tier hierarchy, where a single root CA issues certificates to a number of intermediate CAs, allowing the intermediate CAs to issue certificates to users or computers
6
Digital Certificate (certificate) The digital certificate contains ▫The certificate holder’s name ▫Public key ▫The digital signature of the Certificate Authority that issued the certificate ▫The certificate’s expiration date
7
Digital Signature Proves the identity of the entity that has signed a particular document A digital signature indicates that the message is authentic and has not been tampered with since it left the sender’s Outbox
8
Certificate Practice Statement and Certificate Revocation List Certificate Practice Statement (CPS) ▫Provides a detailed explanation of how a particular CA manages certificates and keys Certificate Revocation List (CRL) ▫This list identifies certificates that have been revoked or terminated, corresponding user, computer, or service ▫Services that utilize PKI should reference the CRL to confirm that a particular certificate has not been revoked prior to its expiration date
9
Certificate Templates Templates used by a CA to simplify the administration and issuance of digital certificates
10
Self-Enrollment and Enrollment Agents Self-Enrollment ▫This feature enables users to request their own PKI certificates, typically through a Web browser Enrollment agents ▫These are used to request certificates on behalf of a user, computer, or service You can use either self-enrollment or enrollment agents
11
Auto-Enrollment Supported by Windows Server 2003 and later Allows users and computers to automatically enroll for certificates based on: ▫One or more certificate templates ▫Group Policy settings in Active Directory ▫Certificate templates that are based on Windows 2000 will not allow auto-enrollment to maintain backwards compatibility
12
Recovery Agent These agents are configured within a CA to allow users to recover private keys for users, computers, or services if their keys are lost
13
Key Archival This is the process by which private keys are maintained by the CA for retrieval by a recovery agent In a Windows PKI implementation, users’ private keys can be stored within AD
14
Windows Server 2008 and Certificate Services The AD CS server role consists of the following services and features: ▫Web enrollment ▫Online Responder Responds the requests from clients about the certificate status Online Certificate Status Protocol (OCSP) ▫Network Device Enrollment Service (NDES) To enroll the hardware-based routers and other network device for PKI certificates
15
Types of CAs When deploying a Windows-based PKI, two different types of CAs can be deployed: ▫Standalone CA Not integrated with AD It requires administrator intervention to respond to certificate requests ▫Enterprise CA Integrated with AD Can use certificate templates
16
Configuring Certificate Auto- enrollment for Wireless Networks You can control PKI in Public Key Policies area in the group policy ▫Encrypting File System (EFS) Recovery agents (In computer configuration node) ▫Automatic Certificate Request All computers to automatically submit a request for a certificate from an Enterprise CA
17
Configuring Certificate Auto- enrollment for Wireless Networks You can control PKI in Public Key Policies area in the group policy ▫Trusted Root Certificate Authorities It determines if uses can choose to trust root CAs ▫Enterprise Trust Allows an administrator to define and distribute a CTL for external root CAs ▫Certificate Services Client-Auto-Enrollment Allows an administrator to enable or disable the automatic enrollment Use auto-enrollment to write certificate information to the smart card through GPO
18
Infrastructure components for Auto- Enrollment of PKI Clients must be running XP, Vista Business or Ent., Server 2003, Server 2008 Enterprise CA running on Server 2003 or 2008
19
Extra materials http://networklore.com/components-of-pki/
20
Assignment Fill in the blank ▫1-10 Multiple Choice ▫1-10 Online Lab 13
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.