Module 9:Designing Public Key

Infrastructure in Windows Server 2008

Module Overview

• Overview of PKI and Active Directory Certificate Services

• Designing a Certification Authority Hierarchy

• Designing Certificate Templates

• Designing Certificate Distribution and Revocation

Lesson 1: Overview of PKI and Active Directory Certificate Services

• Applications That Use PKI

• Certification Authorities and PKI

• Internal and Public Certification Authorities

• Active Directory Certificate Services in Windows Server 2008

Applications That Use PKI

A Windows Server PKI supports the following types of PKI-enabled applications:

Digital signatures

Smart card logon

Secure e-mail

Software code signing

IP security

802.1x

Software restriction policy

Internet authentication

Encrypting File System

Certification Authorities and PKI

The CA performs the following tasks:

Common CA roles:

• Root CA • Intermediate CA• Policy CA• Issuing CA

Types of CAs:

• Stand-alone• Enterprise

• Verifies the identity of a certificate requestor

• Verifies the identity of a certificate requestor

• Issues certificates to requestors

• Issues certificates to requestors

• Manages certificate revocation

• Manages certificate revocation

Internal and Public Certification Authorities

Internal CA Public CA

Expense No certificate cost Lower administrative cost

Flexibility More flexible Less flexible

Trust Within your Active Directory forest only Global level (Internet)

You can use both internal and public CAs, when doing so:

• Use public certificates for external Web pages, such as your Outlook Web Access site

• Use internally issued certificates for securing internal communications, such as smart card logons

Active Directory Certificate Services in Windows Server 2008

Windows Server 2008 Editions

Components Web Standard Enterprise Datacenter

CA No Yes Yes Yes

Network Device Enrollment Service

No No Yes Yes

Online Responder service

No No Yes Yes

Lesson 2: Designing a Certification Authority Hierarchy

• Certification Authority Hierarchy Roles

• Types of CA Hierarchies

• Guidelines for Designing a Certification Authority Hierarchy

Certification Authority Hierarchy Roles

Root CAs Subordinate CAs

• Most trusted CA in the hierarchy

• Should be physically secured

• Should not issue certificates except to subordinate CAs

• Often a stand-alone CA

• Certified by another CA

• Usually issues certificates to client computers

• Can certify subordinate CAs

• Often integrated with Active Directory

Common roles in a CA hierarchy include:

• Root CA

• Policy CA

• Issuing CA

Types of CA Hierarchies

Root CA

Issuing CAPolicy CA

Issuing CAIssuing CA

Root CA

Issuing CA

Policy CA

Issuing CA

Policy CA

Root CA

Issuing CA

Issuing CA

Issuing CA

Issuing CA

Root CA HierarchyRoot CA

HierarchyCross-Certification TrustCross-Certification Trust

Guidelines for Designing a Certification Authority Hierarchy

Consider the following guidelines when you design your organization’s CA hierarchy:

Decide how many CAs you require and where to locate them11

Select the CA type

Deploy the root CA first, keeping it offline

Keep the CA hierarchy three to four layers deep

Define security levels and appropriate CA policies

Implement role separation

22

33

44

55

66

Certificate Templates in Windows Server 2008

CA Operating System Certificate Template Supported

Version 1 Version 2 Version 3

Windows Server 2008 Datacenter Edition Yes Yes Yes

Windows Server 2008 Enterprise Edition Yes Yes Yes

Windows Server 2008 Standard Edition Yes No No

Lesson 4: Designing Certificate Distribution and Revocation

• Certificate Distribution and Enrollment

• Choosing Enrollment Method

• Certificate Autoenrollment

• Guidelines for Designing Certificate Revocation

Certificate Distribution and Enrollment

Web EnrollmentWeb Enrollment

Manual enrollmentManual enrollment

Certificates Snap-in

AutoenrollmentAutoenrollment

Enterprise CA

Enrollment agentsEnrollment agents

Network Device Enrollment Service

Network Device Enrollment Service

Choosing Enrollment Method

Autoenrollment for:

Windows 2000

Windows XP

Windows 2003 and

later

Users and computers Yes Yes Yes

Smart cards No Yes Yes

Only enterprise CAs support:

• Autoenrollment

• Smart card enrollment

Autoenrollment is available only for domain clients

Several autoenrollment settings can be configured through group policy; these include the following:

Certificate Autoenrollment

GPO Setting Description

Certificate Services Client – Autoenrollment

Defines whether autoenrollment is enabled or disabled

Renew expired certificates, update pending certificates, and remove revoked certificates

Enables automatic certificate renewal, and removes expired certificates

Update certificates that use certificate templates

Updates certificates as needed to conform to the associated certificate templates

Expiration NotificationEnables or disables expiration notifications (if enabled, you can control when notification will occur)

Guidelines for Designing Certificate Revocation

When designing certificate revocation, follow these guidelines:

Evaluate the potential benefits of supplementing CRLs with the use of Online Responders

Identify potential locations where Online Responders would be beneficial

Identify the installation configuration that best suits your organization

Identify the locations for every Online Responder and determine how they are to be managed

Test the Online Responder and PKI configuration