
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+


1 CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

2 Agenda
▫Chapter 13: Configuring Active Directory Certificate Services
▫Exercise
▫Lab
▫Quiz

3 Public Key Infrastructure
Allows two parties to communicate securely, without any previous communication, through the use of public key cryptography
Public key cryptography stores a public key for each participant in a PKI
Each participant also possesses a private key
By combining the public key with the private key, one entity can communicate with another entity in a secure fashion without exchanging any sort of shared secret key beforehand
▫A shared secret key is a secret piece of information that is shared between two parties

4 Shared Secret Key http://en.wikipedia.org/wiki/Public_key

5 Certificate Authority (CA)
An entity that issues and manages digital certificates for use in a PKI
▫For Server 2008, it requires the AD CS server role
▫CAs are hierarchical (one root and several subordinate CAs)
▫Three-tier hierarchy: a single root CA issues certificates to a number of intermediate CAs, and the intermediate CAs in turn issue certificates to users or computers

6 Digital Certificate (certificate)
The digital certificate contains
▫The certificate holder’s name
▫Public key
▫The digital signature of the Certificate Authority that issued the certificate
▫The certificate’s expiration date

7 Digital Signature
Proves the identity of the entity that has signed a particular document
A digital signature indicates that the message is authentic and has not been tampered with since it left the sender’s Outbox

8 Certificate Practice Statement and Certificate Revocation List
Certificate Practice Statement (CPS)
▫Provides a detailed explanation of how a particular CA manages certificates and keys
Certificate Revocation List (CRL)
▫This list identifies certificates that have been revoked or terminated, along with the corresponding user, computer, or service
▫Services that utilize PKI should reference the CRL to confirm that a particular certificate has not been revoked prior to its expiration date
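As an added example (not part of the slides), the PowerShell below reads the certificate fields slide 6 lists from a certificate already installed in the local machine's Personal store, then builds its chain with online CRL checking, the check slide 8 says relying services should make, and prints the CA hierarchy from slide 5. $Thumbprint is a placeholder you replace with a real thumbprint.

```powershell
# Added example, not from the slides. Assumes a certificate is already installed
# in the local machine's Personal store; $Thumbprint is a placeholder to replace.
$Thumbprint = 'REPLACE_WITH_CERTIFICATE_THUMBPRINT'
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# Slide 6: what a digital certificate contains
[pscustomobject]@{
    HolderName         = $cert.Subject
    PublicKeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
    IssuingCA          = $cert.Issuer           # the CA whose signature is on the certificate
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    ExpirationDate     = $cert.NotAfter
} | Format-List

# Slide 8: build the chain and insist on a revocation (CRL/OCSP) lookup
# for every certificate in it, not just the end-entity certificate
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'Online'       # fetch CRLs; 'NoCheck' would skip revocation
$chain.ChainPolicy.RevocationFlag    = 'EntireChain'
$chain.ChainPolicy.VerificationFlags = 'NoFlag'       # no exemptions (e.g. ignoring expired CRLs)

if ($chain.Build($cert)) {
    'Chain built: issuer signatures verify, nothing expired, nothing revoked'
} else {
    # Status names such as Revoked, NotTimeValid, UntrustedRoot, RevocationStatusUnknown
    $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}

# Slide 5: the hierarchy from the end-entity certificate up to the root CA
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
```

A RevocationStatusUnknown result means the CRL could not be retrieved; a service that follows slide 8's rule treats that as a failed check rather than a pass.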

9 Certificate Templates
Templates used by a CA to simplify the administration and issuance of digital certificates

10 Self-Enrollment and Enrollment Agents
Self-Enrollment
▫This feature enables users to request their own PKI certificates, typically through a Web browser
Enrollment agents
▫These are used to request certificates on behalf of a user, computer, or service
You can use either self-enrollment or enrollment agents

11 Auto-Enrollment
Supported by Windows Server 2003 and later
Allows users and computers to automatically enroll for certificates based on:
▫One or more certificate templates
▫Group Policy settings in Active Directory
▫Certificate templates based on Windows 2000 do not allow auto-enrollment, in order to maintain backwards compatibility

12 Recovery Agent
These agents are configured within a CA to allow users to recover private keys for users, computers, or services if their keys are lost

13 Key Archival
This is the process by which private keys are maintained by the CA for retrieval by a recovery agent
In a Windows PKI implementation, users’ private keys can be stored within AD

14 Windows Server 2008 and Certificate Services
The AD CS server role consists of the following services and features:
▫Web enrollment
▫Online Responder
  ▫Responds to requests from clients about certificate status
  ▫Uses the Online Certificate Status Protocol (OCSP)
▫Network Device Enrollment Service (NDES)
  ▫Enrolls hardware-based routers and other network devices for PKI certificates

15 Types of CAs
When deploying a Windows-based PKI, two different types of CAs can be deployed:
▫Standalone CA
  ▫Not integrated with AD
  ▫Requires administrator intervention to respond to certificate requests
▫Enterprise CA
  ▫Integrated with AD
  ▫Can use certificate templates

16 Configuring Certificate Auto-enrollment for Wireless Networks
You can control PKI in the Public Key Policies area of Group Policy
▫Encrypting File System (EFS)
  ▫Recovery agents (in the Computer Configuration node)
▫Automatic Certificate Request
  ▫Causes all computers to automatically submit a request for a certificate from an Enterprise CA

17 Configuring Certificate Auto-enrollment for Wireless Networks
You can control PKI in the Public Key Policies area of Group Policy
▫Trusted Root Certificate Authorities
  ▫Determines whether users can choose to trust root CAs
▫Enterprise Trust
  ▫Allows an administrator to define and distribute a CTL (certificate trust list) for external root CAs
▫Certificate Services Client - Auto-Enrollment
  ▫Allows an administrator to enable or disable automatic enrollment
  ▫Use auto-enrollment to write certificate information to the smart card through GPO

18 Infrastructure Components for Auto-Enrollment of PKI
Clients must be running XP, Vista Business or Enterprise, Server 2003, or Server 2008
Enterprise CA running on Server 2003 or 2008

19 Extra materials
http://networklore.com/components-of-pki/

20 Assignment
Fill in the blank
▫1-10
Multiple Choice
▫1-10
Online Lab 13

