8/18/2019 6426B_03

1/38

Module 3

Deploying andManaging Certifcates

8/18/2019 6426B_03

2/38

Module Overview

• Configuring Certificate Templates

• Deploying Certificates by Using AD CS

• Deploying Certificates by Using Autoenrollment

• Revoing Certificates

• Configuring Certificate Recovery

8/18/2019 6426B_03

3/38

!esson "# Configuring Certificate Templates

• $%at Are Certificate Templates&

• Certificate Template 'ersions

• Certificate Template Categories and (urposes

• Configuring Certificate Template (ermissions

• Met%ods for Updating a Certificate Template

• Demonstration# )ow to Modify and *nable a CertificateTemplate

8/18/2019 6426B_03

4/38

$%at Are Certificate Templates&

• +ormat and contents of a certificate

• (rocess of creating and submitting a valid certificatere,uest

• Security principles t%at are allowed to read- enroll- orautoenroll for a certificate

• (ermissions to read- enroll- autoenroll- or modify acertificate template

Certificate templates define#

8/18/2019 6426B_03

5/38

Certificate Template 'ersions

• (rovided for bacward compatibility• Created by default w%en a CA is installed• Cannot be modified or removed but can be duplicated to become version . or

/ templates

'ersion "#

• Allows customi0ation of most settings in t%e template• Several preconfigured templates are provided w%en a CA is installed

'ersion .#

• Supports advanced Suite 1 cryptograp%ic settings• 2ncludes advanced options for encryption- digital signatures- ey e3c%ange-

and %as%ing• Only supports $indows Server .445 and $indows 'ista6

'ersion /#

8/18/2019 6426B_03

6/38

Certificate Template Categories and (urposes

Category Single (urpose Multiple (urposes

Users

Computers

1asic *ncrypting +ileSystem 7*+S8

Aut%enticated Session

Smart Card !ogon 

Administrator

 User

 Smart Card User 

$eb Server

 2(Sec

Computer

 Domain Controller

8/18/2019 6426B_03

7/38

Configuring Certificate Template (ermissions

(ermission Description

Allows a security principal to modify all attributes

Allows a security principal to find t%e certificate in Active

Directory w%en enrolling

Allows a security principal to modify all t%e attributese3cept permissions

Allows a security principal to enroll for a certificate basedon t%e certificate template

Allows a security principal to receive a certificate t%roug%t%e autoenrollment process

+ull Control

$rite

*nroll

Autoenroll

Read

8/18/2019 6426B_03

8/38

Met%ods for Updating a Certificate Template

  Modify t%e original certificatetemplate to incorporate t%e newsettings

Updated

Modifying

  Replace one or more certificatetemplates wit% an updatedcertificate template

Superseding

Smart Card

Smart Card

Smart Cards

Two9+actor

Original

8/18/2019 6426B_03

9/38

Demonstration# )ow to Modify and *nable aCertificate Template

• Create- modify- and supersede a template

• 2ssue a certificate to be used by a CA

8/18/2019 6426B_03

10/38

!esson .# Deploying Certificates by Using AD CS

• $%at 2s a Digital Certificate&

• Overview of Certificate !ife Cycle

• Certificate *nrollment Met%ods

• Obtaining Certificates by Using $eb *nrollment

• Obtaining Certificates by Using Manual *nrollment• Demonstration# )ow to Manually Obtain a Certificate for a$eb Service

• $%at 2s :D*S&

8/18/2019 6426B_03

11/38

$%at 2s a Digital Certificate&

(ublic Cryptograp%ic ;ey  Sub

8/18/2019 6426B_03

12/38

Overview of Certificate !ife Cycle

A user- computer- or servicere,uests a certificate from a

CA=

1

T%e CA generates acertificate=

2

T%e CA distributes t%ecertificate to t%e user-computer- or service=

3

T%e certificate is used wit%

(;29enabled applications=

4

T%e certificate reac%es t%eend of its lifetime=

5

T%e certificate ise3pired- renewed- orrevoed=

6

8/18/2019 6426B_03

13/38

Certificate *nrollment Met%ods

Met%od Use

• To automate t%e re,uest- retrieval- and storage of certificatesfor domain9based computers

• To re,uest certificates by using t%e Certificates console or

Certre,=e3e w%en t%e re,uestor cannot communicate directlywit% t%e CA

• To re,uest certificates from a $eb site located on a CA

• To issue certificates w%en autoenrollment is not available

• To provide a CA administrator t%e rig%t to re,uest certificateson be%alf of anot%er user

$eb *nrollment

Manual *nrollment

Autoenrollment

*nrollment Agents

8/18/2019 6426B_03

14/38

Obtaining Certificates by Using $eb *nrollment

Connect to

%ttp#>>ServerName >certsrv byusing a $eb browser=

Clic Re,uest A Certificate=

Select t%e type of certificatet%at you want to re,uest=

Type or verify youridentification=

2nstall t%e certificate=

2

3

1

5

4

8/18/2019 6426B_03

15/38

Obtaining Certificates by Using Manual *nrollment

Certificates MMC $eb Server :D*S

Manual *nrollment

8/18/2019 6426B_03

16/38

Demonstration# )ow to Manually Obtain aCertificate for a $eb Service

• To perform enrollment by using one of t%e manualenrollment met%ods

8/18/2019 6426B_03

17/38

$%at 2s :D*S&

CA

:etwor Router

:etwor

:D*S#

• Uses SC*( to communicate wit% compatible networ devices suc% as routersand switc%es

• +unctions as an AD CS role service

• Re,uires 22S

! / D l i C ifi b

8/18/2019 6426B_03

18/38

!esson /# Deploying Certificates byUsing Autoenrollment

• Discussion# 1enefits and Uses of Autoenrollment

• +unctioning of Autoenrollment

8/18/2019 6426B_03

19/38

Discussion# 1enefits and Uses of Autoenrollment

• )ow does autoenrollment simplify certificate management in yourorgani0ation&

• $%at are e3amples of applications t%at can benefit from autoenrollment&

8/18/2019 6426B_03

20/38

+unctioning of Autoenrollment

A certificate template is configured to allow- enroll-

and autoenroll permissions for users w%o receive t%ecertificates=

T%e client mac%ine receives t%e certificates during t%ene3t ?roup (olicy refres% interval=

An Active Directory ?roup (olicy Ob

8/18/2019 6426B_03

21/38

!esson @# Revoing Certificates

• Reason Codes for Revoing a Certificate

• Demonstration# )ow to Revoe a Certificate

• $%at 2s an Online Responder&

• )ow Online Responders $or

• Steps to Configure an Online Responder• Demonstration# )ow to Configure an Online Responder

8/18/2019 6426B_03

22/38

Reason Codes for Revoing a Certificate

Reason code Description 

;ey compromise A computer is stolen or a smart card is lost=

CA compromise A CA certificate is compromised=

Affiliation c%ange An employee is terminated or suspended=

Superseded An issued certificate is replaced=

Cessation of operation  A smart card %as failed or t%e legal name of a user

  %as c%anged=

Certificate %old   A certificate is put on %old temporarily=

Unspecified   A certificate is revoed wit%out providing a reason=

8/18/2019 6426B_03

23/38

Demonstration# )ow to Revoe a Certificate

• Revoe a certificate

8/18/2019 6426B_03

24/38

$%at 2s an Online Responder&

  Uses OCS( validation and

revocation c%ecing using )TT( 

Receives and respondsdynamically to individualre,uests 

Supports only $indows Server.445 and $indows 'ista6computers

+unctions as a responder tomultiple CAs 

Online Responder

8/18/2019 6426B_03

25/38

)ow Online Responders $or

An application verifies a certificate t%at contains locationsto OCS( responders=

2f a cac%ed OCS( response is not found- t%e OnlineResponder receives a re,uest t%roug% )TT(=

T%e Online Responder $eb pro3y component decodes andverifies t%e re,uest=

T%e Online Responder taes t%e re,uest and c%ecs a

local CR!=

T%e $eb pro3y encodes and sends t%e response bac tot%e client=

8/18/2019 6426B_03

26/38

Steps to Configure an Online Responder

2nstall t%e Online

Responder Role Service

Configure t%e CA

Create a

Revocation Configuration

Stop

Start

8/18/2019 6426B_03

27/38

Demonstration# )ow to Configure an Online Responder

• Configure t%e CA to support t%e Online Responder

• 2nstall and configure t%e Online Responder role service

8/18/2019 6426B_03

28/38

!esson # Configuring Certificate Recovery

• 2mportance of ;ey Arc%ival and Recovery

• Manually *3porting Certificates and (rivate ;eys

• Configuring Automatic ;ey Arc%ival

• Demonstration# )ow to Configure ;ey Arc%ival

• Recovering a !ost ;ey• Demonstration# )ow to Recover a !ost ;ey

8/18/2019 6426B_03

29/38

2mportance of ;ey Arc%ival and Recovery

• User profile is deleted

• Operating system is reinstalled

• Dis is corrupted

• Computer is stolen

;eys get lost w%en#

  Data recovery met%ods t%at use#

• ;ey arc%ival and ;RAs

• Manual ey arc%ival and recovery

8/18/2019 6426B_03

30/38

Manually *3porting Certificates and (rivate ;eys

  Bou can use t%e following to e3port certificates#

• Certificates MMC snap9in

• Certification Aut%ority MMC snap9in

• Certutil=e3e

• Microsoft Office Outloo

• 2nternet *3plorer

T%e tool used depends upon t%e certificate template upon w%ic% t%e certificate is based=

8/18/2019 6426B_03

31/38

Configuring Automatic ;ey Arc%ival

Configure and issue t%e ;RA certificate template=

To configure automatic ey arc%ival#

Designate a person as t%e ;RA and enroll for

t%e certificate=

*nable ey arc%ival on t%e CA=

Modify and enable re,uired certificate templatesfor ey arc%ival=

8/18/2019 6426B_03

32/38

Demonstration# )ow to Configure ;ey Arc%ival

• Configure ey arc%ival

8/18/2019 6426B_03

33/38

Recovering a !ost ;ey

  T%e CertificateManager finds t%eserial number oft%e certificate=

2

  T%e private ey islost or corrupted=

1

  T%e Certificate

Manager e3tractst%e number(;CS from t%eCA=

3

  T%e user importst%e private ey=

6

  T%e ;RA recoverst%e private ey=

5

  T%e CertificateManager transferst%e number (;CS to t%e ;RA=

4

Serial # 44AD4/E

(;CS

8/18/2019 6426B_03

34/38

Demonstration# )ow to Recover a !ost ey

• Recover an arc%ived certificate and a ey from Active Directory

8/18/2019 6426B_03

35/38

!ab# Deploying and Managing Certificates

• *3ercise "# Configuring AD CS Certificate Templates

• *3ercise .# Configuring AD CS $eb *nrollment

• *3ercise /# Configuring Certificate Autoenrollment

• *3ercise @# Configuring AD CS Certificate Revocation

• *3ercise # Managing ;ey Arc%ival and Recovery

!ogon information

'irtual mac%ine E@.E19)FDC4"91

User name ContosoGAdministrator

(assword (aHHw4rd

Estimated time: 110 minutes

8/18/2019 6426B_03

36/38

!ab Scenario

• :ow t%at you %ave deployed an AD CS infrastructure- your 2T Directorwants to e3tend t%e functionality of t%e environment by providing a

mec%anism for users to automatically utili0e t%e certificates= Bou %avedecided to implement certificate templates and mae use of t%eautoenrollment mec%anisms provided by AD CS=

• Bou must install and configure $indows Server .445 computers tosupport certificate services in t%e organi0ation= To do so- you mustperform t%e following consolidation activities#

2nstall and configure $eb enrollment for Certificate Services= Configure t%e associated $eb site to use Secure Socet !ayer

7SS!8=

Configure autoenrollment features in ?roup (olicy for CertificateServices=

Configure certificate revocation and t%e Online Responderfunctionality of Certificate Services=

2mplement custom certificate templates and a ey arc%ival and eyrecovery solution=

8/18/2019 6426B_03

37/38

!ab Review# Deploying and Managing Certificates

2n t%is lab- you %ave#

• Configured AD CS Certificate Templates

• Configured AD CS $eb *nrollment

• Configured Certificate Autoenrollment

• Configured AD CS Certificate Revocation

• Managed ;ey Arc%ival and Recovery

8/18/2019 6426B_03

38/38

Module Review and Taeaways

• Review Fuestions