Windows Active Directory Certificate Services

Transcription

Table of Contents

Windows Active Directory Certificate Services (AD CS) ... 2
Windows AD CS Advantages ... 3
AD CS Server Roles -1 ... 4
AD CS Server Roles -2 ... 6
Windows AD CS Certificate Authority ... 7
Windows AD CS CA Types ... 12
Windows AD CS Root CA ... 13
AD CS CA Private Keys ... 17
AD CS CA Public Keys ... 20
Root CA Self-Signed Certificate ... 21
Windows AD CS User Certificates ... 23
Installing AD CS ... 24
Windows AD CS Configuration ... 25
Installing with PowerShell ... 26
Notices ... 27

Page 1 of 27

Windows Active Directory Certificate Services (AD CS)

As of Server 2008, Certificate Services are known as Active Directory Certificate Services.
AD CS is the server functionality that allows a Public Key Infrastructure (PKI) to be built within an organization.
AD CS allows the creation and management of public key certificates.

**042 So, active directory certificate services, ADCS, runs on a server. We're going to talk about running it on the Server 2012 platform.

Windows AD CS Advantages

Can be deployed without an AD forest
Can establish Certificate Policy from the AD server, which is then followed as users request new certificates
Can be deployed and managed using PowerShell in Server 2012

**043 Typically, we deploy it within our domain, within an active directory forest. But I don't have to deploy it within a forest. So, the reason that I bring that up is because of small businesses. Not all organizations are going to have an entire forest. So, I can deploy it even in a smaller infrastructure if I like.

One of the things to note about PKI, I said this, it is ninety-five percent process. And so, before we ever sit down at a machine and we start actually doing this work, we ought to plan out what we're trying to accomplish with our public key infrastructure and with our certificate services because once we can plan it out, then we can go ahead and implement those policies in that particular service. Just like everything else--

AD CS Server Roles -1

Certificate Authority: Issues digital certificates
Web enrollment: Use a web browser to request certificates and retrieve the CRL
Online responder: Evaluates certificate status and responds to revocation status requests

**044 I can configure this with PowerShell, as well. So, what are the components, what are the roles that we're going to find in our certificate services? We have a certificate authority. The certificate authority is responsible for the publishing of the certificates. So, it provides a server where, once a certificate is created, we publish it there. And then a third party-- when I want to verify your public key, I can go get that public key from the server.

There's also a registration authority. We'll talk about that as kind of a subset of the certificate authority.

There is a web enrollment service. That's how you and I as individuals will request a certificate. So, I want to have a certificate so I can sign my emails. I want it signed off by a trusted third party, let's say my business. So, I can use a web interface to say my name is Mark. Please verify my identity, and then publish his certificate on my behalf.

The online responder is dealing with what is known as OCSP, Online Certificate Status Protocol. It's dealing with certificate revocation. We'll talk a little bit about certificate revocation in just a moment.

AD CS Server Roles -2

Network Device Enrollment Service: Allows routers and other network devices that do not have a domain account to obtain certificates
Certificate Enrollment Policy Web Service: Provides users and computers with certificate policy information
Certificate Enrollment Web Service: Allows users and computers to enroll certificates via HTTPS

**045 Network device enrollment, if I have routers and switches and devices that don't actually participate in the domain, they're not domain-- they don't have domain accounts, well I can still have those enrolled within my certificate services through the network device enrollment service.

Where can users find the policy? A certificate authority publishes a document known as a certificate practices statement. The certificate practices statement is basically their policies about how they're maintaining their CA, how they go about verifying your identity and those types of things. So, certificate enrollment policy web service provides users with that type of information. And then we already mentioned the web service enrollment, allows users to enroll, in this case, via HTTPS.

Windows AD CS Certificate Authority

Cost effective, efficient, and secure method for managing public key certificates
Allows for the establishment of a Certificate Authority (CA)
The CA is used to create and manage Public Key Certificates.
— Issuing certificates
— Revoking certificates

**046 They say it's a cost effective, efficient. It's-- doesn't cost you any extra. If you have Server 2012, you have the ability to run your own PKI, public key infrastructure, in your organization. So, I can create my own certificate authority. I don't have to pay third parties for a certificate.

The only issue with that is, does anybody trust me? Verisign, Entrust, Thawte, Baltimore, those are all reputable-- Microsoft fits into that category, all well known, reputable organizations that run certificate authorities.

So, if I were to download a certificate signed by Verisign, I'd feel safe that that certificate does belong to who I believe it to have belonged to, Joe or Bob. But if I download a certificate, and it was signed by Billy Bob's auto parts certificate authority, well maybe I don't know who they are. I don't know what kind of reputable business they are. Maybe I don't trust that.

You can run your own CA, but will it be trusted outside of your organization? Chances are it will be trusted within. But will it be trusted widely outside of your organization? Maybe, maybe not. Sir.

Student: So, is there a service that's out there to allow your CA to be an intermediate CA of their approved CA, so that they can pass on the authenticity?

Mark Williams: So, I think you're asking could I possibly contract Verisign to--

Student: I know for sure Verisign won't do it.

Mark Williams: Huh?

Student: I know for sure Verisign doesn't run that business model. But I'm asking if you're aware if anyone will do it?

Mark Williams: I don't know of any specifically that do it, but I know that there are some that will. You can pay them, and they will make you basically an intermediate CA beneath them. I do not believe Baltimore will. I do not believe Thawte will. You're probably going to be looking at some of the-- certainly won't be any of the big five. It will certainly be some of the others. Let's just put it that way. Yes?

Student: Couldn't you-- you could probably leverage off of Verisign to say for a certificate authority, have that be Verisign, and then everything else after that will be intermediate.

Mark Williams: That's what--

Student: You wouldn't have to ask anybody. You just sign it with their-- I mean you pay them for the SSL certificate and then reference it.

Mark Williams: Maybe. Maybe you can do it that way. I'm not sure.

Student: They don't know what you do with it after they give it to you.

Mark Williams: Yeah. That's true. All they're verifying is that you are that particular organization, and they verified that. What you do beyond that is-- well, keep in mind, certificates have-- when you get a certificate, there are going to be certain uses, depending on the level of verification that is done. A low level certificate is only probably going to be valid for email verification.

If you want to have a certificate that you can use for financial transactions or software signing, for example, then that's a higher-level certificate. Much more verification is going to have to happen. So, I could not go to Verisign, for example, and get a low level certificate, and then assume that I'm going to use that within my corporation to sign every other certificate within the company. It probably would not be as trusted in that fashion. Do you have a thought, Terry?

Student: I was-- are intermediate certificate authority certificates in a specific format or?

Mark Williams: The certificates are formatted the same way. Whether it's a root certificate authority certificate or an intermediate. But it will say somewhere on there it's an intermediate. It will say what its uses are for. And it will be signed by a root. Whereas a root, it will say it's a root and it's self-signed. That's one of the big differences there. Yes.

Student: Yeah I want to add on yes, the certificates you receive from the public CAs, they do contain a bit actually dictate what use it can be used for. And that's part of the-- you cannot misuse that. They made it pretty secure.

Mark Williams: You can attempt to misuse it, but will anyone trust it? Probably not.

Student: You cannot even make it work. You can-- basically, you have your own private key-- have your public key, but you will probably fail in the first step if you want to import that key and certificate pair into your own CA. It just won't complete-- fail in the first place.

Mark Williams: Right. Yeah because of the formatting says it's not supposed to be used for that functionality.

Student: Exactly.

Mark Williams: Right.

Windows AD CS CA Types

There are two core types of Certificate Authorities
Root Certificate Authorities
Subordinate Certificate Authorities
— A subcategory here is Intermediate Certificate Authorities
— Also known as Policy or Issuing Certificate Authorities

**047 All right. So, we talked a little bit about this already. There are intermediate CAs, and we identify those as subordinate CAs. And then there are root certificate authorities.

Windows AD CS Root CA

A root CA must always be designated, whether creating a hierarchical enterprise CA structure or a stand-alone CA.
The root CA is the top CA in a hierarchical structure.

**048 So, this is showing you the hierarchy. The root certification authority is going to create its own self-signed certificate. And then the root will sign for various subordinates. The subordinates will sign for other subordinates. Eventually, what we have down here at the bottom is not a CA. So, if I were to add another little tree off of this. It would be Mark. And it would be Mike. And it would be Bob. And whoever would be the people that actually have these certificates at the lower levels. That's the whole reason we want to do this. We want to do it so that people will trust Mark, or people will trust Bob.

The alternative to this hierarchical model is what is referred to as a web of trust. And there are some organizations out there that offer certificates that follow a web of trust model.

For example, for email, Thawte-- I think it's Thawte. Thawte does a web of trust. And what that is is I can get a Thawte certificate. And Thawte really has not done anything to verify my identity.

So, here's my certificate from Mark. And then I go to a key signing party. I don't know what kind of fun you have at a key signing party. But people go to key signing parties. Or we could just do it in this environment. I could say if you have a Thawte certificate, I could ask you, Bob, will you sign my certificate. So, Bob could verify that I am Mark, and Mark could verify that's Bob. And then we could have Joe. Mark could verify that this is Joe. And Joe could verify that this is Mark. And we could have Sally. And we verify each other. And then we could have-- well, Joe and Sally, they can sign each other's certificates, right? And the idea is the more people that sign my certificate, the more people that believe that I am Mark, the more likely you are, when you see my certificate, the more likely you are to believe that I am Mark. That's the web of trust.

This is not considered to be nearly as secure as the hierarchical model. And the reason-- I guess the big reasons it's not considered as secure is what did I do to convince Sally and Joe and Bob that I am Mark? Could have been in a bar and bought them a couple of beers. Told them my name is Fred Flintstone and please sign off on my certificate. Okay, here you go. Now, they should do certain things to verify my identity, but there's no guarantee of that because they're individuals. At least the corporations that run CAs will have process in place. I hope they have process in place to verify identity.

What might you do to verify identity before you issue or publish a certificate? For a low-level certificate, you might decide that all you're going to do is make sure they have a valid email address. So, respond to this email. And if you respond to this email appropriately, I'll believe you are who you claim to be and issue the certificate. Usually, that low-level certificate is only for email sending.

If you want to get an intermediate level certificate, we might require you give us enough information so that we can track you in publicly available databases. So, give me your name. Tell me what address you live at. Tell me who your employer is, some of those types of things, maybe even enough information so I can look you up in the credit bureau records.

If I wanted to get a high level certificate, say for financial transactions, well now maybe we have our CA require you come in in person and show government issued photo ID. And then once you give me the government issued photo ID, then I'll give you that high level certificate for transactions.

What if you want to get a certificate on behalf of your company? Now, we might say we'll give you a certificate on behalf of your company, if you can prove that you're authorized to do that. So, give me proof on company letterhead, signed by a board of directors, that you are authorized to act on their behalf to get a certificate.

That's the public key infrastructure. That's the policy. And, again, if I'm running my own CA, I can decide what actions are appropriate for my organization. You might decide that two person integrity is required to do verification. So, not just one person in my organization's going to verify your identity, somebody else in the organization might also verify your identity. And if they both come to the same conclusion, then we'll believe you are Fred Flintstone. And we will issue the certificate. All right?

AD CS CA Private Keys

Certificate Authority uses a Private key to digitally sign certificates.
The private key must be secured so that others NEVER have a copy!
A best practice is to store the private key on an HSM (Hardware Security Module). 3rd Party Root CAs may require you to have these.
If the key is stored on the computer, it is very critical to ensure the computer is secure through hardening.

**050 Private keys, the whole reason we're doing all of this is those private keys. One thing to keep in mind about private keys, we use those keys to create the digital signatures. The certificates themselves do not contain the private key. The certificates contain the public key associated with the private key.

I need to make sure that I properly protect and secure my private key. Trusted hardware's a good idea.

There's a common misconception that the certificate authority generates my private key and my public key pair for me. That's not true. If you generate my private key and my public key, then it's not a private key, is it because you will have a copy of it, and I will have a copy of it?

So, I generate my own. And then I take the public key and I say here is a public key. It belongs to me. And you verify my identity. And then you have my public key. And you publish my public key. But my private key has to be exactly that, private.

Now, could I ask you, as a third party, to hold on to a copy of my private key? What would be the benefit of that? In case I lose it, it's not gone forever. It's in escrow. And there are companies that do that, private key escrow companies. Most of the certification authorities will run some escrow capability. So, if I lose my private key, I can still get it back and continue to sign emails and such. But the CA does not generate the private keys.

So, if I have my private key, where am I going to store it? I certainly don't want to store it on a thumb drive that I'm likely to lose. I don't want to store it on a laptop that's likely to get stolen.

I went to do some work at a company. They had all of their private keys stored-- well, it was the fifth floor of the building. I remember that. I remember that because the elevator, you had to have a special key just to stop on the fifth floor. I did not have that special key. So, I could not get onto the fifth floor. They did take me there on a little bit of a tour.

And they had this big-- on the floor-- it's an open floor space. But on that floor, they had a fenced in area. It's kind of a chain link like fence. So, they had a fenced in area. And then all of the equipment that had to do with their certificate authority, their private key storage and such, all that was inside of that locked in cage. So, they took special care to physically, and I'm sure logically, secure their certificate authority, their private key-- I lost the term, escrow server, and so forth.

They mention about an HSM, hardware security module. I might have special hardware, a special chip on my machine, that I can store-- it's not going to be on the hard drive. But it will be on a chip. It's harder to get the information, the key, off of that chip than it is to get it off of a hard drive. So, make sure your private keys are properly secured.
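A defender's check for the point made above (an added example, not part of the course material): it lists every certificate in the machine store that has a private key and reports which key storage provider holds the key and whether it is exportable, so a CA key sitting in Microsoft's software provider, or marked exportable, stands out for review. The store path and the name patterns used to recognise the software providers are assumptions; an HSM-backed key shows its vendor's KSP name instead.

```powershell
# Added example (not from the course slides). Assumes Windows Server 2012 or later
# with .NET 4.6+, which provides RSACertificateExtensions.GetRSAPrivateKey.
function Get-PrivateKeyStorageReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed store; CA keys live here
    )
    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert       = $_
        $provider   = 'unknown'
        $exportable = 'unknown'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                $provider = 'non-RSA key'          # e.g. ECDSA; not inspected by this example
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG keys (software KSP or HSM KSP) expose a CngKey with provider details.
                $provider   = $rsa.Key.Provider.Provider
                $exportable = ($rsa.Key.ExportPolicy -ne 'None')
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP keys: provider name and exportability come from the key container.
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            # The key exists but this principal cannot open it (an HSM may require operator auth).
            $provider = "inaccessible: $($_.Exception.Message)"
        }

        # Basic Constraints tells us whether this certificate belongs to a CA.
        $isCa = [bool]($cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority
        })

        # Assumed patterns for Microsoft's software-backed providers; HSM KSPs carry vendor names.
        $softwareBacked = ($provider -like 'Microsoft Software Key Storage Provider*') -or
                          ($provider -like 'Microsoft*Cryptographic Provider*')
        $finding = 'ok'
        if ($isCa -and ($softwareBacked -or $exportable -eq $true)) {
            $finding = 'REVIEW: CA key is software-backed or exportable'
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            IsCA       = $isCa
            Provider   = $provider
            Exportable = $exportable
            Finding    = $finding
        }
    }
}

Get-PrivateKeyStorageReport | Format-Table -AutoSize
```

Run it as an administrator on the CA host; keys that report "inaccessible" still warrant a look, since a signing key the service account cannot open is as much an operational problem as one anyone can export.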

AD CS CA Public Keys

Used to validate the signature of a digital certificate
Available to everyone
Made available on a certificate signed by an authority higher up in the hierarchy

**051 We know that we use the public keys to decrypt the digital signature. And we use the certificates to verify the public key belongs to who it belonged to.

Root CA Self-Signed Certificate

The root CA self-signs their own public key certificate. The structure must begin somewhere.
The root CA MUST be explicitly trusted. If compromised, the hierarchy collapses.
The “root of trust” is critical. There are several “roots” like Entrust, DoD, GlobalSign, QuoVadis, Thawte, and VeriSign. If
