Creating and Managing Digital Certificates Chapter Eleven.


1 Creating and Managing Digital Certificates Chapter Eleven

2 Exam Objectives in this Chapter:  Configure Active Directory directory service for certificate publication.  Plan a public key infrastructure (PKI) that uses Certificate Services. Identify the appropriate type of certificate authority to support certificate issuance requirements. Plan the enrollment and distribution of certificates. Plan for the use of smart cards for authentication.

3 Lessons in this Chapter:  Introducing Certificates  Designing a Public Key Infrastructure  Managing Certificates

4 Certificates  To protect data and authenticate users and computers on the network, Windows Server 2003 includes the components needed to create a PKI.  To use them, we need to understand: Secret key encryption Public key encryption The contents of a certificate The function of a certification authority

5 The Public Key Infrastructure  A public key infrastructure is a collection of software components and operational policies that govern the distribution and use of public and private keys, using digital certificates.

6 Understanding Secret Key Encryption  Encryption, in its simplest form, is a system in which one character is substituted for another.  If you create a key specifying that the letter A should be replaced by Q, the letter B by O, the letter C by T, and so forth, any message you encode using that key can be decoded by anyone else who has that key.  This is called secret key (symmetric) encryption, because the same key both encrypts and decrypts, so it must be protected from compromise.  The character substitution is only an illustration; modern secret key algorithms such as AES transform blocks of bits rather than single characters, but the defining property is the same: whoever holds the key can read the traffic, and getting that key to the other party without an attacker intercepting it is the hard part.
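As an added example that is not part of the chapter, the following Go program shows secret key encryption as it is done on a network today, using AES-256-GCM from Go's standard library in place of the character substitution above. The same key must be held by both ends; a key that differs in even one bit fails to decrypt, which is exactly the key distribution problem that public key encryption (next slide) is introduced to solve. The message text and the key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// seal encrypts plaintext under a 32-byte secret key with AES-256-GCM. A fresh
// random nonce is drawn for every message and prepended to the ciphertext; the
// GCM authentication tag makes any later modification detectable on decryption.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open decrypts the output of seal. It succeeds only with the very same key and
// an unmodified ciphertext; a different key or a flipped bit fails authentication.
func open(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// secretKeyDemo encrypts a constructed message, then decrypts it with the right
// key and with a key that differs in a single bit. It returns the recovered text
// and whether the wrong key was rejected.
func secretKeyDemo() (string, bool, error) {
	key := make([]byte, 32) // the shared secret; in practice agreed out of band
	if _, err := rand.Read(key); err != nil {
		return "", false, err
	}
	wrongKey := append([]byte(nil), key...)
	wrongKey[0] ^= 0x01
	msg := []byte("attack at dawn") // constructed sample plaintext
	ct, err := seal(key, msg)
	if err != nil {
		return "", false, err
	}
	pt, err := open(key, ct)
	if err != nil {
		return "", false, err
	}
	_, wrongErr := open(wrongKey, ct)
	return string(pt), wrongErr != nil, nil
}

func main() {
	pt, rejected, err := secretKeyDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q; wrong key rejected: %v\n", pt, rejected)
}
```

GCM was chosen over a bare block cipher because it also authenticates the ciphertext: with a plain substitution (or AES in ECB mode) an attacker who cannot read the message can still alter it undetected.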

7 Public Key Encryption  For encryption on a data network to be both possible and practical, computers typically use a form of public key encryption.  In public key encryption, every user has two mathematically related keys, a public key and a private key.  Data encrypted with the public key can be decrypted only with the matching private key, so the public key can be handed to anyone while the private key never leaves its owner.  The relationship also works in the other direction: something signed with the private key can be verified by anyone holding the public key, which is the basis of digital signatures.

8 Note:  It is usually not practical to encrypt an entire message for the purpose of digitally signing it.  Instead, most PKI systems compute a hash of the message and then sign the hash (in RSA terms, encrypt it) using the private key.  A hash is a short, fixed-length digest of the message produced by a one-way hashing algorithm such as SHA-256; it is not made by removing bits from the message, and any change to the message, however small, produces a different hash.  The recipient recomputes the hash and uses the signer's public key to check it against the signature; a match proves both who signed the message and that it has not been altered since.
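Both uses of a key pair described on the two preceding slides, as an added Go example that is not part of the chapter: encryption to a public key that only the matching private key can undo, and hash-then-sign, where SHA-256 is computed over the message and only the 32-byte digest is signed with the private key. The messages are constructed for the example; the padding schemes (OAEP for encryption, PKCS#1 v1.5 for signatures) and the 2048-bit key size are assumptions, since the chapter names none.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// encryptFor encrypts a short message so that only the holder of the private
// key matching pub can read it (RSA-OAEP).
func encryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// decryptWith recovers a message produced by encryptFor using the private key.
func decryptWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// signMessage hashes msg with SHA-256 and signs only the 32-byte digest with
// the private key; the message itself is never encrypted.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifySignature recomputes the digest of msg and checks it against sig with
// the public key. It returns true only if msg is exactly what was signed.
func verifySignature(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// publicKeyDemo runs both uses of one key pair on constructed messages. It
// returns the decrypted text, whether the genuine message verifies, and whether
// a tampered copy verifies against the original signature.
func publicKeyDemo() (string, bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	pub := &priv.PublicKey // the part that would be published in a certificate

	// Confidentiality: anyone with pub can encrypt, only priv can decrypt.
	ct, err := encryptFor(pub, []byte("meet at noon")) // constructed message
	if err != nil {
		return "", false, false, err
	}
	pt, err := decryptWith(priv, ct)
	if err != nil {
		return "", false, false, err
	}

	// Authenticity: only priv can sign, anyone with pub can verify.
	order := []byte("pay 100 to account 4711") // constructed message
	sig, err := signMessage(priv, order)
	if err != nil {
		return "", false, false, err
	}
	genuine := verifySignature(pub, order, sig)
	tampered := verifySignature(pub, []byte("pay 900 to account 4711"), sig)
	return string(pt), genuine, tampered, nil
}

func main() {
	pt, genuine, tampered, err := publicKeyDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted %q; genuine verifies: %v; tampered verifies: %v\n", pt, genuine, tampered)
}
```

Changing a single character of the order changes its SHA-256 digest completely, so the signature computed over the original digest no longer matches; that is the property the note above relies on when it signs the hash rather than the message.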

9 Using Certificates  To distribute public keys, Windows Server 2003 and most other systems supporting a PKI use digital certificates.  A digital certificate is a document, signed by a certification authority, that verifiably associates a public key with a particular person, computer or organization.

10 Digital Certificate  Contains: The public key for a particular entity Information about the entity Information about the certification authority (CA) that issued the certificate The CA's digital signature over all of the above, which is what makes the binding verifiable

11 X.509  “The Directory: Public-key and Attribute Certificate Frameworks,” the ITU-T standard that defines the format of the certificates used by most PKI systems, including Windows Server 2003.  Every digital certificate contains these attributes:  Version  Serial number (unique per issuing CA; this is the value a revocation list refers to)  Signature algorithm identifier  Issuer name  Validity period  Subject name  Subject public key  Issuer's signature

12 Using Public Key Encryption  To use public key encryption, you must obtain a certificate from an administrative entity called a certification authority (CA).  A CA can be a third-party company that is trusted to verify the identities of all parties involved in a digital transaction, or it can be a piece of software on a computer running Windows Server 2003 or another operating system.

13 Obtaining a certificate from a CA  Two ways to obtain a certificate: manual or automatic enrollment.  In either case the public key and private key are generated as a matched pair on the requesting computer.  The private key is stored there in protected (encrypted) form and is not sent to the CA; the public key is sent in the request and comes back as part of the signed certificate.  (The exception is key archival, where an enterprise CA deliberately keeps an encrypted copy of the private key for later recovery.)

14 Using Internal and External CAs  For a certificate to be useful in securing a digital transaction, it must be issued by an authority that both parties to the transaction trust to verify each other's identities.  If you want to ensure that internal communications in your organization are secure, you are best served by installing your own CAs.  For securing external transactions, the best practice is to obtain certificates from a neutral third-party organization that functions as a commercial certification authority, because outside parties already trust its root certificate and have no reason to trust yours.

15 Understanding PKI Functions  Network administrators can perform the following tasks: Publish certificates Enroll clients Use certificates Renew certificates Revoke certificates

16 Practice:  Viewing a Certificate Page 11-7

17 Designing a Public Key Infrastructure  Defining Certificate Requirements Digital signatures Encrypting File System user and recovery certificates Internet authentication IP Security Secure e-mail Smart card logon Software code signing Wireless network authentication

18 Creating a CA Infrastructure  If you trust a particular root CA, you should also trust any lower-level CAs that are authenticated and validated by that root CA.  Trusts between CAs flow downward through the hierarchy, just as file system permissions do.  [Figure: Root CA, with trust flowing down to an Intermediate CA and then to an Issuing CA]

19 Using Internal or External CAs  The choice depends on the needs and capabilities of your organization.  The advantages and disadvantages of using internal and external CAs are summarized in Table 11-2.  Use internal CAs to secure internal communications, and external CAs when you must secure communications with outside parties, such as customers.

20 How Many CAs?  A single CA running on Windows Server 2003 can support as many as 35 million certificates, issuing two million or more a day, so raw capacity is rarely the limiting factor.  Factors that affect the performance of a CA, and therefore how many you need: Number and speed of processors Key length Disk performance

21 Creating a CA Hierarchy  Root CAs  Root CAs are the only CAs that do not have a certificate issued by a higher authority.  A root CA issues its own self-signed certificate, which functions as the top of the certificate chain for all the certificates issued by all the CAs subordinate to the root.  Because nothing vouches for a root except the decision to trust it, the root's certificate must reach clients through a trusted channel (in Active Directory, Group Policy or automatic publication by an enterprise root CA), and its private key must be guarded more carefully than any other key in the PKI.

22 Creating a CA Hierarchy cont.  Subordinate CAs  Every CA in a PKI is either a root CA or a subordinate CA.  A root CA is the parent that issues certificates to the subordinate CAs beneath it.  If a client trusts the root CA, it also trusts, by extension, all the subordinate CAs that have been issued certificates by the root CA.

23 Creating a CA Hierarchy cont.  Subordinate CAs can also issue certificates to other subordinate CAs.  Every certificate issued by every CA in the hierarchy can trace its trust relationships back to a root CA.  This sequence of certificates, from the end entity's certificate through each issuing CA's certificate up to the root, is called a certificate chain; a client validates a certificate by checking every signature in the chain and confirming that the chain ends at a root it trusts.

24 Understanding Windows Server 2003 CA Types  Enterprise Enterprise CAs are integrated into the Active Directory directory service.  They use certificate templates, publish their certificates and CRLs to Active Directory, and use the information in the Active Directory database to approve or deny certificate enrollment requests automatically.

25 Understanding Windows Server 2003 CA Types cont.  Stand-alone Stand-alone CAs do not use certificate templates or Active Directory; they store their information locally.  By default, stand-alone CAs do not automatically respond to certificate enrollment requests, as enterprise CAs do.  Requests wait in a queue for an administrator to manually approve or deny them.  Stand-alone CAs are intended for situations in which users outside the enterprise submit requests for certificates.

26 Smart Card Certificates  If you plan to use smart cards to authenticate users on your network, you must create enterprise CAs, because smart card logon certificates are issued from certificate templates, and only enterprise CAs use templates.

27 Exam Tip  Be sure to understand the differences between enterprise root CAs, enterprise subordinate CAs, stand-alone root CAs, and stand-alone subordinate CAs.

28 Configuring Certificates  Criteria to consider when planning certificate configurations are as follows: Certificate type Encryption key length and algorithm Certificate lifetime Renewal policies

29 Installing Certificate Services  Add/Remove Programs

30 Installing Certificate Services  Components for Certificate Services

31 Installing Certificate Services  Choose the CA Type

32 Installing Certificate Services  Information

33 Installing Certificate Services  Location of the Certificate Logs

34 Installing Certificate Services  Certificate Services will now install

35 Installing Certificate Services  Must have IIS installed to get the Web Enrollment Support pages; the CA service itself installs without IIS, but the wizard warns that web enrollment will not be available.

36 Practice:  Installing a Windows Server 2003 Certification Authority Page 11-16

37 Managing Certificates

38 Understanding Certificate Enrollment and Renewal  The actual process by which CAs issue certificates to clients varies, depending on the types of CAs you have installed.  If you have installed enterprise CAs, you can use auto-enrollment, in which the CA receives certificate requests from clients, evaluates them against the certificate template and the requester's permissions in Active Directory, and automatically determines whether to issue the certificate or deny the request.

39 Exam Tip  Be sure to understand the circumstances in which clients use auto-enrollment and manual enrollment, and be familiar with the Microsoft Management Console (MMC) snap-ins used to manage certificates and certification authorities.

41 Using Auto-Enrollment  Auto-enrollment enables clients to automatically request and receive certificates from a CA with no manual intervention from administrators.  To use auto-enrollment, you must have domain controllers running Windows Server 2003, an enterprise CA running on Windows Server 2003, and clients running Microsoft Windows XP Professional.  You control the auto-enrollment process using a combination of group policy settings and certificate templates.  Note that auto-enrollment of user and computer certificates requires version 2 certificate templates, which a CA can issue only when it runs on Windows Server 2003 Enterprise Edition or Datacenter Edition; an enterprise CA on Standard Edition cannot issue them.

42 Auto-Enrollment  In a GPO: the Autoenrollment Settings policy under Windows Settings, Security Settings, Public Key Policies (present under both Computer Configuration and User Configuration)

43 Using Manual Enrollment  Stand-alone CAs cannot use auto-enrollment, so when a stand-alone CA receives a certificate request from a client, it stores the request in a queue until an administrator decides whether to issue the certificate.

44 Manually Requesting Certificates  Using the Certificates Snap-in

45 Manually Requesting Certificates  Using Web Enrollment  To function properly, this module requires you to have IIS installed on the computer first, along with support for ASP (Active Server Pages); the pages are reached at http://servername/certsrv.  The Web Enrollment Support interface is intended to give internal or external network users, including computers that are not members of the domain and so cannot use the Certificates snap-in for enrollment, access to stand-alone CAs.

46 Revoking Certificates  If a private key is compromised, or an unauthorized user has gained access to the CA, or you want to reissue certificates using different parameters, such as longer keys, you must revoke the certificates that should no longer be trusted.  Revocation does not shorten a certificate's validity period; a revoked certificate is rejected only by clients that consult the CA's certificate revocation list (CRL).

47 Revoking Certificates  By selecting the Revoked Certificates folder in the Certification Authority console and then displaying its Properties dialog box, you can specify how often the CA should publish a new CRL, and also configure the CA to publish delta CRLs, which list only the certificates revoked since the last full (base) CRL and so can be published more often at little cost.  A revocation takes effect on a client only when that client obtains a CRL listing the certificate, and clients cache a CRL until its next update time, so the publication interval is the longest a revoked certificate can remain accepted.
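As an added Go example that is not from the chapter, the program below exercises three things from this chapter with the standard library's crypto/x509 package: the attributes listed on the X.509 slide, the certificate chain (root CA, issuing CA, user certificate) from the CA hierarchy slides, and revocation through a CRL from the two slides above. The CA names, serial numbers and user name are constructed; the chain check runs once with the issuing CA's certificate available and once without it, to show that a missing intermediate breaks validation even when the root is trusted. The CRL check is written as a relying party should do it: verify the CRL's signature with the issuing CA's certificate before believing its contents. Key size and validity periods are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a certificate holder; a CA keeps its key to sign children and CRLs.
type entity struct {
	cert *x509.Certificate
	key  *rsa.PrivateKey
}

// check aborts the demo on key-generation or encoding errors, which it cannot recover from.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a key pair and a certificate for cn. With issuer == nil the
// certificate is self-signed (a root CA); otherwise the issuer's key signs it.
func issue(serial int64, cn string, isCA bool, issuer *entity) *entity {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA certificate must be permitted to sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &entity{cert: cert, key: key}
}

// describe lists the X.509 attributes every certificate carries.
func describe(c *x509.Certificate) string {
	return fmt.Sprintf("v%d serial=%d sigalg=%s issuer=%q valid=%s..%s subject=%q",
		c.Version, c.SerialNumber, c.SignatureAlgorithm, c.Issuer.CommonName,
		c.NotBefore.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339), c.Subject.CommonName)
}

// chainValid builds the path from leaf to the trusted root. The intermediate is
// supplied separately (or not at all), as a peer presents it during a handshake.
func chainValid(leaf, root, inter *x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	if inter != nil {
		opts.Intermediates.AddCert(inter)
	}
	_, err := leaf.Verify(opts)
	return err == nil
}

// revokedByCRL has issuer publish a CRL listing serial, then verifies the CRL's
// signature and looks the serial up, as a relying party would.
func revokedByCRL(issuer *entity, serial *big.Int) bool {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}}}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer.cert, issuer.key)
	check(err)
	crl, err := x509.ParseRevocationList(der)
	check(err)
	check(crl.CheckSignatureFrom(issuer.cert)) // an unsigned or forged CRL proves nothing
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

// pkiDemo builds root CA -> issuing CA -> user (names constructed) and reports the
// user certificate's attributes, whether its chain validates with and without the
// intermediate, and whether it appears on the issuing CA's CRL once revoked.
func pkiDemo() (leaf string, withInter, withoutInter, revoked bool) {
	root := issue(1, "Example Root CA", true, nil)
	issuing := issue(2, "Example Issuing CA", true, root)
	user := issue(1001, "alice", false, issuing)
	withInter = chainValid(user.cert, root.cert, issuing.cert)
	withoutInter = chainValid(user.cert, root.cert, nil)
	revoked = revokedByCRL(issuing, user.cert.SerialNumber)
	return describe(user.cert), withInter, withoutInter, revoked
}

func main() {
	leaf, withInter, withoutInter, revoked := pkiDemo()
	fmt.Printf("%s\nchain valid with intermediate: %v, without: %v, revoked: %v\n",
		leaf, withInter, withoutInter, revoked)
}
```

Run it with go run; the three 2048-bit key generations take about a second. On a Windows client the same steps happen inside CryptoAPI: the root is trusted because its certificate sits in the Trusted Root Certification Authorities store, the issuing CA's certificate is found in the Intermediate Certification Authorities store or in Active Directory, and the CRL is fetched from the CRL distribution point named in the certificate.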

48 Practice:  Requesting a Certificate Exercise 1: Requesting a Certificate Exercise 2: Issuing a Certificate  Page 11-26 Exercise 3: Retrieving a Certificate Exercise 4: Viewing a Certificate  Page 11-27

49 Summary  Case Scenario Exercise Page 11-29  Troubleshooting Lab Page 11-30  Exam Highlights Key Points Key Terms  Page 11-32

