2008 R2 ADS Vocabulary - Session 6 Flashcards
Certificate Authorities
Secure communication of data over a network can be achieved by encrypting the data. You can encrypt the data before transmission by using a key and decipher it by using the same key after it reaches the desired location. You can ensure security of data by sharing the key only between trusted objects.
When configuring a CA you need to specify its type.
Enterprise Root CA or Enterprise Subordinate CA
Enterprise CAs are integrated in Active Directory Domain Services (AD DS).
Enterprise CAs are integrated in
Active Directory Domain Services (AD DS). These CAs use certificate templates, and publish their certificates and CRLs to AD DS. Certificate templates are predefined configurations that enable a CA to create new certificates by using predefined settings. Information in an AD database is used to approve or deny a certificate enrollment request automatically.
An enterprise CA can be specified as a
root or subordinate CA. Only one root enterprise CA is permissible in a root hierarchy. All the other CAs in the hierarchy should be enterprise subordinate CAs, which obtain certificates from the root enterprise CA and can issue certificates.
Stand-Alone Root CA or Stand-Alone Subordinate CA
Stand-alone CAs do not use certificate templates and do not require AD DS. These CAs do not respond to certificate enrollment requests automatically.
A stand-alone CA can be specified as a
root CA with a stand-alone subordinate CA. If only one stand-alone CA is created then it should be a root CA, because every CA hierarchy should be traceable to a root CA.
A root CA is the
first role service that is installed in AD CS.
After setting up a root CA, a subordinate CA can also be installed in the
hierarchy of the PKI of an organization to secure the root CA. The root CA can issue a certificate to the subordinate CA, which in turn can then respond to requests for certificates from users.
Setting up an enterprise subordinate CA requires
a network connection to a domain controller.
Configuring Autoenrollment
Two tasks need to be completed to automatically enroll clients for certificates in a domain environment:
- Configure a certificate template with Auto-enroll permissions
- Configure an autoenrollment group policy within the domain
A CA evaluates
certificate requests and issues certificates, if the predefined conditions set for allocating certificates to requesters are fulfilled.
The allocation of a certificate to an entity or a user is known as
certificate enrollment.
A user needs to submit a request for a certificate to a
CA.
The format of the request, such as PKCS #10 or PKCS #7, should be able to specify
the identity of the user requesting the certificate.
The CA issues the certificate to the
requester after verifying the identity of the requester.
When a CA receives an enrollment request, the following actions take place:
- The CA decrypts the digital signature in the certificate
- The CA performs a hash on the request
- The CA digitally signs the user’s public key
- The user distributes copies of its X.509 certificate
- Entities authenticate the user’s X.509 certificate
Issuing the Certificate Template
After configuring a certificate template for autoenrollment and configuring the GPO settings, you need to
issue the certificate template. This will ensure that certificates requested based on the certificate template will be automatically processed by the CA. Some certificate templates, by default, are already configured to be issued.
If the certificate template is not already configured to be issued, then you need to
configure the template in the Certification Authority console.
Configuring Default CA Settings
The administrator can configure two default actions that a CA can take on receiving a certificate request:
- The certificate request can be automatically approved by the CA
- The CA administrator can review the request, which changes the status of the request to pending in the CA, and take appropriate actions
Issued certificates can be stored locally on the
computer or device that requested the certificate.
Certificates that are issued by a CA are stored
in the CA’s certificate store.
When a certificate is issued, it is copied to
FileName.cer,
where FileName is the
request ID of the certificate request. The file is copied to the CertEnroll folder on the CA.
CONFIGURE CA SERVER SETTINGS
Assigning Roles to Users
The administration of an organization or any other group can be divided according to roles. The administration of a CA can be organized by using separate CA roles. This administration is known as role-based administration.
In a CA, a role is assigned to a user by assigning the security settings of the role. Security settings associated with a role are specific for every role.
All roles in a CA are assigned and modified by the members of the local Administrators, Enterprise Admins, or Domain Admins groups. In an enterprise CA, the role of CA administrator is assigned to the members of these groups by default.
In a stand-alone CA, the role of the CA administrator is only assigned to the members of the Local Administrators group. By default, the administrator role is also assigned to the members of the Domain Admins group in a stand-alone CA, if the stand-alone CA is joined to an Active Directory domain.
There are four roles that can be assigned to users in a CA:
Certificate Manager
Auditor
CA Administrator
Backup Operator
Certificate Manager
can approve certificate enrollment and revocation requests. This role can be configured by using the Certification Authority snap-in.
Auditor
can configure, maintain, and view audit logs. This role is an operating system role.
CA Administrator
The CA administrator can renew a CA certificate and assign all the other roles to the users. This role is a built-in account in a CA by default and it can be configured by using the Certification Authority snap-in.
Backup Operator
can perform system backup and recovery.
The Issue and Manage Certificates permission is assigned to this role.
Certificate Manager
The Manage Auditing and Security Log permission is assigned to this role.
Auditor
A user who has been assigned the CA administrator role can configure and maintain a
CA Administrator
The Manage CA security permission is assigned to this role.
CA Administrator
The Backup Files and Directories permission and the Restore Files and Directories permission are assigned to this role.
Backup Operator
Backing Up and Restoring a CA
You need to back up the CA database to a different location so that it can be restored in the case of a system failure.
The CA administrator, members of the Backup Operators group, or users with the same privileges can perform the
CA backup process.
The CA administrator, members of the Backup Operators group, or users with
the same privileges can perform the restoration process of a CA.
The restoration process only needs to be carried out for a CA, because a CA can be restored
without restoring the server.
MANAGE CERTIFICATE TEMPLATES
Certificate Templates
AD CS in Windows Server 2008 R2 enables you to issue and manage certificates for a PKI. A PKI includes several CAs, directories, and resources that provide validation and revocation information for the certificates.
If your computer is running Windows Server 2008 R2, AD CS will enable you to
- Receive requests for certificates from users and computers
- Verify the identity of a requestor
- Issue and revoke certificates
- Publish a CRL
A CRL is a
digitally signed list of unexpired certificates revoked by a CA administrator.
Certificate templates are a set of
rules and settings configured for a CA that are applied to incoming certificate requests.
Enterprise Certificate templates are stored in
AD DS
This enables them to be used by all CAs in a forest and ensures that the CAs have access to the current standard templates.
Enterprise Certificate templates
Some default certificate templates available in Windows Server 2008 R2-based enterprise CAs are as follows:
- Computer
- Cross-Certification Authority
- Directory E-mail Replication
- CEP Encryption
- Code Signing
- Domain Controller
- Domain Controller Authentication
- EFS Recovery Agent
Microsoft CAs support three types of certificate template versions:
- Version 1 - Windows Server 2000 and Windows Server 2003 Standard Edition CAs (support for version 1)
- Version 2 - Windows Server 2003 Datacenter and Enterprise Edition CAs (support for versions 1 and 2)
- Version 3 - Windows Server 2008 R2 CAs (support for versions 1, 2, and 3)
The permissions that you can assign to a certificate template are as follows:
- Full Control
- Enroll
- Autoenroll
- Read
- Write
MANAGE ENROLLMENTS
Configuring an RA and the NDES
The Simple Certificate Enrollment Protocol
(SCEP)
The Simple Certificate Enrollment Protocol (SCEP) is a communication protocol that
authenticates the software running on network devices such as routers and switches.
Windows Server 2008 R2 implements SCEP through Network Device Enrollment Service (NDES).
In addition to authenticating software running on network devices, NDES does the following:
- It recovers certification requests that are pending with a CA
- It accepts authentication requests
- It prepares and sends one-time enrollment passwords for administrators
Enrolling for a certificate with NDES involves the
software used to manage the network device, the Registration Authority (RA), the computer hosting NDES, and the CA.
To set up and use NDES, perform two steps:
configure a user account to act as an RA for certificate requests, and then configure and install NDES.
To configure a user account to serve as the RA that NDES will use to authorize certificate requests,
add the user account to the IIS_IUSRS group.
This group is a built-in security group that
IIS uses to establish and work with remote connections. No user is a member of the IIS_IUSRS group by default.
Installing the Web Enrollment Service
Certification Authority Web Enrollment service enables users outside a domain to obtain new and renewed certificates from a CA over the Internet or over an intranet connection, via a web-based enrollment process.
Submitting Certificate Requests
As a user, you access the AD CS web page for enrolling with a CA by opening a web browser and navigating to the URL for the certificate server. The URL can include the server’s name or IP address, followed by /certsrv.
Configuring Enrollment Agents
In an organization with multiple branches and Enterprise CAs in the PKI, you can enable enrollment agents to send enrollment requests on behalf of clients. Enrollment agents may be members of the corporate security, IT security, or helpdesk teams.
Each of the enrollment agents must be issued with an enrollment agent certificate from a CA.
Windows Server 2008 R2 enables different types of enrollment agents by making use of various certificate templates:
Enrollment Agent
Enrollment Agent (computer)
Exchange Enrollment Agent (offline request)
Enrollment Agent
The Enrollment Agent template enables a user to request certificates on behalf of other users.
Enrollment Agent (computer)
The Enrollment Agent (computer) template enables a user to request certificates for computers.
Exchange Enrollment Agent (offline request)
The Exchange Enrollment Agent (offline request) template enables a user to request certificates on behalf of another user and to provide the subject name in the request. This template is used by NDES for its enrollment agent certificate.
Only members of the Enterprise Admins and CA administrator groups, or those with equivalent privileges, can configure an enrollment agent.
Configuring Smart Card Enrollment
A smart card is a small electronic device that contains electronic information. A PKI certificate can be granted for a smart card to secure smart card transactions, such as computer logons.
In Windows Server 2008 R2, users can request smart card certificates via a smart card enrollment station.
Smart card enrollment stations are useful because they
- Simplify the physical preparation of the cards that need to be issued
- Reduce the possibility of certificate service interruption
- Prevent users from validating their own identification and issuing their own certificates
CERTIFICATE REVOCATION
Install an Online Responder
Windows Server 2008 R2 provides built-in CA digital signature technology within AD CS.
When any certificate is issued, it has a validity period defined by a CA administrator. Usually this is one or two years. The certificate contains the digital signature of the certificate issuer, and a user’s public key and identity. The user is also issued a corresponding private key.
A CRL is a
digitally signed list of unexpired certificates that a particular CA has revoked.
A CA may revoke an otherwise valid certificate if, for example,
the private key associated with the certificate has been compromised.
A CRL, like a certificate, is valid only for a
specified period to ensure that it does not apply after a certain amount of time.
The AD CS supports two types of CRLs.
A Base CRL
A Delta CRL
A Base CRL
is a full, initial set of revoked certificates
A Delta CRL
lists only certificates that have been revoked since the last full Base CRL was published.
A CRL Distribution Point
(CDP)
is a certificate extension that indicates where the CRL for a particular CA can be retrieved. For each revoked certificate, you need to identify a corresponding CDP.
A CRL can be published to
different locations using Lightweight Directory Access Protocol (LDAP), HTTP, or file paths. Using CDPs enables PKI administrators to locate and access a relevant CRL so that they can manually update the entries it contains. These entries are valid only for a specified time period.
A CDP may be located in the following places:
Active Directory (AD)
You use the AD as the CDP to publish and store CRLs for enterprise CAs, which use certificate templates. PKI users can retrieve CRL data from an AD CDP using LDAP.
A Local Directory
You use the local directory of a CA server as the CDP to store CRLs on stand-alone CAs, which do not require AD or the use of certificate templates. By default, stand-alone CAs hold all certificate requests in a pending queue until a CA approves them.
Configure an Online Responder
To enable an Online Responder to enroll for signing certificates, you need to do the following:
- Configure the OCSP Response Signing template
- Include the URL for the Online Responder in the AIA extensions of the certificates
- Assign the OCSP Response Signing template to the CA
- Create a revocation configuration
Publishing a CRL Manually
By default, AD CS automatically
publishes an updated CRL within a publish period, which you set as the CA administrator. Clients that have a cached copy of the previously published CRL or Delta CRL will continue using it until its validity period has expired.