Download presentation
Presentation is loading. Please wait.
2
Microsoft TechDayshttp://www.techdays.ru Леонид Шапиро MCT, MVP ЦКО «Специалист» www.specialist.ru
3
Microsoft TechDayshttp://www.techdays.ru Файл capolicy.inf для издающего УЦ Установка Enterprise Subordinate CA Разработка пост установочного конфигурационного скрипта Как обеспечить отказоустойчивость и доступность? Подведем итоги…
4
Microsoft TechDayshttp://www.techdays.ru
5
Цели создания Содержимое Примеры
6
[Version] Signature= "$Windows NT$" [PolicyStatementExtension] Policies = Root-CA CPS [Root-CA CPS] URL = http://www.nwtraders.ru/certdata/cps.asp OID = 2.5.29.32.0 [certsrv_server] RenewalKeyLength = 2048 RenewalValidityPeriodUnits = 5 RenewalValidityPeriod = years CRLPeriodUnits = 5 CRLPeriod = days CRLOverlapUnits = 1 CRLOverlapPeriod = days CRLDeltaPeriodUnits = 12 CRLDeltaPeriod = hours DiscreteSignatureAlgorithm = 1
![[Version] Signature= $Windows NT$ [PolicyStatementExtension] Policies = Root-CA CPS [Root-CA CPS] URL = OID = [certsrv_server] RenewalKeyLength = 2048 RenewalValidityPeriodUnits = 5 RenewalValidityPeriod = years CRLPeriodUnits = 5 CRLPeriod = days CRLOverlapUnits = 1 CRLOverlapPeriod = days CRLDeltaPeriodUnits = 12 CRLDeltaPeriod = hours DiscreteSignatureAlgorithm = 1](http://images.slideplayer.com./17/5316202/slides/slide_6.jpg "[Version] Signature= $Windows NT$ [PolicyStatementExtension] Policies = Root-CA CPS [Root-CA CPS] URL = OID = [certsrv_server] RenewalKeyLength = 2048 RenewalValidityPeriodUnits = 5 RenewalValidityPeriod = years CRLPeriodUnits = 5 CRLPeriod = days CRLOverlapUnits = 1 CRLOverlapPeriod = days CRLDeltaPeriodUnits = 12 CRLDeltaPeriod = hours DiscreteSignatureAlgorithm = 1")
7
Microsoft TechDayshttp://www.techdays.ru Предварительные задачи Публикации в AD сертификата и списка отзыва корневого УЦ Развертывание службы Запрос и получение сертификата Безопасный перенос данных с помощью защищенного носителя Выполнение доверенным персоналом
8
Microsoft TechDayshttp://www.techdays.ru Место размещения УЦ Место хранения ключевой информации Длина ключа Время жизни Место хранения БД и файлов журналов
9
Microsoft TechDayshttp://www.techdays.ru Настройка УЦ Готовим пост. установочный скрипт (что внутри?) Проверка корректности установки Защита УЦ
10
md C:\CertData certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%3%8%9.crl\n65 :C:\CertData\SUB- CA01%8%9.crl\n2:http://www.nwtraders.msft/pki/SUB- CA01%8%9.crl" certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n6: http://www.nwtraders.msft/pki/SUB-CA01%4.crt" ren %windir%\system32\CertSrv\CertEnroll\*.crt SUB- CA01.crt copy %windir%\system32\CertSrv\CertEnroll\SUB-CA01.crt C:\CertData
11
certutil -setreg CA\ValidityPeriodUnits 5 certutil -setreg CA\ValidityPeriod "Years" certutil -setreg CA\CRLPeriodUnits 5 certutil -setreg CA\CRLPeriod "Days" certutil -setreg CA\CRLDeltaPeriodUnits 12 certutil -setreg CA\CRLDeltaPeriod "Hours" certutil -setreg CA\CRLOverlapPeriod "Days" certutil -setreg CA\CRLOverlapUnits 1 certutil -setreg Policy\EnableRequestExtensionList +"2.5.29.32" Certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1
12
certutil -setreg CA\AuditFilter 127 certutil -setreg CA\DSConfig "CN=Configuration,DC=nwtraders,DC=msft" certutil -dspublish -f C:\CertData\SUB-CA01.crt Subca certutil -dspublish -f C:\CertData\SUB-CA01.crt NTAuthCA net stop certsvc && net start certsvc certutil -CRL
13
Microsoft TechDayshttp://www.techdays.ru Enterprise PKI (pkiview.msc)
14
Microsoft TechDayshttp://www.techdays.ru Леонид Шапиро MCT, MVP ЦКО «Специалист» www.specialist.ru
15
Microsoft TechDayshttp://www.techdays.ru
16
Резервное копирование Кластеризация
17
Microsoft TechDayshttp://www.techdays.ru Проектирование Capolicy.inf Развертывание службы Пост. установочный скрипт Обеспечение безопасности Отказоустойчивость PKI
18
Microsoft TechDayshttp://www.techdays.ru 2821 Designing and Managing a Windows Public Key Infrastructure 2823 Implementing and Administering Security in a Microsoft Windows Server 2003 Network Microsoft Press Brian Komar «Windows Server 2008 PKI and Certificate Security» http://www.microsoft.com/pki http://technet.microsoft.com/en-us/magazine/2009.05.pki.aspx http://www.windowsecurity.com/articles/Microsoft-PKI-Quick-Guide- Part1.html
19
Microsoft TechDayshttp://www.techdays.ru © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Similar presentations
