6426b_03
TRANSCRIPT
-
8/18/2019 6426B_03
1/38
Module 3
Deploying and Managing Certificates
-
Module Overview
• Configuring Certificate Templates
• Deploying Certificates by Using AD CS
• Deploying Certificates by Using Autoenrollment
• Revoking Certificates
• Configuring Certificate Recovery
-
Lesson 1: Configuring Certificate Templates
• What Are Certificate Templates?
• Certificate Template Versions
• Certificate Template Categories and Purposes
• Configuring Certificate Template Permissions
• Methods for Updating a Certificate Template
• Demonstration: How to Modify and Enable a Certificate Template
-
What Are Certificate Templates?
Certificate templates define:
• Format and contents of a certificate
• Process of creating and submitting a valid certificate request
• Security principals that are allowed to read, enroll, or autoenroll for a certificate
• Permissions to read, enroll, autoenroll, or modify a certificate template
-
Certificate Template Versions
Version 1:
• Provided for backward compatibility
• Created by default when a CA is installed
• Cannot be modified or removed, but can be duplicated to become version 2 or 3 templates
Version 2:
• Allows customization of most settings in the template
• Several preconfigured templates are provided when a CA is installed
Version 3:
• Supports advanced Suite B cryptographic settings
• Includes advanced options for encryption, digital signatures, key exchange, and hashing
• Only supports Windows Server 2008 and Windows Vista
-
Certificate Template Categories and Purposes
Category | Single Purpose | Multiple Purposes
Users | Basic Encrypting File System (EFS); Authenticated Session; Smart Card Logon | Administrator; User; Smart Card User
Computers | Web Server; IPSec | Computer; Domain Controller
-
Configuring Certificate Template Permissions
Permission | Description
Full Control | Allows a security principal to modify all attributes
Read | Allows a security principal to find the certificate in Active Directory when enrolling
Write | Allows a security principal to modify all the attributes except permissions
Enroll | Allows a security principal to enroll for a certificate based on the certificate template
Autoenroll | Allows a security principal to receive a certificate through the autoenrollment process
-
Methods for Updating a Certificate Template
Modifying: Modify the original certificate template to incorporate the new settings
Superseding: Replace one or more certificate templates with an updated certificate template
(Figure labels: Original, Updated, Smart Card, Smart Card, Smart Cards, Two-Factor)
-
Demonstration: How to Modify and Enable a Certificate Template
• Create, modify, and supersede a template
• Issue a certificate to be used by a CA
-
Lesson 2: Deploying Certificates by Using AD CS
• What Is a Digital Certificate?
• Overview of Certificate Life Cycle
• Certificate Enrollment Methods
• Obtaining Certificates by Using Web Enrollment
• Obtaining Certificates by Using Manual Enrollment
• Demonstration: How to Manually Obtain a Certificate for a Web Service
• What Is NDES?
-
What Is a Digital Certificate?
(Figure: digital certificate diagram; recovered labels: "Public Cryptographic Key", "Sub")
-
Overview of Certificate Life Cycle
1. A user, computer, or service requests a certificate from a CA.
2. The CA generates a certificate.
3. The CA distributes the certificate to the user, computer, or service.
4. The certificate is used with PKI-enabled applications.
5. The certificate reaches the end of its lifetime.
6. The certificate is expired, renewed, or revoked.
-
Certificate Enrollment Methods
Method | Use
Web Enrollment | To request certificates from a Web site located on a CA; to issue certificates when autoenrollment is not available
Manual Enrollment | To request certificates by using the Certificates console or Certreq.exe when the requestor cannot communicate directly with the CA
Autoenrollment | To automate the request, retrieval, and storage of certificates for domain-based computers
Enrollment Agents | To provide a CA administrator the right to request certificates on behalf of another user
-
Obtaining Certificates by Using Web Enrollment
1. Connect to http://ServerName/certsrv by using a Web browser.
2. Click Request A Certificate.
3. Select the type of certificate that you want to request.
4. Type or verify your identification.
5. Install the certificate.
-
Obtaining Certificates by Using Manual Enrollment
(Figure: manual enrollment options: Certificates MMC, Web Server, NDES)
-
Demonstration: How to Manually Obtain a Certificate for a Web Service
• To perform enrollment by using one of the manual enrollment methods
-
What Is NDES?
(Figure labels: CA, Network Router, Network)
NDES:
• Uses SCEP to communicate with compatible network devices such as routers and switches
• Functions as an AD CS role service
• Requires IIS
-
Lesson 3: Deploying Certificates by Using Autoenrollment
• Discussion: Benefits and Uses of Autoenrollment
• Functioning of Autoenrollment
-
Discussion: Benefits and Uses of Autoenrollment
• How does autoenrollment simplify certificate management in your organization?
• What are examples of applications that can benefit from autoenrollment?
-
Functioning of Autoenrollment
• A certificate template is configured to allow Enroll and Autoenroll permissions for users who receive the certificates.
• The client machine receives the certificates during the next Group Policy refresh interval.
• An Active Directory Group Policy Object
-
Lesson 4: Revoking Certificates
• Reason Codes for Revoking a Certificate
• Demonstration: How to Revoke a Certificate
• What Is an Online Responder?
• How Online Responders Work
• Steps to Configure an Online Responder
• Demonstration: How to Configure an Online Responder
-
Reason Codes for Revoking a Certificate
Reason code | Description
Key compromise | A computer is stolen or a smart card is lost.
CA compromise | A CA certificate is compromised.
Affiliation change | An employee is terminated or suspended.
Superseded | An issued certificate is replaced.
Cessation of operation | A smart card has failed or the legal name of a user has changed.
Certificate hold | A certificate is put on hold temporarily.
Unspecified | A certificate is revoked without providing a reason.
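As an added example (not part of the course material), a PowerShell script that applies these reason codes on the CA with certutil: it checks that the serial number belongs to an issued certificate, revokes it with the chosen reason, publishes a new CRL, and displays the stored revocation record. The serial number and reason parameters are placeholders, and the certutil -view column names used (RequestID, Disposition, RevokedWhen, RevokedReason) are assumed to match the CA database schema.

```powershell
# Added example, not from the course: revoke a certificate with a reason code and publish the CRL.
# Run on the CA as a Certificate Manager. $SerialNumber is a placeholder supplied by the caller.
param(
    [Parameter(Mandatory)][string]$SerialNumber,
    [ValidateSet('Unspecified','KeyCompromise','CACompromise','AffiliationChanged',
                 'Superseded','CessationOfOperation','CertificateHold')]
    [string]$Reason = 'Unspecified'
)

# Numeric reason codes that certutil -revoke expects (the RFC 5280 CRLReason values)
$ReasonCode = @{
    Unspecified          = 0
    KeyCompromise        = 1
    CACompromise         = 2
    AffiliationChanged   = 3
    Superseded           = 4
    CessationOfOperation = 5
    CertificateHold      = 6   # the only reversible reason; see certutil -revoke -? for lifting a hold
}

# 1. Confirm the serial number exists in the CA database and is currently in the Issued state
$row = certutil -view -restrict "SerialNumber=$SerialNumber" -out "RequestID,Disposition,NotAfter"
if (($row -join "`n") -notmatch 'Issued') {
    throw "Serial $SerialNumber is not an issued certificate on this CA (or was not found)."
}

# 2. Revoke with the chosen reason
certutil -revoke $SerialNumber $ReasonCode[$Reason]
if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed with exit code $LASTEXITCODE" }

# 3. Publish a new base CRL so relying parties (and the Online Responder) see the change
certutil -crl
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }

# 4. Show the revocation record now stored in the CA database (Disposition 21 = Revoked)
certutil -view -restrict "SerialNumber=$SerialNumber" -out "RequestID,Disposition,RevokedWhen,RevokedReason"
```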
-
Demonstration: How to Revoke a Certificate
• Revoke a certificate
-
What Is an Online Responder?
Online Responder:
• Uses OCSP validation and revocation checking using HTTP
• Receives and responds dynamically to individual requests
• Supports only Windows Server 2008 and Windows Vista computers
• Functions as a responder to multiple CAs
-
How Online Responders Work
• An application verifies a certificate that contains locations to OCSP responders.
• If a cached OCSP response is not found, the Online Responder receives a request through HTTP.
• The Online Responder Web proxy component decodes and verifies the request.
• The Online Responder takes the request and checks a local CRL.
• The Web proxy encodes and sends the response back to the client.
-
Steps to Configure an Online Responder
Start
• Install the Online Responder Role Service
• Configure the CA
• Create a Revocation Configuration
Stop
-
Demonstration: How to Configure an Online Responder
• Configure the CA to support the Online Responder
• Install and configure the Online Responder role service
-
Lesson 5: Configuring Certificate Recovery
• Importance of Key Archival and Recovery
• Manually Exporting Certificates and Private Keys
• Configuring Automatic Key Archival
• Demonstration: How to Configure Key Archival
• Recovering a Lost Key
• Demonstration: How to Recover a Lost Key
-
Importance of Key Archival and Recovery
Keys get lost when:
• User profile is deleted
• Operating system is reinstalled
• Disk is corrupted
• Computer is stolen
Data recovery methods that use:
• Key archival and KRAs
• Manual key archival and recovery
-
Manually Exporting Certificates and Private Keys
You can use the following to export certificates:
• Certificates MMC snap-in
• Certification Authority MMC snap-in
• Certutil.exe
• Microsoft Office Outlook
• Internet Explorer
The tool used depends upon the certificate template upon which the certificate is based.
-
Configuring Automatic Key Archival
To configure automatic key archival:
• Configure and issue the KRA certificate template.
• Designate a person as the KRA and enroll for the certificate.
• Enable key archival on the CA.
• Modify and enable required certificate templates for key archival.
-
Demonstration: How to Configure Key Archival
• Configure key archival
-
Recovering a Lost Key
1. The private key is lost or corrupted.
2. The Certificate Manager finds the serial number of the certificate.
3. The Certificate Manager extracts the PKCS #7 from the CA.
4. The Certificate Manager transfers the PKCS #7 to the KRA.
5. The KRA recovers the private key.
6. The user imports the private key.
(Figure labels: Serial #, PKCS)
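As an added example (not part of the course material), the six recovery steps above carried out with certutil. Step 1 is the precondition; steps 2 and 3 run as a Certificate Manager on the CA, step 5 runs wherever the KRA private key is held, and step 6 runs in the user's own session. $UserUpn, $SerialNumber and the working directory are placeholders.

```powershell
# Added example, not from the course: recover an archived private key with certutil.
# All names and paths below are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)][string]$UserUpn,       # e.g. user@contoso.com (placeholder)
    [Parameter(Mandatory)][string]$SerialNumber,  # serial chosen from the step 2 listing
    [string]$WorkDir = "$env:TEMP\keyrecovery"
)
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 1 has already happened: the user's private key is lost or corrupted.

# Step 2 - Certificate Manager: list the archived keys for this user and note the serial number.
# With no output file, certutil -getkey only displays the recovery candidates (UPN is a valid search token).
certutil -getkey $UserUpn
if ($LASTEXITCODE -ne 0) { throw "No archived key candidates found for $UserUpn ($LASTEXITCODE)" }

# Step 3 - Certificate Manager: extract the encrypted PKCS #7 recovery blob for that serial number.
$Blob = Join-Path $WorkDir "$SerialNumber.p7b"
certutil -getkey $SerialNumber $Blob
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed ($LASTEXITCODE)" }

# Step 4 - transfer $Blob to the KRA. The blob is encrypted to the KRA certificate, so the
# Certificate Manager cannot read the private key; only the KRA key holder can open it.

# Step 5 - KRA: decrypt the blob and write certificate plus private key to a password-protected PFX.
# certutil -recoverkey prompts for the PFX password interactively.
$Pfx = Join-Path $WorkDir "$SerialNumber.pfx"
certutil -recoverkey $Blob $Pfx
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed ($LASTEXITCODE)" }

# Step 6 - user: import the PFX into the personal store (prompts for the password from step 5).
certutil -user -importpfx $Pfx
if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed ($LASTEXITCODE)" }

# Remove the recovery blob and PFX once the user has confirmed the key works.
Remove-Item $Blob, $Pfx -ErrorAction SilentlyContinue
```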
-
Demonstration: How to Recover a Lost Key
• Recover an archived certificate and a key from Active Directory
-
Lab: Deploying and Managing Certificates
• Exercise 1: Configuring AD CS Certificate Templates
• Exercise 2: Configuring AD CS Web Enrollment
• Exercise 3: Configuring Certificate Autoenrollment
• Exercise 4: Configuring AD CS Certificate Revocation
• Exercise 5: Managing Key Archival and Recovery
Logon information
Virtual machine: [email protected]HQDC01-B
User name: Contoso\Administrator
Password: Pa$$w0rd
Estimated time: 110 minutes
-
Lab Scenario
• Now that you have deployed an AD CS infrastructure, your IT Director wants to extend the functionality of the environment by providing a mechanism for users to automatically utilize the certificates. You have decided to implement certificate templates and make use of the autoenrollment mechanisms provided by AD CS.
• You must install and configure Windows Server 2008 computers to support certificate services in the organization. To do so, you must perform the following consolidation activities:
  • Install and configure Web enrollment for Certificate Services. Configure the associated Web site to use Secure Socket Layer (SSL).
  • Configure autoenrollment features in Group Policy for Certificate Services.
  • Configure certificate revocation and the Online Responder functionality of Certificate Services.
  • Implement custom certificate templates and a key archival and key recovery solution.
-
Lab Review: Deploying and Managing Certificates
In this lab, you have:
• Configured AD CS Certificate Templates
• Configured AD CS Web Enrollment
• Configured Certificate Autoenrollment
• Configured AD CS Certificate Revocation
• Managed Key Archival and Recovery
-
Module Review and Takeaways
• Review Questions