Module 9: Designing Public Key Infrastructure in Windows Server 2008
TRANSCRIPT
Module Overview
• Overview of PKI and Active Directory Certificate Services
• Designing a Certification Authority Hierarchy
• Designing Certificate Templates
• Designing Certificate Distribution and Revocation
Lesson 1: Overview of PKI and Active Directory Certificate Services
• Applications That Use PKI
• Certification Authorities and PKI
• Internal and Public Certification Authorities
• Active Directory Certificate Services in Windows Server 2008
Applications That Use PKI
A Windows Server PKI supports the following types of PKI-enabled applications:
Digital signatures
Smart card logon
Secure e-mail (S/MIME)
Software code signing
IP security (IPsec)
802.1X network access authentication
Software restriction policy (certificate rules)
Internet authentication (SSL/TLS for Web servers and clients)
Encrypting File System (EFS)
Certification Authorities and PKI
Common CA roles:
• Root CA • Intermediate CA • Policy CA • Issuing CA
Types of CAs:
• Stand-alone • Enterprise
The CA performs the following tasks:
• Verifies the identity of a certificate requestor
• Issues certificates to requestors
• Manages certificate revocation
Internal and Public Certification Authorities
              Internal CA                                                  Public CA
Expense       No per-certificate cost                                      Lower administrative cost (you run no CA)
Flexibility   More flexible (you control templates, policies, lifetimes)   Less flexible
Trust         Within your Active Directory forest by default               Global (root already trusted by Internet clients)
You can use both internal and public CAs. When you do:
• Use public certificates for externally facing Web sites, such as your Outlook Web Access site
• Use internally issued certificates for securing internal communications, such as smart card logon
Active Directory Certificate Services in Windows Server 2008
Windows Server 2008 editions

Component                            Web   Standard   Enterprise   Datacenter
CA                                   No    Yes        Yes          Yes
Network Device Enrollment Service    No    No         Yes          Yes
Online Responder service             No    No         Yes          Yes
Lesson 2: Designing a Certification Authority Hierarchy
• Certification Authority Hierarchy Roles
• Types of CA Hierarchies
• Guidelines for Designing a Certification Authority Hierarchy
Certification Authority Hierarchy Roles
Root CAs:
• Most trusted CA in the hierarchy; every chain ends at its self-signed certificate
• Should be physically secured
• Should not issue certificates except to subordinate CAs
• Often a stand-alone (offline) CA
Subordinate CAs:
• Certified by another CA
• Usually issue certificates to users and client computers
• Can certify further subordinate CAs
• Often integrated with Active Directory (enterprise CAs)
Common roles in a CA hierarchy include:
• Root CA
• Policy CA
• Issuing CA
Types of CA Hierarchies
[Diagram: Root CA hierarchy, in which a Root CA certifies Policy CAs and each Policy CA certifies Issuing CAs (or, in a two-tier form, the Root CA certifies Issuing CAs directly); and Cross-Certification Trust, in which two separate Root CA hierarchies certify each other.]
Guidelines for Designing a Certification Authority Hierarchy
Consider the following guidelines when you design your organization’s CA hierarchy:
1. Decide how many CAs you require and where to locate them
2. Select the CA type (stand-alone or enterprise) for each CA
3. Deploy the root CA first, and keep it offline
4. Keep the CA hierarchy no more than three to four layers deep
5. Define security levels and appropriate CA policies for each tier
6. Implement role separation (CA administrator, certificate manager, auditor, backup operator)
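The guidelines above (offline root first, defined policies, a shallow hierarchy) translate into a handful of concrete settings on the root CA. The script below is an added example, not part of the course material: it shows the two phases of standing up a stand-alone offline root on Windows Server 2008, a CAPolicy.inf written before the role is installed (the root issues itself with no CDP/AIA, since nobody can check a root's own revocation) and the certutil -setreg registry configuration applied afterwards. The forest name contoso.com, the publishing host pki.contoso.com and the 26-week CRL period are assumptions; Windows Server 2008 has no PowerShell cmdlets for AD CS, so the role itself is installed with Server Manager between the two phases.

```powershell
# Added example (not from the course): configure an offline stand-alone root CA
# on Windows Server 2008. Assumed: forest contoso.com, HTTP publishing point
# pki.contoso.com. Run elevated on the root CA.

# --- Phase 1: BEFORE installing the CA role ---------------------------------
# CAPolicy.inf in %WINDIR% is read by setup. Empty CDP/AIA keeps those
# extensions out of the root's own certificate; renewal values fix the key
# size and lifetime used when the root certificate is renewed later.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding ASCII
# Now install the Certification Authority role (stand-alone, root) with Server Manager.

# --- Phase 2: AFTER the role is installed -----------------------------------
# The root stays off the network, so the CRL and CA certificate it produces are
# copied by hand to the HTTP/LDAP locations named here. DSConfigDN lets the
# LDAP paths in issued certificates resolve once a subordinate publishes them.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=contoso,DC=com"   # assumed forest
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0          # no delta CRLs from an offline CA
certutil -setreg CA\ValidityPeriodUnits 10         # longest lifetime the root signs (subordinate CA certs)
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\AuditFilter 127                # audit every CA event (needs Object Access auditing enabled)

# URL flags: 1 = publish the file here, 2 = put the URL in the CDP/AIA extension
# of certificates this CA issues. Tokens: %1 server DNS name, %3 CA name,
# %4 certificate name, %8 CRL name suffix, %9 delta CRL suffix.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.com/pki/%1_%3%4.crt"

Restart-Service certsvc
certutil -crl      # publish a CRL with the new period; copy it and the .crt to pki.contoso.com

# Confirm what was stored before taking the root offline again.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CRLPeriodUnits
```

The CRL period is the one setting that most affects the operational burden of an offline root: every 26 weeks someone must power the root on, run certutil -crl and publish the file, or every chain below it stops validating.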
Lesson 3: Designing Certificate Templates
Certificate Templates in Windows Server 2008

CA operating system                        Certificate template versions supported
                                           Version 1   Version 2   Version 3
Windows Server 2008 Datacenter Edition     Yes         Yes         Yes
Windows Server 2008 Enterprise Edition     Yes         Yes         Yes
Windows Server 2008 Standard Edition       Yes         No          No
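Before choosing a CA edition, it helps to know which template versions the forest already relies on. The following is an added example, not code from the course: it reads the certificate template objects from the Configuration partition over ADSI and reports each template's schema version (1, 2 or 3) together with the minimum Windows Server 2008 edition that can issue it according to the table above. It assumes PowerShell 2.0 on a domain-joined machine; the template container path and the msPKI-Template-Schema-Version attribute are the standard ones in Active Directory.

```powershell
# Added example (not from the course): list certificate templates and the
# Windows Server 2008 CA edition required to issue each one. Assumes
# PowerShell 2.0 on a domain-joined machine; any domain user can read templates.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNC  = $rootDse.Properties["configurationNamingContext"].Value
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$report = foreach ($tpl in $container.Children) {
    # Schema version: 1 = built-in, read-only templates; 2 = Windows Server 2003
    # style (editable, autoenrollment); 3 = Windows Server 2008 (CNG algorithms).
    $version = [int]$tpl.Properties["msPKI-Template-Schema-Version"].Value

    # Per the edition table: Standard Edition issues version 1 only.
    $edition = "Standard"
    if ($version -ge 2) { $edition = "Enterprise or Datacenter" }

    New-Object PSObject -Property @{
        Template         = $tpl.Properties["cn"].Value
        DisplayName      = $tpl.Properties["displayName"].Value
        SchemaVersion    = $version
        MinimumCAEdition = $edition
    }
}

$report | Sort-Object SchemaVersion, Template |
    Format-Table Template, DisplayName, SchemaVersion, MinimumCAEdition -AutoSize

# Quick summary: how many templates a Standard Edition issuing CA could not serve.
$needEnterprise = @($report | Where-Object { $_.SchemaVersion -ge 2 }).Count
"Templates requiring Enterprise/Datacenter edition: $needEnterprise"
```

Version 3 templates additionally require Windows Vista or Windows Server 2008 on the enrolling client, so a forest with older clients usually keeps its autoenrolled templates at version 2 even on an Enterprise Edition CA.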
Lesson 4: Designing Certificate Distribution and Revocation
• Certificate Distribution and Enrollment
• Choosing an Enrollment Method
• Certificate Autoenrollment
• Guidelines for Designing Certificate Revocation
Certificate Distribution and Enrollment
Enrollment methods offered by an enterprise CA:
• Web enrollment
• Manual enrollment (Certificates snap-in)
• Autoenrollment
• Enrollment agents
• Network Device Enrollment Service
Choosing an Enrollment Method

Autoenrollment for:    Windows 2000   Windows XP   Windows Server 2003 and later
Users and computers    Yes            Yes          Yes
Smart cards            No             Yes          Yes
Only enterprise CAs support:
• Autoenrollment
• Smart card enrollment
Autoenrollment is available only to domain-joined clients, because the settings are delivered through Group Policy
Certificate Autoenrollment
Several autoenrollment settings can be configured through Group Policy, including the following:

GPO setting                                                                                  Description
Certificate Services Client – Autoenrollment                                                 Defines whether autoenrollment is enabled or disabled
Renew expired certificates, update pending certificates, and remove revoked certificates     Renews expiring certificates, retrieves pending requests, and removes revoked certificates from the store
Update certificates that use certificate templates                                           Re-enrolls certificates as needed to conform to the current version of their certificate template
Expiration notification                                                                      Enables or disables expiration notifications (if enabled, you can control when notification occurs)
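The settings in the table end up as a registry value on each client, and the result of applying them is a set of certificates in the machine store. The script below is an added example, not part of the course: run on a domain-joined client, it reads the autoenrollment policy value the GPO writes, forces an autoenrollment pass with certutil -pulse, and lists each machine certificate with the template it came from and the days left until expiry. The registry path is the one the Autoenrollment GPO uses; the bit values 0x1, 0x2 and 0x8000 are the autoenrollment flag definitions Windows uses for that value; PowerShell 2.0 on Windows Vista or later is assumed.

```powershell
# Added example (not from the course): verify autoenrollment on a domain client.
# Assumes PowerShell 2.0, Windows Vista/2008 or later, run elevated.

# 1. The "Certificate Services Client - Autoenrollment" GPO writes AEPolicy here.
#    0x8000 = disabled; 0x1 = renew/update pending/remove revoked; 0x2 = update
#    certificates that use templates (flag values from Windows' autoenrollment definitions).
$policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
$aePolicy = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).AEPolicy
if ($aePolicy -eq $null) {
    "Autoenrollment policy not configured (no AEPolicy value)"
} elseif ($aePolicy -band 0x8000) {
    "Autoenrollment DISABLED by policy (AEPolicy=0x{0:X})" -f $aePolicy
} else {
    "Autoenrollment enabled (AEPolicy=0x{0:X})" -f $aePolicy
    "  renew expired / update pending / remove revoked : {0}" -f [bool]($aePolicy -band 0x1)
    "  update certificates that use templates          : {0}" -f [bool]($aePolicy -band 0x2)
}

# 2. Trigger an autoenrollment pass now rather than waiting for the next policy refresh.
certutil -pulse | Out-Null

# 3. What autoenrollment produced. 1.3.6.1.4.1.311.20.2 carries the template
#    name (version 1 templates); 1.3.6.1.4.1.311.21.7 carries the template OID
#    and version (version 2 and 3 templates). No extension = manually issued.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $tplExt = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq "1.3.6.1.4.1.311.21.7" -or $_.Oid.Value -eq "1.3.6.1.4.1.311.20.2" } |
        Select-Object -First 1
    $template = "(no template information)"
    if ($tplExt) { $template = $tplExt.Format($false) }
    New-Object PSObject -Property @{
        Subject  = $cert.Subject
        Template = $template
        DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
} | Sort-Object DaysLeft | Format-Table Subject, Template, DaysLeft -AutoSize
```

Run it under the user's own account with Cert:\CurrentUser\My to check user autoenrollment; a certificate whose DaysLeft keeps shrinking past the template's renewal period is the symptom to investigate (client not in the template's Enroll and Autoenroll ACL, or the renew setting unchecked in the GPO).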
Guidelines for Designing Certificate Revocation
When designing certificate revocation, follow these guidelines:
• Evaluate the potential benefits of supplementing CRLs with Online Responders (OCSP), which answer per-certificate status queries instead of requiring clients to download the whole CRL
• Identify the locations where Online Responders would be beneficial (sites with many clients or slow links to the CRL distribution points)
• Identify the installation configuration that best suits your organization (a single Online Responder, or an Online Responder array for redundancy and load distribution)
• Identify the location of every Online Responder and determine how they are to be managed
• Test the Online Responder and PKI configuration from a client before relying on it
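The last guideline, testing revocation checking from a client, is the step most often skipped. The script below is an added example and not part of the course: given an issued certificate exported to a file, it prints the OCSP and CRL URLs the certificate carries (so you can see whether it actually points at your Online Responder), builds the chain with online revocation checking and reports any element whose status could not be determined, and finally runs certutil -verify -urlfetch, which shows per URL whether the CRL and OCSP fetches succeeded. The file path C:\pki\test.cer is an assumption; PowerShell 2.0 with .NET 3.5 on a domain-joined client is assumed.

```powershell
# Added example (not from the course): check revocation information and
# reachability for an issued certificate. Assumes PowerShell 2.0 / .NET 3.5;
# save as Test-Revocation.ps1 and pass the path to an exported .cer file.
param([string]$CertPath = "C:\pki\test.cer")   # assumed path

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Where does the certificate say revocation status can be obtained?
#    AIA (1.3.6.1.5.5.7.1.1) holds the OCSP URL under access method 1.3.6.1.5.5.7.48.1;
#    CDP (2.5.29.31) holds the CRL URLs.
foreach ($oid in "1.3.6.1.5.5.7.1.1", "2.5.29.31") {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        "{0}:" -f $ext.Oid.FriendlyName
        [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { "  " + $_.Groups[1].Value }
    } else {
        "No extension $oid - clients cannot check revocation for this certificate"
    }
}

# 2. Build the chain the way a client would, checking every element online.
#    The root is excluded because, by design, it carries no CDP/AIA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan 0, 0, 15
$ok = $chain.Build($cert)

"Chain valid: $ok"
foreach ($element in $chain.ChainElements) {
    $status = "OK"
    if ($element.ChainElementStatus.Count -gt 0) {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ", "
    }
    "  {0,-55} {1}" -f $element.Certificate.Subject, $status
}
# RevocationStatusUnknown or OfflineRevocation above means no responder or CRL
# could be reached or none had fresh data: exactly the failure mode to test for.

# 3. certutil reports each CDP/AIA URL it tried and whether CRL or OCSP answered.
certutil -verify -urlfetch $CertPath | Select-String -Pattern "OCSP", "CRL", "Verified", "Failed"
```

Run it from each site where you plan an Online Responder, not just from the CA subnet; a responder that is reachable from the data centre but not from a branch office provides no benefit to the clients the guidelines place it there for.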