MCSA Guide To Identity With Windows Server 2016, Exam 70-742


MCSA Guide to Identity with Windows Server 2016, Exam 70-742
Chapter 8: Implementing Active Directory Certificate Services
2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

Objectives
- 8.1 Describe the components of a PKI system
- 8.2 Deploy the Active Directory Certificate Services role
- 8.3 Configure a certification authority
- 8.4 Maintain and manage a PKI

Introducing Active Directory Certificate Services
- Active Directory Certificate Services (AD CS) is a server role in Windows Server 2016
- Provides the services for creating a Public Key Infrastructure (PKI)
- Adds a level of security for a variety of applications, such as VPNs, EFS, smart cards, and Secure Sockets Layer/Transport Layer Security (SSL/TLS)

Public Key Infrastructure Overview
- A Public Key Infrastructure is a security system that binds a user's or device's identity to a cryptographic key
- PKI provides the following services to a network:
- Without adequate security, communications can be tampered with, causing websites to be redirected or other unwanted behaviors

PKI Terminology (1 of 2)
List of components that compose a PKI:
- Plaintext
- Ciphertext
- Key
- Secret key
- Private key
- Public key
- Symmetric cryptography
- Asymmetric cryptography
- Digital certificate
- Digital signature
- Certification authority (CA)

PKI Terminology (2 of 2)

AD CS Terminology
Terms related to Active Directory Certificate Services (AD CS):
- Certificate revocation list (CRL)
- Certificate template
- Certificate distribution point (CDP)
- Delta CRL
- Enterprise CA
- Stand-alone CA
- Enrollment agent
- CA hierarchy
- Online responder
- Certificate enrollment
- Key management
- Authority Information Access (AIA)

Deploying the Active Directory Certificate Services Role
Some AD CS options you should be aware of before deploying this server role include:
- Stand-alone and enterprise CAs
- Online and offline CAs
- CA hierarchy
- Certificate practice statements

Stand-alone and Enterprise CAs (1 of 2)
- An enterprise CA is a server running Windows Server with the AD CS role installed
- A standalone CA is a server running Windows Server with the AD CS role installed, but with little Active Directory integration
- A network with non-Windows devices needs at least one standalone CA

Stand-alone and Enterprise CAs (2 of 2)

Stand-alone CA server | Enterprise CA server
Active Directory not required | Active Directory required; server must be a member server (preferred) or domain controller
Can operate offline | Must operate online
Certificate requests must be approved manually | Certificate requests approved manually or automatically by using Active Directory information
No certificate templates available | Certificate templates available
Certificates not published in Active Directory | Certificates published in Active Directory
Requester must enter identifying information in certificate request manually | Identifying information taken from Active Directory
CA's certificate distributed to clients manually | CA's certificate distributed to clients automatically
CRL optionally published to Active Directory | CRL published automatically to Active Directory

Online and Offline CAs
- If a CA is compromised, all certificates the CA has issued are also compromised, and must be revoked immediately
- Offline CAs aren't connected to the network
- All certificates and CRLs must be distributed with removable media
- Root CA is the server most typically configured for offline operation
- Offline CAs must be standalone CAs

CA Hierarchy (1 of 2)
- The root CA is the first CA installed in a network
- Two-level hierarchy involves the root CA issuing certificates to subordinate CAs called issuing CAs
- Three-level hierarchy involves the root CA issuing certificates to intermediate CAs (sometimes called "policy CAs"), which then issue certificates to other CAs
- Multilevel CA hierarchies are commonly used to distribute certificate-issuing load in organizations with multiple locations

CA Hierarchy (2 of 2)

Certificate Practice Statements
- A certificate practice statement (CPS) is a document describing how a CA issues certificates
- Not a required component of a PKI, but should be developed as part of the planning process when an organization is designing its PKI
- A CPS usually contains:
  - Identification of the CA
  - Security practices used to maintain CA integrity
  - Types of certificates used
  - Policies and procedures used
  - Cryptographic algorithms used
  - Certificate lifetimes
  - CRL-related policies, including where CRL distribution points are located
  - Renewal policy of the CA's certificate
- Installed by creating a CAPolicy.inf file and placing it into the CA's %systemroot% directory

Installing the AD CS Role (1 of 2)
- Best practices dictate that the AD CS role shouldn't be installed on a domain controller
- Ideally, AD CS should be the only installed role
- Enterprise CAs must be installed on a member server running Windows Server Standard or Datacenter Edition
- AD CS is installed by adding the AD CS role in Server Manager

Installing the AD CS Role (2 of 2)
During installation, you have the option to install several role services, including the following:
- Certification Authority
- Certificate Enrollment Policy Web Service
- Certificate Enrollment Web Service
- Certification Authority Web Enrollment
- Network Device Enrollment Service
- Online Responder
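The CAPolicy.inf and role-installation steps from the preceding slides, carried out from PowerShell instead of Server Manager. This is an added example, not code from the textbook: the CA name, policy OID, CPS URL, key size and CRL periods are constructed placeholders, and the CAPolicy.inf sections shown are the standard ones AD CS reads when the role is configured. It builds a stand-alone root CA of the kind the text recommends keeping offline, so only the Certification Authority role service is installed.

```powershell
# Added example (not from the textbook): write CAPolicy.inf, then install and
# configure a stand-alone root CA. Run in an elevated session on the future
# root CA, before the CA is configured. All names/values are placeholders.

# Single-quoted here-string so "$Windows NT$" is written literally
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
; placeholder OID: replace with your organization's registered policy OID
OID=1.2.3.4.1455.67.89.5
Notice="Example Corp Certification Practice Statement"
URL=http://pki.example.com/cps.txt

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; an offline root publishes its CRL rarely, so a long CRL period is usual
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; a stand-alone CA has no templates to load
LoadDefaultTemplates=0

; the root's own certificate has no issuer to point at, so leave these empty
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

# The file must exist in %systemroot% before Install-AdcsCertificationAuthority runs
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# Add the role binaries: only the Certification Authority role service.
# An offline root needs no web enrollment, NDES or online responder.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Configure the CA: stand-alone root, no Active Directory dependency,
# SHA-256 signatures and a 4096-bit key valid for 10 years
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "ExampleCorp-Root-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force
```

For the online issuing CA underneath it, the same cmdlet is run on a member server with -CAType EnterpriseSubordinateCA; it then produces a request file that is carried to the root on removable media, signed there, and the resulting certificate installed on the subordinate, which matches the offline-root workflow the chapter describes.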

Configuring a Certification Authority
After installing AD CS on a server, you must perform several configuration tasks before the CA can be used properly:
- Configure certificate templates
- Configure enrollment options
- Configure the online responder
- Create a revocation configuration

Configuring Certificate Templates (1 of 4)
- If you install an Enterprise CA, a number of predefined certificate templates can be configured to generate certificates
- Windows Server 2016 supports four versions of certificate templates:
  - Version 1 templates - supported by Windows Server 2003 Standard Edition and Windows 2000 Server
  - Version 2 templates - supported by Windows Server 2003 Enterprise Edition and later
  - Version 3 templates - supported by Windows Server 2008/Vista and later
  - Version 4 templates - supported by Windows Server 2012/R2 and Vista and later

Configuring Certificate Templates (2 of 4)
- Certificate templates are created and modified in the Certificate Templates snap-in

Configuring Certificate Templates (3 of 4)
- A common certificate type is one used for EFS
  - Allows users to encrypt and decrypt files on a hard drive
- The Basic EFS template is used to issue certificates to users so they can protect files with EFS
- The EFS Recovery Agent template is used to issue certificates to users who are designated as recovery agents
  - So that EFS-encrypted files can be recovered if a user's EFS certificate becomes unusable for some reason

Configuring Certificate Templates (4 of 4)

Configuring Certificate Enrollment Options
- Certificate enrollment occurs when a user or device requests a certificate, and the certificate is granted
- Enrollment can occur with several methods:
  - Autoenrollment
  - Certificates MMC
  - Web enrollment
  - Network Device Enrollment Service
  - Smart card enrollment

Configuring Certificate Autoenrollment (1 of 5)
- When autoenrollment is configured, users and devices don't have to make explicit certificate requests to be issued certificates
- Most commonly used for EFS
- Autoenrollment is enabled in the Computer Configuration or User Configuration node of the Group Policy Management Console
- Autoenrollment is configured for certificate templates in the Request Handling, Issuance Requirements, and Security tabs of a template's Properties dialog box
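Autoenrollment end to end, as an added example that is not from the textbook: the CA side publishes a template, the client side turns the policy on and triggers enrollment, and a final query confirms a certificate from that template was issued. The template used (the built-in Workstation Authentication template, whose internal name is Workstation) and the registry value written by the "Certificate Services Client - Auto-Enrollment" policy are assumptions; the supported way to enable it in production is the Group Policy setting the slide names, the registry write here only stands in for it on a test machine.

```powershell
# Added example (not from the textbook). Part 1 runs on the enterprise CA,
# part 2 on a domain-joined client, both in elevated sessions.

# --- Part 1: on the enterprise CA, publish the template so the CA will issue
# from it. The template's Security tab must already grant the computers
# Read + Enroll + Autoenroll (done in the Certificate Templates snap-in).
# "Workstation" is the internal name of the Workstation Authentication template.
Add-CATemplate -Name "Workstation" -Force
Get-CATemplate | Select-Object Name

# --- Part 2: on the client. The GPO setting "Certificate Services Client -
# Auto-Enrollment" (Computer Configuration > Public Key Policies) writes this
# value; 7 = enabled + renew expired/update pending + remove revoked.
# Assumption: writing it directly is used here only for a lab machine.
$aeKey = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
New-Item -Path $aeKey -Force | Out-Null
Set-ItemProperty -Path $aeKey -Name AEPolicy -Value 7 -Type DWord

# Trigger machine autoenrollment now rather than waiting for the next pulse
certutil -pulse

# Verify: list certificates in the machine store issued from that template.
# OID 1.3.6.1.4.1.311.21.7 is the Certificate Template Information extension.
$templateOid = '1.3.6.1.4.1.311.21.7'
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $ext -and $ext.Format($false) -like '*Workstation Authentication*'
} | Select-Object Subject, NotBefore, NotAfter, Thumbprint
```

If the final query returns nothing, the usual causes are the missing Autoenroll permission on the template, the template not being published on the CA (absent from Get-CATemplate), or Group Policy not yet applied on the client.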

Configuring Certificate Autoenrollment (2 of 5)

Configuring Certificate Autoenrollment (3 of 5)

Configuring Certificate Autoenrollment (4 of 5)

Configuring Certificate Autoenrollment (5 of 5)

Requesting a Certificate with the Certificates Snap-in (1 of 2)
- Users can request certificates that aren't configured for autoenrollment by using the Certificates snap-in
- This method for requesting certificates can be used only with enterprise CAs
- Autoenrollment is preferred over manual requests
- You might want to use manual requests if the following is true:
  - You want users to know their certificate information
  - You have specialized templates that only a few users require

Requesting a Certificate with the Certificates Snap-in (2 of 2)

Configuring Web Enrollment
- Requires installing the Certification Authority Web Enrollment role service
- Web enrollment is the main method for accessing CA services on a standalone CA
- To access the Certification Authority Web Enrollment role service, users simply open a browser and browse to the server's page
- Server configured for Web enrollment is called a registration authority or a CA Web proxy

Using the Network Device Enrollment Service
- Network Device Enrollment Service (NDES) - allows network devices, such as routers and switches, to obtain certificates by using Simple Certificate Enrollment Protocol (SCEP), a Cisco proprietary protocol
- Cisco devices can request and obtain certificates to run IPsec, even if they don't have domain credentials
- Follow steps in the text to install and configure NDES

Using Smart Card Enrollment
- Takes place through Web enrollment at a smart card station
- A user supplies credentials to request the smart card certificate and presents his or her card, then the certificate information is embedded in the card
- A user designated as an enrollment agent can enroll smart card certificates on behalf of users
  - Enrollment agents must be issued an Enrollment Agent certificate to perform this task
- AD CS offers restricted enrollment agents
  - Administrators can configure smart card certificate templates to specify which users or groups an enrollment agent can enroll in the certificate

Configuring the Online Responder
- An online responder enables clients to check a certificate's revocation status without having to download the CRL
- To use, the Online Responder role service must be installed with the CA role or later
- Requires the Web Server role service
- Follow the steps in the text to configure the Online Responder

Creating a Revocation Configuration
- A revocation configuration tells the CA what methods are available for clients to access CRLs
- To create a revocation configuration, you use the Active Directory Certificate Services snap-in, under the Roles node in Server Manager
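The online responder and revocation pieces of the last two slides, as an added PowerShell example that is not from the textbook. It sets the CDP and AIA URLs that go into issued certificates, adds the OCSP URL clients will use, sets the CRL schedule, installs the Online Responder role service, and finishes with the check a relying party effectively performs. The hostnames pki.example.com and ocsp.example.com, the CRL periods and the test certificate path are constructed; the Add-CA* cmdlets and certutil registry names are the standard AD CS ones.

```powershell
# Added example (not from the textbook). Run in an elevated session on the
# issuing CA, except the responder install, which runs on the responder host.
# Hostnames, periods and file paths are placeholders.

# What the CA currently writes into certificates and where it publishes
Get-CACrlDistributionPoint | Format-Table Uri, AddToCertificateCdp, PublishToServer
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia, AddToCertificateOcsp

# HTTP CDP placed in issued certificates. The <...> tokens are expanded by the
# CA; -AddToFreshestCrl also points delta-CRL-aware clients at this path.
Add-CACrlDistributionPoint `
    -Uri "http://pki.example.com/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# AIA: where clients fetch the CA certificate, and where the online responder is
Add-CAAuthorityInformationAccess `
    -Uri "http://pki.example.com/aia/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force
Add-CAAuthorityInformationAccess -Uri "http://ocsp.example.com/ocsp" -AddToCertificateOcsp -Force

# CRL schedule for an online issuing CA: weekly base CRL, daily delta CRL
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

# Registry changes apply after a service restart; then publish a fresh CRL
Restart-Service certsvc
certutil -crl

# On the online responder host: install the role service. The revocation
# configuration itself (which CA, which signing certificate) is then created
# in the Online Responder console, as the text describes.
Install-WindowsFeature -Name ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force

# Client-side check on a certificate issued after the change: fetches every
# CDP, AIA and OCSP URL it contains and reports which ones cannot be reached
certutil -verify -urlfetch C:\temp\issued-cert.cer
```

Certificates issued before the change still carry the old URLs, so the -urlfetch check should be run against a freshly issued certificate; a failed fetch there means clients will fall back to the CRL or fail revocation checking, depending on their policy.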

Maintaining and Managing a PKI
- By default, administrators can perform all tasks on a CA server
- After roles have been assigned, administrators can perform only tasks related to their assigned roles
- Four key roles must be filled to administer a CA and its components:
  - CA Administrator
  - Certificate Manager
  - Backup Operator
  - Auditor
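Enforcing the four-role split described above and making CA administration visible in the Security log, as an added example that is not from the textbook. The certutil registry names and the Windows event IDs listed are the standard Certification Services ones; nothing here is specific to the book's lab.

```powershell
# Added example (not from the textbook): role separation plus CA auditing.
# Run in an elevated session on the CA after the roles have been assigned
# to separate groups on the CA's Security tab.

# With role separation on, an account that holds two CA roles (for example
# CA Administrator and Certificate Manager) is blocked from using either,
# so split the roles across groups first, then enforce the split.
certutil -setreg CA\RoleSeparationEnabled 1

# Audit filter bit mask: 1 start/stop, 2 backup/restore, 4 issue/manage
# requests, 8 revoke/publish CRLs, 16 change CA configuration,
# 32 change CA security settings, 64 archive/retrieve keys. 127 = all.
certutil -setreg CA\AuditFilter 127

# CA audit events reach the Security log only if the OS subcategory is on
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

Restart-Service certsvc

# Confirm the settings took effect
certutil -getreg CA\RoleSeparationEnabled
certutil -getreg CA\AuditFilter

# Review recent security-relevant CA events:
#   4870 certificate revoked           4876 backup started
#   4882 CA security permissions changed   4885 audit filter changed
#   4887 request approved, certificate issued   4897 role separation enabled
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4870, 4876, 4882, 4885, 4887, 4897 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Events 4882 and 4885 are the ones worth alerting on: a change to the CA's permissions or to its audit filter is rare in normal operation, and turning the filter down is the obvious first step for anyone who wants later actions on the CA to go unrecorded.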

CA Backup and Restore
- Regular backup of all servers in a network is mandatory
- Full backup or system state backup on a CA server automatically backs up the certificate store along with other data
- The CA console includes a simple wizard-based backup utility you can use to perform backups with the following options:
  - Private key and CA certificate
  - Certificate database and certificate database log
- CA backups and restores can be done with the certutil command as well
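The same backup options as the console wizard, scripted with the Backup-CARoleService and Restore-CARoleService cmdlets and their certutil equivalents. This is an added example, not from the textbook; the backup path is constructed, and the password is read interactively rather than stored in the script.

```powershell
# Added example (not from the textbook): CA backup and restore.
# Run in an elevated session on the CA; paths are placeholders.

$backupDir = "D:\CA-Backup\$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# The private key is exported as a PFX, so a password is required
$keyPassword = Read-Host -AsSecureString -Prompt "Password to protect the CA private key"

# Full backup: CA certificate + private key, certificate database and its log
Backup-CARoleService -Path $backupDir -Password $keyPassword

# A routine job can back up the database only and never touch the key
Backup-CARoleService -Path "$backupDir\db-only" -DatabaseOnly

# The CA's configuration (CDP/AIA lists, CRL periods, audit filter, role
# separation) lives in the registry and is not part of the backup above
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" `
    "$backupDir\certsvc-configuration.reg" /y

# certutil equivalent of the full backup; it prompts for the PFX password
certutil -backup "$backupDir\certutil"

# Restore: stop the service first, then overwrite the database with -Force
Stop-Service certsvc
Restore-CARoleService -Path $backupDir -Password $keyPassword -Force
Start-Service certsvc
```

Because the backup directory now contains the CA's private key, it needs the same protection as the CA itself: restrict it to the Backup Operator role, keep it off general-purpose file shares, and treat any unexpected read of it as an incident.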

Key and Certificate Archival and Recovery (1 of 5)
- If a user's private key is lost or damaged, he or she might lose access to systems or documents
- By using key archival, private keys can be locked away and then restored if the user's private key is lost
- Two methods for archiving private keys:
  - Manual - Involves exporting the certificate
  - Automatic - Uses a key recovery agent (KRA)

Key and Certificate Archival and Recovery (2 of 5)
- The Certificate Export Wizard exports the certificate and can export the private key if allowed
- You're prompted to select the format for the certificate export
  - The only format supported for exporting the private key along with the certificate is Personal Information Exchange

Key and Certificate Archival and Recovery (3 of 5)

Key and Certificate Archival and Recovery (4 of 5)
- Automatic key archival uses a key recovery agent (KRA), which is a designated user with the right to recover archived keys
  - KRA has a lot of power, so choose the user carefully
- Designated user must enroll for a Key Recovery Certificate after the KRA template has been configured to allow the designated user to enroll
- The KRA certificate is then added to the Recovery Agents tab of the CA server's Properties dialog box
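Both archival methods from the slides above, as one added PowerShell example that is not from the textbook: the manual export of a user's certificate with its private key to a Personal Information Exchange (.pfx) file, and the KRA-based recovery of a key the CA archived. The user name, file paths and the EFS enhanced-key-usage lookup are constructed; the certutil -getkey and -recoverkey verbs are the standard AD CS ones.

```powershell
# Added example (not from the textbook): manual and KRA-based key recovery.
# Part 1 runs as the user who owns the certificate; part 2 on the CA.
# Names and paths are placeholders.

# --- Part 1: manual export of the user's EFS certificate and private key
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEku) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No EFS certificate with a private key in the personal store" }

$pfxPassword = Read-Host -AsSecureString -Prompt "Password for the exported PFX"
# PFX is the only export format that carries the key; this call fails if the
# template did not mark the private key as exportable
Export-PfxCertificate -Cert $cert -FilePath "$env:USERPROFILE\efs-key-backup.pfx" -Password $pfxPassword

# --- Part 2: KRA-based recovery. Prerequisites: a user enrolled for the Key
# Recovery Agent template, that certificate added on the CA's Recovery Agents
# tab, and the user's template set to archive the subject's encryption key.
# Two different people take part, which is the point of the design.

# Certificate Manager, on the CA: confirm a KRA certificate is configured,
# then pull the encrypted recovery blob for the user (UPN, CN or serial number)
certutil -getreg CA\KRACertCount
certutil -getkey "jsmith@example.com" C:\recovery\jsmith.blob

# KRA holder, on a machine holding the KRA private key: decrypt the blob into
# a password-protected PFX (certutil prompts for the PFX password)
certutil -recoverkey C:\recovery\jsmith.blob C:\recovery\jsmith.pfx

# The user imports the recovered certificate and key into the personal store
Import-PfxCertificate -FilePath C:\recovery\jsmith.pfx `
    -CertStoreLocation Cert:\CurrentUser\My `
    -Password (Read-Host -AsSecureString -Prompt "PFX password")
```

The split between the Certificate Manager (who can retrieve the blob but not decrypt it) and the KRA holder (who can decrypt it but cannot reach the database) is what limits the damage a single compromised account can do, and it is why the slide warns that the KRA user must be chosen carefully. Each retrieval is also recorded by the CA audit category for archived keys.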

Key and Certificate Archival and Recovery (5 of 5)

Using Windows PowerShell to Manage AD CS

Cmdlet | Description
Add-CACrlDistributionPoint | Adds a CRL distribution point path indicating where the CA publishes certification revocations
Add-CATemplate | Adds a certificate template to the CA
Backup-CARoleService | Backs up the CA database and all private key data
Get-CACrlDistributionPoint | Gets all the locations set on the CRL
Get-CATemplate | Gets the list of templates the CA can use to issue certificates
Remove-CACrlDistributionPoint | Removes the CRL distribution point
Remove-CATemplate | Removes the templates the CA can use to issue certificates
Restore-CARoleService | Restores the CA database and all private key data
Install-AdcsCertificationAuthority | Configures the Certification Authority role
Install-AdcsNetworkDeviceEnrollmentService | Configures the Network Device Enrollment Service
Install-AdcsOnlineResponder | Configures the Online Responder role service
Install-AdcsWebEnrollment | Configures the Certification Authority Web Enrollment role service

Chapter Summary (1 of 3)
- Active Directory Certificate Services (AD CS) provides services for creating a PKI in a Windows Server 2012/R2 environment
- A PKI binds the identity of a user or device to a cryptographic key
- Some key terms for describing a PKI and AD CS include private and public keys, digital signature, certification authority, certificate revocation list, online responder, and certificate enrollment
- An enterprise CA integrates with Active Directory; a standalone CA does not
- A CA can be online or offline. An offline CA is more secure and usually used in a CA hierarchy with one or more online issuing CAs

Chapter Summary (2 of 3)
- The AD CS role is installed in Server Manager and should not be installed on a domain controller
- Configuring a CA involves configuring certificate templates, enrollment options, and an online responder as well as creating a revocation configuration
- Certificate enrollment occurs when a user or device requests a certificate and the certificate is granted. Enrollment can occur with autoenrollment, the Certificates MMC, Web enrollment, NDES, and smart cards
- An online responder allows clients to check a certificate's revocation status without having to download the CRL periodically
- Role-based administration limits the PKI tasks a domain administrator account can perform

Chapter Summary (3 of 3)
- When a full backup or system state backup is performed on a CA server, the certificate store is backed up along with other data
- When users' private keys are lost or damaged, they could lose access to systems or documents
