creating and managing digital certificates chapter eleven
TRANSCRIPT
![Page 1: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/1.jpg)
Creating and Managing Digital Certificates
Chapter Eleven
![Page 2: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/2.jpg)
Exam Objectives in this Chapter: Configure Active Directory directory
service for certificate publication. Plan a public key infrastructure (PKI) that
uses Certificate Services. Identify the appropriate type of certificate
authority to support certificate issuance requirements.
Plan the enrollment and distribution of certificates.
Plan for the use of smart cards for authentication.
![Page 3: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/3.jpg)
Lessons in this Chapter: Introducing Certificates Designing a Public Key Infrastructure Managing Certificates
![Page 4: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/4.jpg)
Certificates To provide this protection, Windows Server
2003 includes the components needed to create a PKI.
We need to understand: secret key encryption, the contents of a certificate, and the function of a certification authority.
![Page 5: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/5.jpg)
The Public Key Infrastructure A public key infrastructure is a collection
of software components and operational policies that govern the distribution and use of public and private keys, using digital certificates.
![Page 6: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/6.jpg)
Understanding Secret Key Encryption Encryption is essentially a system in which
one character is substituted for another. If you create a key specifying that the letter A
should be replaced by Q, the letter B by O, the letter C by T, and so forth, any message you encode using that key can be decoded by anyone else who has that key.
This is called secret key encryption, because you must protect the key from compromise.
![Page 7: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/7.jpg)
Public Key Encryption For encryption on a data network to be
both possible and practical, computers typically use a form of public key encryption.
In public key encryption, every user has two keys, a public key and a private key.
![Page 8: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/8.jpg)
Note: It is usually not practical to encrypt an
entire message for the purpose of digitally signing it.
Instead, most PKI systems create a hash from the message and then encrypt the hash using the private key.
A hash is a digital summary of the message created by removing redundant bits according to a specialized hashing algorithm.
![Page 9: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/9.jpg)
Using Certificates To distribute public keys, Windows Server
2003 and most other systems supporting a PKI use digital certificates.
A digital certificate is a document that verifiably associates a public key with a particular person or organization.
![Page 10: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/10.jpg)
Digital Certificate Contains:
The public key for a particular entity; information about the entity; and information about the certification authority (CA) that
issued the certificate.
![Page 11: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/11.jpg)
X.509 “The Directory: Public-key and Attribute
Certificate Frameworks,” defines the format of the certificates used by most PKI systems, including Windows Server 2003.
Every digital certificate contains these attributes:
Version, Serial number, Signature algorithm identifier, Issuer name, Validity period, Subject name
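The six attributes listed above are the leading fields of the X.509 TBSCertificate structure, encoded in DER. The following example, added here and not part of the slides, encodes a certificate body carrying exactly those fields and parses it back, so the layout (tag, length, value; a [0] EXPLICIT version; an AlgorithmIdentifier holding an OID; Names as SEQUENCE OF SET OF attribute/value pairs; UTCTime validity bounds) can be inspected without any third-party library. The names, serial number and dates are constructed sample values; the OIDs are the standard ones for sha256WithRSAEncryption and commonName.

```python
# Added example: DER-encode and parse the X.509 fields the slide lists.
# Sample names, serial and dates are constructed; OIDs are the real ones.

SHA256_WITH_RSA = "1.2.840.113549.1.1.11"   # signatureAlgorithm OID
COMMON_NAME = "2.5.4.3"                     # id-at-commonName


def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:                     # base-128 with continuation bits
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def encode_int(value):
    # One extra bit of headroom keeps the sign bit clear for positive integers.
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_name(common_name):
    # Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AttributeTypeAndValue)
    attr = tlv(0x30, encode_oid(COMMON_NAME) + tlv(0x0C, common_name.encode()))
    return tlv(0x30, tlv(0x31, attr))


def encode_tbs(serial, issuer_cn, subject_cn, not_before, not_after):
    """TBSCertificate prefix: version, serial, algorithm, issuer, validity, subject."""
    version = tlv(0xA0, encode_int(2))        # [0] EXPLICIT; v3 is encoded as 2
    algorithm = tlv(0x30, encode_oid(SHA256_WITH_RSA) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, not_before.encode()) + tlv(0x17, not_after.encode()))
    return tlv(0x30, version + encode_int(serial) + algorithm
               + encode_name(issuer_cn) + validity + encode_name(subject_cn))


def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(content):
    parts = []
    for _, rdn in children(content):
        for _, attr in children(rdn):
            (_, oid), (_, value) = children(attr)
            label = "CN" if decode_oid(oid) == COMMON_NAME else decode_oid(oid)
            parts.append(f"{label}={value.decode()}")
    return ",".join(parts)


def parse_tbs(der):
    _, content, _ = read_tlv(der)
    (_, ver), (_, serial), (_, alg), (_, issuer), (_, validity), (_, subject) = children(content)
    return {
        "version": int.from_bytes(children(ver)[0][1], "big") + 1,
        "serial": int.from_bytes(serial, "big"),
        "signature_algorithm": decode_oid(children(alg)[0][1]),
        "issuer": decode_name(issuer),
        "validity": tuple(v.decode() for _, v in children(validity)),
        "subject": decode_name(subject),
    }


def demo():
    der = encode_tbs(4096, "Contoso Root CA", "server01.contoso.test",
                     "030601000000Z", "050601000000Z")   # constructed sample values
    return parse_tbs(der)
```

A real certificate continues with the subject public key, optional extensions, and then the CA's signature over the whole TBSCertificate; the parser above stops at the attributes the slide names, which is enough to see why the issuer name and serial number together identify a certificate on a CRL.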
![Page 12: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/12.jpg)
Using Public Key Encryption To use public key encryption, you must
obtain a certificate from an administrative entity called a certification authority (CA). A CA can be a third-party company that is
trusted to verify the identities of all parties involved in a digital transaction, or
it can be a piece of software on a computer running Windows Server 2003 or another operating system.
![Page 13: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/13.jpg)
Obtaining a certificate from a CA There are two ways to obtain a certificate:
manual or automatic.
The CA issues a public key and a private key as a matched pair. The private key is stored on the user’s
computer in encrypted form, and the public key is issued as part of a certificate.
![Page 14: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/14.jpg)
Using Internal and External CAs For a certificate to be useful in securing a digital
transaction, it must be issued by an authority that both parties to the transaction trust to verify each other’s identities.
If you want to ensure that internal communications in your organization are secure, you would be best served by installing your own CAs.
For securing external transactions, the best practice is to obtain certificates from a neutral third-party organization that functions as a commercial certification authority.
![Page 15: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/15.jpg)
Understanding PKI Functions Network administrators can perform the
following tasks: Publish certificates Enroll clients Use certificates Renew certificates Revoke certificates
![Page 16: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/16.jpg)
Practice: Viewing a Certificate
Page 11-7
![Page 17: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/17.jpg)
Designing a Public Key Infrastructure Defining Certificate Requirements
Digital signatures Encrypting File System user and recovery
certificates Internet authentication IP Security Secure e-mail Smart card logon Software code signing Wireless network authentication
![Page 18: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/18.jpg)
Creating a CA Infrastructure If you trust a particular root CA, you should also
trust any lower-level CAs that are authenticated and validated by that root CA.
Trusts between CAs flow downward through the hierarchy, just as file system permissions do.
Diagram: trust flows from the Root CA down to the Intermediate CA, and from the Intermediate CA down to the Issuing CA.
![Page 19: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/19.jpg)
Using Internal or External CAs The choice depends on the needs and
capabilities of your organization. The advantages and disadvantages of
using internal and external CAs are summarized in Table 11-2.
Use internal CAs to secure internal communications, and
use external CAs when you must secure communications with outside parties, such as customers.
![Page 20: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/20.jpg)
How Many CAs? A single CA running on Windows Server
2003 can support as many as 35 million certificates, issuing two million or more a day.
Factors that affect the performance of a CA, and therefore how many you need: number and speed of processors, key length, disk performance
![Page 21: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/21.jpg)
Creating a CA Hierarchy Root CAs are the only CAs that do not
have a certificate issued by a higher authority.
A root CA issues its own self-signed certificate, which functions as the top of the certificate chain for all the certificates issued by all the CAs subordinate to the root.
![Page 22: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/22.jpg)
Creating a CA Hierarchy cont. Subordinate CAs
Every CA in a PKI is either a root CA or a subordinate CA. A root CA is the parent that issues certificates to the subordinate CAs beneath it.
If a client trusts the root CA, it must also trust all the subordinate CAs that have been issued certificates by the root CA.
![Page 23: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/23.jpg)
Creating a CA Hierarchy cont. Subordinate CAs can also issue certificates
to other subordinate CAs. Every certificate issued by every CA in the
hierarchy can trace its trust relationships back to a root CA.
This hierarchy of relationships is called a certificate chain.
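The two ideas the slides have built up so far, signing a hash rather than the whole message (the Note on digital signatures) and tracing every certificate back through its issuers to a trusted root (the certificate chain), fit together in one small piece of code. The example below is added here and is not from the slides or from Windows Certificate Services: textbook RSA on seven-digit primes stands in for a real signature algorithm so that it runs on the standard library alone (such key sizes are illustrative only), each certificate is reduced to subject, issuer, public key and the issuer's signature over those fields, and `verify_chain` walks the issuer links upward, checking each signature with the parent's public key, until it reaches a root that is in the trust store. The `Cert`, `issue` and `verify_chain` names and the sample CA names are this example's own.

```python
import hashlib
from math import gcd

# Added example (not from the slides). Toy RSA on small primes illustrates
# hash-then-sign and chain walking; the key sizes here are not secure.

MAX_CHAIN_DEPTH = 8                    # bound the walk so a cycle cannot loop forever


def toy_keypair(p, q, e=65537):
    assert all(pow(2, x - 1, x) == 1 for x in (p, q)), "p and q must be prime"
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))      # (public key, private key)


def digest_as_int(message, n):
    # Hash-then-sign: the SHA-256 digest (reduced to fit the toy modulus) is
    # what gets signed, not the message itself.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    n, d = private_key
    return pow(digest_as_int(message, n), d, n)


def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message, n)


class Cert:
    """Minimal certificate: subject, issuer, subject's public key, issuer's signature."""

    def __init__(self, subject, issuer, public_key):
        self.subject, self.issuer, self.public_key = subject, issuer, public_key
        self.signature = None

    def tbs(self):
        """The bytes the issuer signs (a stand-in for the DER TBSCertificate)."""
        n, e = self.public_key
        return f"{self.subject}|{self.issuer}|{n}|{e}".encode()


def issue(subject, subject_public_key, issuer_name, issuer_private_key):
    cert = Cert(subject, issuer_name, subject_public_key)
    cert.signature = sign(cert.tbs(), issuer_private_key)
    return cert


def verify_chain(leaf, intermediates, trusted_roots):
    """Walk issuer links upward; return the chain's subject names, or None if a
    signature fails or the walk never reaches a trusted root."""
    by_subject = {c.subject: c for c in intermediates}
    roots = {c.subject: c for c in trusted_roots}
    chain, current = [leaf], leaf
    for _ in range(MAX_CHAIN_DEPTH):
        if current.issuer in roots:
            root = roots[current.issuer]
            if verify(current.tbs(), current.signature, root.public_key):
                return [c.subject for c in chain + [root]]
            return None
        parent = by_subject.get(current.issuer)
        if parent is None or not verify(current.tbs(), current.signature, parent.public_key):
            return None
        chain.append(parent)
        current = parent
    return None


def demo():
    root_pub, root_priv = toy_keypair(1000003, 1000033)
    ca_pub, ca_priv = toy_keypair(1000037, 1000039)
    leaf_pub, _ = toy_keypair(999983, 999979)
    rogue_pub, rogue_priv = toy_keypair(1009, 1013)

    root = issue("Root CA", root_pub, "Root CA", root_priv)          # self-signed
    issuing = issue("Issuing CA", ca_pub, "Root CA", root_priv)
    server = issue("server01.contoso.test", leaf_pub, "Issuing CA", ca_priv)
    # Same subject and issuer names, but signed by a key the issuing CA never held.
    forged = issue("server01.contoso.test", rogue_pub, "Issuing CA", rogue_priv)

    return (verify_chain(server, [issuing], [root]),
            verify_chain(forged, [issuing], [root]))
```

The forged certificate fails not because its names are wrong but because the signature does not verify under the issuing CA's public key; that is the whole point of the chain, since anyone can write "Issuing CA" into the issuer field. A production validator also checks validity periods, basic constraints, name constraints and revocation status at every link, none of which this toy does.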
![Page 24: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/24.jpg)
Understanding Windows Server 2003 CA Types Enterprise Enterprise CAs are integrated
into the Active Directory directory service. They use certificate templates, publish
their certificates and CRLs to Active Directory, and use the information in the Active Directory database to approve or deny certificate enrollment requests automatically.
![Page 25: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/25.jpg)
Understanding Windows Server 2003 CA Types cont.
Stand-alone Stand-alone CAs do not use certificate templates or Active Directory; they store their information locally.
By default, stand-alone CAs do not automatically respond to certificate enrollment requests, as enterprise CAs do.
Requests wait in a queue for an administrator to manually approve or deny them.
Stand-alone CAs are intended for situations in which users outside the enterprise submit requests for certificates.
![Page 26: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/26.jpg)
Smart Card Certificates If you plan to use smart cards to
authenticate users on your network, you must create enterprise CAs.
![Page 27: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/27.jpg)
Exam Tip Be sure to understand the differences
between enterprise root CAs, enterprise subordinate CAs, stand-alone root CAs, and stand-alone subordinate CAs.
![Page 28: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/28.jpg)
Configuring Certificates Criteria to consider when planning
certificate configurations are as follows: certificate type, encryption key length and algorithm, certificate lifetime, renewal policies
![Page 29: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/29.jpg)
Installing Certificate Services Add/Remove Programs
![Page 30: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/30.jpg)
Installing Certificate Services Components for
Certificate Services
![Page 31: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/31.jpg)
Installing Certificate Services Choose the CA Type
![Page 32: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/32.jpg)
Installing Certificate Services Information
![Page 33: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/33.jpg)
Installing Certificate Services Location of the
Certificate Logs
![Page 34: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/34.jpg)
Installing Certificate Services Certificate Services
will now install
![Page 35: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/35.jpg)
Installing Certificate Services Must have IIS installed
![Page 36: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/36.jpg)
Practice: Installing a Windows Server 2003
Certification Authority Page 11-16
![Page 37: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/37.jpg)
Managing Certificates
![Page 38: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/38.jpg)
Understanding Certificate Enrollment and Renewal The actual process by which CAs issue
certificates to clients varies, depending on the types of CAs you have installed.
If you have installed enterprise CAs, you can use auto-enrollment, in which the CA receives certificate requests from clients, evaluates them, and automatically determines whether to issue the certificate or deny the request.
![Page 39: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/39.jpg)
Exam Tip Be sure to understand the circumstances
in which clients use auto-enrollment and manual enrollment, and be familiar with the Microsoft Management Console (MMC) snap-ins used to manage certificates and certification authorities.
![Page 40: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/40.jpg)
Using Auto-Enrollment Auto-enrollment enables clients to
automatically request and receive certificates from a CA with no manual intervention from administrators.
![Page 41: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/41.jpg)
Using Auto-Enrollment cont.
To use auto-enrollment, you must have domain controllers running Windows Server 2003, an enterprise CA running on Windows Server 2003, and clients running Microsoft Windows XP Professional.
You control the auto-enrollment process using a combination of group policy settings and certificate templates.
![Page 42: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/42.jpg)
Auto-Enrollment In a GPO
![Page 43: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/43.jpg)
Using Manual Enrollment Stand-alone CAs cannot use auto-enrollment,
so when a stand-alone CA receives a certificate request from a client, it stores the request in a queue until an administrator decides whether to issue the certificate.
![Page 44: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/44.jpg)
Manually Requesting Certificates Using the Certificates
Snap-in
![Page 45: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/45.jpg)
Manually Requesting Certificates Using Web Enrollment To function properly, this module requires
you to have IIS installed on the computer first, along with support for ASP.
The Web Enrollment Support interface is intended to give internal or external network users access to stand-alone CAs.
![Page 46: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/46.jpg)
Revoking Certificates You must revoke certificates that are no longer usable when:
a private key is compromised, or
an unauthorized user has gained access to the CA, or
you want to issue a certificate using different parameters, such as longer keys.
![Page 47: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/47.jpg)
Revoking Certificates By selecting the Revoked Certificates
folder in the Certification Authority console and then displaying its Properties dialog box, you can specify how often the CA should publish a new CRL, and also configure the CA to publish delta CRLs.
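Publishing a CRL on a schedule, and delta CRLs in between, only helps if relying parties merge the two lists and refuse to trust a list past its next-update time. The example below is added here and is not from the slides or from Certificate Services: it models a base CRL and a delta CRL as plain dictionaries (serial number to revocation time and reason, plus CRL number, thisUpdate and nextUpdate), merges them the way a client does, and reports a certificate as `good`, `revoked:<reason>` or `unknown` when the freshest list has expired. The reason names are the RFC 5280 ones for the three cases the previous slide gives (key compromise, CA compromise, superseded); the serial numbers and dates are constructed.

```python
from datetime import datetime, timedelta

# Added example (not from the slides): base CRL + delta CRL status check.
# Serial numbers and dates below are constructed sample values.


def publish_crl(number, this_update, lifetime, revoked, delta_of=None):
    """revoked maps serial -> (revocation time, reason). delta_of is the base
    CRL number a delta CRL extends; None marks a base CRL."""
    return {"number": number, "thisUpdate": this_update,
            "nextUpdate": this_update + lifetime,
            "revoked": dict(revoked), "baseNumber": delta_of}


def effective_revocations(base, delta=None):
    """Revoked set as a relying party sees it: base entries plus delta entries."""
    merged = dict(base["revoked"])
    if delta is not None:
        if delta["baseNumber"] != base["number"]:
            raise ValueError("delta CRL was issued against a different base CRL")
        merged.update(delta["revoked"])   # entries added since the base was built
    return merged


def check_status(serial, base, delta, now):
    """'good', 'revoked:<reason>', or 'unknown' when the list we rely on has
    passed nextUpdate (fail closed instead of trusting a stale CRL)."""
    freshest = delta if delta is not None else base
    if now > freshest["nextUpdate"] or now > base["nextUpdate"]:
        return "unknown"
    entry = effective_revocations(base, delta).get(serial)
    return f"revoked:{entry[1]}" if entry else "good"


def demo():
    t0 = datetime(2003, 6, 1, 9, 0)
    # Weekly base CRL: one certificate revoked for key compromise.
    base = publish_crl(7, t0, timedelta(days=7), {
        0x1001: (t0 - timedelta(days=2), "keyCompromise"),
    })
    # Daily delta CRL two days later: a certificate reissued with longer keys.
    delta = publish_crl(8, t0 + timedelta(days=2), timedelta(days=1), {
        0x1002: (t0 + timedelta(days=1, hours=4), "superseded"),
    }, delta_of=7)
    during = t0 + timedelta(days=2, hours=3)   # delta still current
    later = t0 + timedelta(days=4)             # delta expired, base still current
    return {
        "compromised": check_status(0x1001, base, delta, during),
        "superseded": check_status(0x1002, base, delta, during),
        "good": check_status(0x1003, base, delta, during),
        "stale_delta": check_status(0x1003, base, delta, later),
        "base_only": check_status(0x1002, base, None, later),
    }
```

The `base_only` case is the one to notice: a client that only fetched the weekly base CRL still reports the superseded certificate as good, because its revocation has not yet been folded into a new base. That gap is exactly what the delta CRL publication interval configured on the Revoked Certificates folder controls.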
![Page 48: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/48.jpg)
Practice: Requesting a Certificate
Exercise 1: Requesting a Certificate
Exercise 2: Issuing a Certificate
Page 11-26
Exercise 3: Retrieving a Certificate
Exercise 4: Viewing a Certificate
Page 11-27
![Page 49: Creating and Managing Digital Certificates Chapter Eleven](https://reader036.vdocuments.us/reader036/viewer/2022062309/5697bfdf1a28abf838cb2ced/html5/thumbnails/49.jpg)
Summary
Case Scenario Exercise
Page 11-29
Troubleshooting Lab
Page 11-30
Exam Highlights
Key Points
Key Terms
Page 11-32