Configuring Active Directory Certificate Services Lesson 13.


1 Configuring Active Directory Certificate Services Lesson 13

2 Skills Matrix
Technology Skill                                  | Objective Domain                               | Objective #
Installing Active Directory Certificate Services  | Install Active Directory Certificate Services  | 6.1
Configuring CA Server Settings                    | Configure CA server settings                   | 6.2
Configuring Certificate Templates                 | Manage certificate templates                   | 6.3

3 Skills Matrix (cont.)
Technology Skill                                  | Objective Domain                               | Objective #
Managing Certificate Enrollments                  | Manage enrollments                             | 6.4
Configuring Certificate Revocation                | Manage certificate revocations                 | 6.5

4 Lesson 13 Installing Active Directory Certificate Services Log on to the CA member server as the default administrator of the lucernepublishing.com domain. If the Server Manager console does not appear automatically, click the Start button. Select Server Manager from the Start menu.

5 Lesson 13 Installing Active Directory Certificate Services (cont.) Expand the Server Manager console to full screen, if necessary. In the left pane, click the Roles node. In the right pane, click Add Role. Click Next to bypass the initial welcome screen.

6 Lesson 13 Installing Active Directory Certificate Services (cont.) Place a checkmark next to Active Directory Certificate Services, and click Next. Read the information presented, and click Next. Place a checkmark next to Certification Authority, and click Next. Select the Enterprise radio button, and click Next.

7 Lesson 13 Installing Active Directory Certificate Services (cont.) Select the Root CA type radio button, and click Next. Select the Create a new private key radio button, and click Next. Accept the default values, and click Next. Accept the default value, and click Next.

8 Lesson 13 Installing Active Directory Certificate Services (cont.) Accept the default value of 5 years, and click Next. Accept the default values, and click Next. Verify that your selections are correct, and click Install. Click Close to complete the installation.
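The wizard choices on slides 4 to 8 as a script, added here as an example and not part of the lesson: it uses the ADCSDeployment module that ships with Windows Server 2012 and later (the 2008 Add Roles wizard has no cmdlet equivalents), and assumes the CA common name lucernepublishing-CA-CA that the lesson's tree shows; 2048-bit RSA with SHA-256 is our choice where the lesson says to accept the defaults.

```powershell
# Added example (not the lesson's own steps). Run elevated on the future CA server,
# logged on as a domain administrator of lucernepublishing.com.

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

$caParams = @{
    CAType              = 'EnterpriseRootCA'   # Enterprise radio button + Root CA radio button
    CACommonName        = 'lucernepublishing-CA-CA'   # assumed: the name the lesson uses
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'  # create a new private key
    KeyLength           = 2048                 # our choice for "accept the default values"
    HashAlgorithmName   = 'SHA256'             # our choice; the 2008 wizard default differs
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5                    # the 5-year default on slide 8
    Force               = $true                # no confirmation prompt
}
Install-AdcsCertificationAuthority @caParams

# Checks worth running before the OCSP and template work that follows
Get-Service CertSvc | Select-Object Status, StartType     # expect Running / Automatic
certutil -cainfo type                                     # expect "Enterprise Root CA"
certutil -ping                                            # the CA RPC interface answers

# An enterprise CA must be registered in AD, or autoenrolling clients will not find it
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
    Select-Object Name, dNSHostName
```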

9 Lesson 13 Configuring Certificate Revocation. Part A: Install the Online Responder. Log on to CA as the default administrator of the lucernepublishing.com domain. Click the Start button, and then select Server Manager. Drill down to Roles → Active Directory Certificate Services.

10 Lesson 13 Configuring Certificate Revocation (cont.) Right-click Active Directory Certificate Services, and select Add Role Services. Place a checkmark next to Online Responder. Click Add Required Role Services, and then click Next to continue. Read the informational message concerning the installation of the Web Server role, and click Next.

11 Lesson 13 Configuring Certificate Revocation (cont.) Accept the default IIS features to install, and click Next. Click Install to install the Online Responder role service. Click Close when prompted.

12 Lesson 13 Configuring Certificate Revocation (cont.) Part B: Configure the CA to support the Online Responder. In the left pane within Server Manager, drill down to Roles → Active Directory Certificate Services → Certificate Templates.

13 Lesson 13 Configuring Certificate Revocation (cont.) Right-click the OCSP Response Signing template. Click Properties. Click the Security tab, and click Add. Click Object Types.

14 Lesson 13 Configuring Certificate Revocation (cont.) Place a checkmark next to Computers, and then click OK. Key CA, and then click OK. Place a checkmark next to Enroll and Autoenroll in the Allow column, and then click OK.

15 Lesson 13 Configuring Certificate Revocation (cont.) Drill down to Roles → Active Directory Certificate Services → lucernepublishing-CA-CA → Certificate Templates. Right-click the Certificate Templates folder, and click New → Certificate Template to Issue. Select the OCSP Response Signing certificate template, and click OK.

16 Lesson 13 Configuring Certificate Revocation (cont.) Part C: Establish a revocation configuration for the Certification Authority. In the left pane of Server Manager, navigate to Roles → Active Directory Certificate Services → Online Responder: CA → Revocation Configuration. Right-click Revocation Configuration, and click Add Revocation Configuration.

17 Lesson 13 Configuring Certificate Revocation (cont.) Read the information on the Getting Started screen, and then click Next. Key LUCERNEPUBLISHING-CA-REV, and click Next. Verify that the Select a certificate for an Existing enterprise CA radio button is selected, and then click Next.

18 Lesson 13 Configuring Certificate Revocation (cont.) Verify that the Browse CA certificates published in Active Directory screen option is selected, and then click Browse. Confirm that the lucernepublishing-CA-CA certificate is selected, and then click OK. Click Next to continue.

19 Lesson 13 Configuring Certificate Revocation (cont.) Verify that the Automatically select a signing certificate radio button is selected. Verify that a checkmark is next to Auto-enroll for an OCSP signing certificate. Click Next, and then click Finish to configure the revocation configuration.

20 Lesson 13 Configuring Certificate Revocation (cont.) Navigate to lucernepublishing-CA-CA  Issued Certificates. Confirm that an OCSP Response Signing Certificate has been issued to the certification authority.
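Parts A and B above, plus the slide 20 check, as a script. This is an added example, not the lesson's own steps: it needs the ADCSDeployment and ActiveDirectory modules (Windows Server 2012 or later) and assumes, as the lesson does, that the CA server is the domain member named CA (computer account CA$) and also hosts the Online Responder.

```powershell
# Added example (not the lesson's own steps). Run elevated on the CA server.

# Part A: Online Responder role service (pulls in the IIS features it requires)
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force

# Part B, slides 13-14: grant the CA computer account Enroll and Autoenroll on the
# "OCSP Response Signing" template (its object name in AD is OCSPResponseSigning).
Import-Module ActiveDirectory
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acct       = "$((Get-ADDomain).NetBIOSName)\CA`$"        # assumed: the CA's computer account
dsacls $templateDN /G "${acct}:CA;Certificate-Enrollment"
dsacls $templateDN /G "${acct}:CA;Certificate-AutoEnrollment"

# Part B, slide 15: publish the template on the CA (New > Certificate Template to Issue)
certutil -SetCATemplates +OCSPResponseSigning
certutil -CATemplates | Select-String OCSPResponseSigning   # confirm it is now listed

# Slide 20 check. After the revocation configuration of Part C is created with
# "Auto-enroll for an OCSP signing certificate", the responder's signing certificate
# is issued into the machine Personal store; trigger autoenrollment instead of waiting.
certutil -pulse
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'OCSP Signing' } |
    Select-Object Subject, NotAfter, Thumbprint
```

The last command should list exactly one certificate issued by lucernepublishing-CA-CA; if it lists none, check Issued Certificates on the CA for a failed OCSPResponseSigning request before touching the revocation configuration again.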

21 Lesson 13 Configuring Certificate Templates Log on to CA as the default administrator of the lucernepublishing.com domain. Click Start, and then select Server Manager. In the left pane, expand the Roles node, the Active Directory Certificate Services node, and the Certificate Templates node.

22 Lesson 13 Configuring Certificate Templates (cont.) To create a new certificate template to allow user autoenrollment, right-click the User template. Click Duplicate Template. Select Windows Server 2008, Enterprise Edition, and click OK.

23 Lesson 13 Configuring Certificate Templates (cont.) On the General tab, key LUCERNEPUBLISHING-User-Cert in the Template Display Name text box. Verify that a checkmark is next to the Publish certificate in Active Directory option.

24 Lesson 13 Configuring Certificate Templates (cont.) Click the Security tab. Click Domain Users, and then place a checkmark next to Read, Enroll, and Autoenroll. Click the Subject Name tab. Remove the checkmark next to the Include e-mail name in subject name option.

25 Lesson 13 Configuring Certificate Templates (cont.) In the Include this information in the alternate subject name section, remove the checkmark next to E-mail name. Click the Superseded Templates tab, and click Add. Select the built-in User certificate template, and then click OK twice to continue.

26 Lesson 13 Configuring Certificate Templates (cont.) Right-click the Computer template, and click Duplicate Template. Select Windows Server 2008, Enterprise Edition, and click OK. On the General tab, key LUCERNEPUBLISHING-Computer-Cert in the Template Display Name text box.

27 Lesson 13 Configuring Certificate Templates (cont.) Verify that a checkmark is next to the Publish certificate in Active Directory option. Click the Security tab. Click Domain Computers, and then place a checkmark next to Read, Enroll, and Autoenroll.

28 Lesson 13 Configuring Certificate Templates (cont.) Click the Superseded Templates tab, and click Add. Select the built-in Computer certificate template, and then click OK twice to continue. Right-click the Web server template, and click Duplicate Template.

29 Lesson 13 Configuring Certificate Templates (cont.) Select Windows Server 2008, Enterprise Edition, and click OK. On the General tab, key LUCERNEPUBLISHING-WebServer-Cert in the Template Display Name text box. Verify that a checkmark is next to the Publish certificate in Active Directory option.

30 Lesson 13 Configuring Certificate Templates (cont.) Click the Security tab, and click Add. Click Object Types. Place a checkmark next to Computers, and then click OK. Key CA, and then click OK.

31 Lesson 13 Configuring Certificate Templates (cont.) Place a checkmark next to Enroll and Autoenroll in the Allow column. Click the Superseded Templates tab, and click Add. Select the built-in Web Server certificate template, and then click OK twice to continue.

32 Lesson 13 Configuring Certificate Templates (cont.) Drill down to Roles → Active Directory Certificate Services → lucernepublishing-CA-CA → Certificate Templates. Right-click the Certificate Templates folder, and click New → Certificate Template to Issue.

33 Lesson 13 Configuring Certificate Templates (cont.) Click LUCERNEPUBLISHING-User-Cert, and click OK. Repeat the previous two steps to configure the CA to issue the LUCERNEPUBLISHING-Computer-Cert and LUCERNEPUBLISHING-WebServer-Cert certificate templates.
```
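A read-back check of the three templates built on slides 21 to 33, added here as an example and not part of the lesson: it reads the template objects from the Configuration partition and reports whether each is published on lucernepublishing-CA-CA, whether "Publish certificate in Active Directory" is set, which template it supersedes, and which principals hold Enroll or Autoenroll. It needs the ActiveDirectory module and assumes the template names and CA name used in the lesson; the flag bits and rights GUIDs are the documented MS-CRTD / AD values.

```powershell
# Added example (not the lesson's own steps): audit the lesson's templates after publishing.
Import-Module ActiveDirectory
$configNC   = (Get-ADRootDSE).configurationNamingContext
$tmplBase   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caDN       = "CN=lucernepublishing-CA-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
$autoGuid   = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment right
$published  = (Get-ADObject $caDN -Properties certificateTemplates).certificateTemplates

foreach ($name in 'LUCERNEPUBLISHING-User-Cert', 'LUCERNEPUBLISHING-Computer-Cert',
                  'LUCERNEPUBLISHING-WebServer-Cert') {
    $t = Get-ADObject -SearchBase $tmplBase `
            -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$name))" `
            -Properties cn, 'msPKI-Enrollment-Flag', 'msPKI-Certificate-Name-Flag', 'msPKI-Supersede-Templates'
    if (-not $t) { Write-Warning "$name not found in $tmplBase"; continue }

    # Security tab: Allow entries for the Enroll and Autoenroll extended rights
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $rights = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -in $enrollGuid, $autoGuid } |
        ForEach-Object {
            $kind = if ($_.ObjectType -eq $autoGuid) { 'Autoenroll' } else { 'Enroll' }
            "$($_.IdentityReference) ($kind)"
        }

    [pscustomobject]@{
        Template           = $name
        PublishedOnCA      = $published -contains $t.cn                    # slides 32-33
        PublishToAD        = [bool]($t.'msPKI-Enrollment-Flag' -band 0x8)   # General tab checkbox
        SubjectFromRequest = [bool]($t.'msPKI-Certificate-Name-Flag' -band 0x1)  # Subject Name tab
        Supersedes         = $t.'msPKI-Supersede-Templates' -join ', '     # Superseded Templates tab
        EnrollRights       = $rights -join '; '
    }
}
```

For the User and Computer templates SubjectFromRequest should be False (the subject is built from Active Directory); review any Enroll or Autoenroll entry that names a principal the lesson did not add.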

34 Lesson 13 Managing Certificate Enrollment Part A: Configure Certificate Autoenrollment in the LUCERNEPUBLISHING.COM domain Log on to RWDC01 as the default administrator of the lucernepublishing.com domain. Click the Start button, Administrative Tools, and then Group Policy Management.

35 Lesson 13 Managing Certificate Enrollment (cont.) Drill down to Forest: lucernepublishing.com → Domains → Domain: lucernepublishing.com → Group Policy Objects → Default Domain Policy. Right-click the Default Domain Policy, and then click Edit.

36 Lesson 13 Managing Certificate Enrollment (cont.) Drill down to the following node: User Configuration → Policies → Windows Settings → Security Settings → Public Key Policies. In the right pane, double-click Certificate Services Client – Auto-Enrollment. In the Configuration model dropdown box, select Enabled.

37 Lesson 13 Managing Certificate Enrollment (cont.) Place a checkmark next to the following items: Renew expired certificates, update pending certificates, and remove revoked certificates; Update certificates that use certificate templates. Click OK.

38 Lesson 13 Managing Certificate Enrollment (cont.) Drill down to the following node: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies. In the right pane, double-click Certificate Services Client – Auto-Enrollment. In the Configuration model dropdown box, select Enabled.

40 Lesson 13 Managing Certificate Enrollment (cont.) Place a checkmark next to the following items: Renew expired certificates, update pending certificates, and remove revoked certificates; Update certificates that use certificate templates. Click OK, and then close the Group Policy Management Editor.

41 Lesson 13 Managing Certificate Enrollment (cont.) Open a command-prompt window. Key gpupdate /force, and then close the command-prompt window. Log on to CA as the default administrator of the lucernepublishing.com domain.

42 Lesson 13 Managing Certificate Enrollment (cont.) Open a command-prompt window. Key gpupdate /force, and then close the command-prompt window. Reboot the CA computer to force both user and computer autoenrollment to take place.
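The Part A autoenrollment policy edits of slides 34 to 42 as a script, added here as an example and not part of the lesson: it writes the same two Auto-Enrollment settings into the Default Domain Policy with the GroupPolicy module (Windows Server 2008 R2 and later) instead of the Group Policy Management Editor, then verifies on the CA that certificates from the lesson's templates arrived. It assumes AEPolicy = 7 is the registry form of "Enabled" with both checkboxes set, which is what the editor itself writes.

```powershell
# Added example (not the lesson's own steps). Run on RWDC01 as a domain administrator.
Import-Module GroupPolicy
$gpo = 'Default Domain Policy'
$key = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# Slides 36-37: User Configuration > ... > Public Key Policies >
# Certificate Services Client - Auto-Enrollment = Enabled, both boxes checked
Set-GPRegistryValue -Name $gpo -Key "HKCU\$key" -ValueName AEPolicy -Type DWord -Value 7
# Slides 38-40: the same setting under Computer Configuration
Set-GPRegistryValue -Name $gpo -Key "HKLM\$key" -ValueName AEPolicy -Type DWord -Value 7

# Read back what the GPO now carries (0x8000 would mean Disabled)
Get-GPRegistryValue -Name $gpo -Key "HKLM\$key" -ValueName AEPolicy | Select-Object Value
Get-GPRegistryValue -Name $gpo -Key "HKCU\$key" -ValueName AEPolicy | Select-Object Value

# Slides 41-42, on the CA server: refresh policy and trigger the autoenrollment
# task for machine and user instead of rebooting, then look for certificates that
# carry one of the LUCERNEPUBLISHING-* template names.
gpupdate /force
certutil -pulse           # machine autoenrollment
certutil -user -pulse     # user autoenrollment for the logged-on administrator
certutil -store My       | Select-String 'Subject:|Template'
certutil -user -store My | Select-String 'Subject:|Template'
```

If no LUCERNEPUBLISHING-* template appears in either store, check that the account holds Autoenroll on the template (slide 24 or 27) and that the template is listed by certutil -CATemplates on the CA.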

43 Lesson 13 Managing Certificate Enrollment (cont.) Part B: Install the Certification Authority Web Enrollment role service Log on to CA as the default administrator of the lucernepublishing.com domain. Click the Start button, and then select Server Manager.

44 Lesson 13 Managing Certificate Enrollment (cont.) Drill down to Roles → Active Directory Certificate Services. Right-click Active Directory Certificate Services, and select Add Role Services. Place a checkmark next to Certification Authority Web Enrollment.

45 Lesson 13 Managing Certificate Enrollment (cont.) Click Add Required Role Services. Click Next to continue. Read the informational message concerning the installation of the Web Server role, and click Next.

46 Lesson 13 Managing Certificate Enrollment (cont.) Accept the default IIS features to install, and click Next. Click Install to install the Certification Authority Web Enrollment role service. Click Close when prompted.

47 Lesson 13 Managing Certificate Enrollment (cont.) Part C: Request a Web Server Certificate for the CA IIS installation Click the Start button. Click Administrative tools, and then select Internet Information Services (IIS) Manager. In the left pane, double-click the CA node.

48 Lesson 13 Managing Certificate Enrollment (cont.) Scroll down to the IIS section, and double-click the Server Certificates icon. In the right pane, click Create Domain Certificate. Enter the appropriate information as prompted, and click Next.

49 Lesson 13 Managing Certificate Enrollment (cont.) Click Select next to the Specify Online Certification Authority text box. Click lucernepublishing-CA-CA, and click OK. In the Friendly Name text box, key ca.lucernepublishing.com. Click Finish.

50 Lesson 13 Managing Certificate Enrollment (cont.) Part D: Enable Secure Connections to the CA IIS server In the left pane of IIS Manager, expand the Sites node. Right-click Default Web Site, and click Edit Bindings. Click Add.

51 Lesson 13 Managing Certificate Enrollment (cont.) In the Type dropdown box, select https. In the SSL Certificate dropdown box, select ca.lucernepublishing.com. Click OK, and then click Close.

52 Lesson 13 Managing Certificate Enrollment (cont.) In the left pane of IIS Manager, drill down to the Default Web Site → CertSrv node. Double-click CertSrv. In the middle pane in the IIS section, double-click SSL Settings. Place a checkmark next to Require SSL, and then click Apply in the Action pane.
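Parts B to D of slides 43 to 52 as a script, added here as an example and not part of the lesson: it uses the ADCSDeployment, PKI and WebAdministration modules (Windows Server 2012 or later; the 2008 wizards have no cmdlet equivalents) and assumes the CA server's FQDN is ca.lucernepublishing.com and that the lesson's LUCERNEPUBLISHING-WebServer-Cert template is published and enrollable by the CA's computer account.

```powershell
# Added example (not the lesson's own steps). Run elevated on the CA server.

# Part B: Certification Authority Web Enrollment role service (plus required IIS features)
Install-WindowsFeature ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsWebEnrollment -Force

# Part C: request the web server certificate from the enterprise CA (slides 47-49)
$fqdn = 'ca.lucernepublishing.com'                    # assumed FQDN of the CA server
$req  = Get-Certificate -Template 'LUCERNEPUBLISHING-WebServer-Cert' `
            -SubjectName "CN=$fqdn" -DnsName $fqdn -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') { throw "Certificate request not issued: $($req.Status)" }
$cert = Get-Item "Cert:\LocalMachine\My\$($req.Certificate.Thumbprint)"
$cert.FriendlyName = $fqdn                            # the Friendly Name keyed on slide 49

# Part D: https binding on Default Web Site with that certificate (slides 50-51)
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# Slide 52: Require SSL on the CertSrv application only, leaving the rest of the site alone
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site/CertSrv' `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Checks: both bindings exist, and CertSrv reports sslFlags = Ssl (plain http gets 403.4)
Get-WebBinding -Name 'Default Web Site' | Select-Object protocol, bindingInformation
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site/CertSrv' `
    -Filter 'system.webServer/security/access' -Name sslFlags
```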

53 Lesson 13 Maintaining a Windows Server 2008 CA. CA roles: CA Administrator, Certificate Managers, Backup Operators, Auditors.

54 Lesson 13 You Learned The Active Directory Certificate Services (AD CS) role in Windows Server 2008 is a component within Microsoft's larger Identity Lifecycle Management (ILM) strategy. The role of AD CS in ILM is to provide services for managing a Windows public key infrastructure (PKI) for authentication and authorization of users and devices.

55 Lesson 13 You Learned (cont.) A PKI allows two parties to communicate securely, without any previous communication with each other, through the use of a mathematical algorithm called public key cryptography. PKI certificates are managed through certificate authorities that are hierarchical, which means that many subordinate CAs within an organization can chain upward to a single root CA.

56 Lesson 13 You Learned (cont.) Certificate templates are used by a certificate authority to simplify the administration and issuance of digital certificates. A Certificate Revocation List (CRL) identifies certificates that have been revoked or terminated.

57 Lesson 13 You Learned (cont.) Autoenrollment is a feature of PKI that is supported by Windows Server 2003 and later, which allows users and computers to automatically enroll for certificates based on one or more certificate templates, as well as using Group Policy settings in Active Directory. Key archival is the process by which private keys are maintained by the CA for retrieval by a recovery agent.

58 Lesson 13 You Learned (cont.) Web enrollment enables users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date CRL. The Network Device Enrollment Service (NDES) enables network devices to enroll for certificates within a Windows Server 2008 PKI using the Simple Certificate Enrollment Protocol (SCEP).

59 Lesson 13 You Learned (cont.) When deploying a Windows-based PKI, two different types of CAs can be deployed: enterprise CAs and standalone CAs. A standalone CA is not integrated with Active Directory and relies on administrator intervention to respond to certificate requests.

60 Lesson 13 You Learned (cont.) An enterprise CA integrates with Active Directory. It can use certificate templates as well as Group Policy Objects to allow autoenrollment of digital certificates, as well as storing digital certificates within the Active Directory database for easy retrieval by users and devices.
