copyright line. configuring certificate services and pki exam objectives planning a windows server...

Copyright line.

Configuring Certificate Services and Configuring Certificate Services and PKIPKI

Exam ObjectivesExam Objectives

Planning a Windows Server 2008 Planning a Windows Server 2008 Certificate-Based Certificate-Based PKIPKIImplementing Certification AuthoritiesImplementing Certification AuthoritiesPlanning Enrollment and Distribution of Planning Enrollment and Distribution of CertificatesCertificates

Copyright line. Slide 2

Planning a Windows Server Planning a Windows Server 2008 Certificate-Based PKI2008 Certificate-Based PKI

A PKI combines public key cryptography with digital certificates A PKI combines public key cryptography with digital certificates to create a secure environment where network traffic such as to create a secure environment where network traffic such as authentication packets can travel safely.authentication packets can travel safely.

Public keys and private keys always come in pairs. If the public Public keys and private keys always come in pairs. If the public key is used to encrypt data, only the matching private key can key is used to encrypt data, only the matching private key can decrypt it.decrypt it.

When public key-encrypted data is encrypted again by a private When public key-encrypted data is encrypted again by a private key, that private key encryption is called a digital signature.key, that private key encryption is called a digital signature.

Digital signatures provided by ordinary users aren’t very Digital signatures provided by ordinary users aren’t very trustworthy, so a trusted authority is needed to provide them. trustworthy, so a trusted authority is needed to provide them. The authority (which can be Windows-based) issues The authority (which can be Windows-based) issues certificates, which are basically digitally signed containers for certificates, which are basically digitally signed containers for public keys and other information.public keys and other information.

Certificates are used to safely exchange public keys, and Certificates are used to safely exchange public keys, and provide the basis for applications such as IPSec, EFS, and provide the basis for applications such as IPSec, EFS, and smart card authentication. smart card authentication.


Implementing Certification Implementing Certification AuthoritiesAuthorities

Certificate needs are based on which applications and communications Certificate needs are based on which applications and communications an organization uses and how secure they need to be. Based on these an organization uses and how secure they need to be. Based on these needs, CAs are created by installing certificate services and are managed needs, CAs are created by installing certificate services and are managed using the Certification Authority snap-in.using the Certification Authority snap-in.

A CA hierarchy is structured with a root and one or more level of A CA hierarchy is structured with a root and one or more level of subordinates—three levels are common. The bottom level of subordinates subordinates—three levels are common. The bottom level of subordinates issues certificates. The intermediate level controls policies.issues certificates. The intermediate level controls policies.

Enterprise CAs require and use Active Directory to issue certificates, Enterprise CAs require and use Active Directory to issue certificates, often automatically. Stand-alone CAs can be more secure, and need an often automatically. Stand-alone CAs can be more secure, and need an administrator to manually issue or deny certificate requests.administrator to manually issue or deny certificate requests.

CAs need to be backed up consistently and protected against attacks. CAs need to be backed up consistently and protected against attacks. Keys can be archived and later retrieved if they are lost. This is a new Keys can be archived and later retrieved if they are lost. This is a new feature for Windows Server 2008.feature for Windows Server 2008.

CAs can revoke as well as issue certificates. Once a certificate is CAs can revoke as well as issue certificates. Once a certificate is revoked, it needs to be published to a CRL distribution point. Clients revoked, it needs to be published to a CRL distribution point. Clients check the CRL periodically before they can trust a certificate. check the CRL periodically before they can trust a certificate.


Planning Enrollment and Planning Enrollment and Distribution of CertificatesDistribution of Certificates

Templates control how a CA acts when handed a request, and Templates control how a CA acts when handed a request, and how to issue certificates. There are a quite a few built-in how to issue certificates. There are a quite a few built-in templates, or you can create your own using the Certificate templates, or you can create your own using the Certificate Template snap-in. Templates must be enabled before a CA can Template snap-in. Templates must be enabled before a CA can use them. use them.

Certificates can be requested with the Certificates snap-in or by Certificates can be requested with the Certificates snap-in or by using Internet Explorer and pointing to using Internet Explorer and pointing to http://servername/certsrvhttp://servername/certsrv on the CA.on the CA.

Machine and user certificates can be requested with no user Machine and user certificates can be requested with no user intervention requirement by using autoenrollment. intervention requirement by using autoenrollment. Autoenrollment for user certificates is new to Windows Server Autoenrollment for user certificates is new to Windows Server 2008.2008.

Role-based administration is recommended for larger Role-based administration is recommended for larger organizations. Different users can be assigned permissions organizations. Different users can be assigned permissions relative to their positions, such as certificate manager. relative to their positions, such as certificate manager.


FAQFAQ

Q: In what format do CAs issue certificates?Q: In what format do CAs issue certificates? A: Microsoft certificate services use the standard A: Microsoft certificate services use the standard

X.509 specifications for issued certificates and X.509 specifications for issued certificates and the Public Key Cryptography Standard (PKCS) the Public Key Cryptography Standard (PKCS) #10 standard for certificate requests. The PKCS #10 standard for certificate requests. The PKCS #7 certificate renewal standard is also supported. #7 certificate renewal standard is also supported. Windows Server 2003 also supports other Windows Server 2003 also supports other formats, such as PKCS #12, DER encoded binary formats, such as PKCS #12, DER encoded binary X.509, and Base64 Encoded X.509, for exporting X.509, and Base64 Encoded X.509, for exporting certificates to computers running non-Windows certificates to computers running non-Windows operating systems.operating systems.


FAQFAQ

Q: If certificates are so important in a PKI, why Q: If certificates are so important in a PKI, why don’t I see more of them?don’t I see more of them?

A: Many portions of a Windows PKI are hidden to A: Many portions of a Windows PKI are hidden to the end user. Thanks to features such as the end user. Thanks to features such as autoenrollment, some PKI transactions can be autoenrollment, some PKI transactions can be completely done by the operating system. Most completely done by the operating system. Most of the work in implementing a PKI comes in the of the work in implementing a PKI comes in the planning and design phase. Operations such as planning and design phase. Operations such as encrypting data via EFS use certificates, but the encrypting data via EFS use certificates, but the user does not “see” or manually handle the user does not “see” or manually handle the certificates.certificates.


FAQFAQ

Q: I’ve heard that I can’t take my laptop overseas Q: I’ve heard that I can’t take my laptop overseas because it uses EFS. Is this true? because it uses EFS. Is this true?

A: Maybe. The backbone of any PKI-enabled A: Maybe. The backbone of any PKI-enabled application such as EFS is encryption. Although application such as EFS is encryption. Although the U.S. government now permits the exporting of the U.S. government now permits the exporting of “high encryption” standards, some countries still “high encryption” standards, some countries still do not allow their import. The Windows Server 2008 do not allow their import. The Windows Server 2008 PKI can use high encryption, and so the actual PKI can use high encryption, and so the actual answer depends on the country in question. For answer depends on the country in question. For information on the cryptographic import and export information on the cryptographic import and export policies of a number of countries, see policies of a number of countries, see http://www.rsasecurity.com/rsalabs/faq/6-5-1.html.http://www.rsasecurity.com/rsalabs/faq/6-5-1.html.


FAQFAQ

Q: Can I create my own personal digital signature Q: Can I create my own personal digital signature and use it instead of a CA?and use it instead of a CA?

A: Not if you need security. The purposes behind A: Not if you need security. The purposes behind digital signatures are privacy and security, and a digital signatures are privacy and security, and a digital signature at first glance seems to fit the digital signature at first glance seems to fit the bill. The problem, however, is not the signature bill. The problem, however, is not the signature itself, but the lack of trust in a recipient. itself, but the lack of trust in a recipient. Impersonations become a looming security risk if Impersonations become a looming security risk if you can’t guarantee that the digital signatures you can’t guarantee that the digital signatures you receive came from the people with whom you receive came from the people with whom they were supposed to have originated. For this they were supposed to have originated. For this reason, a certificate issued by a trusted third reason, a certificate issued by a trusted third party provides the most secure authentication.party provides the most secure authentication.


FAQFAQ

Q: Can I have a CA hierarchy that is five Q: Can I have a CA hierarchy that is five levels deep?levels deep?

A: Yes, but that’s probably overkill for A: Yes, but that’s probably overkill for most networks. Microsoft’s three-tier most networks. Microsoft’s three-tier model of root, intermediate, and issuing model of root, intermediate, and issuing CAs will more than likely meet your CAs will more than likely meet your requirements. Remember that your requirements. Remember that your hierarchy can be wide instead of deep.hierarchy can be wide instead of deep.


FAQFAQ

Q: Do I have to have more than one CA?Q: Do I have to have more than one CA? A: No. Root CAs have the ability to issue A: No. Root CAs have the ability to issue

all types of certificates and can assume all types of certificates and can assume responsibility for your entire network. In a responsibility for your entire network. In a small organization, a single CA might be small organization, a single CA might be sufficient for your purposes. For a larger sufficient for your purposes. For a larger organization, however, this structure organization, however, this structure would not be suitable.would not be suitable.


FAQFAQ

Q: How can I change the publishing Q: How can I change the publishing interval of a CRL?interval of a CRL?

A: From the Certification Authority A: From the Certification Authority console, right-click the Revoked console, right-click the Revoked Certificates container and choose Certificates container and choose Properties. The CRL Publishing Properties. The CRL Publishing Parameters tab allows you to change the Parameters tab allows you to change the default interval for full and Delta CRLs.default interval for full and Delta CRLs.


FAQFAQ

Q:Q: Why can’t I seem to get autoenrollment for user Why can’t I seem to get autoenrollment for user certificates to work?certificates to work?

A:A: Remember that autoenrollment for machines is a Remember that autoenrollment for machines is a feature that has been around since Windows 2000, feature that has been around since Windows 2000, but autoenrollment for user certificates is new to but autoenrollment for user certificates is new to Windows Server 2003. In order to use this feature, Windows Server 2003. In order to use this feature, you need to be running either a Windows Server you need to be running either a Windows Server 2003 or XP client and you must log on to a Windows 2003 or XP client and you must log on to a Windows Server 2003 domain. Finally, autoenrollment must be Server 2003 domain. Finally, autoenrollment must be enabled through Active Directory’s group policy. Also, enabled through Active Directory’s group policy. Also, you won’t be able to autoenroll a user unless the user you won’t be able to autoenroll a user unless the user account has been assigned an e-mail address.account has been assigned an e-mail address.


FAQFAQ

Q:Q: What is the default validity period for a What is the default validity period for a new certificate?new certificate?

A:A: The default, which can be changed on the The default, which can be changed on the GeneralGeneral tab of a new template’s tab of a new template’s PropertyProperty sheet, is one year. Other important settings, sheet, is one year. Other important settings, such as minimum key size and purpose of the such as minimum key size and purpose of the certificate, can be found on the sheet’s other certificate, can be found on the sheet’s other tabs.tabs.


FAQFAQ

Q:Q: If my smart card is lost or stolen, can I be reissued If my smart card is lost or stolen, can I be reissued one?one?

A:A: Yes. The enrollment agent can enroll a new card Yes. The enrollment agent can enroll a new card for you at the enrollment station. Although most smart for you at the enrollment station. Although most smart card providers allow cards to be reused (such as card providers allow cards to be reused (such as when they are found), a highly secure company may when they are found), a highly secure company may require old cards to be destroyed. For similar security require old cards to be destroyed. For similar security reasons, PINs should not be reused on a newly reasons, PINs should not be reused on a newly issued card although it is possible. Remember that a issued card although it is possible. Remember that a card is only good to a thief if the corresponding PIN is card is only good to a thief if the corresponding PIN is obtained as well.obtained as well.


FAQFAQ

Q:Q: When setting up smart cards for my company, can I use the When setting up smart cards for my company, can I use the MS-CHAP or MS-CHAP v2 protocols for authentication?MS-CHAP or MS-CHAP v2 protocols for authentication?

A:A: No. EAP is the only authentication method you can use with No. EAP is the only authentication method you can use with smart cards. It is considered the pinnacle of the authentication smart cards. It is considered the pinnacle of the authentication protocols under Windows Server 2003. MS-CHAP v2 is protocols under Windows Server 2003. MS-CHAP v2 is probably the most secure of the password-based protocols, but probably the most secure of the password-based protocols, but still does not provide the level of protection that smart cards still does not provide the level of protection that smart cards using EAP do. This is because EAP is not really an using EAP do. This is because EAP is not really an authentication protocol by itself. It interfaces with other protocols authentication protocol by itself. It interfaces with other protocols such as MD5-CHAP, and is therefore extremely flexible. As a such as MD5-CHAP, and is therefore extremely flexible. As a result it has been widely implemented by many different result it has been widely implemented by many different vendors. MS-CHAP and MS-CHAP v2 are Microsoft proprietary, vendors. MS-CHAP and MS-CHAP v2 are Microsoft proprietary, and do not enjoy the same popularity or scrutiny applied to EAP. and do not enjoy the same popularity or scrutiny applied to EAP. It is this scrutiny over the last several years that gives EAP the It is this scrutiny over the last several years that gives EAP the reputation of a highly secure protocol.reputation of a highly secure protocol.


FAQFAQ

Q:Q: How can I determine the length of time for which a certificate should How can I determine the length of time for which a certificate should be valid?be valid?

A:A: It is important to plan out your PKI implementation before it goes into It is important to plan out your PKI implementation before it goes into production. In the case of certificate validity, you’ll want to choose a production. In the case of certificate validity, you’ll want to choose a time period that will cover the majority of your needs without being so time period that will cover the majority of your needs without being so long as to open your environment up to compromise. long as to open your environment up to compromise. If you are planning a certificate to support a traveling workforce that If you are planning a certificate to support a traveling workforce that only connects to the corporate infrastructure once a quarter, it would be only connects to the corporate infrastructure once a quarter, it would be detrimental to expire certificates once a month. At the same time, detrimental to expire certificates once a month. At the same time, specifying a certificate to be valid for 20 years might open your specifying a certificate to be valid for 20 years might open your business up to compromise by an ex-employee long after his business up to compromise by an ex-employee long after his employment has been terminated.employment has been terminated.Finally, you will want to ensure that your certificate lifetime is less than Finally, you will want to ensure that your certificate lifetime is less than the lifetime for the lifetime of the CA’s own cert. If the issuing CA will the lifetime for the lifetime of the CA’s own cert. If the issuing CA will only be valid for a year, having a subordinate cert that is good for 5 only be valid for a year, having a subordinate cert that is good for 5 years will lead to problems when the parent authority is revoked. years will lead to problems when the parent authority is revoked.


FAQFAQ

Q:Q: My domain has been active for some time, but I My domain has been active for some time, but I have only recently implemented a Certificate have only recently implemented a Certificate Authority in my domain. I am now getting messages Authority in my domain. I am now getting messages that my Domain Controllers do not have appropriate that my Domain Controllers do not have appropriate certificates. What should I do?certificates. What should I do?

A:A: Make sure that you have enabled auto enrollment Make sure that you have enabled auto enrollment on your Domain Controller certificate templates. This on your Domain Controller certificate templates. This step is often missed and can lead to a number of step is often missed and can lead to a number of secondary problems, the least of which is annoying secondary problems, the least of which is annoying messages in the Event Logs.messages in the Event Logs.


Test Day TipTest Day Tip

On the day of the test, do not concern On the day of the test, do not concern yourself too much with what the yourself too much with what the different standard numbers are. It is different standard numbers are. It is important to understand why they are in important to understand why they are in place and what PKCS stands for. place and what PKCS stands for.


Exam WarningExam Warning

In a Windows Server 2008 PKI, a user’s public and In a Windows Server 2008 PKI, a user’s public and private keys are stored under the user’s profile. For private keys are stored under the user’s profile. For the administrator, the public keys would be under the administrator, the public keys would be under Documents and Settings\Administrator\System Documents and Settings\Administrator\System Certificates\My\CertificatesCertificates\My\Certificates and the private keys and the private keys would be under would be under Documents and Settings\Documents and Settings\Administrator\Crypto\RSAAdministrator\Crypto\RSA (where they are double (where they are double encrypted by Microsoft’s Data Protection API, or encrypted by Microsoft’s Data Protection API, or DPAPI). Although a copy of the public keys is kept in DPAPI). Although a copy of the public keys is kept in the registry, and can even be kept in Active Directory, the registry, and can even be kept in Active Directory, the private keys are vulnerable to deletion. If you the private keys are vulnerable to deletion. If you delete a user profile, the private keys will be lost!delete a user profile, the private keys will be lost!



Pay special attention to the above exercise Pay special attention to the above exercise as you may be asked questions about the as you may be asked questions about the distinguished name of the CA. distinguished name of the CA.



Certificates are at the very core of the Certificates are at the very core of the Windows PKI. Make certain that you Windows PKI. Make certain that you understand what certificates are, and why understand what certificates are, and why they are needed when using public keys. they are needed when using public keys. Also, be familiar with the types of certificates Also, be familiar with the types of certificates listed in this section and the differences listed in this section and the differences between them. between them.



The order of component installation can be The order of component installation can be important when dealing with CAs. If you important when dealing with CAs. If you install certificate services install certificate services beforebefore you install you install IIS, a client will IIS, a client will notnot be able to connect as in be able to connect as in the exercise below until you run the following the exercise below until you run the following from the command line: from the command line: certutil –vrootcertutil –vroot. This . This establishes the virtual root directories establishes the virtual root directories necessary for Web enrollment. necessary for Web enrollment.



Remember that autoenrollment is only Remember that autoenrollment is only available for user certificates if the client is available for user certificates if the client is Windows XP, Windows Server 2003, or Windows XP, Windows Server 2003, or Windows Server 2008. Windows Server 2008.



Certificate expiration is different from Certificate expiration is different from certificate revocation. A certificate is certificate revocation. A certificate is considered revoked if it is terminated prior to considered revoked if it is terminated prior to the end date of the certificate. the end date of the certificate.



On the day of the test, be clear as to which On the day of the test, be clear as to which types of CRLs are consistently made types of CRLs are consistently made available to users in Windows Server 2008. available to users in Windows Server 2008. Since Server 203, Delta CRLs have been Since Server 203, Delta CRLs have been used to publish only the changes made to an used to publish only the changes made to an original CRL for the purposes of conserving original CRL for the purposes of conserving network traffic. network traffic.



Many different types of certificates can be Many different types of certificates can be used together within a single Public Key used together within a single Public Key Infrastructure. It is the Certificate Templates Infrastructure. It is the Certificate Templates that allow the certificates to differentiate that allow the certificates to differentiate themselves for different purposes ensuring themselves for different purposes ensuring that the appropriate information is stored in that the appropriate information is stored in the cert. the cert.



In an environment that has been upgraded In an environment that has been upgraded from a previous version of Windows Server from a previous version of Windows Server into the Server 2008 platform, an update to into the Server 2008 platform, an update to the certificate templates may be required to the certificate templates may be required to bring the templates into compliance. This bring the templates into compliance. This should be done before the domain is should be done before the domain is upgraded to ensure continuity with the active upgraded to ensure continuity with the active directory. directory.

copyright line. configuring certificate services and pki exam objectives planning a windows server...

Documents

digital certificates

user certificates

certificates snap

cas issue certificates

certificatebased pki

certificate manager

certificate requests

public keys