6426b_02
TRANSCRIPT
-
8/18/2019 6426B_02
1/30
Module 2
Deploying and Managing Active Directory® Certificate Services
-
Module Overview
• Overview of PKI
• Deploying a CA Hierarchy
• Installing AD CS
• Managing CAs
-
Lesson 1: Overview of PKI
• What Is PKI?
• Discussion: Managing IDA and Enhancing Security by Using PKI
• Components of a PKI Solution
• Validating Certificates by Using PKI Solutions
• How AD CS Supports PKI
-
What Is PKI?
PKI:
• Is a standards-based approach to security: tools, technologies, processes, and services used to enhance the security of communications, applications, and business transactions
• Relies on the exchange of digital certificates between authenticated users and trusted resources
PKI enhances infrastructure security by providing:
• Confidentiality
• Integrity
• Authenticity
• Non-repudiation
-
Discussion: Managing IDA and Enhancing Security by Using PKI
• What benefit would a PKI solution provide to your organization?
• Give a few examples of applications or services that can use certificates to enhance security.
• How does a PKI solution support IDA management?
-
Components of a PKI Solution
Diagram labels:
• CA
• Digital Certificates
• CRLs and Online Responders
• Certificate Templates
• Public Key-Enabled Applications and Services
• Certificates and CA Management Tools
• AIA and CDPs
-
Validating Certificates by Using PKI Solutions
PKI-enabled applications use CryptoAPI to validate certificates.
Diagram: Certificate Discovery, Path Validation, Revocation Checking
-
How AD CS Supports PKI
Diagram: AD CS role services: CA, CA Web Enrollment, Online Responder, NDES
-
Lesson 2: Deploying a CA Hierarchy
• Overview of CA
• Discussion: Options for Implementing CA
• Types of CAs
• Stand-Alone Versus Enterprise CAs
• Usage Scenarios in a CA Hierarchy
• What Is a Cross-Certification Hierarchy?
-
Overview of CA
A CA:
• Issues a certificate for itself
• Verifies the identity of the certificate requestor
• Manages certificate revocation
• Issues certificates to users, computers, and services
-
Discussion: Options for Implementing CA
• What are the advantages and disadvantages of using an internal private CA?
• What are the advantages and disadvantages of using an external public CA?
-
Types of CAs
Root CA:
• Is the most trusted type of CA in a PKI
• Is a self-signed certificate
• Issues certificates to other subordinate CAs
• Certificate issuance policy is typically more rigorous than subordinate CAs
• Requires physical security policy
Subordinate CA:
• Is issued by another CA
• Addresses specific usage policies, organizational or geographical boundaries, load balancing, and fault tolerance
• Issues certificates to other CAs to form a hierarchical PKI
-
Stand-Alone Versus Enterprise CAs
Stand-Alone CAs:
• Stand-alone CA must be used if any CA (root or intermediate "policy") is offline, because a stand-alone CA is not joined to an AD DS domain
• Users provide identifying information and specify type of certificate
• Does not require certificate templates
• All certificate requests are kept pending until administrator approval
Enterprise CAs:
• Requires the use of AD DS
• Can use Group Policy to propagate certificate to trusted root CA certificate store
• Publishes user certificates and CRLs to AD DS
• Issues certificates based upon a certificate template
• Supports autoenrollment for issuing certificates
-
Usage Scenarios in a CA Hierarchy
Diagram: CA hierarchy tiers labeled Root and Subordinate (third tier label unreadable in the extraction)
-
What Is a Cross-Certification Hierarchy?
Diagram: Organization 1 (Root CA, Subordinate CA) and Organization 2 (Root CA, Subordinate CA), shown twice:
• Cross-Certification at the Root CA Level
• Cross-Certification Subordinate CA to Root CA
-
Lesson 3: Installing AD CS
• Considerations for Installing a Root CA
• Demonstration: How to Install AD CS as a Root CA
• Considerations for Installing a Subordinate CA
• How the CAPolicy.inf
-
Considerations for Installing a Root CA
Diagram: Planning a Root CA. Labels: Computer Name and Domain Membership; Name and Configuration; Private Key Configuration; Validity Period; Certificate Database and Log Location; CPS; Key Character Length (Default: 2048); Hash Algorithm; Certificate.
-
Demonstration: How to Install AD CS As a Root CA
• Install the AD CS server role as an Enterprise Root CA
-
Considerations for Installing a Subordinate CA
Diagram: Planning a Root CA. Labels: Computer Name and Domain Membership; Name and Configuration; Private Key Configuration; Validity Period; Certificate Database and Log Location; Request Certificate for Subordinate CA; CPS; Key Character Length (Default: 2048); Hash Algorithm; Certificate.
-
How the CAPolicy.inf
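An added example, not part of the course material: a CAPolicy.inf for a stand-alone offline root CA, saved as %windir%\CAPolicy.inf before the AD CS role is installed. It carries the root CA planning items above (key length, validity period, CPS) into the file; the CPS host name pki.contoso.com and the policy OID are assumptions.

```ini
; Added example (not from the course). The initial key length and hash
; algorithm are chosen in the install wizard; these settings govern renewals,
; the root's CRL schedule and the extensions in its own certificate.
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Renewal key length matches the 2048-bit default shown on the slide.
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; An offline root publishes its CRL rarely; delta CRLs are disabled (0).
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; Keep PKCS#1 v1.5 signatures so older clients can build the chain.
AlternateSignatureAlgorithm=0

; CPS pointer embedded in the root certificate (Certificate Policies extension).
[PolicyStatementExtension]
Policies=ContosoCPS
Critical=False

[ContosoCPS]
; Placeholder OID: replace with an arc the organization actually owns.
OID=1.3.6.1.4.1.99999.1.1
Notice="Contoso Pharmaceuticals Certification Practice Statement"
; Assumed CPS location on the HTTP publishing server.
URL=http://pki.contoso.com/cps.html

; A root certificate is self-signed, so it must not point back at itself:
; leave the CDP and AIA extensions of the root certificate empty.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
```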
-
Demonstration: Overview of the CA Administrative Console
• Open the CA administrative console and review the available options
-
Lesson 4: Managing CAs
• What Are CRLs?
• How CRLs Are Published
• Where to Publish AIAs and CDPs
• Demonstration: How to Configure AIA and CRL Availability
-
What Are CRLs?
Diagram: base CRLs versus delta CRLs
• Base CRLs: All Revoked Certificates; Greater Publication Interval; Large Size; Client Computer Using Any Version of Windows
• Delta CRLs: certificates revoked since the Last Base CRL; Lesser Publication Interval; Small Size; Client Computer Using Windows® XP or Windows Server® 2003
-
How CRLs Are Published
Diagram (timeline): Base CRL1 is published; as certificates are revoked, Delta CRL2 and then Delta CRL3 list the certificates revoked since Base CRL1; Base CRL2 then lists all revoked certificates.
-
Where to Publish AIAs and CDPs
Offline Root CA
Publish the root CA certificate and URL to:
• Active Directory
• Web servers
-
Demonstration: How to Configure AIA and CRL Availability
• Configure AIA and CDP settings
• Publish the latest version of the CRL
• Publish the CRL and CA certificate for the offline root CA to an HTTP location
• View the CRL
• Publish the CRL and CA certificate to Active Directory
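The demonstration steps above as an added PowerShell example; it is not part of the course material. It drives certutil (present on Windows Server 2008 and later) on the enterprise subordinate CA; the host name pki.contoso.com, the IIS folder and the C:\RootCA file names are assumptions.

```powershell
# Added example, not course material. Run in an elevated prompt on the
# enterprise subordinate CA. Assumed: HTTP host pki.contoso.com served from
# C:\inetpub\wwwroot\CertEnroll, and the offline root's certificate and CRL
# copied from removable media to C:\RootCA\ContosoRootCA.crt / .crl.
$httpBase = "http://pki.contoso.com/CertEnroll"
$webDir   = "C:\inetpub\wwwroot\CertEnroll"
$rootDir  = "C:\RootCA"

# CDP locations. Flag bits: 1 publish CRLs here, 2 include in the CDP extension
# of issued certificates, 4 include in CRLs so clients find delta CRLs, 8 use
# this AD location when publishing manually, 64 publish delta CRLs here.
# The %n tokens are expanded by the CA (%3 CA name, %8 CRL suffix,
# %9 delta suffix, %6 configuration container DN).
$cdp = @(
    "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"
    "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
    "6:$httpBase/%3%8%9.crl"
) -join "\n"
certutil -setreg CA\CRLPublicationURLs $cdp

# AIA locations. Flag bits: 1 publish the CA certificate here, 2 include in
# the AIA extension of issued certificates (32 would add an OCSP entry).
$aia = @(
    "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt"
    "3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
    "2:$httpBase/%1_%3%4.crt"
) -join "\n"
certutil -setreg CA\CACertPublicationURLs $aia

# Change the default CRL publishing metrics: weekly base CRL, no delta CRLs.
# Registry changes only take effect after the CA service restarts.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service CertSvc

# Manually publish the latest base CRL of this CA to every CDP location.
certutil -crl

# Make the offline root's certificate and CRL reachable: copy them to the HTTP
# folder, then publish them to Active Directory (trusted root store and CDP).
Copy-Item "$rootDir\ContosoRootCA.crt", "$rootDir\ContosoRootCA.crl" -Destination $webDir
certutil -dspublish -f "$rootDir\ContosoRootCA.crt" RootCA
certutil -dspublish -f "$rootDir\ContosoRootCA.crl"

# View the published CRL, then confirm every AIA/CDP URL in the chain can be
# fetched, using this CA's own certificate as the test subject.
certutil -dump "$webDir\ContosoRootCA.crl"
$subCaCert = Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll" -Filter *.crt |
    Select-Object -First 1
certutil -verify -urlfetch $subCaCert.FullName
```

The -verify -urlfetch output lists each CDP and AIA URL with its retrieval status, which is the quickest way to catch a location that was configured but never populated.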
-
Lab: Installing and Configuring AD CS
• Exercise 1: Installing the AD CS Server Role
• Exercise 2: Issuing and Installing a Subordinate Certificate
• Exercise 3: Publishing the CRL
Logon information
Virtual machine: G?6G+HDC>*, G?6G+H-(>*
User name: Contoso\Administrator
Password: Pa$$w0rd
Estimated time: 40 minutes
-
Lab Scenario
• Building upon the blueprint that was created in the previous lab, you have been asked to implement AD CS within the Contoso Pharmaceuticals infrastructure. Since this is the first AD CS role installed, you have been asked to perform the following tasks:
Install and configure the AD CS server role on a Windows Server 2008 server
Configure the server as a root Certification Authority (CA)
Install a subordinate server and configure the server to distribute certificates by using a Web interface
Change the default CRL publishing metrics, manually publish the CRL, and then view the CRL for the ContosoCA Certificate Authority
-
Lab Review
In this lab, you have:
• Installed the AD CS Server role with just the CA role service and configured it as a stand-alone root CA
• Installed an enterprise subordinate CA with the Web enrollment role service
• Issued the subordinate certificate
• Installed and verified the subordinate certificate
• Backed up the subordinate CA
• Restored the subordinate CA
• Examined the default CDPs and configured the CRL publication interval
• Manually published the CRL
• Viewed the published CRL
-
Module Review and Takeaways
• Review Questions
• Real-World Issues and Scenarios